Enable RODC to authenticate domain admin accounts

What are the processes and group policy settings to change to enable Read-Only Domain Controllers to authenticate domain admin accounts in Server 2016?
IT Guy (Network Engineer) asked:
Sekar Chinnakannu (Staff Engineer) commented:
There is no way to do the same. You have to demote and promote the DC with RODC.
0
Mahesh (Architect) commented:
RODC can't store Domain Admins' credentials by default, by design; it has to authenticate these high-privileged accounts with a r/w DC... There is no alternative / policy for that.

There is an allowed password replication policy for RODC which can store users' and computers' passwords, so those accounts can authenticate from *RODC*, but all high-privileged principals are excluded from that policy by default, by design, and you cannot alter this behaviour.
0
Shaun Vermaak (Technical Specialist IV) commented:
What are the processes and group policy settings to change to enable Read-Only Domain Controllers to authenticate domain admin accounts in Server 2016?
Domain Admins can be authenticated by the RODC if it can talk to another full DC. Other than that, you have to designate a user account that can manage the RODC (stop AD service, etc.).

The above applies to password hash caching.
0
IT Guy (Network Engineer), author, commented:
Shaun,

Are there any special settings or group policy settings that need to be enabled to enable a domain admin account to be authenticated by a Read Only Domain Controller (RODC)?
0
Mahesh (Architect) commented:
All accounts, including domain admins, can authenticate with an RODC.
The question is password caching for Domain Admins accounts; Domain Admins' passwords cannot be cached by an RODC.
So what is the problem with that?
The problem is, if a RW DC is not available, domain admins cannot log on to the RODC.
I am wondering what you want to achieve with the RODC....
0
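As an added example (not code posted in this thread), the following PowerShell evaluates one account against an RODC's Password Replication Policy and then lists what that RODC has actually cached; it assumes the ActiveDirectory (RSAT) module on a domain-joined admin workstation, and RODC01 and jdoe are placeholder names to replace.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module;
# $Rodc and $Account are placeholders you must change for your domain.
Import-Module ActiveDirectory

$Rodc    = 'RODC01'   # assumption: name of the read-only domain controller
$Account = 'jdoe'     # assumption: sAMAccountName of the account to evaluate

# The PRP is two lists of principals on the RODC's computer object:
# msDS-RevealOnDemandGroup (Allowed) and msDS-NeverRevealGroup (Denied).
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

# Every group the account is in, nested included (LDAP_MATCHING_RULE_IN_CHAIN),
# plus the account itself. The primary group (Domain Users) is not found this way.
$user  = Get-ADUser -Identity $Account
$chain = @($user.DistinguishedName) +
         (Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))").DistinguishedName

$deniedBy  = $denied  | Where-Object { $chain -contains $_.DistinguishedName }
$allowedBy = $allowed | Where-Object { $chain -contains $_.DistinguishedName }

# Deny always wins over allow; an account listed in neither is not cached either.
$verdict = if ($deniedBy) {
    "DENIED - secrets never cached on $Rodc (via: $($deniedBy.Name -join ', '))"
} elseif ($allowedBy) {
    "ALLOWED - cached after first logon through $Rodc (via: $($allowedBy.Name -join ', '))"
} else {
    "NOT LISTED - not cached; $Rodc forwards every logon to a writable DC"
}
"$Account : $verdict"

# A Domain Admins member always comes out DENIED, because Domain Admins is a
# member of 'Denied RODC Password Replication Group' by default, which is what
# the answers above describe.

# Audit what the RODC has actually cached and who has authenticated through it.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

Run it as a user who can read the RODC's computer object; the RevealedAccounts list is the one to review periodically, since any account on it can log on at the branch site without a writable DC.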