
12/27/2016

Read-only domain controller in Windows Server 2008, RODC, Read-only DC

TechieBird (http://www.techiebird.com/rodc.html)

> What new attributes support the RODC Password Replication Policy?
Password Replication Policy is the mechanism for determining whether a user's or computer's credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008.
The following attributes have been added to the Active Directory schema to expedite the functionality that is required for RODC caching operations:

- msDS-RevealOnDemandGroup. This attribute points to the distinguished name (DN) of the Allowed List. The credentials of the members of the Allowed List are permitted to replicate to the RODC.
- msDS-NeverRevealGroup. This attribute points to the distinguished names of security principals whose credentials are denied replication to the RODC. This has no impact on the ability of these security principals to authenticate using the RODC. The RODC never caches the credentials of the members of the Denied List. A default list of security principals whose credentials are denied replication to the RODC is provided. This improves the security of RODCs that are deployed with default settings.
- msDS-RevealedList. This attribute is a list of security principals whose current passwords have been replicated to the RODC.
- msDS-AuthenticatedToAccountList. This attribute contains a list of security principals in the local domain that have authenticated to the RODC. The purpose of the attribute is to help an administrator determine which computers and users are using the RODC for logon. This enables the administrator to refine the Password Replication Policy for the RODC.
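As an added example (not from the original page), the following Python evaluates an RODC's Password Replication Policy offline from the four attributes just listed, and derives the two lists an administrator refining the PRP wants: revealed secrets the policy would now refuse, and accounts that log on through the RODC but are not cacheable. The directory and attribute values are constructed sample data; the DNs and helper names are assumptions, and the rule that Denied membership wins over Allowed membership is standard RODC behaviour not spelled out on the page.

```python
from typing import Dict, Set

BASE = "DC=example,DC=test"               # constructed sample domain
def user(name: str) -> str:               # user DN helper (assumed OU layout)
    return f"CN={name},OU=Branch1,{BASE}"
ALLOWED = f"CN=Allowed RODC Password Replication Group,CN=Users,{BASE}"
DENIED = f"CN=Denied RODC Password Replication Group,CN=Users,{BASE}"
BRANCH1 = f"CN=Branch1 Users,OU=Branches,{BASE}"
DOMADM = f"CN=Domain Admins,CN=Users,{BASE}"

# Constructed directory: group DN -> direct members (users or nested groups).
GROUPS: Dict[str, Set[str]] = {
    ALLOWED: {BRANCH1},
    BRANCH1: {user("alice"), user("dave")},
    DENIED: {DOMADM},
    DOMADM: {user("dave")},              # dave is allowed AND denied
}

# Constructed values of the RODC computer object's four PRP attributes.
RODC = {
    "msDS-RevealOnDemandGroup": {ALLOWED},
    "msDS-NeverRevealGroup": {DENIED},
    "msDS-RevealedList": {user("alice"), user("dave")},
    "msDS-AuthenticatedToAccountList": {user("alice"), user("dave"), user("bob")},
}

def expand(group_dn: str, groups=GROUPS, seen=None) -> Set[str]:
    """Flatten nested group membership; 'seen' guards against circular groups."""
    seen = set() if seen is None else seen
    seen.add(group_dn)
    members: Set[str] = set()
    for m in groups.get(group_dn, set()):
        if m in groups:                   # nested group: recurse once
            if m not in seen:
                members |= expand(m, groups, seen)
        else:
            members.add(m)
    return members

def may_cache(rodc: dict, principal: str) -> bool:
    """True only if the principal is in an Allowed group and in no Denied group."""
    denied = set().union(*(expand(g) for g in rodc["msDS-NeverRevealGroup"]))
    allowed = set().union(*(expand(g) for g in rodc["msDS-RevealOnDemandGroup"]))
    return principal in allowed and principal not in denied

def cached_but_denied(rodc: dict) -> Set[str]:
    """Secrets already revealed to the RODC that the current PRP would refuse;
    these are the passwords to reset in the hub."""
    return {p for p in rodc["msDS-RevealedList"] if not may_cache(rodc, p)}

def authenticated_not_cached(rodc: dict) -> Set[str]:
    """Principals using the RODC for logon whose logon fails when the WAN is
    down; candidates for the Allowed List when refining the PRP."""
    return {p for p in rodc["msDS-AuthenticatedToAccountList"] if not may_cache(rodc, p)}
```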


> How can you clear a password that is cached on an RODC?
There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site. This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches.
In the branch that contains the RODC on which the password may have been compromised, the password will still be valid for authentication purposes until the next replication cycle, at which time its value that is stored on the RODC will be changed to Null. The new password will be cached only after the user authenticates with it (or the new password is prepopulated on the RODC) and if the PRP has not been changed. In the event that an RODC is compromised, you should reset the passwords for all accounts that have cached passwords and then rebuild the RODC.


> Can an RODC replicate to other RODCs?
No, an RODC can only replicate from a writable Windows Server 2008 domain controller. In addition, two RODCs for the same domain in the same site do not share cached credentials. You can deploy multiple RODCs for the same domain in the same site, but it can lead to inconsistent logon experiences for users if the WAN to the writable domain controller in a hub site is offline.
This is because the credentials for a user might be cached on one RODC but not the other. If the WAN to a writable domain controller is offline and the user tries to authenticate with an RODC that does not have the user's credentials cached, then the logon attempt will fail.
> What operations fail if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:


- Password changes
- Attempts to join a computer to a domain
- Computer rename
- Authentication attempts for accounts whose credentials are not cached on the RODC
- Group Policy updates that an administrator might attempt by running the gpupdate /force command.

> What operations succeed if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations succeed:
- Authentication and logon attempts, if the credentials for the resource and the requester are already cached.
- Local RODC server administration performed by a delegated RODC server administrator.
> Will RODC support my Active Directory-integrated application?
Yes, RODC supports an Active Directory-integrated application if the application conforms to the following rules:
- If the application performs write operations, it must support referrals (enabled by default on clients).
- The application must tolerate write outages when the hub is offline.
> Does an RODC contain all of the objects and attributes that a writable domain controller contains?
Yes, an RODC contains all the objects that a writable domain controller contains. If you compare the LDAP store on a writable domain controller to the LDAP store of an RODC, they are identical, except that the RODC does not contain any of the credentials or attributes that are defined in the RODC filtered attribute set.
> Why does the RODC not have a relative ID (RID) pool?
All writable domain controllers can allocate RIDs from their respective RID pools to create security principals as needed. Because an RODC cannot create security principals, it cannot provide any RIDs, and it is never allocated a RID pool.
> Can I list the krbtgt account that is used by each RODC in the domain?
Yes. To list the krbtgt account that is used by each RODC in the domain, type the following command at a command line, and then press ENTER:
Repadmin /showattr <WritableDcName> <distinguished name of the domain partition> /subtree /filter:(&(objectclass=computer)(msDS-KrbTgtLink=*)) /atts:msDS-KrbTgtLink
> How does the client DNS update referral mechanism work?
Because the DNS server that runs on an RODC cannot directly register client updates, it has to refer the client to a DNS server that hosts a primary or Active Directory-integrated copy of the zone file. This server is sometimes referred to as a writable DNS server. When a client presents a Find Authoritative Query, which is the precursor to an update request, the DNS server on the RODC uses the domain controller Locator to find domain controllers in the closest site.
The RODC then compares the list of domain controllers that is returned with the list of name server (NS) resource records that it has. The RODC returns to the client the NS resource record of a writable DNS server that the client can use to perform the update. The client can then perform its update.
If no domain controller in the closest site matches an entry in the list of NS records for the zone, the RODC attempts to discover any domain controller in the forest that matches an entry in the list.
Suppose that a new client is introduced to a site that has a DNS server running only on an RODC. In this case, the RODC DNS server tries to replicate the DNS record that the client has tried to update on the writable DNS server. This occurs approximately five minutes after the RODC provides a response to the original Find Authoritative Query.
If the DNS client on the RODC attempts a DNS update, a writable domain controller running Windows Server 2008 is returned so that the RODC can perform the update.
> Why doesn't the KCC on writable domain controllers try to build connections from an RODC?
To build the replication topology, the Knowledge Consistency Checker (KCC) examines the following:
- All the sites that contain domain controllers
- The directory partitions that each domain controller holds
- The cost that is associated with the site links, to build a least-cost spanning tree
The KCC determines if there is a domain controller in a site by querying AD DS for objects of the NTDS DSA category (the objectCategory attribute value of the NTDS Settings object). The NTDS Settings objects for RODCs do not have this object category. Instead, they support a new object category value named NTDS-DSA-RO.
As a result, the KCCs on writable domain controllers never consider an RODC as part of the replication topology. This is because the NTDS Settings objects of RODCs are not returned in the query.
However, the KCC on an RODC also needs to consider the local domain controller (itself) to be part of the replication topology to build inbound connection objects. This is achieved by a minor logic change to the algorithm that the KCC uses on all domain controllers running Windows Server 2008 that forces it to add the NTDS Settings object of the local domain controller to the list of potential domain controllers in the topology. This makes it possible for the KCC on an RODC to add itself to the topology. However, the KCC on an RODC does not add any other RODCs to the list of domain controllers that it generates.
> How does the KCC build inbound connections locally on an RODC when the RODC is supposed to be read-only?
An RODC is completely read-only from the perspective of external clients, but it can internally originate changes for a limited set of objects. It permits replicated write operations and a limited set of originating write operations.
Both the KCC and the replication engine are special writers on an RODC. The replication engine performs replicated write operations on an RODC in exactly the same way as it does on the read-only partitions of a global catalog server that runs Windows Server 2003. The KCC is permitted to perform originating write operations on the objects that are required to perform Active Directory replication, such as connection objects.

> Why does an RODC have two inbound connection objects?
This is because File Replication Service (FRS) requires its own pair of connection objects in order to function correctly. In previous versions of Windows Server, FRS was able to utilize the existing connection objects between two domain controllers to support its replication of SYSVOL content.
However, because an RODC only performs inbound replication of Active Directory data, a reciprocal connection object on the writable replication partner is not needed.
Consequently, the Active Directory Domain Services Installation Wizard generates a special pair of connection objects to support FRS replication of SYSVOL when you install an RODC. The FRS connection objects are not required by DFS Replication.
> How does RODC connection failover work?
If the bridgehead replication partner of an RODC becomes unavailable, the KCC on the RODC builds a connection to another partner. By default, this happens after about two hours, which is the same for a writable domain controller. However, the FRS connection object on an RODC must use the same target as the connection object that the KCC generates on the RODC for Active Directory replication. To achieve this, the fromServer value on the two connections is synchronized.
However, the trigger for changing the fromServer value on the FRS connection object is not the creation of the new connection; instead, it is the removal of the old connection. The removal step happens some hours after the new connection object is created. Consequently, the fromServer value continues to reference the original partner until the old connection is removed by the KCC.
A side effect of this is that while Active Directory replication works successfully against the new partner, FRS replication fails during this period. The additional delay is by design: it avoids causing FRS to perform an expensive VVJoin operation against the new partner, which is unnecessary if the outage of the original partner is only temporary.
> How can an administrator delete a connection object locally on an RODC?
The KCC on an RODC will build inbound connection objects for Active Directory replication. These objects cannot be seen on other writable domain controllers because they are not replicated from the RODC.
You cannot use the Active Directory Sites and Services snap-in to remove these connection objects, but you can use Ldp.exe or Adsiedit.msc. The KCC on the RODC will then rebuild a connection. This way, you can trigger redistribution of connection objects across a set of RODCs that have site links to a single hub site that has multiple bridgehead servers.
> How can an administrator trigger replication to an RODC?
You can use the following methods:
1. By running the repadmin /replicate or repadmin /syncall operations.
2. By using the Active Directory Sites and Services snap-in. In this case, you can right-click the connection object and click Replicate Now.
3. You can use Active Directory Sites and Services on a writable domain controller to create an inbound replication connection object on any domain controller, including an RODC, even if no inbound connection exists on the domain controller. This is similar to running a repadmin /add operation.
> How are writable directory partitions differentiated from read-only directory partitions?
This comes from an attribute on the directory partition head called instanceType. This is a bitmask. If bit 3 (value 0x4) is set, the directory partition is writable. If the bit is not set, the directory partition is read-only.
> Why can an RODC only replicate the domain directory partition from a domain controller running Windows Server 2008 in the same domain?
This is how the filtering of secrets is enforced during inbound replication to an RODC. A domain controller running Windows Server 2008 is programmed not to send secret material to an RODC during replication, unless the Password Replication Policy permits it. Because a domain controller running Windows Server 2003 has no concept of the Password Replication Policy, it sends all secrets, regardless of whether they are permitted.
> How does the KCC differentiate between domain controllers running Windows Server 2003 and domain controllers running Windows Server 2008?
The NTDS DSA object has an msDS-Behavior-Version attribute. A value of 2 indicates that the domain controller is running Windows Server 2003. A value of 3 indicates that it is running Windows Server 2008.
> Why are built-in groups such as Account Operators and Server Operators specified separately in the Denied List attribute, but not in the Denied RODC Password Replication Group?
The Allowed RODC Password Replication Group and the Denied RODC Password Replication Group are domain local groups. Domain local groups cannot contain built-in groups.
> What actually happens when you add a user to an Administrator Role Separation role?
The configuration adds entries to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\control\lsa\rodcroles
Name: 544
Data type: REG_MULTI_SZ
Value: S1521760266474138648229742370898791107
The role is denoted by the entry name; 544, for example, is the well-known RID for the builtin\administrators group. Then, each value represents the security identifier (SID) of a user who has been assigned to the role.
> How can an administrator determine the closest site for any given site?
- Look at the site link costs that appear in Active Directory Sites and Services, or
- After an RODC is installed successfully in an Active Directory site, run the nltest command against the RODC.
The following example shows the command and the results:
C:\>nltest /dsgetdc:rodc /server:rodcdc02 /try_next_closest_site /avoidself
DC: \\HUBDC01
Address: \\2001:4898:28:4:5e1:903a:7987:eea5
Dom Guid: 00e80237-c5ce-4143-b0b8-cfa5c83a5654
Dom Name: RODC
Forest Name: rodc.nttest.contoso.com
Dc Site Name: Hub
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET
The command completed successfully.
> Why does %logonserver% have the name of a domain controller in my hub site rather than the RODC in my site?
If your user account password cannot be replicated to the RODC in your site, or if the RODC does not currently have your password, the Kerberos AS_REQ is forwarded to a hub domain controller that provides your TGT.
The process that updates the environment variables uses the hub domain controller as the logon server for the environment variable. The %logonserver% environment variable is not updated for the duration of that logon session, even though the user is forced to reauthenticate against the RODC.
> Password changes are not always chained by an RODC. Why?
Some password-change operations, such as a user initiating a password-change request by pressing Ctrl+Alt+Del, specifically require a writable domain controller. When the client computer detects that the RODC is not writable, it locates a writable domain controller instead. Other password-change operations, such as a user's password expiring and the user being prompted to change it at logon, do not specifically require a writable domain controller.
> How does a hub domain controller recognize that a request to replicate a password is coming from an RODC?
The RODC does a bind and calls the replicate single object application programming interface (API). The binding handle shows that it is an RODC account.
> Why does an RODC replicate in a cached password both by RSO operation and normal replication?
When a single object is replicated to the RODC in the branch site, the update sequence number (USN) and the high watermark are not updated. As a result, the object is replicated to the branch site again at a later time.
> Does an RODC perform password validation forwarding even when it has a password for a user?
Yes. In the case where a user presents a password that does not match what the RODC has stored locally, the RODC will forward the authentication request. The RODC forwards the request to the writable Windows Server 2008 domain controller that is its replication partner, which in turn forwards the request to the PDC emulator if required. If the authentication is validated at the writable Windows Server 2008 domain controller or the PDC emulator, the RODC will purge the currently stored password and replicate the new password by RSO operation.

> Can you remove the last domain controller in a domain if there are unoccupied (or disabled) RODC accounts in the domain?
As for all previous versions of Windows Server, it is a requirement that all other domain controllers have been removed from the domain before you can remove the last domain controller. For Windows Server 2008, this requirement includes the removal of all RODCs and the removal of any precreated but unused RODC accounts.
> What relevant RODC event log entries are there?
If an RODC attempts a Replicate Single Object (RSO) operation to cache a password that the Password Replication Policy prevents from replicating to the RODC, the hub domain controller that the RODC contacts logs event ID 1699.
The details for event ID 1699 include:
Log Name: Directory Service
Source: NTDS Replication
Date: 5/2/2006 2:37:39 PM
Event ID: 1699
Task Category: Replication
Level: Error
Keywords: Classic
User: RODC\RODCDC02$
Computer: HUBDC01
Description:
This directory service failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send change requests to the directory service at the following network address.
Directory partition:
CN=test10,OU=Branch1,OU=Branches,DC=rodc,DC=nttest,DC=contoso,DC=com
Network address:
c6ef8d14f0154cd094ccc7f5c9c834ba._msdcs.rodc.nttest.contoso.com
Extended request code:
7
Additional Data
Error value:
8453 Replication access was denied.
A successful logon logs event ID 4768 on the hub domain controller and on the RODC.
The details of event ID 4768 on the hub domain controller include the following:
Log Name: Security
Source: Microsoft Windows Security Auditing
Date: 5/2/2006 3:58:05 PM
Event ID: 4768
Task Category: Kerberos Ticket Events
Level: Information
Keywords: Audit Success
User: N/A
Computer: hubdc01.rodc.nttest.contoso.com
Description:
Authentication Ticket Request:
Account Name: test10
Supplied Realm Name: RODC
User ID: S15213503915162242128803420030802291128
Service Name: krbtgt
Service ID: S1521350391516224212880342003080229502
Ticket Options: 0x40810010
Result Code: 0x0
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
Client Address: 2001:4898:28:4:6182:4acd:65c9:283a
Client Port: 55763
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
At the default Event log settings, no replication event shows that the password has replicated to the RODC.
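As an added example (not from the original page), the following Python parses the "Field: value" layout of the two events shown above, flags hub-side RSO denials (event 1699 with error 8453) and correlates them with TGTs the hub issued (event 4768, result 0x0). Because no replication event records a successful cache, 1699 is the only hub-side signal that an RODC tried to cache an account the PRP forbids, and the correlated list shows which branch users work today only while the WAN is up. The event texts are constructed samples modelled on the page's output; the helper names are assumptions.

```python
import re

# Constructed sample events in the 'Field: value' layout the page shows.
# Values are modelled on the page's output; they are not live log data.
SAMPLE_EVENTS = [
    """Log Name: Directory Service
Source: NTDS Replication
Event ID: 1699
Level: Error
User: RODC\\RODCDC02$
Computer: HUBDC01
Directory partition: CN=test10,OU=Branch1,OU=Branches,DC=rodc,DC=nttest,DC=contoso,DC=com
Error value: 8453 Replication access was denied.""",
    """Log Name: Security
Source: Microsoft Windows Security Auditing
Event ID: 4768
Computer: hubdc01.rodc.nttest.contoso.com
Account Name: test10
Supplied Realm Name: RODC
Service Name: krbtgt
Result Code: 0x0""",
    """Log Name: Security
Event ID: 4768
Account Name: alice
Service Name: krbtgt
Result Code: 0x0""",
]

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*?)\s*$")

def parse_event(text: str) -> dict:
    """Map each 'Field: value' line to a dict entry; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def leading_cn(dn: str) -> str:
    """Leading CN of a DN: 'CN=test10,OU=...' -> 'test10'."""
    m = re.match(r"CN=([^,]+)", dn)
    return m.group(1) if m else dn

def rso_denials(events) -> list:
    """(RODC account, target account) pairs where the hub refused an RSO
    request because of the PRP: event 1699 with error 8453."""
    found = []
    for ev in map(parse_event, events):
        if ev.get("Event ID") == "1699" and ev.get("Error value", "").startswith("8453"):
            found.append((ev.get("User", "?"), leading_cn(ev.get("Directory partition", ""))))
    return found

def denied_but_logged_on(events) -> list:
    """Accounts that got a TGT from the hub (4768, result 0x0) after the hub
    refused to let the RODC cache them: they work today but depend on the WAN."""
    denied = {target for _, target in rso_denials(events)}
    issued = {ev.get("Account Name") for ev in map(parse_event, events)
              if ev.get("Event ID") == "4768" and ev.get("Result Code") == "0x0"}
    return sorted(denied & issued)
```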
(Aug 3, 2013) Abdulkalam said:

Very beneficial interview question
