Configure Credential Caching on RODC Windows Server 2016

Branch users’ credentials are not cached on RODC by default and it relies on writable DC for login authentications. Although this approach protects credential from being stolen from RODC on branch site. However, it has following drawbacks.

Karim Buzdar

April 27, 2017

3 Min Read
Configure Credential Caching on RODC Windows Server 2016

Branch users’ credentials are not cached on RODC by default and it relies on writable DC for login authentications. Although this approach protects credential from being stolen from RODC on branch site. However, it has following drawbacks.

  1. When there are more users’ authentication requests, it can choke the bandwidth of WAN link 

  2. Users’ log on process can take more time especially if the WAN link is already slow

  3. Users’ won’t be able to authenticate if the WAN link or write-able DC is down

You can overcome the above-mentioned problems by configuring Password Replication policy (PRP) on Read-Only DC. In PRP, when a user login, an authentication request is sent to write-able DC via Read-Only DC. The user is authenticated, its password is replicated to RODC and cached on it. The same user is then authenticated directly from RODC for all subsequent logins as shown in below figure.

In one of the previous articles, I discussed why and how we deploy and RODC on Windows Server 2016 on an enterprise network. Now, I’ll demonstrate to configure Read-Only DC Windows Server 2016 for branch users’ credential caching.

Step 1. Open Active Directory Users and Computers MMC snap-in, expand domain name and choose Domain Controllers. On the right pane, right-click read-only domain controller machine-> click Properties. Open Password Replication Policy tab -> click Add -> choose to Allow passwords for the account to replicate to this RODC -> click OK

Step 2. Search and add desired user(s) you want to cache their credential, and computer on which users will log in 

 

Step 3. Click Apply

Step 4. Login to client machine, log out and then log in back

Testing the Configuration

Step 1. While in Password Replication Policy tab in write-able DCs’ ADUC MMC snap-in, click Advanced. You should see the user and computer accounts 

Step 2. Now turn off the write-able DC and you should login to RODC without no logon servers available error

References

1. http://windowsitpro.com/windows-server/q-how-do-i-control-read-only-domain-controllers-rodcs-credential-caching-and-password

2. http://windowsitpro.com/windows-server-2016/deploy-read-only-domain-controller-rodc-windows-server-2016

3. http://www.rebeladmin.com/2014/10/password-replication-in-rodc/

 

 

About the Author

Karim Buzdar

Karim Buzdar

https://www.linkedin.com/in/karimbuzdar/

See more from Karim Buzdar
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

the interface of the PowerShell search tool with a hand holding a magnifying glass on a background of a blue sky and clouds in the shape of gears
PowerShell
How I Built My Own PowerShell Multi-File Search Tool
How I Built My Own PowerShell Multi-File Search Tool

Oct 22, 2024

burnout gif featuring a mannequin surrounded by office technology on fire
Career Tips
Am I Burned Out? How To Identify and Address Burnout in IT
Am I Burned Out? How To Identify and Address Burnout in IT

Oct 24, 2024

MLOps
Ops and More
Choosing Between Cloud and On-Prem MLOps: What's Best for Your Needs?
Choosing Between Cloud and On-Prem MLOps: What's Best for Your Needs?

Oct 23, 2024

Exclusive ITPro Resources
See all ITPro Resources

Featured Technical Explainers

DevOps logo on top of code
DevOps
DevOps: Key to Faster, More Efficient Government Software Development
DevOps: Key to Faster, More Efficient Government Software Development
Windows 11 logo on laptop screen
Microsoft Windows
Exploring eBPF for Windows: Opportunities and Limitations
Exploring eBPF for Windows: Opportunities and Limitations
MLOps
Ops and More
Choosing Between Cloud and On-Prem MLOps: What's Best for Your Needs?
Choosing Between Cloud and On-Prem MLOps: What's Best for Your Needs?
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

Recent What Is

cartoon shows a person next to a checklist and several icons that represent disaster scenarios
Disaster Recovery
BCDR Basics: A Quick Reference Guide for Business Continuity & Disaster RecoveryBCDR Basics: A Quick Reference Guide for IT Pros
technology interface with a person's hand drawing gears and cogs
PowerShell
Introduction To PowerShell Environment VariablesIntroduction To PowerShell Environment Variables