Active Directory 2008 : Configuring Read-Only Domain Controllers (part 2) - Password Replication Policy , Administering RODC Credentials Caching, Administrative Role Separation

9/4/2013 9:24:42 PM

4. Password Replication Policy

Password Replication Policy (PRP) determines which users’ credentials can be cached on a specific RODC. If PRP allows an RODC to cache a user’s credentials, authentication and service ticket activities of that user can be processed by the RODC. If a user’s credentials cannot be cached on an RODC, authentication and service ticket activities are referred by the RODC to a writable domain controller.

An RODC’s PRP is determined by two multivalued attributes of the RODC’s computer account. These attributes are commonly known as the Allowed List and the Denied List. If a user’s account is on the Allowed List, the user’s credentials are cached. You can include groups on the Allowed List, in which case all users who belong to the group can have their credentials cached on the RODC. If the user is on both the Allowed List and the Denied List, the user’s credentials will not be cached—the Denied List takes precedence.

Configuring Domain-Wide Password Replication Policy

To facilitate the management of PRP, Windows Server 2008 R2 creates two domain local security groups in the Users container of Active Directory. The first group, Allowed RODC Password Replication Group, is added to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new RODC will not cache any user’s credentials. If you have users whose credentials you want to be cached by all domain RODCs, add those users to the Allowed RODC Password Replication Group.

The second group is named Denied RODC Password Replication Group. It is added to the Denied List of each new RODC. If you have users whose credentials you want to ensure are never cached by domain RODCs, add those users to the Denied RODC Password Replication Group. By default, this group contains groups for security-sensitive accounts including Domain Admins, Enterprise Admins, and Group Policy Creator Owners.

Note

COMPUTERS ARE PEOPLE, TOO

Remember that it is not only users that generate authentication and service ticket activity. Computers in a branch office also require such activity. To improve performance of systems in a branch office, allow the branch RODC to cache appropriate computer credentials as well.

Configuring RODC-Specific Password Replication Policy

The two groups described in the previous section provide a method to manage PRP on all RODCs. However, to best support a branch office scenario, you must allow the RODC in each branch office to cache credentials of users and computers in that specific location. Therefore, you must configure the Allowed List and the Denied List of each RODC.

To configure an RODC’s PRP, open the properties of the RODC’s computer account in the Domain Controllers OU. On the Password Replication Policy tab, shown in Figure 4, you can view the current PRP settings and add or remove users or groups from the PRP.

Figure 4. The Password Replication Policy tab of an RODC

5. Administering RODC Credentials Caching

When you click the Advanced button on the Password Replication Policy tab shown in Figure 4, an Advanced Password Replication Policy dialog box appears. An example is shown in Figure 5.

Figure 5. The Advanced Password Replication Policy dialog box

In the drop-down list at the top of the Policy Usage tab, you can select one of two reports for the RODC:

  • Accounts Whose Passwords Are Stored On This Read-Only Domain Controller: Displays the list of user and computer credentials that are currently cached on the RODC. Use this list to determine whether credentials are being cached that you do not want cached on the RODC. Then modify the PRP accordingly.

  • Accounts That Have Been Authenticated To This Read-Only Domain Controller: Displays the list of user and computer credentials that have been referred to a writable domain controller for authentication or service ticket processing. Use this list to identify users or computers that are attempting to authenticate with the RODC. If any of these accounts are not being cached, consider adding them to the PRP.

In the same dialog box, you can use the Resultant Policy tab to evaluate the effective caching policy for an individual user or computer. Click Add to select a user or computer account for evaluation.

Under normal circumstances, if a user or computer is on the Allowed List of an RODC, the account credentials can be cached on the RODC, but they are not cached until an authentication or service ticket event causes the RODC to replicate the credentials from a writable domain controller. However, you can also use the Advanced Password Replication Policy dialog box to prepopulate user and computer credentials in the RODC cache. This ensures that authentication and service ticket activity is processed locally by the RODC even when the user or computer is authenticating for the first time. To prepopulate credentials, click Prepopulate Passwords and select the appropriate users and computers.

6. Administrative Role Separation

RODCs in branch offices can require maintenance such as an updated device driver. Additionally, small branch offices might combine the RODC role with the file server role on a single system, in which case it is important to be able to back up the system. RODCs support local administration through a feature called administrative role separation. Each RODC maintains a local database of groups for specific administrative purposes. You can add domain user accounts to these local roles to enable support of a specific RODC.

You can configure administrative role separation by using the Dsmgmt.exe command. To add a user to the Administrators role on an RODC, follow these steps:

  1. Open Command Prompt on the RODC.

  2. Type dsmgmt and press Enter.

  3. Type local roles and press Enter.

    At the Local Roles prompt, you can type ? and press Enter for a list of commands. You can also type list roles and press Enter for a list of local roles.

  4. Type add username administrators, where username is the pre–Windows 2000 logon name of a domain user, and press Enter.

You can repeat this process to add other users to the various local roles on an RODC.

Practice Configuring Read-Only Domain Controllers

In this practice, you implement read-only domain controllers in a simulation of a branch office scenario. You install an RODC, configure password replication policy, monitor credential caching, and prepopulate credentials on the RODC. To perform this practice, you must complete the following preparatory tasks:

  • Install a second server running a full installation of Windows Server 2008 R2. Name the server BRANCHSERVER. Do not join the computer to the domain. Set the server’s IP configuration as follows:

    • IP Address: 10.0.0.12

    • Subnet Mask: 255.255.255.0

    • Default Gateway: 10.0.0.1

    • DNS Server: 10.0.0.11 (the address of SERVER01)

  • Create the following Active Directory objects:

    • A global security group named Branch Office Users

    • A user named James Fine, who is a member of Branch Office Users

    • A user named Adam Carter, who is a member of Branch Office Users

    • A user named Mike Danseglio, who is not a member of Branch Office Users

In this and other practices in this training kit, you will log on to the domain controller with user accounts that are not a member of Domain Administrators or the domain’s Administrators group. Therefore, you must give all user accounts the right to log on locally to the domain controllers in your practice environment. Follow the steps in the article, “Grant a Member the Right to Logon Locally,” at http://technet.microsoft.com/en-us/library/ee957044(WS.10).aspx to grant the Allow Logon Locally right to the Administrators and Domain Users groups. If you will use Remote Desktop Services to connect to the domain controller—rather than logging on locally—grant the Allow Logon Through Remote Desktop Services right. Reboot the server or otherwise refresh Group Policy. This is for the practice environment only. In a production environment, you should not grant users the right to log on to domain controllers.

EXERCISE 1 Install an RODC

In this exercise, you configure the BRANCHSERVER server as an RODC in the contoso.com domain.

  1. Log on to BRANCHSERVER as Administrator.

  2. Click Start, and then click Run.

  3. Type dcpromo and click OK.

    A window appears, informing you that the Active Directory Domain Services binaries are being installed. When installation is complete, the Active Directory Domain Services Installation Wizard appears.

  4. On the first page of the wizard, click Next.

  5. On the Operating System Compatibility page, click Next.

  6. On the Choose A Deployment Configuration page, click Existing Forest, and then click Add A Domain Controller To An Existing Domain. Click Next.

  7. On the Network Credentials page, type contoso.com.

  8. Click Set.

  9. In the User Name box, type CONTOSO\Administrator.

  10. In the Password box, type the password for the domain’s Administrator account. Click OK, and then click Next.

  11. On the Select A Domain page, select contoso.com and click Next.

  12. On the Select A Site page, select Default-First-Site-Name and click Next.

    In a production environment, you would select the site for the branch office in which the RODC is being installed.

  13. On the Additional Domain Controller Options page, select Read-Only Domain Controller (RODC). Also ensure that DNS Server and Global Catalog are selected. Then click Next.

  14. On the Delegation Of RODC Installation And Administration page, click Next.

  15. On the Location For Database, Log Files, And SYSVOL page, click Next.

  16. On the Directory Services Restore Mode Administrator Password page, type a password in the Password and Confirm Password boxes, and then click Next.

  17. On the Summary page, click Next.

  18. In the progress window, select the Reboot On Completion check box.

EXERCISE 2 Configure Password Replication Policy

In this exercise, you configure PRP at the domain level and for an individual RODC. PRP determines whether the credentials of a user or computer are cached on an RODC.

  1. Log on to SERVER01 as Administrator.

  2. Open the Active Directory Users And Computers snap-in, expand the domain, and select the Users container.

  3. Examine the default membership of the Allowed RODC Password Replication Group.

  4. Open the properties of the Denied RODC Password Replication Group.

  5. Add the DNSAdmins group as a member of the Denied RODC Password Replication Group. Click OK to close the group Properties dialog box.

  6. Select the Domain Controllers OU.

  7. Open the properties of BRANCHSERVER.

  8. On the Password Replication Policy tab, identify the PRP settings for the two groups: Allowed RODC Password Replication Group and Denied RODC Password Replication Group.

  9. Click Add.

  10. Select Allow Passwords For The Account To Replicate To This RODC and click OK.

  11. In the Select Users, Computers, Or Groups dialog box, type Branch Office Users and click OK, and then click OK again.
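The same PRP configuration as section 4 and Exercise 2 describe, scripted with the ActiveDirectory PowerShell module that ships with Windows Server 2008 R2. This is an added example, not code from the training kit: BRANCHSERVER, DNSAdmins and Branch Office Users are the practice's names, the logon names jfine and mdanseglio are assumed, and the function models the Denied-takes-precedence rule rather than reproducing the Resultant Policy tab's own code.

```powershell
# Added example (not from the training kit). Run on SERVER01 as a domain admin.
Import-Module ActiveDirectory

$rodc = 'BRANCHSERVER'

# Domain-wide policy: the Denied group sits on every new RODC's Denied List,
# so adding DNSAdmins here keeps its members out of every RODC cache.
Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Members 'DNSAdmins'

# RODC-specific policy: allow the branch group on this one RODC only.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch Office Users'

# The two lists, as the Password Replication Policy tab shows them.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object @{ n = 'Setting'; e = { 'Allow' } }, Name, objectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object @{ n = 'Setting'; e = { 'Deny' } }, Name, objectClass

function Get-RodcResultantPolicy {
    # Evaluate one user against one RODC's lists. tokenGroups holds every
    # security group the user belongs to, including nested membership.
    param([string]$Rodc, [string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $sids = @([string]$user.SID) + @($user.tokenGroups | ForEach-Object { [string]$_ })
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
        ForEach-Object { [string]$_.SID }
    $denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
        ForEach-Object { [string]$_.SID }
    # The Denied List takes precedence; no match on either list means no caching.
    if ($sids | Where-Object { $denied -contains $_ })  { return 'Deny (explicit)' }
    if ($sids | Where-Object { $allowed -contains $_ }) { return 'Allow' }
    return 'Deny (implicit)'
}

# Assumed logon names: James Fine is in Branch Office Users, Mike Danseglio is not,
# so the expected results are Allow and Deny (implicit) respectively.
'jfine', 'mdanseglio' | ForEach-Object { '{0}: {1}' -f $_, (Get-RodcResultantPolicy $rodc $_) }
```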

EXERCISE 3 Monitor Credential Caching

In this exercise, you simulate the logon of several users to the branch office server and evaluate the credentials caching of the server.

  1. Log on to BRANCHSERVER as James Fine, and then log off.

  2. Log on to BRANCHSERVER as Mike Danseglio, and then log off.

  3. Log on to SERVER01 as Administrator and open the Active Directory Users And Computers snap-in.

  4. Open the properties of BRANCHSERVER in the Domain Controllers OU.

  5. On the Password Replication Policy tab, click Advanced.

  6. On the Policy Usage tab, in the Display Users And Computers That Meet The Following Criteria drop-down list, select Accounts Whose Passwords Are Stored On This Read-Only Domain Controller.

  7. Locate the entry for James Fine.

    Because you configured the PRP to allow caching of credentials for users in the Branch Office Users group, James Fine’s credentials were cached when he logged on in step 1. Mike Danseglio’s credentials are not cached.

  8. In the drop-down list, select Accounts That Have Been Authenticated To This Read-Only Domain Controller.

  9. Locate the entries for James Fine and Mike Danseglio.

  10. Click Close, and then click OK.

EXERCISE 4 Prepopulate Credentials Caching

In this exercise, you prepopulate the cache of the RODC with the credentials of a user.

  1. Log on to SERVER01 as Administrator and open the Active Directory Users And Computers snap-in.

  2. Open the properties of BRANCHSERVER in the Domain Controllers OU.

  3. On the Password Replication Policy tab, click Advanced.

  4. Click Prepopulate Passwords.

  5. Type Adam Carter and click OK.

  6. Click Yes to confirm that you want to send the credentials to the RODC. A dialog box informs you that the action was successful. Click OK.

  7. On the Policy Usage tab, select Accounts Whose Passwords Are Stored On This Read-Only Domain Controller.

  8. Locate the entry for Adam Carter.

    Adam’s credentials are now cached on the RODC.

  9. Click Close, and then click OK.
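The two Policy Usage reports, the prepopulation step and an audit of the cache, covering section 5 and Exercises 3 and 4 in PowerShell. This is an added example, not code from the training kit: BRANCHSERVER, SERVER01 and Adam Carter are the practice's names, and the check that compares cached accounts against the Denied group's membership is an added defender's control, not something the dialog box does for you.

```powershell
# Added example (not from the training kit). Run on SERVER01 as a domain admin.
Import-Module ActiveDirectory

$rodc = 'BRANCHSERVER'

# Report 1: accounts whose passwords are stored (cached) on this RODC.
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
# Report 2: accounts that have authenticated to this RODC, cached or referred.
$authed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts

# Accounts that authenticate at the branch but are still referred to a writable DC:
# candidates for the Allowed List if they really belong to the branch.
$authed | Where-Object { $cached.DistinguishedName -notcontains $_.DistinguishedName } |
    Select-Object Name, objectClass

# Audit: nothing that is a member of the Denied group (transitively) or on this
# RODC's own Denied List should ever show up in the cached report.
$deniedMembers = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive
$deniedList    = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
$unwanted = $cached | Where-Object {
    ($deniedMembers.DistinguishedName -contains $_.DistinguishedName) -or
    ($deniedList.DistinguishedName    -contains $_.DistinguishedName)
}
if ($unwanted) {
    Write-Warning "Credentials cached on $rodc despite the Denied policy:"
    $unwanted | Format-Table Name, objectClass
}

# Prepopulate: push Adam Carter's password to the RODC before his first logon,
# the equivalent of the Prepopulate Passwords button. The account must already
# pass the RODC's PRP (Adam is in Branch Office Users), or the sync is refused.
$user = Get-ADUser -Filter { Name -eq 'Adam Carter' }
Sync-ADObject -Object $user -Source 'SERVER01' -Destination $rodc -PasswordOnly

# Verify the account now appears in the cached report.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Where-Object { $_.DistinguishedName -eq $user.DistinguishedName } |
    Select-Object Name, objectClass
```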
