What new attributes support the RODC Password Replication Policy?

The Password Replication Policy (PRP) is the mechanism that determines whether a user's or computer's credentials are allowed to replicate from a writable domain controller to a read-only domain controller (RODC). The PRP is stored on the RODC's computer account in Active Directory, and it is always configured on a writable domain controller running Windows Server 2008; the RODC itself cannot modify it.
The following attributes were added to the Active Directory schema to support RODC credential caching:

  • msDS-Reveal-OnDemandGroup. This multi-valued attribute holds the distinguished names (DNs) of the security principals (users, computers, or groups) on the Allowed List. The credentials of the members of the Allowed List are permitted to replicate to the RODC, and they are cached the first time the account authenticates through it.
  • msDS-NeverRevealGroup. This attribute holds the distinguished names of the security principals on the Denied List, whose credentials are never replicated to the RODC. The Denied List takes precedence over the Allowed List. Being on the Denied List has no impact on a principal's ability to authenticate through the RODC; the RODC simply forwards the authentication request to a writable domain controller instead of answering from its cache. A default Denied List is provided (it includes privileged groups such as Administrators and the Denied RODC Password Replication Group), so that an RODC deployed with default settings never caches high-privilege credentials.
  • msDS-RevealedList. This attribute lists the security principals whose current passwords have actually been replicated to, and are cached on, the RODC. It is the authoritative record of exposure: if the RODC is stolen or compromised, these are the accounts whose passwords must be reset.
  • msDS-AuthenticatedToAccountList. This attribute lists the security principals in the local domain that have authenticated through the RODC, whether or not their credentials were cached. Its purpose is to help an administrator see which users and computers are actually using the RODC for logon, so that the Password Replication Policy for that RODC can be refined (for example, by adding frequently authenticating branch accounts to the Allowed List).
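As an added example (not part of the original page or of Microsoft's documentation), the following PowerShell script reads the four attributes above from an RODC's computer object and uses them the way the last bullet suggests: it compares msDS-AuthenticatedToAccountList against msDS-RevealedList to find accounts that log on through the RODC but are not cached, and reports whether each one is covered by the Allowed List, blocked by the Denied List, or is a candidate for the Allowed List. It assumes the RSAT ActiveDirectory module is available and that the RODC's computer account is named RODC01 (both assumptions); the example DN in the final comment is also hypothetical.

```powershell
# Added example (not from the original page): inspect an RODC's Password Replication
# Policy attributes and find accounts that authenticate at the RODC but are not cached.
# Assumes the RSAT ActiveDirectory module and an RODC computer account named RODC01.
Import-Module ActiveDirectory

$rodcName = 'RODC01'   # assumed RODC computer account name

# All four attributes live on the RODC's computer object. msDS-RevealedList is a
# constructed attribute, so it must be requested explicitly through -Properties.
$props = 'msDS-Reveal-OnDemandGroup', 'msDS-NeverRevealGroup',
         'msDS-RevealedList', 'msDS-AuthenticatedToAccountList'
$rodc = Get-ADComputer -Identity $rodcName -Properties $props

# Expand a list of DNs into the individual principals it covers: groups are
# flattened with Get-ADGroupMember -Recursive, users and computers are kept as-is.
function Expand-PrincipalList {
    param([string[]]$DistinguishedNames)
    foreach ($dn in $DistinguishedNames) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass
        if ($obj.objectClass -eq 'group') {
            Get-ADGroupMember -Identity $dn -Recursive |
                ForEach-Object { $_.DistinguishedName }
        } else {
            $obj.DistinguishedName
        }
    }
}

$allowed = @(Expand-PrincipalList $rodc.'msDS-Reveal-OnDemandGroup')
$denied  = @(Expand-PrincipalList $rodc.'msDS-NeverRevealGroup')

# Revealed-list values can arrive in DN-Binary form ("B:<len>:<hex>:<DN>");
# keep only the trailing DN so they compare with the plain DNs used elsewhere.
$revealed      = @($rodc.'msDS-RevealedList' | ForEach-Object { ($_ -split ':')[-1] })
$authenticated = @($rodc.'msDS-AuthenticatedToAccountList')

# Accounts that logged on through the RODC but are not cached. Each logon for these
# is forwarded over the WAN to a writable DC, so they are the tuning candidates.
$notCached = $authenticated | Where-Object { $revealed -notcontains $_ }

# The Denied List wins over the Allowed List, so classify each candidate accordingly.
$report = foreach ($dn in $notCached) {
    if ($denied -contains $dn) {
        $action = 'blocked by Denied List (will never be cached)'
    } elseif ($allowed -contains $dn) {
        $action = 'allowed, not yet revealed'
    } else {
        $action = 'consider adding to Allowed List'
    }
    [pscustomobject]@{
        Account   = $dn
        InAllowed = ($allowed -contains $dn)
        InDenied  = ($denied  -contains $dn)
        Action    = $action
    }
}
$report | Format-Table -AutoSize

# Accounts already in $revealed are the ones to reset if this RODC is ever compromised.
# To add a candidate to the Allowed List, run this on a writable DC (hypothetical DN):
# Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName `
#     -AllowedList 'CN=jdoe,OU=Branch,DC=corp,DC=example'
```

Run it from an account that can read the RODC computer object and enumerate group membership. Because the Denied List takes precedence, adding an account that is flagged "blocked by Denied List" to the Allowed List has no effect; the report makes that visible before you change the policy.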
