Tuesday 6 January 2015

RODC Deployed and not authenticating local users

I've seen this a few times so I am going to quickly write something about it.
Scenario:
Read Only Domain Controllers (RODCs) are deployed, and yet the users that you would expect to authenticate to them are going to a different domain controller (a normal DC).

Question:
Have you configured Password Replication Policy on the RODC?
Without configuring this they are not doing a lot... (apart from DNS etc. obviously)

I have seen this a few times where someone has deployed an RODC and not followed through the configuration - generally because they understand the concept but not how to put it into practice.



To check the config - go to the RODC in Active Directory Users and Computers > Properties > Password Replication Policy

The standard groups are shown and I'd hope a custom one set to "allow"
Standard Groups:
Account Operators - Deny
Administrators - Deny
Allowed RODC Password Replication Group - Allow
Backup Operators - Deny
Denied RODC Password Replication Group - Deny
Server Operators - Deny

Basically, by default - there's nothing allowed!


One of the points of an RODC is that it limits what is hit if it's stolen.

If you add Authenticated Users in there, great: it’ll cache everyone's passwords locally (apart from those denied). If it's stolen you've lost the lot… There’s an option when removing an RODC (by force) that says “do you want to force reset all the cached passwords”.

That’d cause massive headaches for those users if Authenticated Users is in there, as every single account would be prompted to change password, and if you have a stray service account in there... uh-oh.

Allowed RODC Password Replication Group by default contains nothing… you can populate this, but anything you put in it is then allowed on all RODCs - this may not be desirable.


I created an admin group in there for delegated RODC admins only, as they may be done by a single infrastructure team (using nested groups).
Then separated each RODC with its own custom resource group, in which there were computer groups and user groups for users/computers and servers.

On the Password Replication Policy tab on the RODC:
RG-RODC-Cache

In the RG-RODC-Cache group:
UG-RODC_Cache-Users
CG-RODC_Cache-Workstations
CG-RODC_Cache-Servers

Any users/workstations/servers added to the above groups (split up for ease of delegation between users/servers as may be done by different teams) will be able to authenticate to the RODC as their password is cached. Any others will go to the RW DCs.
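
The same check can be run from PowerShell instead of the GUI. This is an added example, not part of the original post: it lists an RODC's Allowed and Denied entries, warns on over-broad allow entries such as Authenticated Users, counts the effective members of each allowed group, and shows which accounts are cached right now. It uses the ActiveDirectory module; 'RODC01' is a placeholder name.

```powershell
# Added example: audit one RODC's Password Replication Policy (PRP).
# Needs the ActiveDirectory module (RSAT). 'RODC01' is a placeholder name.
Import-Module ActiveDirectory
$Rodc = 'RODC01'

$allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
$denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)

Write-Host "== Allowed list on $Rodc =="
$allowed | Format-Table Name, ObjectClass, SID -AutoSize | Out-Host
Write-Host "== Denied list on $Rodc =="
$denied | Format-Table Name, ObjectClass, SID -AutoSize | Out-Host

# Flag entries that would let (nearly) every account in the domain be cached:
# Authenticated Users (S-1-5-11), Everyone (S-1-1-0), Domain Users (RID 513),
# Domain Computers (RID 515).
$broad = $allowed | Where-Object {
    $_.SID.Value -in 'S-1-5-11', 'S-1-1-0' -or $_.SID.Value -match '-(513|515)$'
}
foreach ($p in $broad) {
    Write-Warning "Allowed list contains '$($p.Name)': a stolen $Rodc exposes every account it has cached."
}

# Count the accounts each allowed group really resolves to (nested groups included).
# Zero everywhere means nothing can be cached, so logons go to a writable DC.
foreach ($g in ($allowed | Where-Object ObjectClass -eq 'group')) {
    $members = @(Get-ADGroupMember -Identity $g.DistinguishedName -Recursive -ErrorAction SilentlyContinue)
    Write-Host ("{0}: {1} effective member(s)" -f $g.Name, $members.Count)
}

# Accounts whose passwords are cached on the RODC right now. This is the
# list that has to be reset if the RODC is lost.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
Write-Host "== $($revealed.Count) account(s) currently cached on $Rodc =="
$revealed | Sort-Object ObjectClass, Name | Format-Table Name, ObjectClass -AutoSize | Out-Host
```

Any administrator or service account showing up in the cached list is worth reviewing against the Denied list.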



Some screenshots would be useful here, but I don't have time to add them at the moment - I may come back and add them later.
