Password replication for read-only domain controllers in Windows Server 2008

The read-only domain controller is easy to set up, but a few more steps are needed before it will do its job when the rest of the domain is unreachable. Here are the steps required for computer and user accounts.

If your organization wants to fully take advantage of the read-only domain controller, there are plenty of considerations that go with setting up this new feature of Windows Server 2008.

When a domain controller is initially configured, the option to add it as a read-only domain controller is straightforward. Figure A shows the option to make the new domain controller read-only.

Figure A

Once the domain controller build is complete, additional steps are required before it will correctly process logon events for computer accounts on its own.

After a default installation, everything appears to work, until the writable domain controllers are not available. The reason is that a read-only domain controller holds no account secrets by default: when a client authenticates against it, it forwards the request to a writable domain controller, so logons succeed only as long as one is reachable. Although the read-only domain controller is read-only, it still needs to be able to process logon requests when the writable domain controllers are down, and that requires the relevant account passwords to have been cached on it beforehand. If the writable domain controllers are not available and nothing has been cached, the message in Figure B appears during logon.

Figure B

Corresponding Windows event log entries report that the computer account's password is not cached on the read-only domain controller and question whether the computer account is valid. The quick fix for the computer account is to create a security group containing the computer accounts that will log on through the read-only domain controller, and make that group a member of the default group called Allowed RODC Password Replication Group. Figure C shows the RWVDEV.INTRA domain with a computer account added to a designated group that is in turn a member of the Allowed RODC Password Replication Group.

Figure C

The Allowed RODC Password Replication Group is allowed, by the read-only domain controller's Password Replication Policy, to have its members' passwords (in this case, computer account passwords) replicated to and cached on the read-only domain controller. This also serves as an explicit inventory of which computer accounts are expected to log on through that read-only domain controller. A computer account has a password in Active Directory just as a user account does; unlike a user's password, it is maintained by the machine itself, which changes it automatically (every 30 days by default), much like the managed service account feature.

Like the computer account, the user account needs to be covered by the Allowed RODC Password Replication Group (directly or through a nested group) before its password can be cached and it can authenticate against the read-only domain controller while the writable domain controllers are unavailable. The group is therefore also the control over which users may log on at the remote site the read-only domain controller serves. Two caveats apply. First, the default Administrator account is not a member of the Allowed RODC Password Replication Group; it and the other privileged accounts (Domain Admins, Enterprise Admins, krbtgt and so on) are members of the Denied RODC Password Replication Group, and a deny entry always overrides an allow entry, so these passwords are never cached on a read-only domain controller regardless of any group you add them to. Second, the default Allowed group appears in the Password Replication Policy of every read-only domain controller in the domain, so a password allowed this way may be cached at any branch. A best practice recommendation is to maintain an explicit inventory of the users and computers expected to log on at (presumably) a remote site in a dedicated group, and to allow that group either through the Allowed RODC Password Replication Group, as above, or directly in that one read-only domain controller's Password Replication Policy where tighter scoping is wanted.
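The following script is an added example, not code from the original article, that carries out the procedure described above for both computer and user accounts from the command line and then checks the result. It uses the RWVDEV.INTRA domain from the article; the read-only domain controller name RODC01, the writable domain controller name RWDC01, the branch OU "OU=Branch,DC=RWVDEV,DC=INTRA" and the group name Branch-RODC-Allowed are assumptions for illustration. It relies on the ActiveDirectory PowerShell module, which shipped with Windows Server 2008 R2 and later RSAT; on a Windows Server 2008 console the equivalent repadmin commands are shown in comments.

```powershell
# Added example (not from the original article). Assumed names: RODC01, RWDC01,
# OU=Branch,DC=RWVDEV,DC=INTRA and the group Branch-RODC-Allowed.
Import-Module ActiveDirectory

$Rodc      = 'RODC01'
$BranchOu  = 'OU=Branch,DC=RWVDEV,DC=INTRA'
$GroupName = 'Branch-RODC-Allowed'

# 1. A dedicated global security group per site keeps the policy reviewable,
#    instead of putting individual accounts into the domain-wide default group.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $BranchOu -Description "Accounts whose passwords may be cached on $Rodc"
}

# 2. Both computer and user accounts are needed: a workstation whose own
#    account is not cached cannot complete the logon even if the user's is.
$members  = @(Get-ADComputer -Filter * -SearchBase $BranchOu)
$members += @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $BranchOu)
Add-ADGroupMember -Identity $GroupName -Members $members

# 3. Allow the group in this one RODC's Password Replication Policy. This is
#    narrower than nesting it in "Allowed RODC Password Replication Group",
#    which sits in the allow list of every RODC in the domain.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $GroupName

# 4. Resultant policy for one account. The deny list wins, so anything in
#    "Denied RODC Password Replication Group" (Domain Admins, the built-in
#    Administrator, krbtgt, ...) still comes back as Deny.
Get-ADAccountResultantPasswordReplicationPolicy -Identity 'Administrator' -DomainController $Rodc

# 5. Allowed is not the same as cached: a password is only replicated after the
#    account authenticates through the RODC or is prepopulated. RevealedAccounts
#    is the list that would actually survive a WAN outage right now.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# 6. Prepopulate instead of waiting for each account's first logon at the site
#    (only works for accounts the resultant policy allows):
#    repadmin /rodcpwdrepl RODC01 RWDC01 "CN=WS-001,OU=Branch,DC=RWVDEV,DC=INTRA"

# Windows Server 2008 without the AD module: same policy edit and check via repadmin.
#    repadmin /prp add RODC01 allow "RWVDEV\Branch-RODC-Allowed"
#    repadmin /prp view RODC01 reveal
```

Step 5 is the check worth running before trusting a branch to its read-only domain controller: an account can be fully allowed by policy and still have nothing cached, which is exactly the situation that produces the Figure B message once the WAN link drops.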

Check out TechNet's thorough listing of password replication resources.

Have you tested using the read-only domain controller without the writable domain controllers available? If so, what surprises have you encountered? Share your comments.


By Rick Vanover

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.