Credential Cashing

Credential caching is the storage of user or computer credentials. By default, a read-only domain controller (RODC) does not store user credentials or computer credentials except for its own computer account and a special krbtgt account for that RODC. You must explicitly allow any other credentials to be cached on that RODC.

Password Replication Policy

When you initially deploy an RODC, you must configure the Password Replication Policy (PRP) on the writable domain controller that will be its replication partner. The PRP acts as an access control list (ACL). It determines whether an RODC should be permitted to cache credentials for an account. After the RODC receives a user or computer logon request, it attempts to replicate the credentials for that account from a writable Windows Server 2008 or Windows Server 2008 R2 domain controller. The writable domain controller refers to the PRP to determine if the credentials for the account should be cached. If the PRP allows the account to be cached, the writable Windows Server 2008 domain controller replicates the credentials for that account to the RODC and the RODC caches the credentials. During subsequent logons for that account, the RODC can authenticate the account by referring to the credentials that it has cached. The RODC does not have to contact the writable domain controller.

PRP Allowed and Denied Lists

Two built-in groups are present in Windows Server 2008 and Windows Server 2008 R2 Active Directory domains to support RODC operations. These built-in groups are the Domain RODC Password Replication Allowed Group and the Domain RODC Password Replication Denied Group. These groups help implement a default Allowed List and a Denied List for the RODC Password Replication Policy.

By default, the Domain RODC Password Replication Denied Group contains the following members:

  • Enterprise Domain Controllers

  • Enterprise Read-Only Domain Controllers

  • Group Policy Creator Owners

  • Domain Admins

  • Cert Publishers

  • Enterprise Admins

  • Schema Admins

  • Domain-wide krbtgt account

By default, the Denied List attribute contains the following security principals, all of which are built-in groups:

  • Domain RODC Password Replication Denied Group

  • Account Operators

  • Server Operators

  • Backup Operators

  • Administrators

Clearing cached passwords

There is no mechanism to clear the cached password for a given user on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site. This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches. If an RODC is compromised, reset the passwords that are currently cached and then rebuild the RODC.

Additional references