The Password Replication Policy (PRP) is the mechanism that determines whether a user's or computer's credentials are allowed to replicate from a writable domain controller to a read-only domain controller (RODC). The Password Replication Policy is always set on a writable domain controller running Windows Server 2008.

The following attributes have been added to the Active Directory schema to support the functionality required for RODC credential caching:
- msDS-RevealOnDemandGroup. This attribute points to the distinguished name (DN) of the Allowed List. The credentials of the members of the Allowed List are permitted to replicate to the RODC.
- msDS-NeverRevealGroup. This attribute points to the distinguished names of security principals whose credentials are denied replication to the RODC. This has no impact on the ability of these security principals to authenticate using the RODC; the RODC simply never caches the credentials of members of the Denied List. A default list of security principals whose credentials are denied replication to the RODC is provided, which improves the security of RODCs that are deployed with default settings.
- msDS-RevealedList. This attribute is a list of security principals whose current passwords have been replicated to the RODC.
- msDS-AuthenticatedToAccountList. This attribute contains a list of security principals in the local domain that have authenticated to the RODC. The purpose of the attribute is to help an administrator determine which computers and users are using the RODC for logon, so that the administrator can refine the Password Replication Policy for the RODC.
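The review the article describes, reading the Allowed and Denied lists and comparing the accounts that have authenticated through the RODC against those whose credentials it has actually cached, can be scripted. The following PowerShell is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is installed, that the caller can read the RODC's computer object, and that `RODC01` is a placeholder for your RODC's name. The privileged group names used in the second check are an assumed starting set, not a list from the article.

```powershell
# Added example, not from the original article.
# Assumes: RSAT ActiveDirectory module; read access to the RODC computer object.
# $RodcName is a placeholder for the RODC under review.
Import-Module ActiveDirectory

$RodcName = 'RODC01'

# The Allowed and Denied lists live on the RODC computer object as
# msDS-RevealOnDemandGroup and msDS-NeverRevealGroup (multi-valued DNs).
$rodc = Get-ADComputer -Identity $RodcName -Properties `
    'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup'

Write-Host "Allowed List (msDS-RevealOnDemandGroup):"
$rodc.'msDS-RevealOnDemandGroup' | ForEach-Object { "  $_" }
Write-Host "Denied List (msDS-NeverRevealGroup):"
$rodc.'msDS-NeverRevealGroup'    | ForEach-Object { "  $_" }

# Accounts whose passwords the RODC currently caches, and accounts that have
# authenticated through it (the data behind msDS-RevealedList and
# msDS-AuthenticatedToAccountList), read via the PRP usage cmdlet.
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -AuthenticatedAccounts

# Check 1: accounts using this RODC for logon that are NOT cached.
# These are the candidates to add to the Allowed List if they really belong to
# the RODC's site; otherwise every logon depends on the WAN link to a writable DC.
$notCached = $authenticated |
    Where-Object { $_.DistinguishedName -notin $revealed.DistinguishedName }

Write-Host "`nAuthenticated via $RodcName but not cached ($($notCached.Count)):"
$notCached | ForEach-Object { "  $($_.SamAccountName)" }

# Check 2: cached accounts that belong to a privileged group.
# With the default Denied List intact this should return nothing; a hit means the
# PRP was loosened and a high-value credential now sits on a branch-office box.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'   # assumed set
$privilegedDns = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}
$privilegedCached = $revealed |
    Where-Object { $_.DistinguishedName -in $privilegedDns }

Write-Host "`nPrivileged accounts cached on $RodcName ($($privilegedCached.Count)):"
$privilegedCached | ForEach-Object { "  $($_.SamAccountName)" }
```

Run it from a management host with domain-user rights (the PRP attributes are readable by authenticated users by default). The first list is the input for tightening or widening the Allowed List; the second list should stay empty, and any entry in it is worth treating as a finding rather than a tuning question.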