Configure Credential Caching on RODC Windows Server 2016
By default, branch users' credentials are not cached on an RODC; it forwards logon authentication to a writable DC. This protects credentials from being stolen from the RODC at the branch site, but it has the following drawbacks:
  1. A large number of user authentication requests can saturate the bandwidth of the WAN link
  2. User logon can take longer, especially if the WAN link is already slow
  3. Users cannot authenticate at all if the WAN link or the writable DC is down

You can overcome these problems by configuring the Password Replication Policy (PRP) on the Read-Only DC. With PRP, when a user logs on, the authentication request is sent through the RODC to a writable DC. Once the user is authenticated, the password is replicated to the RODC and cached there. For all subsequent logons the same user is authenticated directly by the RODC, as shown in the figure below.

In a previous article I discussed why and how to deploy an RODC on Windows Server 2016 in an enterprise network. Now I'll demonstrate how to configure a Read-Only DC on Windows Server 2016 to cache branch users' credentials.

Step 1. Open the Active Directory Users and Computers MMC snap-in, expand the domain name and choose Domain Controllers. In the right pane, right-click the read-only domain controller machine and click Properties. Open the Password Replication Policy tab, click Add, choose "Allow passwords for the account to replicate to this RODC" and click OK.

Step 2. Search for and add the user(s) whose credentials you want to cache, and the computer(s) on which those users will log on.

Step 3. Click Apply.

Step 4. Log on to the client machine, log off, and then log on again.

Testing the Configuration

Step 1. While in the Password Replication Policy tab of the RODC's properties in the ADUC MMC snap-in on the writable DC, click Advanced. You should see the user and computer accounts listed.
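The same configuration (Steps 1 to 3 above) and the verification step can be done from PowerShell on the writable DC with the ActiveDirectory module, which is handy when many branch accounts are involved. This is an added example, not code from the original article; the RODC name BR-RODC01, the writable DC HQ-DC01 and the account names branch.user1, branch.user2 and BR-PC01$ are placeholders. It also goes slightly beyond the article by showing how to pre-populate the cache with Sync-ADObject instead of waiting for the first logon, and it prints the Denied list so you can confirm that the Allowed list stays scoped to branch accounts while the built-in Denied RODC Password Replication Group (Domain Admins and other privileged groups) remains in force.

```powershell
# Added example (not from the original article). All names below are placeholders.
Import-Module ActiveDirectory

$Rodc       = 'BR-RODC01'                 # read-only DC at the branch
$WritableDc = 'HQ-DC01'                   # writable DC at head office
$Users      = 'branch.user1', 'branch.user2'
$Computers  = 'BR-PC01$'                  # the workstation(s) those users log on to

# Steps 1-3: allow the branch users AND their workstation to cache on the RODC.
# If the computer account is left out, the machine's own logon still goes
# across the WAN even though the user's password is cached.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList ($Users + $Computers)

# Review the resulting policy. Keep the Allowed side limited to branch
# accounts; privileged accounts should stay on the Denied side, since
# anything cached here can be recovered from the branch box if it is lost.
"== Allowed to cache on $Rodc =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass
"== Denied from caching on $Rodc =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass

# Optional (beyond the article): pre-populate the RODC's cache now, so the
# first branch logon does not have to reach the writable DC over the WAN.
# -PasswordOnly replicates just the secrets; the account must already be on
# the Allowed list or the RODC will refuse to store them.
foreach ($acct in $Users + $Computers) {
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$acct)"
    if ($null -ne $obj) {
        Sync-ADObject -Object $obj -Source $WritableDc -Destination $Rodc -PasswordOnly
    }
}

# Testing step: which accounts actually have passwords stored ("revealed")
# on the RODC, and which have authenticated through it. After Step 4 the
# branch users and workstation should appear in both lists.
"== Passwords stored on $Rodc =="
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
"== Accounts authenticated via $Rodc =="
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

The two Get-ADDomainControllerPasswordReplicationPolicyUsage calls show the same information as the Advanced dialog in ADUC. If an account that logged on at the branch is missing from the revealed list, check the Denied side first: membership in a denied group wins over an explicit Allow. The same lists are available from the command line with `repadmin /prp view BR-RODC01 reveal` and `repadmin /prp view BR-RODC01 auth2`.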