By default, an RODC does not cache branch users’ credentials; it forwards every logon authentication to a writable DC. This protects credentials from being stolen from an RODC at the branch site, but it has the following drawbacks:
- When there are many user authentication requests, they can saturate the bandwidth of the WAN link
- Users’ logon process takes longer, especially if the WAN link is already slow
- Users cannot authenticate at all if the WAN link or the writable DC is down
You can overcome these problems by configuring a Password Replication Policy (PRP) on the Read-Only DC. With a PRP in place, when a user logs on, the authentication request is forwarded through the RODC to a writable DC. Once the user is authenticated, the user’s password is replicated to the RODC and cached there. All subsequent logons for that user are then authenticated directly by the RODC, as shown in the figure below.
In a previous article, I discussed why and how to deploy an RODC on Windows Server 2016 in an enterprise network. Now I’ll demonstrate how to configure a Read-Only DC on Windows Server 2016 to cache branch users’ credentials.
Step 1. Open the Active Directory Users and Computers (ADUC) MMC snap-in, expand the domain and select Domain Controllers. In the right pane, right-click the read-only domain controller computer object and click Properties. Open the Password Replication Policy tab, click Add, choose Allow passwords for the account to replicate to this RODC, and click OK.
Step 2. Search for and add the user(s) whose credentials you want to cache, together with the computer account(s) of the machines those users will log on to.
Step 3. Click Apply.
Step 4. Log on to the client machine, log off, and then log on again. The first logon is authenticated by the writable DC and causes the password to be cached on the RODC.
Step 1. Back in the Password Replication Policy tab of the RODC’s properties, in the ADUC MMC snap-in on the writable DC, click Advanced. You should see the user and computer accounts listed.
Step 2. Now shut down the writable DC; you should still be able to log on through the RODC without receiving the “no logon servers available” error.
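The same configuration and verification can be scripted with the ActiveDirectory PowerShell module, which is convenient when several branch RODCs have to be set up consistently. The script below is an added example and is not from the original article; the RODC name BR-RODC01, the writable DC HQ-DC01, the group Branch-Users, the user branch.user1 and the workstation BR-WS01 are assumed names. The cmdlets themselves (Add-ADDomainControllerPasswordReplicationPolicy, Get-ADDomainControllerPasswordReplicationPolicy, Sync-ADObject, Get-ADDomainControllerPasswordReplicationPolicyUsage) are standard parts of the module.

```powershell
# Added example (not the article's own steps): configure and verify an RODC
# Password Replication Policy. Assumed names: RODC "BR-RODC01", writable DC
# "HQ-DC01", group "Branch-Users", user "branch.user1", workstation "BR-WS01".
Import-Module ActiveDirectory

$rodc       = 'BR-RODC01'
$writableDc = 'HQ-DC01'

# Steps 1-3: allow a branch group and the branch workstation's computer account.
# Using a group keeps the allow list small and reviewable instead of one entry
# per user; the computer account must be cached too, or the workstation itself
# cannot authenticate when the WAN link is down.
$branchGroup = Get-ADGroup    -Identity 'Branch-Users'
$branchWs    = Get-ADComputer -Identity 'BR-WS01'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList $branchGroup, $branchWs

# Review the resulting allow and deny lists. Deny entries win over allow
# entries, and the default Denied RODC Password Replication Group already
# contains Domain Admins, Enterprise Admins and similar accounts, so
# privileged credentials are never cached on the branch RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass

# Optional alternative to Step 4: prepopulate the password cache from the
# writable DC now, so the first branch logon works even if the WAN link is
# already down by then.
$user = Get-ADUser -Identity 'branch.user1'
Sync-ADObject -Object $user     -Source $writableDc -Destination $rodc -PasswordOnly
Sync-ADObject -Object $branchWs -Source $writableDc -Destination $rodc -PasswordOnly

# Verification (the same data the Advanced button in ADUC shows): accounts
# whose passwords are stored on the RODC, and accounts that have authenticated
# through it. Reviewing the revealed list periodically shows exactly which
# credentials would be exposed if the branch RODC were compromised.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

Run the script from a management host or the writable DC with an account that is allowed to edit the RODC's policy; Sync-ADObject -PasswordOnly needs the writable DC reachable, which is why it belongs in the initial deployment rather than in a WAN-outage recovery plan. The trade-off described at the top of the article still applies: every account in the revealed list is a credential stored at the branch, so keep the allow list to the users and workstations that actually work at that site.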