본문 바로가기
Microsoft/Windows Server 2008

Administering the Password Replication Policy

장성한군사 2008. 7. 22. 17:30

Administering the Password Replication Policy

Updated: June 13, 2008

This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs).

Viewing the PRP

You can view the PRP in a graphical user interface (GUI) by using the Active Directory Users and Computers snap-in or in a Command Prompt window by using the Repadmin tool. The following procedures describe how to view the PRP.

Note:

You can perform the following procedures on any Windows Server 2008 domain controller or any computer in the forest or a trusted forest that has the Active Directory Domain Controller Tools from the Remote Server Administration Tools (RSAT) installed. For more information about RSAT, see RODC Administration .

Any domain user can view the PRP.

Note:

If you are managing an Active Directory domain from a different forest, security identifier (SID) filter quarantining must be configured to allow for external administrative authentication, which may not be desirable from a security standpoint. In addition, if selective authentication is enabled, the domain controller that is targeted for management must be allowed for authentication.

To view the PRP using Active Directory Users and Computers

1.

Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.

2.

Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain.

3.

Expand Domain Controllers, right-click the RODC account object for which you want to modify the PRP, and then click Properties.

4.

Click the Password Replication Policy tab. An example is shown in the following illustration.

Password Replication Policy RODC
RODC PRP

To view the PRP using Repadmin

1.

Open a Command Prompt window. To open a Command Prompt window, click Start, point to All Programs, click Accessories, and then click Command Prompt.

2.

To view the accounts that are configured in the PRP, use the command repadmin /prp view <hostname> allow|deny. Substitute the actual host name or fully qualified domain name (FQDN) of the appropriate RODC for hostname in the command, and then type either allow or deny to the see the accounts that are allowed or not allowed to have their passwords cached on the RODC, respectively. The following examples show how to view the accounts that are configured in the PRP that applies to an RODC with host name RODC2 in the domain hq.cpandl.com:

1.

To view the accounts that are allowed to have their passwords cached on the RODC, type repadmin /prp view rodc2.hq.cpandl.com allow, and then press ENTER.

2.

To view the accounts that are denied from having their passwords cached on the RODC (also known as the Deny list), type repadmin /prp view rodc2.hq.cpandl.com deny, and then press ENTER.

Note:

For more information, see Repadmin /prp (http://go.microsoft.com/fwlink/?LinkId=120184 ).

Reviewing the accounts that are authenticated to an RODC

You should periodically review the accounts that have been authenticated to an RODC. This information can help you plan updates that you intend to make to the existing PRP. For example, you may want to review which user and computer accounts have authenticated to an RODC so that you can add those accounts to the Allowed List.

Important:

You will probably see more accounts in the Accounts that have been authenticated to this Read-only Domain Controller list than will have passwords cached. Although you may see accounts of writeable domain controllers or members of the Domain Admins group in the list of authenticated accounts, it does not necessarily indicate that those accounts authenticated to the domain through the RODC. Instead, it means that the RODC in one way or another verified the credentials of those accounts. All default administrative accounts and domain controllers are denied explicitly or through their membership from having their passwords cached. If there are additional accounts that you want to make sure are not cached, include them in the Deny list or make them members of the Denied RODC Password Replication Group. The Deny list comprises of the accounts that are specifically denied in the PRP from caching their credentials on the RODC.

Caution:

When you view and access the PRP through Active Directory Users and Computers, be sure to target the console to a Windows Server 2008 writeable domain controller. Changes and tracking information are updated first on the writeable domain controller and then replicated to the RODC.

Any domain user can view accounts that have authenticated to the RODC.

To view authenticated accounts using Active Directory Users and Computers

1.

Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.

2.

Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively.

3.

Click Domain Controllers.

4.

In the details pane, right-click the RODC computer account, and then click Properties.

5.

Click the Password Replication Policy tab.

6.

Click Advanced.

7.

In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller, as shown in the following illustration.

Advanced Password Replication Policy for RODC
Accounts that are authenticated to the RODC

To view the authenticated accounts using Repadmin

1.

Open a Command Prompt window. To open a Command Prompt window, click Start, point to All Programs, click Accessories, and then click Command Prompt.

2.

Run the command repadmin /prp view <hostname> auth2. Substitute the actual host name of the RODC that you want to query. For example, if you want to review the list of authenticated accounts for RODC2 in the hq.cpandl.com domain, type repadmin /prp view rodc2.hq.cpandl.com auth2, and then press ENTER.

Clearing the authenticated accounts list

In addition to reviewing the list of authenticated users, you may decide to periodically clean up the list of accounts that are authenticated to the RODC. Cleaning up this list may help you more easily determine the new accounts that have authenticated through the RODC.

Membership in the Domain Admins group of the domain in which the RODC is a member, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477 .

To clear the authenticated accounts list

1.

Open an elevated Command Prompt window using the credentials of a Domain Admin. To do this, click Start. In Start Search, type runas /user:<domainName>\<domainAdminAccountUser> cmd, and then press ENTER. Replace <domainName> with the domain name, and replace <domainAdminUser> with the name of a user account that is a member of the Domain Admins group in that domain.

2.

To clear all entries from the list, run the command repadmin /prp delete <hostname> auth2 /all. Substitute the actual host name of the RODC that you want to clear. For example, if you want to clear the list of authenticated accounts for RODC2, type repadmin /prp delete rodc2 auth2 /all, and then press ENTER.

Configuring the PRP

You can configure the PRP in the GUI by using the Active Directory Users and Computers snap-in or from a Command Prompt window by using the repadmin command. You can use the following procedures to configure the PRP.

Important:

Although there is a default security group named Allowed RODC Password Replication Group, by default this group grants its members the ability to cache passwords on any RODC in the domain. As a security best practice, you should create separate security groups for each RODC to allow the caching of passwords on only that RODC and then prepopulate the groups with the appropriate accounts.

Membership in the Domain Admins group of the domain in which the RODC is a member, or equivalent, is the minimum required to configure the PRP for an RODC.

To configure the PRP using Active Directory Users and Computers

1.

Open Active Directory Users and Computers as a member of the Domain Admins group. To open Active Directory Users and Computers as a member the of Domain Admins group, click Start. In Start Search, type runas /user:<domain>\<username>, and then press ENTER. Substitute the actual domain name for <domain>, and type the name of a user account that is a member of the Domain Admins group for <username>. Enter the account password when you are prompted. Type dsa.msc, and then press ENTER. Close the Command Prompt window.

Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively.

2.

Click Domain Controllers, and in the details pane, right-click the RODC computer account, and then click Properties.

3.

Click the Password Replication Policy tab.

4.

The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed List and the Deny list on the RODC. To add other groups that should be included in either the Allow list or the Deny list, click Add.

1.

To add other accounts that will have credentials cached on the RODC, click Allow passwords for the account to replicate to this RODC.

2.

To add other accounts that are not allowed to have credentials cached on the RODC, click Deny passwords for the account from replicating to this RODC.

Note:

Accounts that are denied from caching credentials on the RODC can still use the RODC for domain logon, but the RODC will contact another domain controller to verify the account logon credentials and it will not cache those credentials for subsequent logons.

5.

Click OK.

6.

In the Select Users, Computers, or Groups dialog box, under Enter the object names to select, type the account name that you want to add, click Check Names to resolve the account name, and then click OK. You can enter multiple account names at the same time by separating them with a semicolon.

Note:

You may experience some latency between authorizing a user to cache their password and the user actually being allowed to cache the password. You can reduce the latency by purging the Kerberos ticket cache on the domain controller that you are modifying. To purge the ticket cache, run the command klist -li 3e7 purge from an elevated command prompt on the writeable domain controller. However, running this command will purge all Kerberos tickets that are issued to the local system and may temporarily interrupt other services that are running on the writeable domain controller.

To configure the PRP using Repadmin

1.

Open an elevated Command Prompt window using the credentials of a Domain Admin. To open an elevated Command Prompt window using the credentials of a Domain Admin, click Start. In Start Search, type runas /user:<domainName>\<domainAdminAccountUser> cmd, and then press ENTER. Replace <domainName> with the domain name, and replace <domainAdminUser> with the name of a user account that is a member of the Domain Admins group in that domain.

2.

Run the command repadmin /prp add|delete <hostname> allow|deny <AccountLdapPath>. Replace <hostname> with the actual host name of the applicable RODC, and then type the Lightweight Directory Access Protocol (LDAP) path to the account that you want to include for <AccountLdapPath>. For example, if you want to configure an account named RODC2users from a top-level organizational unit (OU) named West in the domain hq.cpandl.com to the PRP for the RODC computer with a hostname of RODC2, use one of the following commands:

Note:

To find the LDAP distinguished name of a directory object from the command line, you can use the dsquery command. For example, if you want to find the distinguished name of a group that has “RODC” as part of its name from a computer in the local domain, you can run the command dsquery group –name *RODC*. The asterisks around “RODC” indicate that any number of characters can come before or after the letters RODC. If instead you want to find the distinguished name of a computer or user, substitute either the word computer or the word user (respectively) for the word group in the command. For more information about dsquery command syntax, see Dsquery (http://go.microsoft.com/fwlink/?LinkId=120196 ).

1.

To allow the account RODC2users to be cached on RODC2, run the command repadmin /prp add rodc2.hq.cpandl.com allow cn=RODC2users,ou=west,dc=hq,dc=cpandl,dc=com.

2.

To remove the account from the Allowed List, run the command repadmin /prp delete rodc2.hq.cpandl.com allow cn=RODC2users,ou=west,dc=hq,dc=cpandl,dc=com.

3.

To prevent the account from being cached, run the command repadmin /prp add rodc2.hq.cpandl.com deny cn= RODC2users,ou=west,dc=hq,dc=cpandl,dc=com.

4.

To remove the account from the Deny list, run the command repadmin /prp delete rodc2.hq.cpandl.com deny cn=RODC2users,ou=west,dc=hq,dc=cpandl,dc=com.

Moving accounts from the Auth2 list to the Allow list

The Repadmin tool has one capability that the Active Directory Users and Computers snap-in does not have when it comes to allowing accounts to cache passwords. You can use a single repadmin command to create a security group that allows members to cache passwords and prepopulate that group with accounts from the list of accounts that were authenticated by the RODC (also known as the Auth2 list). If you have already created a security group that is used to allow accounts to cache their passwords, you can specify that group as the group to which the accounts will be added. If you have not created a security group, a new group will be created for that purpose in the default Users container of the domain in which the RODC is a member. You can use the following procedure to use the repadmin /prp move command to move accounts from the Auth2 to the Allow list. The Allow list comprises the accounts that have been given the Allow permission in the PRP to cache their credentials on the RODC.

Note:

When you use the repadmin /prp move command to copy accounts from the Auth2 list to the Allow list on the RODC, all accounts in the Auth2 list are moved (you cannot select individual accounts). The Allow list is the list of accounts that are specifically granted Allow permissions to cache their credentials on the RODC. Accounts that are specifically denied (either directly or through group membership) from having their passwords cached will not be copied from the Auth2 list to the Allow list.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477 .

To move accounts from the Auth2 list to the Allow list using Repadmin

1.

Open an elevated Command Prompt window using the credentials of a Domain Admin. To open an elevated Command Prompt window using the credentials of a Domain Admin, click Start. In Start Search, type runas /user: <domainName>\<domainAdminAccountUser> cmd, and then press ENTER. Replace <domainName> with the domain name, and replace <domainAdminUser> with the name of a user account that is a member of the Domain Admins group in that domain.

2.

Run the command repadmin /prp move<hostname> <GroupName>. Substitute the actual name of the RODC for <hostname> and the actual name of the security group for <GroupName>. If you do not want to clear the list of accounts that have authenticated to the RODC, include the /noauth2cleanup command. You can also specify that only user accounts or only computer accounts be transferred by using the /users_only or /comps_only parameters, respectively.

For example, to move the current list of only the users from RODC2 to the Allowed Lit, type Repadmin /prp move rodc2 /users_only.

Note:

You cannot selectively move entries from the Auth2 list to the Allow list using the repadmin /prp move command. However, when you have created an appropriate group, you can use Active Directory Users and Computers, Dsadd, and similar tools to add users or computers to that group.

Reviewing PRP resultant policy

You can use the Resultant Policy tab in the Advanced Password Replication Policy dialog box for an RODC to determine whether certain accounts are allowed to cache their passwords or not. This can be useful if you want to make sure that certain accounts, which should be able to authenticate by using an RODC when a connection to a writeable domain controller is not available, are cacheable on the RODC. You can also use this feature to make sure that sensitive accounts, which should not be cached on the RODC, are not cacheable.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477 .

To determine whether an account is allowed to cache its password

1.

Open Active Directory Users and Computers as a member of Domain Admins. To Open Active Directory Users and Computers as a member of Domain Admins, click Start. In Start Search, type runas /user:<domain>\<username>, and then press ENTER. Substitute the actual domain name for <domain>, and then type the name of a user account that is a member of the Domain Admins group for <username>. Type the account password when you are prompted. Type dsa.msc, and then press ENTER. Close the Command Prompt window.

2.

Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain..

3.

Click Domain Controllers.

4.

In the details pane, right-click the RODC computer account, and then click Properties.

5.

Click the Password Replication Policy tab.

6.

Click Advanced.

7.

Click the Resultant Policy tab.

8.

Click Add.

9.

In the Select Users or Computers dialog box, under Enter the object names to select, type the account name that you want to add, click Check Names to resolve the account name, and then click OK. To enter multiple account names at the same time, separate the account names with semicolons.

Reviewing accounts with cached passwords on the RODC

In addition to periodically reviewing the accounts that have been authenticated to the RODC, you should also check the accounts that have passwords cached on the RODC. Verify that only the appropriate account passwords are cached. You can use Active Directory Users and Computer or Repadmin to perform this task.

Important:

When a network connection to a writeable domain controller is not available, a user is able to log on through an RODC only if the passwords of both the user account and the computer account (of the workstation that the user is accessing) are cached on the RODC.

Any domain user can view the accounts with cached passwords.

Note:

If you find an account with a cached password that should not be in the list, ensure that the account is added to the Deny list and then change the account’s password. You may also want to further investigate the situation to determine whether additional security issues occurred.

To view accounts that have cached passwords on an RODC using Active Directory Users and Computers

1.

Open Active Directory Users and Computers. To Open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.

2.

Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain..

3.

Click Domain Controllers.

4.

In the details pane, right-click the RODC computer account, and then click Properties.

5.

Click the Password Replication Policy tab.

6.

Click Advanced.

7.

In the drop-down list, click Accounts whose passwords are stored on this Read-only Domain Controller, as shown in the following illustration.

RODC cached accounts
Accounts that are cached on the RODC

To view accounts with cached passwords on an RODC using Repadmin

1.

Open a Command Prompt window. To open a Command Prompt window, click Start, point to All Programs, click Accessories, and then click Command Prompt.

2.

Run the command repadmin /prp view <hostname> reveal. Insert the actual host name of the RODC for <hostname>. For example, to see the accounts with cached passwords on an RODC with the host name RODC2 in the domain contoso.com, type repadmin /prp view rodc2.contoso.com reveal.

Important:

If you have a large number of accounts cached, the repadmin /prp view <hostname> reveal command might return only a subset of the accounts. For more information, see Repadmin /PRP might return only a subset of accounts .

Prepopulating the password cache for an RODC

You can prepopulate the password cache for an RODC with the passwords of user and computer accounts that you plan to authenticate to the RODC. To prepopulate the password cache of the RODC is to submit entries into the password cache by using the Prepopulate button, as opposed to waiting for the password cache to be populated automatically as users log on. When you prepopulate the RODC password cache, the RODC replicates and caches the passwords for users and computers before their accounts attempt to log on to the computers that are authenticated by the RODC.

Prepopulating the password cache helps ensure that a user can log on to the network using the RODC, even when a link to a writeable domain controller is not available. For example, suppose that a user who used to work in a data center transfers to a branch office with his computer. The RODC contacts the writable domain controller in the data center. If the PRP allows it, the RODC caches the password. However, if the wide area network (WAN) link is offline when the user attempts to log on, the logon attempt fails because the RODC has not cached the password for the account.

To avoid this problem, you can prepopulate the password cache of the RODC in the branch office with the password of the user and his computer. This makes it unnecessary for the RODC to replicate the password from the writeable Windows Server 2008 domain controller over the WAN link.

In addition, prepopulating the password cache is a good idea if you build an RODC in a central location—for example, in a data center—before you transport the RODC to the branch office. When you prepopulate the password cache with the users and computers who will log on in the branch office, the RODC can authenticate those accounts without contacting a writeable Windows Server 2008 domain controller over the WAN link.

You can prepopulate the password cache for an RODC by using the Active Directory Users and Computers snap-in or by using the Repadmin command-line tool.

Note:

You can prepopulate the cache only for accounts that the PRP allows to be cached. If you try to prepopulate a password of an account that the PRP does not allow to be cached, the operation fails. Also, there can be latency between the RODC and the writeable domain controller after PRP permission changes are implemented. If you recently allowed an account permission to cache its password on an RODC, you may not immediately be able to prepopulate the password cache. You can reduce the latency by purging the Kerberos ticket cache on the domain controller that you are modifying. To purge the ticket cache, run the command klist -li 3e7 purge from an elevated Command Prompt on the writeable domain controller. However, running this command will purge all Kerberos tickets that are issued to the local system and may temporarily interrupt other services that are running on the writeable domain controller.

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477 .

To prepopulate the password cache for an RODC by using Active Directory Users and Computers

1.

Open Active Directory Users and Computers as a member of Domain Admins. To open Active Directory Users and Computers as a member of Domain Admins, click Start. In Start Search, type runas /user:<domain>\<username>, and then press ENTER. Substitute the actual domain name for <domain>, and type the name of a user account that is a member of the Domain Admins group for <username>. Type the account password when you are prompted. Type dsa.msc, and then press ENTER. Close the Command Prompt window.

2.

Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively..

3.

Click Domain Controllers.

4.

Click Domain Controllers.

5.

In the details pane, right-click the RODC computer account, and then click Properties.

6.

Click the Password Replication Policy tab.

7.

Click Advanced.

8.

Click Prepopulate Passwords.

9.

Type the name of the accounts whose passwords you want to prepopulate in the cache for the RODC, and then click OK.

10.

When you are asked if you want to send the passwords for the accounts to the RODC, click Yes.

To prepopulate the password cache for an RODC by using Repadmin

1.

Open an elevated Command Prompt window using the credentials of a Domain Admin. To open an elevated Command Prompt window using the credentials of a Domain Admin, click Start. In Start Search, type runas /user: <domainName>\<domainAdminAccountUser> cmd, and then press ENTER. Replace <domainName> with the domain name, and replace <domainAdminUser> with the name of a user account that is a member of the Domain Admins group in that domain.

2.

Run the command

Repadmin /rodcpwdrepl <hostnameRODC> <hostnameWDC> <User1LdapPath> <Computer1LdapPath> <User2LdapPath> <Computer2LdapPath>, where:

1.

<hostnameRODC> is the host name or fully qualified domain name (FQDN) of the target RODC’s password cache that you want to prepopulate. If you are running the command from outside the target domain, use the FQDN.

2.

<User1LdapPath> is the LDAP distinguished name of the first user account password that you want to prepopulate.

3.

<Computer1LdapPath> is the LDAP distinguished name of the first computer account password that you want to populate. You must add the computer accounts of the users or they will not be able to log on.

4.

<User2LdapPath> is the LDAP distinguished name of the second user account password that you want to populate.

5.

<Computer2LdapPath> is the LDAP distinguished name of the second computer account password that you want to prepopulate. You must add the computer accounts of the users or they will not be able to log on.

6.

<hostnameWDC> is the host name or FQDN of the writable Windows Server 2008 domain controller that is the replication partner of the RODC. If you are running the command from outside the target domain, use the FQDN.

For example, assume that you want to prepopulate the password cache for an RODC named RODC2 in the domain hq.cpandl.com. You want to use the writeable domain controller named WS2008A to transfer the passwords for a user account for Mike Danseglio (MikeDan) and his computer named MDVista1. The MikeDan account is in a top-level organizational unit (OU) named B1Users, and the MDVista1 account is in the default Computers container. To accomplish all this, run the following command:

repadmin /rodcpwdrepl rodc2.hq.cpandl.com ws2008a.hq.cpandl.com “cn=mikedan,ou=b1users, dc=hq,dc=cpandl,DC=com” cn=mdvista1,cn=Computers,dc=hq,dc=cpandl,dc=com

'Microsoft/Windows Server 2008' Related Articles

티스토리툴바