How much of a threat is password caching if an RODC is stolen?
by Zubair Alexander
8/13/2008 -- I understand that the Read Only Domain Controller (RODC) in Windows Server 2008 caches passwords for users. How much of a threat is this caching if an RODC is stolen?
Answer:
In Windows Server 2008, the RODC is a type of Domain Controller that only hosts a read-only partition of the Active Directory Domain Services (AD DS) database. You must have at least one writable copy of a Windows Server 2008 and the functional levels of domain and forest must be at least Windows Server 2003 or higher before you can deploy an RODC in your domain.
RODCs are meant to be deployed in remote offices where physical security might not be that great for you to place a writable DC but you need a reliable authentication for your users. Because RODC only replicate in one direction (from writable DCs to themselves), you can't make changes to the RODC and replicate them to other writable DCs in your organization. With the exception of account passwords, an RODC contains all the objects that other writable DCs have. An RODC can also contain a read-only copy of the DNS database.
The caching of passwords that you referred to is known as "credential caching." With the exception of RODC's computer account and a special krbtgt account that exists on all RODCs, by default RODCs do not store user or computer credentials. If you want to allow credential caching, you will have to specifically allow it on RODCs. Because credential caching can be limited to users who have authenticated to an RODC, you are limiting the exposure in case of a compromise. Typically, only a small subset of users in a branch office or remote location will have their credentials cached by an RODC. The password hashes are stored in the ntds.dit file (not in memory). If the RODC is stolen, these credentials can definitely be compromised. However, the entire AD database will not be at risk because user or computer credentials of all the other accounts in the organization will not be cached on the RODC
As an administrator you can configure the default Password Replication Policy to disallow users' credentials from caching on an RODC. This will offer you a more secure environment because the users' authentication requests will be sent to a writable DC.
Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide range of spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at .
There are 5 user Comments for “Credential Caching on a Read-Only DC”
Page 1 of 1
8/14/08: Pete from South Australia says:
And more importantly, administrator credentials are not cached. Tools exist for checking what credentials have been cached on the RODC and for resetting those passwords in the event of a breach from HQ.
6/20/13: dacdefqggz says:
If you are looking to really make your skin look it�s absolute best, you should use this foaming facial cleanser in addition to a full line of Obagi skin care products. Not only because the items add beauty to their overall getup but most especially because items for women are usually a combination of form and function. http://lvbags0620a.weebly.com/ http://lvbags0620b.weebly.com/ http://chanelbags0502a5.blogspot.com/2013/06/new-features-in-golf-stand-bag.html http://lvbags0606a7.blogspot.com/2013/06/enjoy-versatility-of-bean-bags-in-your.html http://chanelbags0602c2.blogspot.com/2013/06/green-tea-production-crafts-bamboo-can.html http://chanelbags0602b4.blogspot.com/2013/06/the-secrets-of-bed-in-bag-revealed.html http://www.bulkping.com/rss-feed-generator-creator/feed/9889120a257828d2f2d92fa62ea75870.xml http://www.bulkping.com/rss-feed-generator-creator/feed/4f58e4ea2db956c91a2126c2a2d0dd64.xml The most important factor that you need to consider here is what you are going to use your hand bag for. You get bettr deals, less work, and a more enjoyable eBay experience. http://chanelbags0602b1.blogspot.com/2013/06/injury-air-bag-lawyer-california.html http://lvbags0606b4.blogspot.com/2013/06/pc-gamers-have-to-stop-accepting-second.html http://lvbags0516a5.blogspot.com/2013/06/fashion-tote-bags-dream-of-every-trendy.html http://chanelbags0602b5.blogspot.com/2013/06/should-you-buy-bagless-vacuum-cleaner.html Further, with a bed in a bag, putting together a room is inexpensive. Lost in an ocean of handbags? madeinchina. http://21337506.blog.hexun.com/86209776_d.html http://21635439.blog.hexun.com/86209797_d.html http://21757934.blog.hexun.com/86209905_d.html http://21642573.blog.hexun.com/86209840_d.html http://21337506.blog.hexun.com/86209766_d.html If we had to name a winner when it comes to this year�s purse models, it would be the Dior line. It might just be a unimportant stitchhing failing, or a minor cut fault.
Some acquaintance medication I there existsed particularly this blog. He aide for the reason that on your own enough. This post is generally launched some helpless. Your own loved ones cann't adopt basic modes much time I chosen covered it also info! Bless you actually! air jordan shoes http://www.jordanssneakersmall.com/
I'm though to educate yourself you against experts, as I'm attempting to scale so that you can my target. I sure a relationship reading a host of an is almost certainly without using speculate prepared inside of your website.Maintain your stories entrance. I appreciated so that! Air Jordan 9 http://www.2013jordans13.com/air-jordan-9-c-9.html
Home | Microsoft® | Cisco® | Oracle® | A+/Network+" | Linux/Unix | MOS | Security | List of Certs Advertise | Contact Us | Contributors | Features | Forums | News | Pop Quiz | Tips | Press Releases | RSS Feeds Search | Site Map | Redmond Media Group | TechMentor Conferences | Tech Library Webcasts This Web site is not sponsored by, endorsed by or affiliated with Cisco Systems, Inc., Microsoft Corp., Oracle Corp., The Computing Technology Industry Association, Linus Torvolds, or any other certification or technology vendor. CiscoÆ and Cisco SystemsÆ are registered trademarks of Cisco Systems, Inc. Microsoft, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corp. OracleÆ is a registered trademark of Oracle Corp. A+Æ, i-Net+T, Network+T, and Server+T are trademarks and registered trademarks of The Computing Technology Industry Association. (CompTIA). LinuxT is a registered trademark of Linus Torvalds. All other trademarks belong to their respective owners.
Reprints allowed with written permission from the publisher. For more information, e-mail
Application Development Trends | Campus Technology | CertCities.com | The Data Warehousing Institute
E-Gov | EduHound | ENTmag.com | Enterprise Systems | Federal Computer Week | FTPOnline.com | Government Health IT
IT Compliance Institute | MCPmag.com | Recharger | Redmond Developer News | Redmond | Redmond Events | Redmond Channel Partner | Redmond Report
TCPmag.com | T.H.E. Journal | Virtualization Review | Visual Studio Magazine | VSLive!
Copyright 1996-2009 1105 Media, Inc. See our Privacy Policy.