Administering Credentials Caching on an RODC
When you click the Advanced button on the Password Replication Policy tab, shown in Figure 5-14, the Advanced Password Replication Policy dialog box shown in Figure 5-15 appears.
The drop-down list at the top of the Policy Usage tab enables you to select one of the following RODC reports:
- Accounts Whose Passwords Are Stored On This Read-Only Domain Controller: This report displays the list of user and computer credentials currently cached on the RODC. You can use this list to determine whether credentials that you do not want cached on the RODC are being cached, and modify the PRP accordingly.
- Accounts That Have Been Authenticated To This Read-Only Domain Controller: This report displays the list of user and computer credentials that have been referred to a writable domain controller for authentication or service ticket processing. You can use this list to identify users or computers that are attempting to authenticate with the RODC. If any of these accounts are not being cached and you want them to be, add them to the PRP.
FIGURE 5-15 The Advanced Password Replication Policy dialog box.
The Resultant Policy tab of the Advanced Password Replication Policy dialog box enables you to evaluate the effective caching policy for an individual user or computer. Click Add to select a user or computer account for evaluation.
You can also use the Advanced Password Replication Policy dialog box to prepopulate credentials in the RODC cache. If a user or computer is on an RODC Allowed list, the account credentials can be cached on the RODC, but not until an authentication or service ticket event causes the RODC to replicate the credentials from a writable domain controller. By prepopulating credentials in the RODC cache for the users and computers in the branch office, you can ensure that authentication and service ticket activity is processed locally by the RODC even when the user or computer is authenticating for the first time. To prepopulate credentials, click Prepopulate Passwords and select the appropriate users and computers. Typically, you would do this if a new employee is starting work at a branch office (or if you know that a senior manager is visiting a branch office and will want to log on).
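The two reports, the Resultant Policy check and the prepopulation step described above can also be run from PowerShell with the ActiveDirectory module and repadmin. This is an added example, not from the book; the RODC name BRANCH-RODC01, the writable DC HQ-DC01 and the new-hire account names are assumptions for illustration.

```powershell
# Added example: audit RODC credential caching and prepopulate new branch-office accounts.
# Assumed names: BRANCH-RODC01 (the RODC), HQ-DC01 (a writable DC) and two constructed user accounts.
Import-Module ActiveDirectory

$Rodc     = 'BRANCH-RODC01'
$SourceDc = 'HQ-DC01'
$NewHires = @('jdoe', 'asmith')   # constructed sample: employees starting at the branch office

# Report 1: accounts whose passwords are currently stored (cached) on the RODC
$Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# Report 2: accounts that authenticated through the RODC and were referred to a writable DC
$Authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts

# Check 1: a privileged credential cached on a branch RODC is something to review in the PRP.
$PrivilegedDns = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).DistinguishedName
$Revealed |
    Where-Object { $PrivilegedDns -contains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "Privileged credential cached on ${Rodc}: $($_.SamAccountName)" }

# Check 2: accounts that authenticate via the RODC but are not cached; candidates for the Allowed list.
$Uncached = $Authenticated | Where-Object { $_.DistinguishedName -notin $Revealed.DistinguishedName }
$Uncached | Select-Object SamAccountName, ObjectClass | Format-Table -AutoSize

# Resultant policy for a single account: the scripted equivalent of the Resultant Policy tab.
foreach ($User in $NewHires) {
    $Result = Get-ADAccountResultantPasswordReplicationPolicy -Identity $User -DomainController $Rodc
    Write-Host "$User on ${Rodc}: $Result"
}

# Prepopulate: the RODC can only cache an account whose resultant policy is Allow, so add it to the
# Allowed list if needed, then replicate the secret from the writable DC with repadmin /rodcpwdrepl
# (the ActiveDirectory module has no cmdlet for this step; repadmin expects distinguished names).
foreach ($User in $NewHires) {
    $Policy = Get-ADAccountResultantPasswordReplicationPolicy -Identity $User -DomainController $Rodc
    if ($Policy -ne 'Allow') {
        Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $User
    }
    $Dn = (Get-ADUser -Identity $User).DistinguishedName
    repadmin /rodcpwdrepl $Rodc $SourceDc $Dn
}
```

Run this from a management workstation or writable DC with an account that is permitted to modify the RODC's PRP; the prepopulated secret can be confirmed afterwards by re-running the first report.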