CertCities.com | Column: Credential Caching on a Read-Only DC

CertCities.com -- The Ultimate Site for Certified IT Professionals

Microsoft®

Advanced Search

Free Newsletter

Sign-up for the #1 Weekly IT
Certification News
and Advice.

See What's New on
Redmondmag.com!

• Cover Story: IE8: Behind the 8 Ball

• Tech-Ed: Let's (Third) Party!

• A Secure Leap into the Cloud

• Windows Mobile's New Moves

• SQL Speed Secrets

Let us know what you
think! E-mail us at:
ccfeedback@certcities.com

Home

Editorial

Columns

Column Story

Friday: July 30, 2010

Participate in a
Web Seminar
and you could win
a FREE iPod nano!

TECH LIBRARY
WEBCASTS

Zubair Alexander

Credential Caching on a Read-Only DC

How much of a threat is password caching if an RODC is stolen?

by Zubair Alexander

8/13/2008 -- I understand that the Read Only Domain Controller (RODC) in Windows Server 2008 caches passwords for users. How much of a threat is this caching if an RODC is stolen?

Answer:
In Windows Server 2008, the RODC is a type of Domain Controller that only hosts a read-only partition of the Active Directory Domain Services (AD DS) database. You must have at least one writable copy of a Windows Server 2008 and the functional levels of domain and forest must be at least Windows Server 2003 or higher before you can deploy an RODC in your domain.

RODCs are meant to be deployed in remote offices where physical security might not be that great for you to place a writable DC but you need a reliable authentication for your users. Because RODC only replicate in one direction (from writable DCs to themselves), you can't make changes to the RODC and replicate them to other writable DCs in your organization. With the exception of account passwords, an RODC contains all the objects that other writable DCs have. An RODC can also contain a read-only copy of the DNS database.

The caching of passwords that you referred to is known as "credential caching." With the exception of RODC's computer account and a special krbtgt account that exists on all RODCs, by default RODCs do not store user or computer credentials. If you want to allow credential caching, you will have to specifically allow it on RODCs. Because credential caching can be limited to users who have authenticated to an RODC, you are limiting the exposure in case of a compromise. Typically, only a small subset of users in a branch office or remote location will have their credentials cached by an RODC. The password hashes are stored in the ntds.dit file (not in memory). If the RODC is stolen, these credentials can definitely be compromised. However, the entire AD database will not be at risk because user or computer credentials of all the other accounts in the organization will not be cached on the RODC

As an administrator you can configure the default Password Replication Policy to disallow users' credentials from caching on an RODC. This will offer you a more secure environment because the users' authentication requests will be sent to a writable DC.

Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide range of spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at alexander@techgalaxy.net.

More articles by Zubair Alexander:
FrontPage Server Extensions on 64-bit Windows Server 2008

Synching Outlook 2007 Contacts with SharePoint

Saving SharePoint Files to the Server

Moving, Deleting a File That's Always in Use

-- advertisement --

There is 1 user Comments for “Credential Caching on a Read-Only DC”
Page 1 of 1
8/14/08: Pete from South Australia says: And more importantly, administrator credentials are not cached. Tools exist for checking what credentials have been cached on the RODC and for resetting those passwords in the event of a breach from HQ.

Your comment about: “Credential Caching on a Read-Only DC”

Name: (optional)
Location: (optional)
E-mail Address: (optional)

Comment:

top

Sponsored Links

Search | Site Map | Redmond Media Group | TechMentor Conferences | Tech Library Webcasts
This Web site is not sponsored by, endorsed by or affiliated with Cisco Systems, Inc., Microsoft Corp., Oracle Corp., The Computing Technology Industry Association, Linus Torvolds, or any other certification or technology vendor. Cisco® and Cisco Systems® are registered trademarks of Cisco Systems, Inc. Microsoft, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corp. Oracle® is a registered trademark of Oracle Corp. A+®, i-Net+T, Network+T, and Server+T are trademarks and registered trademarks of The Computing Technology Industry Association. (CompTIA). LinuxT is a registered trademark of Linus Torvalds. All other trademarks belong to their respective owners.

Reprints allowed with written permission from the publisher. For more information, e-mail editor@certcities.com