{"id":2091,"date":"2015-09-11T21:24:16","date_gmt":"2015-09-11T19:24:16","guid":{"rendered":"http:\/\/www.windows-infrastructure.de\/?p=2091"},"modified":"2021-03-06T18:09:00","modified_gmt":"2021-03-06T16:09:00","slug":"rodc-passwords-cache-limit","status":"publish","type":"post","link":"http:\/\/www.windows-infrastructure.de\/rodc-passwords-cache-limit\/","title":{"rendered":"RODC, Password Cache Limit?"},"content":{"rendered":"
<p>Recently I came across an article where someone claimed that an <em>RODC (Read Only Domain Controller)<\/em> is limited to 1500 cacheable passwords. I could not believe that, as there is no technical reason for a limit at this point: every user, computer or service account has a password, and an RODC should be able to cache any of them.<\/p>\n<p>One of the major benefits of an <em>RODC<\/em> is that account passwords are not stored on the server by default. For each RODC, accounts can be selectively allowed (or denied) to have their passwords cached. In the GUI this is the <em>Password Replication Policy (PRP)<\/em> tab in the properties of the RODC's computer object in Active Directory Users and Computers. The allow entries, referred to as the <em>Allow List<\/em>, are stored in the multi-valued attribute <em>msDS-RevealOnDemandGroup<\/em> of that computer object (the <em>Deny List<\/em> lives in <em>msDS-NeverRevealGroup<\/em>). And that is where the limitation comes from: the number of values in that attribute, not the RODC itself. 1500 is, incidentally, also the default of the LDAP <em>MaxValRange<\/em> policy, which caps how many values of a multi-valued attribute a single LDAP query returns without range retrieval.<\/p>\n<p>This setting is only the policy that defines which accounts may be cached; at this point no password is cached yet. The RODC keeps the password of an allowed account after that account has authenticated against the RODC for the first time. Alternatively, the passwords of allowed accounts can be pushed (prepopulated) to a specific RODC.<\/p>\n<p>For testing I created some users and added 2000 of them directly to the Allow List. No GUI error.<\/p>\n<p>But prepopulating the password of a specific user fails:<\/p>\n<blockquote><p>repadmin \/rodcpwdrepl &lt;RODC&gt; &lt;writable DC&gt; &lt;user DN&gt;<br \/>\nError: Replication access was denied. (8453)<\/p><\/blockquote>\n<p>After removing 1000 accounts from the Allow List and leaving 1000 in it, the error disappears and prepopulation works for the individual accounts.<\/p>\n<h4>And now?<\/h4>\n<p>The best practice is to put the user and computer accounts into a group and to add the group to the <em>Allow List<\/em> (or <em>Deny List<\/em>); the built-in <em>Allowed RODC Password Replication Group<\/em> exists for exactly this purpose. This shrinks <em>msDS-RevealOnDemandGroup<\/em> to a single value per group, an absolute minimum, because the Password Replication Policy is evaluated against group membership and the attribute does not need one entry per account. This way far more than 1500 accounts can be allowed and prepopulated.<\/p>\n<h4>Delete cached passwords<\/h4>\n<p>It seems Microsoft has not implemented a function for deleting cached passwords from an RODC. You can remove accounts from the <em>Allow List<\/em>, but passwords that were already cached stay cached and the accounts remain on the RODC's <em>Revealed<\/em> list (attribute <em>msDS-RevealedUsers<\/em>). For now the only workarounds I see are to change the account's password, which turns the copy on the RODC into a stale one, or to delete the account from Active Directory. This is also what Microsoft itself does: when an RODC computer object is deleted in Active Directory Users and Computers, the wizard offers to reset the passwords of all user and computer accounts that were cached on it.<\/p>\n<p>Tested on a Windows Server 2012 R2 environment, domain functional level 2012.<\/p>\n
","protected":false},"excerpt":{"rendered":"<p>Recently I came across an article where someone claimed that an RODC (Read Only Domain Controller) is limited to 1500 cacheable passwords. I could not believe that, as there is no technical reason for a limit at this point: every user, computer… Read more<\/p>\n
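The group-based Allow List, the prepopulation step and the password-reset workaround for already cached secrets described in the post, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module, a writable DC named DC01, an RODC named RODC01, a branch OU OU=Branch,DC=corp,DC=example and a group name RODC01-PRP-Allowed; all of these names are hypothetical. It goes a little beyond the post by also reading the RODC's Revealed list and by generating the replacement passwords itself.

```powershell
# Added example, not code from the original post. Assumed, hypothetical names:
# writable DC 'DC01', RODC 'RODC01', branch OU 'OU=Branch,DC=corp,DC=example'.
# Requires the ActiveDirectory module (RSAT) and Domain Admin or equivalent rights.
Import-Module ActiveDirectory

$Rodc      = 'RODC01'
$SourceDc  = 'DC01'
$BranchOu  = 'OU=Branch,DC=corp,DC=example'
$GroupName = 'RODC01-PRP-Allowed'
$ResetRevealedPasswords = $false   # set to $true to run the destructive step 6

function New-RandomPassword([int]$Length = 24) {
    # CSPRNG with rejection sampling so no character is favoured by modulo bias
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@'
    $limit = 256 - (256 % $chars.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb    = New-Object System.Text.StringBuilder
    $b     = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($b)
        if ($b[0] -lt $limit) { [void]$sb.Append($chars[$b[0] % $chars.Length]) }
    }
    $sb.ToString()
}

# 1. One security group per RODC instead of one PRP entry per account.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $BranchOu -PassThru
}
$members = @(Get-ADUser -Filter * -SearchBase $BranchOu) + @(Get-ADComputer -Filter * -SearchBase $BranchOu)
if ($members.Count -gt 0) { Add-ADGroupMember -Identity $group -Members $members }

# 2. The group is the only thing that goes on the Allow List.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $group

# 3. Inspect the raw attribute the post talks about: it should now hold one DN
#    for the group, however many accounts the branch has.
$rodcDn      = (Get-ADDomainController -Identity $Rodc).ComputerObjectDN
$allowValues = @((Get-ADObject -Identity $rodcDn -Properties 'msDS-RevealOnDemandGroup').'msDS-RevealOnDemandGroup')
"msDS-RevealOnDemandGroup on {0} has {1} value(s)" -f $Rodc, $allowValues.Count
if ($allowValues.Count -ge 1500) {
    Write-Warning 'Allow List has 1500 or more direct entries; prepopulation may fail. Use groups instead.'
}

# 4. Prepopulate: push each member's secret to the RODC now, so the first logon
#    at the branch does not depend on the WAN link (cmdlet form of repadmin /rodcpwdrepl).
foreach ($m in $members) {
    try {
        Sync-ADObject -Object $m -Source $SourceDc -Destination $Rodc -PasswordOnly -ErrorAction Stop
    } catch {
        Write-Warning ("Prepopulation failed for {0}: {1}" -f $m.Name, $_.Exception.Message)
    }
}

# 5. What the RODC really holds is the Revealed list, not the Allow List.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
"{0} account(s) have a password cached on {1}" -f $revealed.Count, $Rodc

# 6. Taking the group off the Allow List stops new caching but does not purge
#    anything: the accounts stay on the Revealed list. The only way to make a
#    cached secret worthless is a password reset (a computer resets its own with
#    Reset-ComputerMachinePassword), so this step is opt-in.
Remove-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $group
if ($ResetRevealedPasswords) {
    $revealed | Where-Object { $_.ObjectClass -eq 'user' } | ForEach-Object {
        $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity $_ -Reset -NewPassword $pw
        "Reset password of {0}; its copy on {1} is now stale" -f $_.Name, $Rodc
    }
}
```

Run it from a management host with domain administrator rights. Step 6 is opt-in through $ResetRevealedPasswords because it resets live user passwords; the Revealed list read in step 5 is what tells you which accounts would be exposed if that RODC were stolen, which is the point of keeping the Allow List small and the cache short-lived.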