{"id":2091,"date":"2015-09-11T21:24:16","date_gmt":"2015-09-11T19:24:16","guid":{"rendered":"http:\/\/www.windows-infrastructure.de\/?p=2091"},"modified":"2021-03-06T18:09:00","modified_gmt":"2021-03-06T16:09:00","slug":"rodc-passwords-cache-limit","status":"publish","type":"post","link":"http:\/\/www.windows-infrastructure.de\/rodc-passwords-cache-limit\/","title":{"rendered":"RODC, Password Cache Limit?"},"content":{"rendered":"

Recently I came across an article where someone claimed that a RODC (Read Only Domain Controller)<\/em> has a limit of 1500 cacheable passwords. I couldn’t believe that, as there is no technical reason for a limitation at this point; every user, computer or service account is just an object with one password each.<\/p>\n

One of the major benefits of a RODC<\/em> is that account secrets (the password hashes) are not stored on the server by default. For each RODC, accounts can be selectively allowed (or denied) to have their passwords cached. In the GUI this is configured on the Password Replication Policy (PRP)<\/em> tab of the RODC's computer object in Active Directory Users and Computers. The allow entries, referred to as the Allowed List<\/em>, are stored in the multi-valued attribute msDS-RevealOnDemandGroup<\/em> of the RODC computer object (the Denied List<\/em> lives in msDS-NeverRevealGroup<\/em>). And that is where the limitation comes from: not from the policy concept, but from the number of values this single attribute holds. It is worth knowing that 1500 is also the default of the MaxValRange LDAP query policy, the maximum number of values a domain controller returns from a multi-valued attribute in one read unless the client asks for ranges; whether that policy is what actually trips prepopulation is not something the test in this post proves.<\/p>\n

The policy only defines which accounts may be cached; at this point no passwords are cached yet. The RODC stores an allowed account's secrets after that account has authenticated against the RODC for the first time (the RODC forwards the logon to a writable DC, which then replicates the secrets to the RODC). Alternatively, passwords of allowed accounts can be pushed to a specific RODC in advance, either with the Prepopulate Passwords button in the advanced PRP dialog or with repadmin \/rodcpwdrepl.<\/p>\n
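An added example, my own code and not from the original post, that turns the above into a check: it reads the Allowed and Denied lists of every RODC, counts the raw values stored in msDS-RevealOnDemandGroup and msDS-NeverRevealGroup, and lists which accounts actually have secrets cached (revealed) versus accounts that have merely authenticated through the RODC. It assumes the RSAT ActiveDirectory PowerShell module and rights to read the RODC computer objects; the 1500 threshold is the number at which prepopulation failed in the test in this post, not a documented constant.<\/p>\n

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module and rights to read RODC computer objects. The 1500 threshold is the
# number at which prepopulation failed in the post's test, not a documented constant.
Import-Module ActiveDirectory

$AllowedValueWarnThreshold = 1500

function Get-RodcPrpReport {
    param([Parameter(Mandatory)] $Rodc)   # DC name or ADDomainController object

    $dc = Get-ADDomainController -Identity $Rodc
    if (-not $dc.IsReadOnly) { throw ('{0} is not an RODC' -f $dc.HostName) }

    # The Allowed and Denied lists as the PRP tab shows them: accounts and groups.
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc -Allowed)
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc -Denied)

    # The raw multi-valued attributes behind those lists on the RODC computer object.
    $obj = Get-ADObject -Identity $dc.ComputerObjectDN -Properties 'msDS-RevealOnDemandGroup','msDS-NeverRevealGroup'
    $allowedValues = @($obj.'msDS-RevealOnDemandGroup').Count
    $deniedValues  = @($obj.'msDS-NeverRevealGroup').Count

    # What is actually cached (revealed) versus only permitted, and who has
    # authenticated through this RODC; both matter if the RODC is ever stolen.
    $revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -RevealedAccounts)
    $authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -AuthenticatedAccounts)

    [pscustomobject]@{
        Rodc                   = $dc.HostName
        AllowedEntries         = $allowed.Count
        AllowedDirectAccounts  = @($allowed | Where-Object { $_.ObjectClass -ne 'group' }).Count
        AllowedAttributeValues = $allowedValues
        OverThreshold          = $allowedValues -gt $AllowedValueWarnThreshold
        DeniedEntries          = $denied.Count
        DeniedAttributeValues  = $deniedValues
        CachedAccounts         = $revealed.Count
        AuthenticatedAccounts  = $authenticated.Count
    }
}

# Report on every RODC in the domain and warn where the Allowed list is built
# from direct account entries instead of groups.
$report = Get-ADDomainController -Filter { IsReadOnly -eq $true } | ForEach-Object { Get-RodcPrpReport -Rodc $_ }
$report | Format-Table -AutoSize
foreach ($r in $report) {
    if ($r.OverThreshold -or $r.AllowedDirectAccounts -gt 0) {
        Write-Warning ('{0}: {1} raw values in msDS-RevealOnDemandGroup, {2} direct account entries; put accounts into a group' -f $r.Rodc, $r.AllowedAttributeValues, $r.AllowedDirectAccounts)
    }
}
```

The difference between AllowedEntries and CachedAccounts is the point of the policy: an entry in the Allowed list permits caching, but only accounts in the revealed list have a secret on the RODC. The warning fires on any direct account entry because, as the test in this post shows, the GUI will not stop you before the attribute grows past the threshold.<\/p>\n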

\"Password<\/p>\n

For testing I created some users and added 2000 of them directly to the allowed list. No GUI error.<\/p>\n

\"RODC<\/p>\n

\n

repadmin \/rodcrepl <\/span>
\nError: Replication access was denied. (8453)<\/span><\/p>\n<\/blockquote>\n

But prepopulating the password of a specific user (repadmin \/rodcpwdrepl takes the RODC, a writable source DC and the user DNs) then fails with the error above. After removing 1000 accounts from the allowed list<\/em>, leaving 1000, the error disappears and prepopulation works again for individual objects. Note that only the prepopulate path fails: the GUI accepts 2000 direct entries without complaint, so nothing warns you when the list grows past the threshold.<\/p>\n


And now?<\/h4>\n

The best practice is to put the user and computer objects into a group and add that group to the allowed<\/em> or denied list<\/em>. The RODC evaluates group membership when it decides whether a secret may be cached, so the msDS-RevealOnDemandGroup<\/em> attribute shrinks to one value per group instead of one value per account. This way far more than 1500 objects<\/em> can be covered by the allowed list<\/em> and prepopulated.<\/p>\n
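As an added example (my own code, not part of the original post), the following PowerShell performs that migration for one RODC: it moves the direct user and computer entries of the Allowed list into a single group, adds the group to the policy, removes the direct entries, and shows the raw value count of msDS-RevealOnDemandGroup before and after. It assumes the RSAT ActiveDirectory module; the RODC name, group name and OU path are placeholders.<\/p>\n

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module; the RODC name, group name and OU path used at the bottom are placeholders.
Import-Module ActiveDirectory

function Convert-RodcAllowedListToGroup {
    param(
        [Parameter(Mandatory)] [string] $RodcName,
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $GroupOuPath,
        [switch] $Commit   # without -Commit the function only reports what it would change
    )

    $rodc = Get-ADDomainController -Identity $RodcName
    if (-not $rodc.IsReadOnly) { throw ('{0} is not a read-only domain controller' -f $RodcName) }

    # Direct account entries are what bloats the attribute; existing group entries stay untouched.
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)
    $directAccounts = @($allowed | Where-Object { $_.ObjectClass -in @('user','computer') })
    $before = @((Get-ADObject -Identity $rodc.ComputerObjectDN -Properties 'msDS-RevealOnDemandGroup').'msDS-RevealOnDemandGroup').Count
    Write-Host ('{0}: {1} allowed entries, {2} direct accounts, {3} raw attribute values' -f $rodc.HostName, $allowed.Count, $directAccounts.Count, $before)

    if (-not $Commit) { return $directAccounts }

    $group = Get-ADGroup -Filter { Name -eq $GroupName } -SearchBase $GroupOuPath
    if (-not $group) {
        # A global security group can hold the domain's users and computers.
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOuPath -Description ('RODC password caching allowed on {0}' -f $rodc.HostName) -PassThru
    }

    if ($directAccounts.Count -gt 0) {
        # Order matters: group membership and the group entry go in first, so no
        # account falls out of the policy between the two policy changes.
        Add-ADGroupMember -Identity $group -Members $directAccounts
        Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $group
        Remove-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $directAccounts -Confirm:$false
    }

    $after = @((Get-ADObject -Identity $rodc.ComputerObjectDN -Properties 'msDS-RevealOnDemandGroup').'msDS-RevealOnDemandGroup').Count
    Write-Host ('{0}: raw attribute values {1} -> {2}' -f $rodc.HostName, $before, $after)
    return $group
}

# Dry run first, then commit. Names and OU are placeholders for this example.
Convert-RodcAllowedListToGroup -RodcName 'RODC01' -GroupName 'RODC01-PRP-Allowed' -GroupOuPath 'OU=Groups,DC=example,DC=local'
Convert-RodcAllowedListToGroup -RodcName 'RODC01' -GroupName 'RODC01-PRP-Allowed' -GroupOuPath 'OU=Groups,DC=example,DC=local' -Commit
```

Secrets already cached for the migrated accounts stay cached, since the accounts remain allowed through the group; the only thing that changes is the attribute size, and with it the ability to prepopulate again.<\/p>\n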

\"policy<\/p>\n


Delete cached passwords<\/h4>\n

It seems Microsoft has forgotten to implement a function for deleting cached passwords from a RODC. You can remove objects from the allowed list<\/em>, but their passwords stay cached. For now the only workaround I see is either to change the object's password or to delete the object from Active Directory.<\/p>\n
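An added example (my own code, not from the original post) for the password-change workaround: it lists the accounts whose secrets are still revealed on an RODC although they are no longer covered by its Allowed list, directly or through an allowed group, and resets the passwords of the user accounts among them to a random value. It assumes the RSAT ActiveDirectory module; the RODC name is a placeholder. Computer accounts are only reported, because a machine account password is rotated from the computer itself (Reset-ComputerMachinePassword), and the RODC's own computer account and krbtgt account are skipped, since those always live on the RODC.<\/p>\n

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module; the RODC name used at the bottom is a placeholder.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int] $Length = 24)
    # Exactly 64 symbols, so a byte modulo 64 is uniform and the password is unbiased.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!$%&*+-=?'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Get-RodcStaleCachedAccount {
    param([Parameter(Mandatory)] [string] $RodcName)

    $rodc = Get-ADDomainController -Identity $RodcName
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
    $allowed  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)

    # Everything the Allowed list still covers: direct entries plus (nested) group members.
    $covered = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($p in $allowed) {
        if ($p.ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $p.DistinguishedName -Recursive | ForEach-Object { [void]$covered.Add($_.DistinguishedName) }
        } else {
            [void]$covered.Add($p.DistinguishedName)
        }
    }

    # Revealed but no longer covered. The RODC's own computer account and its
    # krbtgt_<id> account are always present on the RODC and are not candidates.
    $revealed | Where-Object {
        -not $covered.Contains($_.DistinguishedName) -and
        $_.DistinguishedName -ne $rodc.ComputerObjectDN -and
        $_.SamAccountName -notlike 'krbtgt*'
    }
}

function Reset-RodcStaleCachedPassword {
    param([Parameter(Mandatory)] [string] $RodcName, [switch] $Commit)

    foreach ($acct in Get-RodcStaleCachedAccount -RodcName $RodcName) {
        if ($acct.ObjectClass -ne 'user') {
            # Machine account passwords are rotated from the computer itself
            # (Reset-ComputerMachinePassword), so only report them here.
            Write-Warning ('{0} ({1}) is still cached on {2}; rotate it from the host' -f $acct.SamAccountName, $acct.ObjectClass, $RodcName)
            continue
        }
        if (-not $Commit) {
            Write-Host ('would reset password of {0} (still cached on {1})' -f $acct.SamAccountName, $RodcName)
            continue
        }
        # New random password the user does not know, then force a change at next logon.
        # The RODC is no longer allowed to receive the new secret, so its copy becomes worthless.
        $secret = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity $acct -Reset -NewPassword $secret
        Set-ADUser -Identity $acct -ChangePasswordAtLogon $true
        Write-Host ('reset password of {0}' -f $acct.SamAccountName)
    }
}

# Dry run first, then commit. The RODC name is a placeholder.
Reset-RodcStaleCachedPassword -RodcName 'RODC01'
Reset-RodcStaleCachedPassword -RodcName 'RODC01' -Commit
```

Run the dry run after every change to the Allowed list; the revealed list is the ground truth for what an attacker with the RODC's disk could crack, regardless of what the policy says today.<\/p>\n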

Tested in a Windows Server 2012 R2 environment, domain functional level Windows Server 2012.<\/p>\n","protected":false},"excerpt":{"rendered":"

Recently I came across an article,\u00a0where someone claimed about a\u00a0RODC (Read Only Domain Controller) limitation for the amount of 1500 cache-able passwords.\u00a0I couldn’t believe that, as there’s no technical reason for having a limitation at this point; every User-, Computer-… Read more →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":2093,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[10],"tags":[145,144],"yoast_head":"\nRODC, Password Cache Limit? - windows-infrastructure.de<\/title>\n<meta name=\"description\" content=\"The allow entries referred to as Allow List are stored in the computer objects attribute field msDS-RevealOnDemandGroup. And that's the point where the limitation came from\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/www.windows-infrastructure.de\/rodc-passwords-cache-limit\/\" \/>\n<meta property=\"og:locale\" content=\"de_DE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"RODC, Password Cache Limit? - windows-infrastructure.de\" \/>\n<meta property=\"og:description\" content=\"The allow entries referred to as Allow List are stored in the computer objects attribute field msDS-RevealOnDemandGroup. 
And that's the point where the limitation came from\" \/>\n<meta property=\"og:url\" content=\"http:\/\/www.windows-infrastructure.de\/rodc-passwords-cache-limit\/\" \/>\n<meta property=\"og:site_name\" content=\"windows-infrastructure.de\" \/>\n<meta property=\"article:published_time\" content=\"2015-09-11T19:24:16+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-03-06T16:09:00+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/www.windows-infrastructure.de\/wp-content\/uploads\/hc_128.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"404\" \/>\n\t<meta property=\"og:image:height\" content=\"475\" \/>\n<meta name=\"twitter:label1\" content=\"Estimated reading time\">\n\t<meta name=\"twitter:data1\" content=\"2 minutes\">\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"http:\/\/www.windows-infrastructure.de\/#website\",\"url\":\"http:\/\/www.windows-infrastructure.de\/\",\"name\":\"windows-infrastructure.de\",\"description\":\"Windows Server Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"http:\/\/www.windows-infrastructure.de\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"de-DE\"},{\"@type\":\"ImageObject\",\"@id\":\"http:\/\/www.windows-infrastructure.de\/rodc-passwords-cache-limit\/#primaryimage\",\"inLanguage\":\"de-DE\",\"url\":\"http:\/\/www.windows-infrastructure.de\/wp-content\/uploads\/hc_128.jpg\",\"width\":404,\"height\":475,\"caption\":\"Password replication policy allowed list allow deny\"},{\"@type\":\"WebPage\",\"@id\":\"http:\/\/www.windows-infrastructure.de\/rodc-passwords-cache-limit\/#webpage\",\"url\":\"http:\/\/www.windows-infrastructure.de\/rodc-passwords-cache-limit\/\",\"name\":\"RODC, Password Cache Limit? 
- windows-infrastructure.de\",\"isPartOf\":{\"@id\":\"http:\/\/www.windows-infrastructure.de\/#website\"},\"primaryImageOfPage\":{\"@id\":\"http:\/\/www.windows-infrastructure.de\/rodc-passwords-cache-limit\/#primaryimage\"},\"datePublished\":\"2015-09-11T19:24:16+00:00\",\"dateModified\":\"2021-03-06T16:09:00+00:00\",\"author\":{\"@id\":\"http:\/\/www.windows-infrastructure.de\/#\/schema\/person\/60ba29b74ac5d95d2d152448d563e4a8\"},\"description\":\"The allow entries referred to as Allow List are stored in the computer objects attribute field msDS-RevealOnDemandGroup. And that's the point where the limitation came from\",\"inLanguage\":\"de-DE\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/www.windows-infrastructure.de\/rodc-passwords-cache-limit\/\"]}]},{\"@type\":\"Person\",\"@id\":\"http:\/\/www.windows-infrastructure.de\/#\/schema\/person\/60ba29b74ac5d95d2d152448d563e4a8\",\"name\":\"Holger Wache\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"http:\/\/www.windows-infrastructure.de\/#personlogo\",\"inLanguage\":\"de-DE\",\"url\":\"http:\/\/www.windows-infrastructure.de\/wp-content\/uploads\/Holger1.png\",\"caption\":\"Holger Wache\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"http:\/\/www.windows-infrastructure.de\/wp-json\/wp\/v2\/posts\/2091"}],"collection":[{"href":"http:\/\/www.windows-infrastructure.de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.windows-infrastructure.de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.windows-infrastructure.de\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.windows-infrastructure.de\/wp-json\/wp\/v2\/comments?post=2091"}],"version-history":[{"count":18,"href":"http:\/\/www.windows-infrastructure.de\/wp-json\/wp\/v2\/posts\/2091\/revisions"}],"predecessor-version":[{"id":2170,"href":"http:\/\/www.windows-infrastructure.de\/wp-json\/wp\/v2\/posts\/2091\/revisions\/2170"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.windows-infrastructure.de\/wp-json\/wp\/v2\/media\/2093"}],"wp:attachment":[{"href":"http:\/\/www.windows-infrastructure.de\/wp-json\/wp\/v2\/media?parent=2091"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.windows-infrastructure.de\/wp-json\/wp\/v2\/categories?post=2091"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.windows-infrastructure.de\/wp-json\/wp\/v2\/tags?post=2091"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}