Read-Only Domain Controller (RODC): Unable to Configure Password Caching

Introduction

We know that passwords are not replicated to a read-only domain controller (RODC) during its configuration. The RODC relies on a writable DC (RWDC) to authenticate branch user and computer accounts. This protects the passwords in case the RODC is stolen from the branch site. However, authentication cannot take place if the WAN link between the RODC and the RWDC is down. Using a built-in feature, credential caching can be explicitly enabled so that passwords are replicated to and cached on the RODC. As usual, branch accounts are first authenticated by the RWDC, and their subsequent authentications are then handled by the RODC.

This article lists a few workarounds you can try when you have configured credential caching but passwords are still not being cached on a read-only domain controller (RODC) running Windows Server 2016. The article is based on the threads at

  1. https://social.technet.microsoft.com/Forums/en-US/b857a779-8ea1-4e7b-ba3c-c594ab74389f/user-account-passwords-in-rodc-are-not-cached-despite-adding-them-in-allowed-password-replication?forum=winserverDS
  2. https://social.technet.microsoft.com/Forums/en-US/422d297a-462b-4f22-8b20-bcbf14328bbb/account-passwords-in-rodc-are-not-cached?forum=winserverDS

Solution

Following are some of the solutions you can apply to fix the password caching issue on an RODC. Work through them one by one; if one solution doesn't work, move on to the next.

  1. Make sure that both the user account and the computer account (the computer the user logs on to at the branch site) are in the Password Replication Policy (PRP) of the RODC.

  2. Make sure the client machine is actually being authenticated by the RODC and not by a writable DC (RWDC). Run the following at a command prompt on the client machine to check its logon server:

    nltest /dsgetdc:<domain>
    

  3. Make sure Active Directory Sites and Services is properly configured and the RODC is placed in a separate site, so that clients send their authentication requests to the RODC.

Keep in mind that the user must log on to the computer twice for the password to be cached on the RODC.
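The following PowerShell script is an added example; it is not part of the original article or of the TechNet threads it cites. It checks the three points above in one pass from an admin workstation: whether the user and computer accounts are effectively in the RODC's Allowed list (groups expanded) and not in the Denied list, which takes precedence; whether the RODC currently holds their passwords; and which DC and site the branch client actually resolves with nltest. It assumes the RSAT ActiveDirectory module is installed, that you have rights to read the PRP and to run commands on the client over WinRM, and that the RODC, user and client names passed as parameters are placeholders you replace with your own.

```powershell
<#
  Added example (not from the article). Assumes RSAT ActiveDirectory module,
  rights to read the RODC's PRP, and WinRM access to the branch client.
  All three parameters are placeholders for your own environment.
#>
param(
    [Parameter(Mandatory)] [string] $Rodc,          # e.g. BRANCH-RODC01 (placeholder)
    [Parameter(Mandatory)] [string] $UserName,      # sAMAccountName of the branch user (placeholder)
    [Parameter(Mandatory)] [string] $ComputerName   # name of the branch client (placeholder)
)

Import-Module ActiveDirectory

$dc = Get-ADDomainController -Identity $Rodc
if (-not $dc.IsReadOnly) { throw "$Rodc is not a read-only domain controller." }

$domain = $dc.Domain
$user   = Get-ADUser     -Identity $UserName
$client = Get-ADComputer -Identity $ComputerName

# A PRP entry can be a user, a computer or a group; expand groups to member DNs
# so that membership through a group (e.g. Allowed RODC Password Replication Group) counts.
function Expand-PrpEntry {
    param($Entry)
    if ($Entry.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $Entry.DistinguishedName -Recursive |
            Select-Object -ExpandProperty DistinguishedName
    } else {
        $Entry.DistinguishedName
    }
}

$allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
             ForEach-Object { Expand-PrpEntry $_ })
$denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
             ForEach-Object { Expand-PrpEntry $_ })

# Accounts whose passwords the RODC currently holds (already cached).
$cached  = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
             Select-Object -ExpandProperty DistinguishedName)

# Step 1: both the user and the computer must be allowed and not denied (Denied wins).
foreach ($acct in @($user, $client)) {
    $dn = $acct.DistinguishedName
    [pscustomobject]@{
        Account   = $acct.SamAccountName
        InAllowed = $allowed -contains $dn
        InDenied  = $denied  -contains $dn
        Cacheable = ($allowed -contains $dn) -and -not ($denied -contains $dn)
        Cached    = $cached  -contains $dn
    }
}

# Steps 2 and 3: ask the client which DC it locates for the domain and which site
# it believes it is in. nltest prints "DC: \\<fqdn>" and "Our Site Name: <site>".
$clientView = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    $d      = $using:domain
    $out    = nltest "/dsgetdc:$d"
    $dcLine = $out | Where-Object { $_ -match '^\s*DC:\s*\\\\' }       | Select-Object -First 1
    $siteLn = $out | Where-Object { $_ -match '^\s*Our Site Name:' }  | Select-Object -First 1
    [pscustomobject]@{
        LogonDc    = if ($dcLine) { ($dcLine -replace '^\s*DC:\s*\\\\', '').Trim() } else { $null }
        ClientSite = if ($siteLn) { ($siteLn -replace '^\s*Our Site Name:\s*', '').Trim() } else { $null }
    }
}

# Summary: the client should locate the RODC, and both should sit in the same site.
[pscustomobject]@{
    ExpectedRodc   = $dc.HostName
    RodcSite       = $dc.Site
    ClientLogonDc  = $clientView.LogonDc
    ClientSite     = $clientView.ClientSite
    ClientUsesRodc = $clientView.LogonDc -eq $dc.HostName
    SameSite       = $clientView.ClientSite -eq $dc.Site
}
```

Run it as `.\Check-RodcCaching.ps1 -Rodc BRANCH-RODC01 -UserName jdoe -ComputerName BRANCH-PC01` (names are placeholders). A `Cacheable = True` row with `Cached = False` after a single logon is the expected state described above; the password should appear in the `-RevealedAccounts` list only after the second logon through the RODC. If `ClientUsesRodc` is false or `SameSite` is false, the problem is in step 2 or 3 (DC locator and site configuration), not in the PRP.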

References

  1. https://social.technet.microsoft.com/Forums/en-US/422d297a-462b-4f22-8b20-bcbf14328bbb/account-passwords-in-rodc-are-not-cached?forum=winserverDS
  2. https://social.technet.microsoft.com/Forums/en-US/b857a779-8ea1-4e7b-ba3c-c594ab74389f/user-account-passwords-in-rodc-are-not-cached-despite-adding-them-in-allowed-password-replication?forum=winserverDS
  3. https://technet.microsoft.com/en-us/library/cc731935(v=ws.11).aspx