6.1.1.3.2 Read-Only Domain Controller Object
Each RODC in a domain has a read-only DC object in its default NC. The DC's RODC object is the DC's computer object (subject to the computer object constraints specified in [MS-SAMR] sections 3.1.1.6 and 3.1.1.8) with additional requirements as described in this section. An RODC object cannot be created on Windows 2000 Server operating system through Windows Server 2003 R2 operating system DCs and cannot be created until the Read-Only Domain Controllers Object exists in the domain.
userAccountControl: {ADS_UF_PARTIAL_SECRETS_ACCOUNT | ADS_UF_WORKSTATION_TRUST_ACCOUNT}
primaryGroupID: Contains the value 521.
This attribute is populated during creation of the RODC corresponding to the RODC object. The primary group of an RODC object is the domain relative well-known RODCs security group. So the primaryGroupID attribute of an RODC object equals the RID of the RODCs security group, 521.
servicePrincipalName: This attribute contains all of the SPNs (2) for the RODC, as specified in [MS-DRSR] section 2.2.2.
dNSHostName: Fully qualified DNS name of the RODC.
msDS-AdditionalDnsHostName: Additional DNS names by which the RODC can be identified.
msDS-RevealedUsers: Contains information about the user objects whose secret attributes are cached at this RODC. This attribute is maintained by the system; see procedure UpdateRevealedList, [MS-DRSR] section 4.1.10.5.9. A more usable form of this attribute is the constructed attribute msDS-RevealedList, specified in section 3.1.1.4.5.34.
msDS-AuthenticatedToAccountlist: Contains a list of user objects that have attempted to authenticate at this RODC. This attribute is a back link attribute whose corresponding forward link is the msDS-AuthenticatedAtDC attribute. The msDS-AuthenticatedAtDC attribute is maintained by the system; see section 6.1.4.6.
msDS-NeverRevealGroup: This attribute is maintained by an administrator. It contains a set of user and security-enabled group objects. A user in this set, or reachable from this set by traversing any number of member links from a group in this set, will not change state from not being cached to being cached at this RODC. If a user is added to this attribute (directly or indirectly) while one of its secret attributes is already cached, the secret attribute remains cached until the secret attribute changes, at which time the caching stops. For the use of this attribute, see procedure RevealSecretsForUserAllowed, [MS-DRSR] section 4.1.10.5.15.
msDS-RevealOnDemandGroup: This attribute is maintained by an administrator. It contains a set of user and security-enabled group objects. A user in this set, or reachable from this set by traversing any number of member links from a group in this set, and not excluded by membership in msDS-NeverRevealGroup can change state from not being cached to being cached at this RODC. For the use of this attribute see procedure RevealSecretsForUserAllowed, [MS-DRSR] section 4.1.10.5.15.
msDS-KrbTgtLink: This attribute is populated during creation of the RODC object. It contains a reference to the secondary Kerberos ticket-granting ticket (TGT) account of the RODC. See [MS-KILE] section 3.1.5.10.
managedBy: If the value of this attribute points to a valid security principal, that security principal will be an implicit member of the administrators group of this RODC. This applies to this RODC only.
objectCategory: Contains the distinguished name of the classSchema object for the computer class. This is the value of the defaultObjectCategory attribute of the computer class.