Testing RODC password resets

ritmo2k 706 Reputation points

I am trying to test a password change against an RODC in a minimal lab environment with a single site to test the behavior of a 3rd party application.

What tooling exists that can be pointed to an RODC and have that RODC forward the request in the same fashion a client computer would where both where in their own site.

Both powershell and net use fail when changing a credential on the RODC?

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,432 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,799 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Fan Fan 15,286 Reputation points Microsoft Vendor


    Can the RODC connect to a RWDC?
    The RODC can only receives the password-change request and performs the tasks associated with changing a user's password in the directory. The RODC forwards the password update request to the DC.
    So the preconditions to change password against a RODC is that the RODC has connectivity to a DC to which it can establish a secure channel and send the password update request.

    For your reference:

    Best Regards,

    0 comments No comments

  2. ritmo2k 706 Reputation points

    The RODC does have connectivity to a RWDC (both DCs are in the same site, as this is a repro) and I have read that article.

    I do not have a client PC in a site without a RWDC, the only means by which I can provoke a password reset is cmdline tooling, which does not appear to work.

  3. ritmo2k 706 Reputation points

    When I use Set-ADAccountPassword, it fails stating "A referral was returned from the server" and net user returns error code 50.