Testing RODC password resets

ritmo2k 706 Reputation points
2020-12-04T01:14:38.847+00:00

I am trying to test a password change against an RODC in a minimal lab environment with a single site to test the behavior of a 3rd party application.

What tooling exists that can be pointed to an RODC and have that RODC forward the request in the same fashion a client computer would where both were in their own site?

Both PowerShell and net use fail when changing a credential on the RODC.


3 answers

  1. Fan Fan 15,286 Reputation points Microsoft Vendor
    2020-12-04T02:45:07.967+00:00

    Hi,

    Can the RODC connect to a RWDC?
    The RODC only receives the password-change request and performs the tasks associated with changing a user's password in the directory. The RODC forwards the password update request to the DC.
    So the precondition for changing a password against an RODC is that the RODC has connectivity to a DC to which it can establish a secure channel and send the password update request.

    For your reference:
    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adod/84f88bd0-ba4d-4d27-83ec-5d6149e3390b

    Best Regards,

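    The following is an added lab-check example, not code from the thread: it verifies the precondition the answer above describes (the RODC must hold a secure channel to a writable DC), then issues a reset that explicitly targets the RODC and records whatever the server returns. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the RODC, and a constructed lab account named labuser; the reset may well come back with the referral error the asker reports.

```powershell
# Added example (not from the original thread). Assumes RSAT ActiveDirectory,
# PS remoting to the RODC, and a lab account 'labuser' (constructed name).
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$rodc   = Get-ADDomainController -Filter { IsReadOnly -eq $true }  | Select-Object -First 1
$rwdc   = Get-ADDomainController -Filter { IsReadOnly -eq $false } | Select-Object -First 1
if (-not $rodc -or -not $rwdc) { throw "Lab needs at least one RODC and one writable DC." }

"RODC: $($rodc.HostName)   writable DC: $($rwdc.HostName)"

# 1. Precondition from the answer: the RODC must have a secure channel to a writable DC.
#    nltest runs on the RODC itself and names the DC its secure channel is bound to.
$sc = Invoke-Command -ComputerName $rodc.HostName -ScriptBlock {
    nltest /sc_query:$using:domain
}
"Secure channel report from RODC:`n$($sc -join "`n")"
if ($sc -notmatch 'Success') {
    Write-Warning "RODC reports no healthy secure channel; forwarding cannot work until this is fixed."
}

# 2. Attempt the reset against the RODC explicitly and capture the outcome.
$user  = 'labuser'                                   # constructed lab account
$newPw = ConvertTo-SecureString 'Lab-Reset-Only!2020' -AsPlainText -Force   # constructed value
try {
    Set-ADAccountPassword -Identity $user -Server $rodc.HostName -Reset -NewPassword $newPw -ErrorAction Stop
    "Reset sent to $($rodc.HostName) was accepted."
} catch {
    # Record the exact server response (for example a referral) rather than retrying blindly.
    "Reset against $($rodc.HostName) failed: $($_.Exception.Message)"
}

# 3. Confirm where the write actually landed by reading pwdLastSet from the writable DC.
(Get-ADUser $user -Server $rwdc.HostName -Properties pwdLastSet).pwdLastSet
```

    Comparing pwdLastSet on the writable DC before and after the attempt shows whether the change reached a writable copy regardless of which host answered the request.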

  2. ritmo2k 706 Reputation points
    2020-12-04T03:04:48.11+00:00

    Hi,
    The RODC does have connectivity to an RWDC (both DCs are in the same site, as this is a repro) and I have read that article.

    I do not have a client PC in a site without a RWDC, the only means by which I can provoke a password reset is cmdline tooling, which does not appear to work.


  3. ritmo2k 706 Reputation points
    2020-12-04T17:20:54.527+00:00

    When I use Set-ADAccountPassword, it fails stating "A referral was returned from the server" and net user returns error code 50.