Testing RODC password resets

ritmo2k 746 Reputation points
2020-12-04T01:14:38.847+00:00

I am trying to test a password change against an RODC in a minimal lab environment with a single site to test the behavior of a 3rd party application.

What tooling exists that can be pointed to an RODC and have that RODC forward the request in the same fashion a client computer would, where both were in their own site?

Both PowerShell and net use fail when changing a credential on the RODC.

Tags: Windows Server 2019, Active Directory

3 answers

  1. Fan Fan 15,336 Reputation points Microsoft Vendor
    2020-12-04T02:45:07.967+00:00

    Hi,

    Can the RODC connect to a RWDC?
    The RODC only receives the password-change request and performs the tasks associated with changing a user's password in the directory. The RODC forwards the password update request to the DC.
    So the precondition to change a password against an RODC is that the RODC has connectivity to a DC to which it can establish a secure channel and send the password update request.

    For your reference:
    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adod/84f88bd0-ba4d-4d27-83ec-5d6149e3390b

    Best Regards,

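The following PowerShell script is an added example for testing the scenario described in the answer above; it is not part of the original thread or of any Microsoft tooling. It checks the two preconditions the answer names (a writable DC exists, and the RODC has a healthy secure channel to one) and then drives a user-initiated password change (old password plus new password, as a client would) at the RODC through IADsUser::ChangePassword, which does not go through ADWS and is therefore a different code path from Set-ADAccountPassword. The host names lab.local, DC01, RODC01, the account testuser and both password values are assumptions for a lab and must be replaced. Whether the change in step 3 succeeds in a given lab depends on the RODC's connectivity to a writable DC, exactly as the answer describes; the script reports the outcome rather than assuming it.

```powershell
# Added example (not from the original thread). Assumed lab names:
#   domain: lab.local   RODC: RODC01.lab.local   test account: testuser
# Run from a domain-joined admin workstation with the RSAT ActiveDirectory module.

$Domain  = 'lab.local'
$Rodc    = 'RODC01.lab.local'
$User    = 'testuser'
$OldPass = 'OldP@ssw0rd!'   # constructed sample value
$NewPass = 'N3wP@ssw0rd!'   # constructed sample value

Import-Module ActiveDirectory

# 1. Confirm which DC is the RODC and that at least one writable DC exists.
$dcs = Get-ADDomainController -Filter * -Server $Domain
$dcs | Select-Object HostName, Site, IsReadOnly | Format-Table -AutoSize
if (-not ($dcs | Where-Object { $_.IsReadOnly }))      { throw "No RODC found in $Domain" }
if (-not ($dcs | Where-Object { -not $_.IsReadOnly })) { throw "No writable DC found in $Domain" }

# 2. Precondition from the answer: the RODC needs a secure channel to a writable DC.
#    Test-ComputerSecureChannel checks the channel of the machine it runs on,
#    so it is executed on the RODC itself via remoting.
$scOk = Invoke-Command -ComputerName $Rodc -ScriptBlock { Test-ComputerSecureChannel }
"RODC secure channel to a writable DC healthy: $scOk"

# 3. Submit a user-initiated change (old + new password) to the RODC.
#    IADsUser::ChangePassword is used here instead of Set-ADAccountPassword
#    because the ADWS path returns a referral when pointed at an RODC.
$dn      = (Get-ADUser -Identity $User -Server $Domain).DistinguishedName
$adsUser = [ADSI]"LDAP://$Rodc/$dn"
try {
    $adsUser.ChangePassword($OldPass, $NewPass)
    "Password change submitted to $Rodc succeeded."
} catch {
    $msg = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
    "Password change via $Rodc failed: $msg"
}

# 4. Verify the new credential authenticates against the domain.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $Domain)
"New password validates: $($ctx.ValidateCredentials($User, $NewPass))"
```

If step 2 reports false, fix the RODC's secure channel before reading anything into step 3; a failure in step 3 with a healthy channel is what isolates the RODC forwarding behaviour from a plain connectivity problem.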

  2. ritmo2k 746 Reputation points
    2020-12-04T03:04:48.11+00:00

    Hi,
    The RODC does have connectivity to an RWDC (both DCs are in the same site, as this is a repro) and I have read that article.

    I do not have a client PC in a site without a RWDC, the only means by which I can provoke a password reset is cmdline tooling, which does not appear to work.


  3. ritmo2k 746 Reputation points
    2020-12-04T17:20:54.527+00:00

    When I use Set-ADAccountPassword, it fails stating "A referral was returned from the server" and net user returns error code 50.

