question

RomanAnnenko-1281 asked

RODC and disabled credential caching

Hi all!

I have an AD site with its own RODC for a specific set of clients. Because of security requirements, traffic to the writable DCs from this site/subnet is blocked on the firewall (except from the RODC), so all clients have to authenticate to this RODC.

Computers only authenticate in that site if their credentials are cached (the accounts are members of the Password Replication Policy allowed group). Computers whose credentials are not allowed to be cached get Netlogon event 5721:

The session setup to the Windows Domain Controller \\RODC for the domain MyDomain failed because the Domain Controller did not have an account MyServer$ needed to set up the session by this computer MyServer

User accounts are not members of any PRP allowed group and still authenticate without problems.

According to the docs, caching is useful to ensure users and computers can authenticate to the RODC when the RWDC is inaccessible and the RODC cannot forward requests to it.
So I think it is only an option and not a requirement when the RWDC is always accessible from the RODC.
As far as I can see, if passwords are not cached the RODC works like an authentication proxy, forwarding client authentication requests to the RWDC and passing back the responses.

"When users or computers in a site that is serviced by an RODC attempt to authenticate to the domain, the RODC by default cannot validate their credentials. The RODC then forwards the authentication request to a writable domain controller"

cc753459(v=ws.10)

The "main" article about RODC authentication describes only the case with password caching enabled, but request forwarding to the RWDC is present there too: cc754218(v=ws.10)

So it all should work.
On the other hand, in the RODC event log I've found Netlogon event 5723:

The session setup from computer 'MyServer' failed because the security database does not contain a trust account 'MyServer$' referenced by the specified computer.
...If this is a Read-Only Domain Controller and 'MyServer$' is a legitimate machine account for the computer 'MyServer' then 'MyServer' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller capable of servicing the request (for example a writable domain controller)...


(The account 'MyServer$' is of course present on the RODC.)

I'm at a loss. Can computers without cached passwords be authenticated on the RODC or not?
Is something wrong with my setup? Or is the RODC not usable for this by design?




windows-active-directory

1 Answer

FanFan-MSFT answered

Hi,
Based on my understanding, the traffic is blocked from the clients to the RWDC, but the RODC can still contact the RWDC, right?
If I misunderstand you, please feel free to let me know.

If the RODC can still contact the RWDC, no matter whether the password is cached or not, the users and machines can be authenticated, since the RODC will send the request to the RWDC.
But if the RODC can't contact the RWDC, both the computers' credentials and the users' credentials should be cached on the RODC.

To enable the password replication policy for a user account to log on to a computer through the RODC:
The user account must be in the allowed list.
The client machine that the user needs to log on to must be in the allowed list, too (that is, the computer account must also be in the allowed list).

An administrator could also use the "Repadmin" utility to populate the password cache with the following command:
Repadmin /rodcpwdrepl [DSA_LIST] <Hub DC> <User1 Distinguished Name> [<Computer1 Distinguished Name> <User2 Distinguished Name> ...]

For more information, you can refer to the following link:
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/understanding-8220-read-only-domain-controller-8221/ba-p/395031

Best Regards,

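The checks and the pre-population step described in the answer above, as an added PowerShell example that is not code from the original thread or from Microsoft's documentation. It assumes the ActiveDirectory RSAT module and remote access to the RODC; RODC01, DC01, MyServer$ and jdoe are hypothetical placeholder names. It reports, for each account, the RODC's resultant password replication policy (the allowed and denied lists folded together with group membership), whether the RODC already holds the account's secrets ("revealed"), and whether the account has authenticated through the RODC; it then allows and pre-populates accounts that are not yet cached.

```powershell
# Added example; not from the original thread or Microsoft's docs.
# Audit which accounts can be cached on an RODC and pre-populate the cache.
# Assumes the ActiveDirectory RSAT module; all names below are hypothetical.
Import-Module ActiveDirectory

$Rodc     = 'RODC01'                 # hypothetical RODC
$HubDc    = 'DC01'                   # hypothetical writable DC the RODC replicates from
$Accounts = @('MyServer$', 'jdoe')   # hypothetical machine and user accounts to check

function Get-RodcCacheStatus {
    param([string]$RodcName, [string[]]$SamAccountNames)

    # Accounts whose secrets the RODC already holds (the "revealed" list) and
    # accounts that have authenticated via the RODC (forwarded to a writable DC).
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
                Select-Object -ExpandProperty SamAccountName
    $authed   = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -AuthenticatedAccounts |
                Select-Object -ExpandProperty SamAccountName

    foreach ($name in $SamAccountNames) {
        # The resultant PRP is the single verdict for this account on this RODC;
        # only 'Allow' permits the RODC to cache the account's secrets.
        $policy = Get-ADAccountResultantPasswordReplicationPolicy -Identity $name -DomainController $RodcName
        [pscustomobject]@{
            Account       = $name
            ResultantPRP  = $policy
            Cached        = $revealed -contains $name   # -contains is case-insensitive
            Authenticated = $authed   -contains $name
        }
    }
}

$status = Get-RodcCacheStatus -RodcName $Rodc -SamAccountNames $Accounts
$status | Format-Table -AutoSize

foreach ($entry in $status) {
    if ($entry.ResultantPRP -ne 'Allow') {
        # Add the account to this RODC's allowed list. The PRP lives on the RODC's
        # computer object, so the write is sent to the writable hub DC.
        # (In production, put the site's accounts in a group that is already on the
        # allowed list instead of adding accounts one by one.)
        Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $entry.Account -Server $HubDc
    }
    if (-not $entry.Cached) {
        # Pre-populate the RODC cache from the hub DC so the account can still
        # authenticate if the RODC later loses contact with the writable DCs.
        # repadmin needs the distinguished name and refuses accounts the PRP denies.
        $dn = (Get-ADObject -LDAPFilter "(sAMAccountName=$($entry.Account))" -Server $HubDc).DistinguishedName
        repadmin /rodcpwdrepl $Rodc $HubDc $dn
    }
}

# Re-check: Cached should now be True for every allowed account.
Get-RodcCacheStatus -RodcName $Rodc -SamAccountNames $Accounts | Format-Table -AutoSize
```

The `Authenticated` column is the useful one for the situation in the question: an account that shows `Authenticated = True` but `Cached = False` has been served by the RODC forwarding the request to a writable DC, which only works while that path is up.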

Hi,
Feel free to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.

Best Regards,

Hi FanFan-MSFT,
Thank you for quick answer.
Yes, you understood correctly: the RODC has no limitations contacting the RWDC, and the client traffic is blocked.

I've checked the RODC traffic with Wireshark and made sure it gets Kerberos requests from the client and passes them to the RWDC, and the responses back to the client, just as described in the documentation.

But the Netlogon errors still confuse me. Do they signal some functionality failure? Maybe it's all about NTLM, which is not proxied by the RODC?

5805: The session setup from the computer MyComp failed to authenticate. The following error occurred:

Access is denied.

5723: The session setup from computer 'MyComp' failed because the security database does not contain a trust account 'MyComp$' referenced by the specified computer.

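A triage script for the Netlogon events the thread cites (5721, 5723 and 5805), as an added PowerShell example that is not code from the original thread. It reads the RODC's System log, extracts the trust account each event names, and looks up the RODC's resultant password replication policy for that account, so that the accounts producing the errors can be matched against the PRP in one table. It assumes the ActiveDirectory RSAT module, remote event log access to the RODC, the hypothetical RODC name RODC01, and that the event messages follow the English wording quoted in the thread.

```powershell
# Added example; not from the original thread.
# Correlate RODC Netlogon session-setup failures with the RODC's PRP.
# Assumes the ActiveDirectory RSAT module and the hypothetical RODC name below.
Import-Module ActiveDirectory

$Rodc = 'RODC01'   # hypothetical RODC

# Netlogon session-setup failures quoted in the thread: 5721, 5723, 5805.
$events = Get-WinEvent -ComputerName $Rodc -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5721, 5723, 5805
} -MaxEvents 500 -ErrorAction SilentlyContinue

# 5721/5723 name the trust account itself ("account MyServer$", "'MyServer$'");
# 5805 only names the computer ("from the computer MyComp"), so append '$'.
$trustAccount = [regex]'([\w.-]+\$)'
$computerName = [regex]'from (?:the )?computer ''?([\w.-]+)''? failed'

$failures = foreach ($ev in $events) {
    $m = $trustAccount.Match($ev.Message)
    $account = if ($m.Success) {
        $m.Groups[1].Value
    } else {
        $c = $computerName.Match($ev.Message)
        if ($c.Success) { $c.Groups[1].Value + '$' }
    }
    if ($account) {
        [pscustomobject]@{ Time = $ev.TimeCreated; EventId = $ev.Id; Account = $account }
    }
}

$failures | Group-Object Account | ForEach-Object {
    $name   = $_.Name
    # Resultant PRP for this account on this RODC; 'Allow' means it may be cached.
    $policy = try {
        Get-ADAccountResultantPasswordReplicationPolicy -Identity $name -DomainController $Rodc
    } catch { 'lookup failed' }
    [pscustomobject]@{
        Account      = $name
        Events       = $_.Count
        EventIds     = ($_.Group.EventId | Sort-Object -Unique) -join ','
        LastSeen     = ($_.Group.Time | Measure-Object -Maximum).Maximum
        ResultantPRP = $policy
    }
} | Sort-Object Events -Descending | Format-Table -AutoSize
```

Accounts that appear in this table with `ResultantPRP` other than `Allow` are the ones the event text itself suggests marking cacheable for the RODC's location; the regexes are tied to the English event wording, so adjust them if the RODC logs in another language.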