RODC and disabled credential caching

Roman Annenko 141 Reputation points
2021-03-29T14:57:03.757+00:00

Hi all!

I have an AD site with its own RODC for a specific set of clients. For security requirements, the traffic from this site/subnet to the writable DCs is disabled on the firewall (except the RODC), so all clients have to authenticate to this RODC.

Computers only authenticate in that site if their credentials are cached (accounts are members of the password replication policy allowed group). The computers without allowed credential caching get a Netlogon 5721 event:

The session setup to the Windows Domain Controller \\RODC for the domain MyDomain failed because the Domain Controller did not have an account MyServer$ needed to set up the session by this computer MyServer

User accounts are not members of any PRP allowed group and still authenticate without problems.

According to the docs, caching is useful to ensure users and computers can authenticate to the RODC when the RWDC is inaccessible and the RODC cannot forward requests to it.
So I think it is only an option, not a requirement, when the RWDC is always accessible from the RODC.
As far as I can see, if passwords are not cached the RODC works like an authentication proxy, forwarding client authentication requests to the RWDC and passing back the responses.

"When users or computers in a site that is serviced by an RODC attempt to authenticate to the domain, the RODC by default cannot validate their credentials. The RODC then forwards the authentication request to a writable domain controller"

cc753459(v=ws.10)

The "main" article about RODC authentication describes only the case with password caching enabled, but request forwarding to the RWDC is present there too: cc754218(v=ws.10)

So it all should work.
On the other hand, in the RODC event log I've found Netlogon event 5723:

The session setup from computer 'MyServer' failed because the security database does not contain a trust account 'MyServer$' referenced by the specified computer.
...If this is a Read-Only Domain Controller and 'MyServer$' is a legitimate machine account for the computer 'MyServer' then 'MyServer' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller capable of servicing the request (for example a writable domain controller)...

(The account 'MyServer$' is, of course, present on the RODC.)

I'm at a loss. Can computers without cached passwords be authenticated on the RODC or not?
Is something wrong with my setup? Or is the RODC not usable for this by design?

  1. Fan Fan 15,291 Reputation points Microsoft Vendor
    2021-03-30T05:56:30.867+00:00

    Hi,
    Based on my understanding, the traffic is blocked from the clients to the RWDC, but the RODC can still contact the RWDC, right?
    If I misunderstand you, please feel free to let me know.

    If the RODC can still contact the RWDC, whether the password is cached or not, the users and machines can be authenticated, since the RODC will send the request to the RWDC.
    But if the RODC can't contact the RWDC, both the computers' credentials and the users' credentials should be cached on the RODC.

    To enable the password replication policy for a user account to log on to a computer through the RODC:
    The user account must be in the allowed list.
    The client machine the user needs to log on to must be in the allowed list, too; the computer account must be in the allowed list, too.

    An administrator could also use the "Repadmin" utility to populate the password cache with the following command:
    Repadmin /rodcpwdrepl [DSA_LIST] <Hub DC> <User1 Distinguished Name> [<Computer1 Distinguished name> <User2 Distinguished Name>…].

    For more information, you can refer to the following link:
    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/understanding-8220-read-only-domain-controller-8221/ba-p/395031

    Best Regards,
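An added PowerShell example (not code from the question or the answer above) that checks, for one RODC, the items the answer lists: the explicit Allowed and Denied lists, the resultant PRP for the computer and user accounts, which accounts are actually cached, and the Netlogon 5721/5723 events quoted in the question. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the RODC's PRP and System log; the RODC and account names are placeholders.

```powershell
# Added example, not the question's or answer's own code.
# Assumptions: RSAT ActiveDirectory module; rights to read the RODC's PRP and
# its System log; $Rodc and $Accounts are placeholders taken from the events quoted.
Import-Module ActiveDirectory

$Rodc     = 'RODC'                 # placeholder: RODC named in the 5721/5723 events
$Accounts = @('MyServer$', 'jdoe') # placeholders: affected computer account, a site user

function Get-RodcPrpStatus {
    param([string]$RodcName, [string[]]$AccountNames)

    # Explicit Allowed and Denied lists configured on this RODC (usually groups).
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied
    # Accounts whose secrets this RODC has actually cached so far.
    $cached  = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts

    foreach ($name in $AccountNames) {
        # Resultant policy resolves group nesting, so it is the value the RODC
        # applies when deciding whether it may cache this account.
        $rsop = Get-ADAccountResultantPasswordReplicationPolicy -Identity $name -DomainController $RodcName
        [pscustomobject]@{
            Account         = $name
            ResultantPolicy = $rsop
            CurrentlyCached = [bool]($cached  | Where-Object SamAccountName -eq $name)
            # Direct membership only; an account is normally allowed via a group.
            InAllowedList   = [bool]($allowed | Where-Object SamAccountName -eq $name)
            InDeniedList    = [bool]($denied  | Where-Object SamAccountName -eq $name)
        }
    }
}

function Get-RodcNetlogonFailures {
    param([string]$RodcName, [int]$Days = 7)
    # 5721 (session setup failed) and 5723 (no trust account) are the two Netlogon
    # events from the question; both are written to the RODC's System log.
    Get-WinEvent -ComputerName $RodcName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5721, 5723
        StartTime = (Get-Date).AddDays(-$Days)
    } | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-RodcPrpStatus -RodcName $Rodc -AccountNames $Accounts | Format-Table -AutoSize
Get-RodcNetlogonFailures -RodcName $Rodc | Format-Table -AutoSize -Wrap
```

A computer that shows up in the 5721/5723 events with ResultantPolicy not Allowed and CurrentlyCached false is exactly the case the answer describes for the Allowed list, so the table makes the "is the computer account allowed" check explicit rather than inferred from the event text.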