How to periodically update the computer password in AD on servers connected only to an RODC?

Jan Adolfsson 21 Reputation points
2021-09-06T17:39:59.82+00:00

How to automatically update the computer object password on servers that only have access to an RODC?


2 answers

  1. Leon Laude 85,701 Reputation points
    2021-09-06T18:20:05.047+00:00

    Hi @Jan Adolfsson ,

    This blog post might be helpful:
    Machine Account (AD Computer Object) Password Updates

    Quoting from it:

    Since computer password updates occur over secure channel, if the computer has an existing secure channel session with a RODC (the RODC has the existing computer’s password in its AD database), the RODC forwards the change request to a writable DC. The RODC then attempts to replicate the password using ReplicateSingleObject (RSO). If the computer’s password is not cached on the RODC (no secure session), the password change request follows the existing secure session the computer has with a writable DC.

    ----------

    If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!

    Best regards,
    Leon


  2. Limitless Technology 39,471 Reputation points
    2021-09-07T10:35:51.61+00:00

    Hello Jan,

    The domain name option in the Network Credentials dialog displays the domain targeted by the Active Directory Administrative Center by default. Your current credentials are used by default. If they do not include membership in the Domain Admins group, click Alternate Credentials, and click Set to provide the wizard with a user name and password that is a member of Domain Admins.

    The Specify the Password Replication Policy dialog enables you to modify the default list of accounts that are allowed to cache their passwords on this read-only domain controller. Accounts in the list configured with Deny or that are not in the list (implicit) do not cache their password. Accounts that are not allowed to cache passwords on the RODC and cannot connect and authenticate to a writable domain controller cannot access resources or functionality provided by Active Directory.

    To learn more about this issue, follow the link:

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/rodc/install-a-windows-server-2012-active-directory-read-only-domain-controller--rodc---level-200-

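The two answers above describe the mechanism (the RODC forwards the machine-account password change to a writable DC and then pulls it back with RSO) and the Password Replication Policy that decides whether the RODC may cache that computer's secret. The following PowerShell is an added example, not part of the thread, showing how an administrator can verify both sides: on the member server, that Netlogon's automatic rotation is enabled and the secure channel is healthy; from an admin workstation with the ActiveDirectory module, whether the computer is in the RODC's PRP lists, whether its password is actually cached there, and whether PasswordLastSet agrees between the RODC and a writable DC. The names RODC01 and MEMBER01 are placeholders; the Netlogon registry values, nltest switches and cmdlets are standard Windows ones.

```powershell
# Added example (not from the thread): check machine-account password rotation
# for a server that reaches only an RODC, then check the RODC side of the story.
# Placeholder names: RODC01 (the read-only DC), MEMBER01 (the member server).
# Part 1 runs on the member server; Part 2 runs where the ActiveDirectory module (RSAT) is installed.

# --- Part 1: on the member server ---

# Netlogon rotates the machine account password every MaximumPasswordAge days
# (default 30) unless DisablePasswordChange is 1. Read both so the expected
# behaviour is known before looking at the directory.
$netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
[pscustomobject]@{
    MaximumPasswordAgeDays = if ($null -ne $netlogon.MaximumPasswordAge) { $netlogon.MaximumPasswordAge } else { 30 }
    DisablePasswordChange  = [bool]$netlogon.DisablePasswordChange
}

# The change travels over the secure channel, so confirm the channel is healthy
# and see which DC it currently terminates on (the RODC, in this scenario).
nltest "/sc_query:$env:USERDNSDOMAIN"
if (-not (Test-ComputerSecureChannel)) {
    # Repair re-establishes the channel; it needs a writable DC to be reachable
    # through the RODC's forwarding path, which is exactly what the thread discusses.
    Test-ComputerSecureChannel -Repair -Verbose
}
# A manual rotation, if ever needed instead of waiting for Netlogon:
#   Reset-ComputerMachinePassword -Server 'RODC01' -Credential (Get-Credential)

# --- Part 2: from an admin workstation with the ActiveDirectory module ---

$rodc     = 'RODC01'
$computer = 'MEMBER01$'   # sAMAccountName of the computer account (placeholder)

# PRP lists as configured on the RODC. Note that entries are often groups
# (e.g. "Allowed RODC Password Replication Group"), so a direct -contains match
# only detects explicit entries; group membership must be checked separately.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Has the RODC actually cached ("revealed") this computer's password?
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Where-Object { $_.SamAccountName -eq $computer }

# Compare PasswordLastSet as seen by the RODC and by a writable DC. After a
# successful change the two converge once the RODC's RSO replication completes;
# a lasting mismatch means the forwarded change did not make it back.
$writableDc = [string](Get-ADDomainController -Discover -Writable).HostName
$onRodc     = Get-ADComputer -Identity $computer -Server $rodc       -Properties PasswordLastSet
$onWritable = Get-ADComputer -Identity $computer -Server $writableDc -Properties PasswordLastSet

[pscustomobject]@{
    Computer                = $computer
    ExplicitlyAllowedOnRodc = ($allowed.SamAccountName -contains $computer)
    ExplicitlyDeniedOnRodc  = ($denied.SamAccountName  -contains $computer)
    CachedOnRodc            = [bool]$revealed
    PasswordLastSetRodc     = $onRodc.PasswordLastSet
    PasswordLastSetWritable = $onWritable.PasswordLastSet
}
```

If CachedOnRodc is false, the computer has no cached secret on the RODC and, as the quoted blog post says, the change will only succeed if the server can still reach a writable DC for its secure channel; if the PasswordLastSet values differ for longer than a replication cycle, the forwarded change or the RSO pull back to the RODC is the place to look.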