Review the removal of the default members from the Denied RODC Password Replication Group

Why Consider this

One or more default members have been removed from the Denied RODC Password Replication Group. This group is used to ensure that passwords for certain highly-privileged users or groups are not cached on Read-Only Domain Controllers (RODCs). Removing default members from this group can create a security vulnerability.


Context & Best Practices

RODCs were introduced in Windows Server 2008. They are designed to provide some read-only domain controller functionality in environments that may be less physically secure than centralized IT departments or data centers, such as branch offices. The read-only nature of the RODC provides some functionality to local users while providing some protection from local security breaches to the broader corporate infrastructure.

RODCs are paired with a writeable domain controller (RWDC), which replicates changes to the RODC. If an RODC receives a write request, the request is forwarded to a RWDC over the Wide Area Network (WAN) link. The updates are then replicated back to the RODC.

RODCs are typically configured to allow certain user accounts (typically branch office staff) to authenticate locally, even if the WAN link to the central IT infrastructure is offline. To do this, the RODC needs to cache passwords for those users locally. If a user attempts to authenticate to an RODC and the RODC does not have a cached password for the user, the RODC forwards the request to a RWDC over the WAN link.

The Denied RODC Password Replication Group is a domain local group that specifies users and groups whose passwords cannot be cached on RODCs. By default, this group contains the following highly-privileged users and groups:

  • The Enterprise Domain Controllers group.
  • The Enterprise Read-Only Domain Controllers group.
  • The Enterprise Admins group.
  • The Domain Admins group.
  • The Schema Admins group.
  • The Group Policy Creator Owners group.
  • The Cert Publishers group.
  • The domain-wide krbtgt account.

Microsoft recommends that you do not remove these users and groups from the Denied RODC Password Replication Group.

Note: Domain controllers use a key derived from the password of the krbtgt account (the key distribution service account) to encrypt Kerberos Ticket-Granting Tickets (TGTs). As such, every domain controller needs a krbtgt account. To prevent compromised RODCs from jeopardizing other domain controllers, each RODC is given its own unique krbtgt account. This account is named krbtgt_[numbers], where [numbers] is a string of random numbers.

Suggested Actions

The Denied RODC Password Replication Group is used to specify users and groups whose passwords cannot be cached on RODCs. By default, this group contains various highly-privileged users or groups, such as domain administrators. Removing these default users and groups can increase the exposure of administrator passwords to RODCs. This in turn defeats some of the objectives of implementing RODCs, and may increase the vulnerability of the entire Active Directory forest.

Review the password replication policy for the RODC. The RODC should only be permitted to cache passwords for users who need to be able to log on locally, even if the Wide Area Network (WAN) link to the central IT infrastructure is offline. In the absence of a compelling business case for removing default members from the Denied RODC Password Replication Group, restore all default members to the group.
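The following PowerShell script is an added example (not part of this assessment or of Microsoft's own tooling) that compares the group's current membership against the default members listed above by well-known SID, so renamed or localized groups still match, and optionally re-adds any that are missing. It assumes the RSAT ActiveDirectory module, read access to the domain and its forest root, and the well-known RIDs from Microsoft's SID documentation (572 for the group itself).

```powershell
# Added example, not part of the assessment page. Compares the current members of the
# Denied RODC Password Replication Group against its default members by SID.
# Assumes the RSAT ActiveDirectory module and an account that can read the domain.
# Missing members are only re-added when -Restore is given.
param([switch]$Restore)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$root   = Get-ADDomain -Identity $domain.Forest   # forest root holds Enterprise/Schema Admins
$dSid   = $domain.DomainSID.Value
$rSid   = $root.DomainSID.Value

# Default members and their well-known SIDs (Microsoft's documented well-known RIDs)
$defaults = [ordered]@{
    'Enterprise Domain Controllers'           = 'S-1-5-9'
    'Enterprise Read-only Domain Controllers' = "$rSid-498"
    'Enterprise Admins'                       = "$rSid-519"
    'Domain Admins'                           = "$dSid-512"
    'Schema Admins'                           = "$rSid-518"
    'Group Policy Creator Owners'             = "$dSid-520"
    'Cert Publishers'                         = "$dSid-517"
    'krbtgt'                                  = "$dSid-502"
}

# Resolve the group by its well-known RID (572) and read the raw member DNs;
# the member attribute also lists foreign security principals such as S-1-5-9.
$group   = Get-ADGroup -Identity "$dSid-572" -Properties member
$present = foreach ($dn in $group.member) {
    (Get-ADObject -Identity $dn -Properties objectSid).objectSid.Value
}

$missing = $defaults.GetEnumerator() | Where-Object { $present -notcontains $_.Value }
if (-not $missing) {
    Write-Output "All default members are present in $($group.Name)."
    return
}
foreach ($m in $missing) {
    Write-Warning "Missing default member: $($m.Key) ($($m.Value))"
    if ($Restore) {
        # Add-ADGroupMember accepts a SID string as the member identity
        Add-ADGroupMember -Identity $group -Members $m.Value
    }
}
```

Run it without -Restore first to review the findings; re-adding members requires write access to the group.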

The links in the Learn More section provide more guidance on planning and configuring password replication policies.

Learn More

For general guidance on creating a password replication policy, see Password Replication Policy at https://technet.microsoft.com/library/cc730883.aspx.

For procedural guidance on configuring the password replication policy, see Administering the Password Replication Policy at https://technet.microsoft.com/library/rodc-guidance-for-administering-the-password-replication-policy.aspx.

For more information about credential caching on RODCs, see RODC Filtered Attribute Set, Credential Caching, and the Authentication Process with an RODC at https://technet.microsoft.com/library/cc753459.aspx.