A Better Technical Repository

Windows: RODC – Read Only Domain Controller authentication explained

If you are new to the Read Only Domain Controller concept, it is easy to get lost in the options and specifics. One aspect of an RODC that is sometimes misunderstood is that all users can still authenticate through it. You can allow and deny users and groups, but what is actually denied is the RODC's ability to cache the user’s credentials. In “Active Directory Users and Computers”, if you right-click an RODC and choose Properties, there is a new tab called “Password Replication Policy”. This tab lists the groups of users that are allowed or denied caching of their credentials on the server. Caching credentials speeds up authentication, but it also leaves the password hashes on the server.

Below is a great summary from Ned Pyle’s TechNet blog, “Understanding “Read Only Domain Controller” authentication”:

Now let’s take a look at the “Password Replication Policies” and how they affect the RODC authentication behavior. With the installation of an RODC, there are four new attributes and two built-in groups to support RODC operations:

  • msDS-Reveal-OnDemandGroup. This attribute points to the distinguished name (DN) of the Allowed List. The credentials of the members of the Allowed List are permitted to replicate to the RODC.
  • msDS-NeverRevealGroup. This attribute points to the distinguished names of security principals that are denied replication to the RODC. This has no impact on the ability of these security principals to authenticate using the RODC. The RODC never caches the credentials of the members of the Denied List. A default list of security principals whose credentials are denied replication to the RODC is provided. This helps ensure that RODCs are secure by default.
  • msDS-RevealedList. This attribute is a list of security principals whose passwords have ever been replicated to the RODC.
  • msDS-AuthenticatedToAccountList. This attribute contains a list of security principals in the local domain that have authenticated to the RODC. The purpose of the attribute is to help an administrator determine which computers and users are using the RODC for logon. This enables the administrator to refine the Password Replication Policy for the RODC.
  • Allowed RODC Password Replication Group. This group is added to the msDS-Reveal-OnDemandGroup.
  • Denied RODC Password Replication Group. This group is added to the msDS-NeverRevealGroup.

Note: The “Allowed RODC Password Replication Group” has no members by default, and the “Denied RODC Password Replication Group” contains all the ‘VIP’ accounts (Enterprise Administrators, Cert Publishers, Schema Administrators, etc.). As with most things, Deny always trumps Allow.

Using the commands for “Repadmin.exe” (this is built into Windows Server 2008) an administrator can modify the Password Replication Policy groups. To view the current PRP for a specified user:

Repadmin /prp view <RODC> {<List_Name>|<User>}
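The four attributes and two groups described above map directly onto cmdlets in the ActiveDirectory PowerShell module, which is the scripted counterpart to the Repadmin /prp view command. The script below is an added example, not code from the original post or from Ned Pyle’s article: it walks every RODC in the domain, reads the Allowed and Denied lists (msDS-Reveal-OnDemandGroup / msDS-NeverRevealGroup), the revealed list (msDS-RevealedList) and the authenticated-to list (msDS-AuthenticatedToAccountList), and reports two things a defender wants to know: cached credentials that belong to a Denied-list or privileged account, and accounts that log on through the RODC but are not cached (candidates for refining the PRP). The cmdlet names and parameters are real; the $VipPatterns list, the function name and the output shape are this example's own assumptions.

```powershell
# Added example: audit the Password Replication Policy and cached-credential state of each RODC.
# Requires the ActiveDirectory module (RSAT) and read access to the RODC computer objects.
# Cmdlet names are real; $VipPatterns and the report layout are choices made for this example.

Import-Module ActiveDirectory

# Privileged accounts/groups that should never show up in an RODC's revealed (cached) list.
# Constructed for this example; extend it to match your own tiering model.
$VipPatterns = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'krbtgt')

function Get-RodcPrpReport {
    param(
        # Optional: limit the report to one RODC by name; default is every RODC in the domain.
        [string]$Name
    )

    $rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
    if ($Name) { $rodcs = $rodcs | Where-Object { $_.Name -eq $Name } }

    foreach ($rodc in $rodcs) {
        # msDS-Reveal-OnDemandGroup and msDS-NeverRevealGroup, resolved to principals
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
        $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

        # msDS-RevealedList: accounts whose secrets have ever been replicated to this RODC
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
        # msDS-AuthenticatedToAccountList: accounts that have logged on through this RODC
        $authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts

        # Finding 1: a cached credential that is on the Denied list or matches a VIP pattern.
        # Deny trumps Allow, so this should be empty; anything listed here needs investigation.
        $deniedDns = @($denied | ForEach-Object { $_.DistinguishedName })
        $badCache = $revealed | Where-Object {
            $acct = $_
            ($deniedDns -contains $acct.DistinguishedName) -or
            [bool]($VipPatterns | Where-Object { $acct.Name -like "*$_*" })
        }

        # Finding 2: accounts that authenticate through this RODC but are not cached on it.
        # These depend on the WAN link to a writable DC; review them when refining the PRP.
        $revealedDns = @($revealed | ForEach-Object { $_.DistinguishedName })
        $uncached = $authenticated | Where-Object { $revealedDns -notcontains $_.DistinguishedName }

        [pscustomobject]@{
            RODC               = $rodc.Name
            Site               = $rodc.Site
            AllowedCount       = @($allowed).Count
            DeniedCount        = @($denied).Count
            RevealedCount      = @($revealed).Count
            AuthenticatedCount = @($authenticated).Count
            CachedVipOrDenied  = @($badCache | ForEach-Object { $_.SamAccountName })
            AuthButNotCached   = @($uncached | ForEach-Object { $_.SamAccountName })
        }
    }
}

# Example run: one record per RODC; a non-empty CachedVipOrDenied is the finding to chase.
Get-RodcPrpReport | Format-List
```

The same four lists are what Repadmin /prp view returns when you pass allow, deny, reveal or auth2 as the list name, so the report can be cross-checked against the command-line tool on a server without the AD module. Because Deny always trumps Allow, a non-empty CachedVipOrDenied result means either the Denied list was changed after the credential was cached or a privileged account sits outside the default Denied group; in both cases the cached secret on the RODC should be treated as exposed until the account's password is reset.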