Windows Advisor

Credential Caching on a Windows Server 2008 RODC

Admin wants to know what threat is posed with password caching if an RODC is stolen.

Q. I understand that the Read Only Domain Controller (RODC) in Windows Server 2008 caches passwords for users. How much of a threat is this caching if an RODC is stolen?

A. In Windows Server 2008, the RODC is a type of Domain Controller that only hosts a read-only partition of the Active Directory Domain Services (AD DS) database. You must have at least one writable copy of a Windows Server 2008, and the functional levels of domain and forest must be at least Windows Server 2003 or newer before you can deploy an RODC in your domain.

RODCs are meant to be deployed in remote offices where physical security might not be that great for you to place a writable DC, where you still need reliable authentication for users. Because RODCs only replicate in one direction (from writable DCs to themselves), you can't make changes to the RODC and replicate them to other writable DCs in your organization. With the exception of account passwords, an RODC contains all the objects that other writable DCs have. An RODC can also contain a read-only copy of the DNS database.

The caching of passwords that you referred to is known as "credential caching." With the exception of an RODC's computer account and a special krbtgt account that exists on all RODCs, by default RODCs do not store user or computer credentials. If you want to allow credential caching, you have to specifically allow it on RODCs.

Because credential caching can be limited to users who have authenticated to an RODC, you are limiting the exposure in case of a compromise. Typically, only a small subset of users in a branch office or remote location will have their credentials cached by an RODC. The password hashes are stored in the ntds.dit file (not in memory). If the RODC is stolen, these credentials can definitely be compromised. However, the entire AD database will not be at risk because user or computer credentials of all the other accounts in the organization will not be cached on the RODC.

As an administrator you can configure the default Password Replication Policy to disallow users' credentials from caching on an RODC. This will offer you a more secure environment because the users' authentication requests will be sent to a writable DC.

About the Author

Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide range of spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site,, is dedicated to technical resources for IT professionals. Zubair may be reached at [email protected].

comments powered by Disqus
Most   Popular