mat at samba.org
Thu Oct 18 12:06:47 MDT 2012
On 10/17/2012 10:21 AM, Edgar Olougouna wrote:
> There will be an update to MS-ADTS and I will communicate the change as soon as the draft is ready.
> However, the algorithm in MS-DRSR already covers the required processing.
> Allowed RODC Password Replication Group and Denied RODC Password Replication Group are by default added to attributes msDS-RevealOnDemandGroup and msDS-NeverRevealGroup respectively during dcpromo, therefore there is no extra processing needed, following the processing rules as documented in MS-DRSR 220.127.116.11.14 GetRevealSecretsPolicyForUser will get the right results. These attributes (msDS-RevealOnDemandGroup and msDS-NeverRevealGroup) are maintained by an administrator and implementations must not take a dependency on any specifics of their contents. More information relating to these attributes can be found in 18.104.22.168.2 MS-ADTS 22.214.171.124.2 Read-Only Domain Controller Object.
So if I read you right then it means that those groups are used only at
(rodc)dcpromo to populate the attributes that are used for checking in
Did you verify this behavior?
seems to indicate that it's a constant check
Reviewing the accounts that are authenticated to an RODC
You should periodically review the accounts that have been authenticated
to an RODC. This information can help you plan updates that you intend
to make to the existing PRP. For example, you may want to review which
user and computer accounts have authenticated to an RODC so that you can
add those accounts to the Allowed List.
You will probably see more accounts in the *Accounts that have been
authenticated to this Read-only Domain Controller* list than will have
passwords cached. Although you may see accounts of writeable domain
controllers or members of the Domain Admins group in the list of
authenticated accounts, it does not necessarily indicate that those
accounts authenticated to the domain through the RODC. Instead, it means
that the RODC in one way or another verified the credentials of those
accounts. All default administrative accounts and domain controllers are
denied explicitly or through their membership from having their
passwords cached. If there are additional accounts that you want to make
sure are not cached, include them in the Deny list or make them members
of the Denied RODC Password Replication Group. The Deny list comprises
the accounts that are specifically denied in the PRP from caching
their credentials on the RODC.
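An added example, not code from Samba, Microsoft or anyone in this thread: a small Python model of the allow/deny decision the thread is about, driven only by the RODC computer object's msDS-NeverRevealGroup and msDS-RevealOnDemandGroup attributes. It shows deny winning over allow, nested group membership being honoured, default deny for accounts listed in neither attribute, and (the point of Edgar's reply) that membership in the well-known Denied RODC Password Replication Group by itself changes nothing once that group is no longer referenced from the attribute. The domain, DNs, in-memory directory and function names are all constructed for illustration; the full MS-DRSR GetRevealSecretsPolicyForUser procedure has further special cases that this model leaves out.

```python
import copy
from typing import Dict, List, Set

# Constructed sample DNs for a hypothetical domain (not a real directory).
BASE = "DC=example,DC=com"
ALLOWED_GRP = f"CN=Allowed RODC Password Replication Group,CN=Users,{BASE}"
DENIED_GRP = f"CN=Denied RODC Password Replication Group,CN=Users,{BASE}"
DOMAIN_ADMINS = f"CN=Domain Admins,CN=Users,{BASE}"
BRANCH_USERS = f"CN=Branch Users,CN=Users,{BASE}"
ALICE = f"CN=alice,CN=Users,{BASE}"
BOB = f"CN=bob,CN=Users,{BASE}"
ADMINISTRATOR = f"CN=Administrator,CN=Users,{BASE}"
RODC = f"CN=RODC1,OU=Domain Controllers,{BASE}"

# Minimal in-memory directory: DN -> attributes.  'member' holds member DNs,
# as in AD.  The RODC object carries the two PRP attributes, which dcpromo
# populates by default with the two well-known groups.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    ALLOWED_GRP: {"objectClass": ["group"], "member": [BRANCH_USERS]},
    DENIED_GRP: {"objectClass": ["group"], "member": [DOMAIN_ADMINS]},
    DOMAIN_ADMINS: {"objectClass": ["group"], "member": [ADMINISTRATOR]},
    BRANCH_USERS: {"objectClass": ["group"], "member": [ALICE, ADMINISTRATOR]},
    ALICE: {"objectClass": ["user"]},
    BOB: {"objectClass": ["user"]},
    ADMINISTRATOR: {"objectClass": ["user"]},
    RODC: {
        "objectClass": ["computer"],
        "msDS-RevealOnDemandGroup": [ALLOWED_GRP],
        "msDS-NeverRevealGroup": [DENIED_GRP],
    },
}


def transitive_groups(dn: str, directory: Dict[str, Dict[str, List[str]]]) -> Set[str]:
    """Every group 'dn' belongs to, directly or through nested membership."""
    found: Set[str] = set()
    pending = [dn]
    while pending:
        current = pending.pop()
        for group_dn, attrs in directory.items():
            if current in attrs.get("member", []) and group_dn not in found:
                found.add(group_dn)
                pending.append(group_dn)
    return found


def reveal_secrets_allowed(rodc_dn: str, user_dn: str,
                           directory: Dict[str, Dict[str, List[str]]]) -> bool:
    """May this RODC cache user_dn's secrets?  Only the RODC object's
    msDS-NeverRevealGroup / msDS-RevealOnDemandGroup attributes are consulted;
    the well-known Allowed/Denied groups have no special status of their own."""
    rodc = directory[rodc_dn]
    # The account itself plus everything it is a (nested) member of: either
    # attribute may list users directly as well as groups.
    principals = {user_dn} | transitive_groups(user_dn, directory)
    # Deny takes precedence over allow.
    if principals & set(rodc.get("msDS-NeverRevealGroup", [])):
        return False
    if principals & set(rodc.get("msDS-RevealOnDemandGroup", [])):
        return True
    # Listed in neither attribute: not cached by default.
    return False


def decisions(rodc_dn: str, users: List[str],
              directory: Dict[str, Dict[str, List[str]]]) -> Dict[str, bool]:
    """Cacheability of each account on the given RODC."""
    return {u: reveal_secrets_allowed(rodc_dn, u, directory) for u in users}


def with_never_reveal_cleared(directory: Dict[str, Dict[str, List[str]]]):
    """Copy of the directory in which an administrator has emptied
    msDS-NeverRevealGroup on the RODC, leaving the Denied group's own
    membership untouched."""
    modified = copy.deepcopy(directory)
    modified[RODC]["msDS-NeverRevealGroup"] = []
    return modified


if __name__ == "__main__":
    for user, ok in decisions(RODC, [ALICE, BOB, ADMINISTRATOR], DIRECTORY).items():
        print(f"{user:60} cacheable={ok}")
    # Administrator is still a member of the Denied group via Domain Admins,
    # but the attribute no longer references that group, so the policy
    # now allows caching: the group is only an input at population time.
    print("Administrator after clearing msDS-NeverRevealGroup:",
          reveal_secrets_allowed(RODC, ADMINISTRATOR,
                                 with_never_reveal_cleared(DIRECTORY)))
```

With the sample data, alice is cacheable (Branch Users sits in the Allowed group), bob is not (listed nowhere), and Administrator is not (Domain Admins sits in the Denied group, which outranks the Allowed path via Branch Users). After the attribute is cleared, Administrator becomes cacheable despite unchanged group membership, which is the behaviour Edgar describes: the check is against the attributes, and the groups matter only insofar as the attributes point at them.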