Re: RODC ...

Meinolf,

My concern is we have a high user turnaround in our remote offices. Can I
simply create a PRP global group for each remote site and instruct my
helpdesk to add the new users to this group when creating new user accounts?
Thanks

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d70778cc14abc5213476@xxxxxxxxxxxxxxxxxxxxxxx
Hello southpaw,

Without PRP, logons are not possible, correct, but this is a one-time
configuration, so not an administrative overhead.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Sorry, one question.
Just to be clear, it seems as though there would be more administrative
overhead if we were to use RODCs in our remote sites. The reason being, for
example, we currently have local Win2003 DCs in our small remote offices,
and if the WAN link goes down I believe the users are still able to auth and
log on to the local DC and access local resources (file servers, shares,
printers, etc.) in that site.

My dilemma: we currently have in place a central helpdesk staff in corp
headquarters that creates all user accounts, etc.

From what I have gathered, it seems that if we were to replace our remote
Win2003 DCs with RODCs and the WAN link between the RODC and RWDC goes down,
users in the remote office will not be able to log on or access local
resources if PRP allow is not enabled for the remote user. Is this correct?

If so, this may be an administrative nightmare to manage for remote offices.

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d706a8cc14a51e11585b@xxxxxxxxxxxxxxxxxxxxxxx

Hello southpaw,

Only if the PRP is configured for that account will it be cached.
Only then are the users able to log on if the WAN link is down.

The Password Replication Policy acts as an access control list (ACL). It
determines if an RODC should be permitted to cache a password. After the
RODC receives an authenticated user or computer logon request, it refers
to the Password Replication Policy to determine if the password for the
account should be cached. The same account can then perform subsequent
logons more efficiently.

The Password Replication Policy lists the accounts that are permitted to
be cached, and accounts that are explicitly denied from being cached. The
list of user and computer accounts that are permitted to be cached does
not imply that the RODC has necessarily cached the passwords for those
accounts. An administrator can, for example, specify in advance any
accounts that an RODC will cache. This way, the RODC can authenticate
those accounts, even if the WAN link to the hub site is offline.

See also:
http://technet.microsoft.com/en-us/library/cc730883(WS.10).aspx

You should consider using a newsreader like Outlook Express or other
ones like Omea Reader, for example. That way you have a good overview
and do not rely on the web-based version.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hi Meinolf,

Sorry for the dupe post, but interestingly I can't find my post from
yesterday. Not sure why I can't see it. :-)

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d70638cc14a2a64abf42@xxxxxxxxxxxxxxxxxxxxxxx

Hello southpaw,

Please see the answer to your posting from yesterday.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hi,

By default, I believe I read somewhere, users' and computers'
passwords are cached on an RODC after first logon. I assume "yes",
correct? If so, when would I use PRP? Can you give an example?

What happens if the WAN link between my RODC and RWDC is down? Will
users still be able to log on and access local shared resources and
file shares in the local RODC site?
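
The per-site group approach discussed in this thread, as an added PowerShell example that is not part of the original posts: it puts one group on an RODC's allowed list, checks each member's resultant policy, and lists passwords cached on the RODC for accounts that are no longer in the group. The RODC, group and OU names are hypothetical, and the ActiveDirectory module (RSAT) is assumed.

```powershell
# Added example; all names below are hypothetical placeholders.
Import-Module ActiveDirectory

$Rodc      = 'BRANCH01-RODC'                 # hypothetical RODC
$GroupName = 'PRP-Allow-Branch01'            # hypothetical per-site PRP group
$GroupPath = 'OU=Groups,DC=example,DC=com'   # hypothetical OU

# 1. One-time setup: create the site group and add it to this RODC's allowed list.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
                         -GroupCategory Security -Path $GroupPath -PassThru
}
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
if ($allowed.DistinguishedName -notcontains $group.DistinguishedName) {
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $group
}

# 2. Helpdesk check: being on the allowed list is not enough. Membership in the
#    "Denied RODC Password Replication Group" (Domain Admins and other privileged
#    groups by default) wins, so report every member whose resultant policy is
#    not Allow. The site's workstation computer accounts belong in the group too,
#    since their passwords must also be cached for logon while the WAN is down.
$members = Get-ADGroupMember -Identity $group -Recursive
$report = foreach ($m in $members) {
    [pscustomobject]@{
        Account   = $m.SamAccountName
        Resultant = Get-ADAccountResultantPasswordReplicationPolicy `
                        -Identity $m.DistinguishedName -DomainController $Rodc
    }
}
$report | Where-Object { $_.Resultant -ne 'Allow' } | Format-Table -AutoSize

# 3. Turnover check: passwords already stored on the RODC for accounts that are
#    not (or no longer) in the site group. The RODC's own computer account and
#    its krbtgt_* account are expected in this list; anything else is a leaver
#    or mover whose password should be reset.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
                -Identity $Rodc -RevealedAccounts
$revealed |
    Where-Object { $members.DistinguishedName -notcontains $_.DistinguishedName } |
    Select-Object Name, ObjectClass, DistinguishedName
```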




