
0 Votes
JanAdolfsson-5178 asked

How to periodically update the computer password in AD on servers connected only to an RODC?

How to automatically update the computer object password on servers that only have access to an RODC?

windows-server

0 Votes
LeonLaude answered

Hi @JanAdolfsson-5178,

This blog post might be helpful:
Machine Account (AD Computer Object) Password Updates

Quoting from it:

Since computer password updates occur over secure channel, if the computer has an existing secure channel session with a RODC (the RODC has the existing computer’s password in its AD database), the RODC forwards the change request to a writable DC. The RODC then attempts to replicate the password using ReplicateSingleObject (RSO). If the computer’s password is not cached on the RODC (no secure session), the password change request follows the existing secure session the computer has with a writable DC.

If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!

Best regards,
Leon

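The behaviour quoted above can be checked from the member server itself: which DC holds the secure channel, whether that DC is an RODC that has cached (revealed) this computer's password, and whether the machine-account password is actually rotating on the Netlogon schedule. The following PowerShell is an added example, not code from the original thread or the linked blog post; it assumes the RSAT ActiveDirectory module and nltest.exe are available and that the caller may read the RODC's password replication usage. The function name Test-RodcMachinePasswordState and the one-week grace period are my own choices.

```powershell
# Added example (not from the original post). Run on the member server.
Import-Module ActiveDirectory

function Test-RodcMachinePasswordState {
    param([int]$MaxAgeDaysDefault = 30)   # Netlogon default when the registry value is absent

    $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
    $ageDays  = ((Get-Date) - $computer.PasswordLastSet).TotalDays

    # Local Netlogon policy: rotation interval, and whether rotation is switched off.
    $np  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $max = if ($np.MaximumPasswordAge) { [int]$np.MaximumPasswordAge } else { $MaxAgeDaysDefault }
    $disabled = ($np.DisablePasswordChange -eq 1)

    # Which DC currently holds our secure channel (nltest prints "Trusted DC Name \\dc").
    $scLine = (nltest "/sc_query:$($env:USERDNSDOMAIN)") | Where-Object { $_ -match 'Trusted DC Name' }
    if (-not $scLine) { throw 'No secure channel DC reported by nltest' }
    $scDc = ($scLine -replace '.*\\\\', '').Trim()

    $dc = Get-ADDomainController -Identity $scDc
    $revealed = $false
    if ($dc.IsReadOnly) {
        # Has this RODC cached (revealed) our password? If so it forwards the change
        # to a writable DC and pulls it back with RSO; if not, the change goes over
        # the secure channel to a writable DC directly.
        $revealed = [bool](Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -RevealedAccounts |
                       Where-Object { $_.SamAccountName -eq $computer.SamAccountName })
    }

    [pscustomobject]@{
        Computer           = $computer.Name
        SecureChannelDC    = $dc.HostName
        DCIsReadOnly       = $dc.IsReadOnly
        PasswordCachedOnDC = $revealed
        PasswordAgeDays    = [math]::Round($ageDays, 1)
        MaxAgeDays         = $max
        RotationDisabled   = $disabled
        # One week of grace for replication lag before calling the rotation overdue.
        Overdue            = (-not $disabled) -and ($ageDays -gt ($max + 7))
        SecureChannelOK    = Test-ComputerSecureChannel
    }
}

Test-RodcMachinePasswordState | Format-List
```

An Overdue result with SecureChannelOK true and PasswordCachedOnDC false points at the RODC-to-writable-DC path rather than at the server's own Netlogon settings.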

0 Votes
LimitlessTechnology-2700 answered

Hello Jan,

The domain name option in the Network Credentials dialog displays the domain targeted by the Active Directory Administrative Center by default. Your current credentials are used by default. If they do not include membership in the Domain Admins group, click Alternate Credentials, and click Set to provide the wizard with a user name and password that is a member of Domain Admins.

The Specify the Password Replication Policy dialog enables you to modify the default list of accounts that are allowed to cache their passwords on this read-only domain controller. Accounts in the list configured with Deny or that are not in the list (implicit) do not cache their password. Accounts that are not allowed to cache passwords on the RODC and cannot connect and authenticate to a writable domain controller cannot access resources or functionality provided by Active Directory.

To learn more about the issue, follow this link:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/rodc/install-a-windows-server-2012-active-directory-read-only-domain-controller--rodc---level-200-
