Step 4: Customize the RODC Filtered Attribute Set
Updated: June 29, 2009
Applies To: Windows Server 2008
The read-only domain controller (RODC) filtered attribute set (FAS) is a set of attributes of the Active Directory schema that is not replicated to an RODC. If you have data that you do not want to be replicated to an RODC in case it is stolen, you can add these attributes to the RODC FAS. If you add the attributes to the RODC FAS before you deploy the first RODC, the attributes are never replicated to any RODC.
As an alternative, you can add attributes to the RODC FAS after you deploy RODCs, but attribute values that have already replicated to an RODC may not be physically removed from the database or could still be present in an old local backup copy of the server. Therefore, if you want complete assurance that the attribute values do not appear on an RODC, add attributes to the FAS before you assign any values to them.
In addition, if you plan to add attributes to the RODC FAS, as a best practice, ensure that the forest functional level is Windows Server 2008. Until the forest functional level is Windows Server 2008, an RODC can replicate data of the RODC FAS from a global catalog server that is running Windows Server 2003.
Only a compromised RODC (for example, an RODC that is being used for malicious purposes) would attempt to replicate data from a global catalog server that is running Windows Server 2003.
To decide which attributes to add to the RODC FAS, review any schema extensions that have been performed in your environment and determine whether they contain credential-like data or not. In other words, you can exclude from consideration any attributes that are part of the base schema, and review all other attributes. Base schema attributes have the systemFlags attribute value 16 (0x10) set.
If this complete set of attributes is too large, you can also look at which attributes in your environment have the Confidential bit (0x80, or 128 in decimal format) for the searchFlags attribute set. These attributes are more likely to contain credential-like data that should not replicate to RODCs.
For example, you can use the Ldifde.exe tool to search the schema for attributes that are not part of the base schema and that have the confidential bit set by using the following Lightweight Directory Access Protocol (LDAP) search filter:
Ldifde /d "cn=schema,cn=configuration,dc=contoso,dc=com" /f output.ldf /p subtree /r "(&(objectClass=attributeSchema)(!(systemFlags:1.2.840.113518.104.22.1683:=16))(searchFlags:1.2.840.113522.214.171.1243:=128))"
You cannot add system-critical attributes to the RODC FAS. An attribute is system critical if it is required for Active Directory Domain Services (AD DS); Local Security Authority (LSA); Security Accounts Manager (SAM); or any of Microsoft-specific Security Service Providers, such as the Kerberos authentication protocol, to function properly. A system-critical attribute has a schemaFlagsEx attribute value of (schemaFlagsEx attribute value & 0x1 = TRUE).
For more information about the RODC FAS, see Adding Attributes to the RODC Filtered Attribute Set (http://go.microsoft.com/fwlink/?LinkId=153620).