Needless to say, this is not very efficient since it would only increase the traffic going between
domain controllers. You can enable credential caching on an RODC. In this case, when
an authentication request arrives, the RODC can check whether the user's password has already
been cached in the RODC's Active Directory database: if so, it can process the authentication
on its own; otherwise, it will forward the request to a writable DC and then store
the password for future authentication requests by the same account.
You can control how often this replication occurs with an RODC. You want it frequent
enough so that password changes are propagated effectively while minimizing
replication traffic.
137 Chapter 4: Active Directory Domain Services
This default behavior of caching credentials only of accounts that are
already authenticated limits the potential exposure of your domain database. If someone
were to gain access to this read-only data store, it would contain the cached passwords
of those accounts that have authenticated and not passwords of every account in your
domain. Since you will typically deploy RODCs at remote branch offices, this default
behavior is ideal, since only a very small subset of your users would be authenticating
from that site anyway.
To address maintenance concerns, Microsoft designed the RODC so that you can
delegate a regular user account with administrative rights specifically on your RODC
server.
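The following PowerShell script is an added example, not taken from the book, that puts the two points above into practice on a branch-office RODC: it scopes the Password Replication Policy to the branch's own users, lists which credentials the RODC has actually cached (the set that would be exposed if the read-only data store were compromised), flags any cached account that belongs to a privileged group, and delegates local administration of the RODC to a non-domain-admin group. It assumes the RSAT ActiveDirectory module and an account permitted to read and edit the PRP; the server and group names are placeholders.

```powershell
# Added example (not from the book): audit an RODC's Password Replication Policy,
# list the credentials it has actually cached, and delegate local administration.
# Assumes the ActiveDirectory module (RSAT) and a domain account with rights to read
# and edit PRP data. Server and group names below are placeholders, not real objects.
Import-Module ActiveDirectory

$Rodc        = 'BRANCH-RODC01'         # placeholder RODC hostname
$BranchGroup = 'Branch01-Users'        # placeholder group whose passwords may be cached
$RodcAdmins  = 'Branch01-RODC-Admins'  # placeholder group to delegate RODC local admin to

# 1. Confirm the target really is an RODC before touching its policy.
$dc = Get-ADDomainController -Identity $Rodc
if (-not $dc.IsReadOnly) { throw "${Rodc} is not a read-only domain controller" }

# 2. Allow caching only for the branch's own users. Privileged accounts stay in the
#    default 'Denied RODC Password Replication Group' and are therefore never cached.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup

# 3. Review the effective policy (explicit Allowed and Denied lists).
Write-Host "Allowed to be cached on ${Rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object -ExpandProperty Name
Write-Host "Never cached on ${Rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object -ExpandProperty Name

# 4. Exposure check: which secrets are actually stored on this RODC right now?
#    This is exactly what someone holding the RODC's database would obtain.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
Write-Host "Accounts with credentials cached on ${Rodc}: $($revealed.Count)"

# 5. Flag any cached account that belongs to a privileged group; none should appear.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                'Account Operators', 'Server Operators', 'Backup Operators')
foreach ($acct in $revealed) {
    $groups = Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName |
        Select-Object -ExpandProperty Name
    $hit = $groups | Where-Object { $privileged -contains $_ }
    if ($hit) {
        Write-Warning "Privileged account cached on ${Rodc}: $($acct.SamAccountName) ($($hit -join ', '))"
    }
}

# 6. Administrator Role Separation: setting managedBy on the RODC's computer object
#    makes that group local administrators of the RODC without granting domain rights.
Set-ADComputer -Identity $dc.ComputerObjectDN -ManagedBy (Get-ADGroup $RodcAdmins).DistinguishedName
```

Step 4 is the one worth scheduling: the revealed-accounts list grows as branch users authenticate, so reviewing it periodically (and pre-populating it only for accounts that genuinely work at that site) keeps the exposure of a lost or stolen RODC to the small subset the chapter describes.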