The Password Replication Policy can be configured when the AD DS role is being configured or afterward through Active Directory Users and Computers, within the Password Replication Policy tab of the RODC’s Properties sheet, shown in Figure 5-6.
FIGURE 5-6 The Password Replication Policy tab in an RODC’s Properties sheet.
You can add accounts to be cached by clicking Add. You can allow the accounts to have their credentials cached by clicking Allow Passwords For The Account To Replicate To This RODC or deny by clicking Deny Passwords For The Account From Replicating To This RODC, as shown in Figure 5-7.
FIGURE 5-7 Adding a security principal to the Password Replication Policy.
Clicking Advanced in the Properties sheet brings up the Advanced Password Replication Policy dialog box, as shown in Figure 5-8.
FIGURE 5-8 Advanced properties for Password Replication Policy.
The accounts shown in Figure 5-8 are stored on the RODC. You can clear this list with the following command, run as a Domain Admin:
repadmin /prp delete <server> auth2 /all
The Resultant Policy tab shows whether an account is allowed to cache its password at the RODC.
NOTE: WORKAROUND FOR PASSWORD CACHING
If the Allowed list contains more than 1,500 accounts (users, computers, or groups), the RODC stops caching passwords for all security principals. To work around this, add the security principals to a group and then add that group to the Allowed List.
A best practice related to RODCs is to create a separate group for each RODC, grant each group the right to cache passwords only on that RODC, and then prepopulate the RODC with the appropriate accounts.