Yesterday I ran into a small problem with RODC. As we all know, RODC (read-only domain controller) is a feature of Windows Server 2008 and later. After initial setup, a RODC replicates the AD database to itself with the exception of user and computer account passwords. This behavior can be changed by adding accounts to the group called “Allowed RODC Password Replication Group” or by modifying the properties of the RODC computer account in AD.
User and computer passwords are replicated to the RODC when the user tries to authenticate against it. But what if I wanted to pre-populate all user and computer passwords on the RODC before their first authentication attempt? You can do that from a full read/write domain controller by modifying the properties of the RODC computer account in AD, as you can see in the picture below.
The problem with this approach is that you can only do it for one account at a time. In other words, if you have 200 users whose passwords you want to pre-populate on the RODC, you have to pre-populate them one by one.
There is a workaround for this problem. We can use the dsquery, dsget and repadmin commands to pre-populate the passwords of all members of a group on the RODC. Here is a script that will do that:
For /F "delims=" %%a in ('"dsquery group dc=contoso,dc=com -name Finance | dsget group -members"') do (Repadmin /rodcpwdrepl BranchDC01 HQDC01 %%a)
Replace the group, OU and domain names with your own. Note that there is a single and then a double quotation mark in front of “dsquery” and after “members”: the double quotes let cmd run the dsquery | dsget pipeline as one command, and "delims=" keeps each whole quoted distinguished name in %%a even when it contains spaces.
NOTE: Make sure you also pre-populate the computer accounts if you want to be able to log in at the branch office when the connection to the main office fails. RODC can not pre-populate more than 1500 passwords.
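Putting the whole procedure together, here is an added example batch script (not the script from the post above) that pre-populates both the users of a group and the computers of a branch OU, then lists what the RODC actually cached. The RODC name BranchDC01, the writable DC HQDC01, the group Finance, the OU Branch and the domain contoso.com are placeholders taken from or modelled on the post; replace them with your own.

```batch
@echo off
REM Added example, not the original post's script. Assumes a RODC named BranchDC01,
REM a writable DC HQDC01, a group "Finance" and an OU "Branch" in contoso.com
REM (all placeholder names). Run it on a writable DC or on a machine with the
REM AD DS command-line tools (dsquery, dsget, repadmin) installed.
setlocal

set RODC=BranchDC01
set SRC_DC=HQDC01
set DOMAIN_DN=dc=contoso,dc=com

REM 1. Pre-populate the passwords of every member of the Finance group.
REM    "delims=" keeps the whole quoted DN in %%a even when it contains spaces.
for /f "delims=" %%a in ('"dsquery group %DOMAIN_DN% -name Finance | dsget group -members"') do (
    repadmin /rodcpwdrepl %RODC% %SRC_DC% %%a
)

REM 2. Pre-populate the computer accounts in the branch OU, so users can still
REM    log on at the branch when the WAN link is down.
REM    -limit 0 removes dsquery's default cap of 100 results.
for /f "delims=" %%c in ('dsquery computer ou=Branch,%DOMAIN_DN% -limit 0') do (
    repadmin /rodcpwdrepl %RODC% %SRC_DC% %%c
)

REM 3. Verify: list the accounts whose secrets are now cached on the RODC.
repadmin /prp view %RODC% reveal

endlocal
```

repadmin /rodcpwdrepl only succeeds for accounts that the RODC's password replication policy allows, so put the group (and the branch computers) in “Allowed RODC Password Replication Group” or the RODC's own allow list first; the "reveal" view at the end is the quickest way to confirm which accounts were actually cached and to spot the ones that were refused.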