LAPS and RODC

Question

_{Friday, September 20, 2019 4:48 PM}

We have second thoughts about adding the ms-Mcs-AdmPwd attribute to a RODC because of it being stored clear text.  Will omitting the attribute from the RODC affect LAPS working properly?  Will LAPS just look for one of our other DCs instead?

All replies (2)

_{Tuesday, September 24, 2019 1:29 AM}

If you have an RODC installed in the environment and you need to replicate the value of the attribute ms-Mcs-AdmPwd to the RODC. You will need to change the 10th bit of the searchFlags attribute value for ms-Mcs-AdmPwd schema objet to 0 (substract 512 from the current value of the searchFlags attribute).

Source:

/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754794(v=ws.10)?redirectedfrom=MSDN

In fact, for RDOC question, you’d better ask for help from Directory Services forum.

https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverDS

The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn. 

Thanks for your understanding and cooperating.

I search online and find out a good article for you

Add or Remove Active Directory attributes from Read-Only Domain Controllers (RODCs)

https://www.petri.com/modify-the-read-only-domain-controller-filtered-attribute-set-using-adsi-edit

Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Regards

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].

_{Thursday, October 3, 2019 9:43 AM}

We have not heard from you in a couple of days. Please post back at your convenience if we can assist further.

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].