
I have numerous servers that sit in a DMZ, which has an RODC in it as well. As you probably know, the machine passwords change after a certain amount of time, after which I have to disjoin and rejoin these machines to the domain.

Is there a better practice to prevent this from happening, other than having the servers never change their passwords?

What are the security risks of not having these machines change their passwords?

burns

1 Answer


http://technet.microsoft.com/en-us/library/cc754218(v=ws.10).aspx says, basically, to add the computer objects to Allowed RODC Password Replication Group. At least, that is what I'm testing, as I've run across the same issue as you describe.

Falcon Momot
  • I do that when joining the server to the RODC. Manually setting the password on the RODC, which then replicates to the main DCs, works fine. However, once the server changes its password, it is not allowed to update the RODC. Password replication between the RODC and the DCs is not an issue in my situation. – burns Dec 18 '14 at 18:52
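The steps the answer describes, scripted in PowerShell as an added example (this is not code from the answer or the comment above). The RODC name (RODC01), the DMZ server names (WEB01, WEB02) and the use of the domain's default "Allowed RODC Password Replication Group" are assumptions; substitute your own names. Run it from a management host with the ActiveDirectory module, with rights to modify the group on a writable DC.

```powershell
# Added example, not from the original answer. Assumed names: RODC01, WEB01, WEB02.
Import-Module ActiveDirectory

$rodc     = 'RODC01'
$dmzHosts = 'WEB01', 'WEB02'                         # DMZ member servers (assumed)
$prpGroup = 'Allowed RODC Password Replication Group' # domain default allowed group

# 1. The allowed list is changed on a writable DC; an RODC cannot take the write.
$writableDc = (Get-ADDomainController -Discover -Writable).HostName

# 2. Add the COMPUTER accounts (not user accounts) to the allowed group.
foreach ($name in $dmzHosts) {
    $computer = Get-ADComputer -Identity $name -Server $writableDc
    Add-ADGroupMember -Identity $prpGroup -Members $computer -Server $writableDc
}

# 3. Confirm the membership is what you expect before trusting the RODC with it.
Get-ADGroupMember -Identity $prpGroup -Server $writableDc |
    Where-Object { $_.objectClass -eq 'computer' } |
    Select-Object Name, DistinguishedName

# 4. Show the RODC's allowed list, so you can see the group really is on it.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass

# 5. After replication and after each server has authenticated through the RODC,
#    its secret should appear among the accounts the RODC has cached.
$samNames = $dmzHosts | ForEach-Object { "$_`$" }     # computer SAM names end in '$'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Where-Object { $samNames -contains $_.SamAccountName } |
    Select-Object SamAccountName, DistinguishedName

# 6. From one of the DMZ servers, check the secure channel against the RODC.
#    If it is broken, Reset-ComputerMachinePassword is the repair step to try
#    before falling back to a disjoin/rejoin; the new password must still be
#    written to a writable DC, so the RODC needs its normal path to one.
# Test-ComputerSecureChannel -Server $rodc -Verbose
# Reset-ComputerMachinePassword -Server $rodc
```

Step 5 is the check that matters for the problem in the question: the allowed list only says the RODC *may* cache the account; `-RevealedAccounts` shows whether it actually has. Step 6 is commented out because it runs on the member server, not the management host, and it will still fail if the RODC has no route to a writable DC when the password change is forwarded.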