Remove confidential attributes from Read-Only Domain Controllers

Hello all,

Hope this post finds you in good health and spirit.

This post is regarding how we can exclude the confidential attributes from RODC database. As we know RODC contain the read only database and only sync the password for those accounts which we allow in password sync group.

I have seen many active directory admin just install and configured the RODC at remote location where there is less physical as well less network security. but they do not take the advantage of its features. Many companies has custom attributes that contains the confidential information about theirs employee as well password information if they are using the two way authentication by Vasco as well PKI services.

There are many PKI and Vasco related attributes that has confidential information and these should be excluded from RODC database.

Suppose, your RODC server stolen from remote location. Now what will happened? Everyone know that there will be no risk if someone stolen the RODC, he/she only can read the active directory database and he/she can not do anything with user’s credentials and same goes for DNS if DNS installed on RODC.

But please keep in mind, if your company has custom attributes for confidential information or your company use the two way authentication or PKI related services, Then What will happened?

Hacker easily get the information from these attributes and can publish on social media or can miss-use the confidential information.So this post is about how we can prevent such issue. To protect the confidential information from hacker or unauthorized peoples, exclude the highly confidential information from RODC database. if we exclude these attributes from replication,those will not be replicated to RODC database.

In this post, we are going to exclude the attribute ms-PKI-AccountCredentials from RODC database or we can also say that we are removing this attribute value from RODC database means this value will not be synced to RODC.

Attribute Search Flags Value

Search Flags Value is showing 0 that means its syncing to RODC database.

To exclude this value, please follow the below steps:-

To identify Schema Master by netdom query the following command in the command prompt.

Schema Master details.png

Login to Schema master domain controller via -E account as there should be -E account for such types of activities and access should only granted whenever any activity scheduled and access should be revoked immediately after activity completion.Please avoid to make such types of changes by normal accounts.

  • Perform AD health Check, confirm all replication is working. You can do the replication checks by executing Repadmin /replsummary command. This will give the replication status for entire forest. If you guys has some script for AD health check, do the same if not then just do the health check by DCDIAG tool. This is inbuilt tool and its very easy to use.
  • Confirm or Create the registry key to enable the schema to be updated on the Schema Master domain controller.

Key Name: HLLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Value Name: Schema Update Allowed
Value Type: REG_DWORD
Value Data: 1

Schema Update Allowed Registry
  • Kindly disable the outbound replication before start the schema changes. Doing this we can stop the replicate changes to entire forest if in case of any issue comes. It is very important and recommended to disabling outbound replication on a domain controller will not have any effect on inbound replication; the DC will still receive updates from its other replication partners unless you disable inbound replication on them as well.

repadmin.exe /options  <server name> +DISABLE_OUTBOUND_REPL

Disable Outbound Replication

When your replication is disabled, warning events 1115 will be generated from source NTDS General will be logged in the Directory Service event log.

warning events 1115

Once Outbound replication stopped, Do the schema changes to exclude these attributes from RODC database.

  • Open the Run windows and type ADSIEDIT.Msc as we are going to make the changes in schema partition.
ADSIEDIT

ADSIEDIT-Console will look like as below-

ADSIEDIT-Console

Do the right click on ADSI Edit and click on connect as per below screenshot.

ADSI Edit Console

Put the details in connect setting as per screenshot.Select the well known naming context as Schema and under computer details, put the schema master details. You can get these details by netdom tool.Kindly check this article to know about how we can check the FSMO roles.

Click on OK

Now All the attributes will show like below-

Attributes details

Its very difficult to check the required attribute details one by one. We can search the attribute by clicking on new query.

New Query for Attribute Search.png

Put the attribute details that need to be changed under schema partition and OK.

Attribute details

Go to the Search Flags value.

Search-Flag.png

Click on Edit

SearchFlagValue.png

If we see the value of this flags, its showing 0 and this was also showing when we ran the dsquey for ms-PKI-AccountCredentials attribute.

Change the value from 0 to 512 as 512 value is for RODC Filtered Attribute Set .

RODC Filtered Attribute Set Value

Click on OK, apply and again click on OK

RODC Filtered Attribute Set Value

Kindly check the search flags value for ms-PKI-AccountCredentials attribute by executing the following below command.

Rodc-Filtered-Set

We can see the changes in above screenshot. Now we have to do the health as well check the replication status on Schema master. All test passed and got the warning as outbound replication is disabled and changes can not be replicate to its partners.

DCDIAG Status

We also getting the below error while doing the replication checks.its throwing the error” The replication operation failed because of a schema mismatch between the servers involved

Attempts to replicate AD when schema information is not consistent between the DC partners involved will result in a “Schema Mismatch” error status. This symptom can be manifested in a number of different ways as outlined above. However the underlying cause of the error being raised can vary.

The AD schema has been recently updated One or more partners of a DC is reporting a schema mismatch for an extended period The registry and AD schema versions on the source DC are in sync and match the expected forest wide version.

It is possible that a reboot of the source DC will resolve the replication failures. The underlying cause is thought to be failure to correctly reload the in memory version of schema after the schema update has been received.

Please do not panic if you made any changes in AD schema . We have to wait for some time to replicate these changes to all domain controllers in domains. or you can force the replication between domain controllers.

We have wait to complete the replication then check the status. After some time it has been replicated to all domain controllers and clear the schema mismatch error.

Replication Status.png

Now we can enable the outbound replication as everything is working perfectly and we can replicate these changes to entire forest.

To start outbound replication for a specific DC, Use this command

repadmin.exe /options <server name> -DISABLE_OUTBOUND_REPL  

Enabling the Outbound Replication

When your replication is enable, warning events 1116 will be generated from source NTDS General will be logged in the Directory Service event log.

Event 1116

After completion of entire forest replication, Kindly login to RODC and check the value for ms-PKI-AccountCredentials attribute. The value of this attribute should not be there and it should be show like “Not Set”

Attribute Value on RODC.png

Now this attribute value will not be synced to any of RODC in forest and it will protect from miss-use of this attribute information if in case of RODC stolen. This is just an example for RODC Filtered Attribute Set changes. There are many companies those has lot of custom attributes and that attributes contain the confidential information about organizations as some contain password related information. This is how we can exclude RODC Filtered Attribute set.

So, thatโ€™s all in this blog. I will meet you soon with next stuff .Have a nice day !!!

Guys please donโ€™t forget to like and share the post. You can also share the feedback on below windows techno email id.

If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.

How useful was this post?

Click on a star to rate it!