The real Enterprise Read-Only Domain Controllers group [498]

Posted: 3rd February 2009 by Christoffer Andersson in Uncategorized

It’s been yet another sleepless night working; actually I have a lot of stuff going on right now, and I guess I won’t feel too well when this week is over. Anyway, some interesting facts about the Enterprise Read-Only Domain Controllers group (yes, the _real_ one this time, with RID 498, not the FSP): have you ever looked through the members of that group? Why would you ever do that, isn’t it obvious that it’s going to contain the RODC accounts in the enterprise? Nope, in fact it won’t, it will always be empty :)

So how does this really work? Adprep /rodcprep stamps each NC head with an ACE (in order to allow RODCs to replicate changes from that NC). NDNCs are stamped with an ACE for the Enterprise Read-Only Domain Controllers group (note that the group doesn’t exist at this stage, but it always has the well-known RID 498, so that is how adprep does it).

But won’t replication of NDNCs fail, since Enterprise Read-Only Domain Controllers is granted the extended right Replicating Directory Changes but the group is empty? Nope, RODCs always include RID 498 in their token :)

So what do we really need the group for? It’s there for display purposes, so you don’t see something like (Unknown Account) when you look at the ACL.
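If you want to see this for yourself, the following PowerShell (an added example, not part of the original post) resolves the RID-498 SID from the forest-root domain SID, shows that the group resolves to a name but has no members, and walks every NC head checking whether that SID holds the Replicating Directory Changes extended right. It assumes the ActiveDirectory module (and its AD: drive) is available, that adprep /rodcprep has been run in the forest, and that the control-access-right GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes) is the "Replicate Changes" right the post refers to.

```powershell
# Added example (not from the original post): inspect the real Enterprise
# Read-Only Domain Controllers group (RID 498) and the ACEs adprep /rodcprep
# stamps on NC heads. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Control-access-right GUID for "Replicating Directory Changes"
# (DS-Replication-Get-Changes). Assumed to be the right the post means.
$ReplicateChangesGuid = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

# RID 498 is well known; the domain part comes from the forest-root domain SID.
$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$erodcSid   = New-Object System.Security.Principal.SecurityIdentifier `
                  ("$($rootDomain.DomainSID.Value)-498")

# The group exists (so the ACL displays a name), but its membership is empty.
$group   = Get-ADGroup -Identity $erodcSid.Value -Server $forest.RootDomain
$members = @(Get-ADGroupMember -Identity $group -Server $forest.RootDomain)
"Group '$($group.Name)' ($($erodcSid.Value)) has $($members.Count) member(s)"

# NC heads: every domain NC in the forest plus every application (non-domain) NC.
$ncHeads = @($forest.Domains | ForEach-Object { (Get-ADDomain -Identity $_).DistinguishedName }) +
           @($forest.ApplicationPartitions)

foreach ($nc in $ncHeads) {
    $acl  = Get-Acl -Path "AD:\$nc"
    $hits = @($acl.Access | Where-Object {
        # Only extended-right ACEs whose object type is the replication right
        # and whose trustee resolves to the RID-498 SID.
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $ReplicateChangesGuid -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $erodcSid.Value
    })
    [pscustomobject]@{
        NamingContext       = $nc
        RID498ReplicateACE  = ($hits.Count -gt 0)
        Trustee             = if ($hits.Count -gt 0) { $hits[0].IdentityReference.Value } else { $null }
    }
}
```

Run it from a forest member with RSAT; the Trustee column is where you would see (Unknown Account) or a raw SID if the group did not exist, which is exactly the display problem the group is there to avoid. The member count reported for the group is expected to be 0 regardless of how many RODCs the forest has, since the RID is injected into the RODC's token rather than recorded as group membership.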