How to Configure Credential Caching on Read-Only Domain Controller Windows Server 2016

By default, when a user attempts to log in to a computer at a branch site, the read-only domain controller (RODC) forwards the authentication to a writeable DC, because the RODC does not store user passwords. This happens every time the user logs in. However, a read-only domain controller can be configured to cache user passwords using the Password Replication Policy (PRP). With PRP, a user's password is replicated from the writeable DC to the read-only DC and cached there when that user logs in for the first time. During subsequent logins, the user is authenticated directly by the read-only DC.

This reduces users' login time, and they can still log in if the WAN link between the read-only DC and the writeable DC is down. It also helps when a read-only DC is configured at the main office data center and then shipped to the branch office.

In this article, I'll show you how to configure credential caching on a Windows Server 2016 read-only domain controller.

Configure Credential Caching on Read-Only Domain Controller

Step 1. Open the Server Manager dashboard. Click Tools -> Active Directory Users and Computers.

Screenshot: Active Directory Users and Computers

Step 2. In the ADUC MMC snap-in, expand the domain name. Click Domain Controllers -> right-click the read-only domain controller computer account -> Properties.


Step 3. Go to the Password Replication Policy tab and click Add.

Screenshot: Password Replication Policy tab

Step 4. Choose "Allow passwords for the account to replicate to this RODC" and click OK.

Step 5. Enter the user or computer account you wish to add to the Password Replication Policy and click OK.

Screenshot: Selecting the account to add

Step 6. Log in twice on the client machine (log in, log out, and log in again). The first login causes the password to replicate to the RODC and be cached there.

Step 7. Back on the Password Replication Policy tab, click Advanced.

Screenshot: Advanced settings

Step 8. You will see the newly added user in the list of accounts whose passwords are stored on this read-only domain controller. This confirms that the configuration is working and that the password has replicated to and been cached on the read-only domain controller.
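The same configuration and check can be done from PowerShell with the ActiveDirectory module. The script below is an added example, not part of the original article; the RODC name BRANCH-RODC01 and the account branch.user are placeholders. It also adds a check the GUI does not make obvious: an account that matches a Denied entry (such as membership in Administrators) will never be cached, even if it is added to the Allowed list.

```powershell
# Requires the ActiveDirectory module (RSAT) and rights to edit the RODC's PRP.
Import-Module ActiveDirectory

# Placeholder names: replace with the RODC computer account and the branch account.
$Rodc = 'BRANCH-RODC01'
$Account = 'branch.user'

# Denied entries take precedence over Allowed entries, so adding a member of a
# denied group (for example Administrators) would never result in caching.
# Only direct group memberships are checked here; nested groups are not resolved.
$denied    = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
$principal = Get-ADUser -Identity $Account
$groups    = Get-ADPrincipalGroupMembership -Identity $Account
$blocked   = (@($principal) + @($groups)) |
    Where-Object { $denied.DistinguishedName -contains $_.DistinguishedName }

if ($blocked) {
    Write-Warning "Not adding $Account - it matches Denied entry: $($blocked.Name -join ', ')"
    return
}

# Equivalent of Steps 3-5: add the account to the RODC's Allowed list.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Account

# Equivalent of Steps 7-8: list accounts whose passwords are stored on the RODC.
# The account appears here only after its first logon through this RODC (Step 6).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass |
    Format-Table -AutoSize
```

Run the last command again after the second client login to confirm the account is listed; if it is absent, check the Denied list and the account's group memberships before adding more accounts.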

Screenshot: Accounts whose passwords are stored on the RODC
