Tags: denied, passwords, prepopulate, rodc, shares

#1
RODC prepopulate passwords and now access denied on shares

I recently configured PRP for a branch site and immediately prepopulated passwords for all users for that site. Bizarrely, users at this site could not access shares on a local file server, getting access denied. This only happened after I prepopulated their passwords, as before they could access the shares OK. After a bit of troubleshooting it looked like anyone who authenticated against the branch site RODC was getting access denied when accessing shares. Users who were authenticating against a hub DC could access the shares fine. I decided to remove the allowed groups from the Password Replication Policy to stop anyone from having their passwords cached by the RODC, and this seemed to make things better as everyone started authenticating against a hub DC and therefore could access the shares. The problem is I need to allow all branch users to cache their passwords again in the event that the WAN link goes down. So my question is, if I re-create my allow list within PRP will this cause the same problems all over again, or do I need to reset all passwords for the user accounts at that site?

#2
Re: RODC prepopulate passwords and now access denied on shares

Howdie!

paperhat wrote:
> The problem is I need to allow all branch users to cache their passwords
> again in the event that the WAN link goes down.
> So my question is, if I re-create my allow list within PRP will this cause
> the same problems all over again or do I need to reset all passwords for the
> user accounts at that site?

Okay, the problem does indeed look weird. In order to have users log on locally when the WAN link is down, you either have to pre-populate the passwords or allow the passwords to be cached on RODCs and have users and computers logged on once correctly.

I am not sure as to why people would be denied access after you pre-populated their passwords, but I'd start another try. Make sure you pre-populate both user and computer passwords on the RODC, as both are needed for successful authentication. Also, once you have pre-populated passwords, I'd try to log people off and re-log them in if they had open sessions while you populated the passwords.

Also, a network trace could reveal what's going on.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your lab.

#3
Re: RODC prepopulate passwords and now access denied on shares

I second Florian! You have to cache the credentials of both users and their respective computers in order to have a successful authentication.

"paperhat" <paperhat@discussions.ms.com> wrote in message news:80CED9F9-8C38-4FEB-ACB0-6A0656499AB4@microsoft.com...
> I recently configured PRP for a branch site and immediately prepopulated
> passwords for all users for that site. Bizarrely users at this site could
> not access shares on a local file server, getting access denied.
> This only happened after I prepopulated their passwords as before they
> could access the shares ok.
> After a bit of troubleshooting it looked like anyone who authenticated
> against the branch site RODC were getting access denied when accessing
> shares. Users who were authenticating against a hub DC could access the
> shares fine.
> I decided to remove the allowed groups from the Password Replication Policy
> to stop anyone from having their passwords cached by the RODC and this
> seemed to make things better as everyone started authenticating against a hub DC
> and therefore could access the shares.
>
> The problem is I need to allow all branch users to cache their passwords
> again in the event that the WAN link goes down.
> So my question is, if I re-create my allow list within PRP will this cause
> the same problems all over again or do I need to reset all passwords for
> the user accounts at that site?

#4
Re: RODC prepopulate passwords and now access denied on shares

Yes, I understand that the computer accounts have to be cached as well, and this was the case. We may have found the problem now though, as it turns out. I added 2 groups to the PRP allowed list, one for users and one for computers. All the accounts appear to have been cached at some point. But upon further investigation, when you check group membership on a writeable DC all users are part of the users group; however, when you check the same group membership on the RODC then there are no members, so somewhere at some point replication failed. By removing the users from the group and re-adding them it starts updating on the RODC also, confirming that replication is happening again. Tested this so far with one user and they can now access shares when authenticating against the RODC.

"Florian Frommherz [MVP]" wrote:
> Howdie!
>
> paperhat wrote:
> > The problem is I need to allow all branch users to cache their passwords
> > again in the event that the WAN link goes down.
> > So my question is, if I re-create my allow list within PRP will this cause
> > the same problems all over again or do I need to reset all passwords for the
> > user accounts at that site?
>
> Okay, the problem does indeed look weird. In order to have user log
> locally when the WAN link is down, you either have to pre-populate the
> passwords or allow the passwords to be cached on RODCs and have users
> and computers logged on once correctly.
>
> I am not sure as to why people would be denied access after you
> pre-populated their passwords, but I'd start another try. Make sure you
> pre-populate both user and computer passwords on the RODC as both are
> needed for successful authentication. Also, once you pre-populated
> passwords, I'd try to log people off and re-log them in if they had open
> session while you populated the passwords.
>
> Also, a network trace could reveal what's going on.
>
> Cheers,
> Florian
> --
> Microsoft MVP - Group Policy
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
> ANY advice you get on the Newsgroups should be tested thoroughly in your
> lab.
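The root cause in post #4 was a group whose membership had replicated to the writable DCs but not to the RODC. The following PowerShell script is an added example (not code posted in this thread) that makes that check routine: it reads each PRP group from a hub DC and from the RODC, lists members the RODC is missing, shows which accounts the RODC has actually cached, and prints the RODC's inbound replication status. The server names, domain suffix and group names are placeholders; it assumes the ActiveDirectory module (RSAT) and repadmin are available and the caller has read access to both DCs.

```powershell
# Added example, not from the thread: detect a PRP group whose membership
# differs between a writable DC and the RODC, and show what the RODC has cached.
Import-Module ActiveDirectory

$HubDC  = 'HUBDC01.corp.example'       # placeholder: a writable hub DC
$Rodc   = 'BRANCHRODC01.corp.example'  # placeholder: the branch RODC
$Groups = 'Branch-PRP-Users', 'Branch-PRP-Computers'  # placeholders: groups on the PRP Allowed list

foreach ($g in $Groups) {
    # Ask each DC for its own copy of the group. -Server pins the query to that DC,
    # so a difference here is a replication problem, not a directory change in flight.
    $onHub  = @(Get-ADGroupMember -Identity $g -Server $HubDC -Recursive |
                Select-Object -ExpandProperty SamAccountName)
    $onRodc = @(Get-ADGroupMember -Identity $g -Server $Rodc -Recursive |
                Select-Object -ExpandProperty SamAccountName)

    # Members the hub knows about that the RODC's replica lacks.
    $missing = @($onHub | Where-Object { $onRodc -notcontains $_ })

    "{0}: {1} member(s) on {2}, {3} on {4}, {5} missing on the RODC" -f `
        $g, $onHub.Count, $HubDC, $onRodc.Count, $Rodc, $missing.Count
    $missing | ForEach-Object { "    missing on RODC: $_" }
}

# What the RODC is allowed to cache (its PRP Allowed list) ...
"`nPRP Allowed list on $Rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# ... versus the user and computer accounts whose secrets it has actually cached.
# A branch user or workstation absent from this list will fall back to the hub DC
# (and fail to authenticate at all if the WAN link is down).
"`nAccounts currently cached on $Rodc"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass | Format-Table -AutoSize

# Inbound replication status for the RODC (RODCs never replicate outbound).
# Any partner showing a failure here explains a stale group replica.
"`nInbound replication status for $Rodc"
repadmin /showrepl $Rodc
```

If a group shows members on the hub but none on the RODC, fix replication first (the repadmin output names the failing partner) and re-run the script until the counts agree; only then re-populate passwords, because the RODC evaluates its Allowed list against its own copy of the group, so accounts missing from the stale replica are never cached.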