The Filtered Attribute Set (FAS) is the set of attributes that are NOT replicated to a Read-Only Domain Controller (RODC).

The default FAS contains the following:

  • ms-PKIDPAPIMasterKeys
  • ms-PKIAccountCredentials
  • ms-PKIRoamingTimeStamp
  • ms-FVEKeyPackage
  • ms-FVERecoveryPassword
  • ms-TPMOwnerInformation

Filtered Attribute Set attributes are NOT replicated, in case the Read-Only Domain Controller is placed at a lower-security site and is then compromised.

Additional attributes may be added to the Filtered Attribute Set so that they will NOT be replicated.

Attributes that have been added to the Filtered Attribute Set have the fRODCFilteredAttribute X-SEARCH-FLAGS value.
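An offline check of which schema attributes carry that flag, as an added example that is not part of the original page. It assumes X-SEARCH-FLAGS corresponds to the searchFlags attribute of each attributeSchema object, that fRODCFilteredAttribute is bit 0x200, and that the schema has been exported to LDIF; the attribute names and values in the sample are constructed.

```python
import re

# searchFlags bit names for attributeSchema objects (values per MS-ADTS).
SEARCH_FLAGS = {
    0x001: "fATTINDEX", 0x002: "fPDNTATTINDEX",
    0x004: "fANR", 0x008: "fPRESERVEONDELETE",
    0x010: "fCOPY", 0x020: "fTUPLEINDEX",
    0x040: "fSUBTREEATTINDEX", 0x080: "fCONFIDENTIAL",
    0x100: "fNEVERVALUEAUDIT", 0x200: "fRODCFilteredAttribute",
}
F_CONFIDENTIAL, F_RODC_FILTERED = 0x080, 0x200

# Constructed sample: hypothetical attributes in trimmed LDIF form, not a real export.
SAMPLE_LDIF = """\
dn: CN=Example-Vault-Secret,CN=Schema,CN=Configuration,DC=example,DC=test
lDAPDisplayName: exampleVaultSecret
searchFlags: 640

dn: CN=Example-Badge-PIN,CN=Schema,CN=Configuration,DC=example,DC=test
lDAPDisplayName: exampleBadgePIN
searchFlags: 128

dn: CN=Example-Nickname,CN=Schema,CN=Configuration,DC=example,DC=test
lDAPDisplayName: exampleNickname
searchFlags: 1
"""

def decode_search_flags(value):
    """Return the names of all known bits set in a searchFlags integer."""
    return [name for bit, name in SEARCH_FLAGS.items() if value & bit]

def parse_schema(ldif):
    """Yield (lDAPDisplayName, searchFlags) per record; folded lines are not handled."""
    for record in re.split(r"\n\s*\n", ldif.strip()):
        fields = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if "lDAPDisplayName" in fields:
            yield fields["lDAPDisplayName"], int(fields.get("searchFlags", "0"))

def audit_fas(ldif):
    """Return (attributes in the FAS, confidential attributes still sent to RODCs)."""
    attrs = list(parse_schema(ldif))
    in_fas = [n for n, f in attrs if f & F_RODC_FILTERED]
    review = [n for n, f in attrs if f & F_CONFIDENTIAL and not f & F_RODC_FILTERED]
    return in_fas, review

if __name__ == "__main__":
    for name, flags in parse_schema(SAMPLE_LDIF):
        print(f"{name}: {flags} -> {decode_search_flags(flags)}")
    print("FAS: %s; confidential but replicated: %s" % audit_fas(SAMPLE_LDIF))
```

The second list is a review aid: attributes marked confidential but not filtered are the usual candidates to consider adding to the FAS before deploying an RODC.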

An attribute CANNOT be a member of a Filtered Attribute Set if one of the following conditions is true:

