Overview#

Filtered Attribute Set (FAS) is the set of attributes NOT replicated to a Read-Only Domain Controller (RODC).

The default FAS contains the following:

• ms-PKIDPAPIMasterKeys
• ms-PKIAccountCredentials
• ms-PKIRoamingTimeStamp
• ms-FVEKeyPackage
• ms-FVERecoveryPassword
• ms-TPMOwnerInformation

Filtered Attribute Set attributes ARE NOT replicated, in case the Read-Only Domain Controller is placed at a lower security site and then compromised.

Additional Attributes may be added to the Filtered Attribute Set so they will NOT replicated

Filtered Attribute Set attributes will have the fRODCFilteredAttribute X-SEARCH-FLAGS value if they have been added.

An attribute CANNOT be a member of a Filtered Attribute Set if one of the following conditions is true:

• FLAG_ATTR_NOT_REPLICATED bit is set in attribute systemFlags of the attributeSchema object;
• FLAG_ATTR_REQ_PARTIAL_SET_MEMBER bit is set in attribute systemFlags of the attributeSchema object;
• FLAG_ATTR_IS_CONSTRUCTED bit is set in attribute systemFlags of the attributeSchema object;
• FLAG_ATTR_IS_CRITICAL bit is set in attribute schemaFlagsEx of the attributeSchema object;
• systemOnly of the attributeSchema object is true;

More Information#

There might be more information for this subject on one of the following:

• FAS
• FRODCFilteredAttribute
• Read-Only Domain Controller
• X-SEARCH-FLAGS