Read-Only Domain Controller


A Read-Only Domain Controller (RODC) is a read-only Microsoft Active Directory Domain Controller.

The Filtered Attribute Set (FAS) is the set of attributes NOT replicated to a Read-Only Domain Controller. The default FAS contains the following:

- ms-PKI-DPAPIMasterKeys
- ms-PKI-AccountCredentials
- ms-PKI-RoamingTimeStamp
- ms-FVE-KeyPackage
- ms-FVE-RecoveryPassword
- ms-TPM-OwnerInformation

Attributes in the FAS are not replicated to an RODC, which limits what is exposed if the RODC is placed at a lower-security site and then compromised. You can therefore add further attributes to the FAS so that they are not replicated either.
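To audit which attributes are actually in the FAS of a forest, the following added example (not part of the original page) queries the schema partition and compares the result with the default list above. It assumes the ActiveDirectory PowerShell module is available and relies on the schema convention, not stated on this page, that FAS membership is recorded as bit 0x200 of an attribute's `searchFlags` and the confidential flag as bit 0x80.

```powershell
# Added example: list the Filtered Attribute Set (FAS) from the AD schema.
# Assumes the ActiveDirectory module (RSAT) and read access to the schema partition.
Import-Module ActiveDirectory

# Default FAS as listed on this page (these are the schema object names, i.e. the CN).
$defaultFas = @(
    'ms-PKI-DPAPIMasterKeys', 'ms-PKI-AccountCredentials', 'ms-PKI-RoamingTimeStamp',
    'ms-FVE-KeyPackage', 'ms-FVE-RecoveryPassword', 'ms-TPM-OwnerInformation'
)

$CONFIDENTIAL = 0x80   # searchFlags bit: attribute is marked confidential

$schemaNc = (Get-ADRootDSE).schemaNamingContext

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule;
# 512 (0x200) is the searchFlags bit that places an attribute in the FAS.
$fas = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=512))' `
    -Properties lDAPDisplayName, searchFlags

# One row per FAS attribute, showing whether it is a default entry or a local addition
# and whether it is also marked confidential.
$fas | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{
        Name         = $_.Name
        LdapName     = $_.lDAPDisplayName
        SearchFlags  = '0x{0:X}' -f $_.searchFlags
        InDefaultFas = $defaultFas -contains $_.Name
        Confidential = [bool]($_.searchFlags -band $CONFIDENTIAL)
    }
} | Format-Table -AutoSize

# Default entries that are NOT flagged in this schema (absent attribute or cleared bit).
$missing = $defaultFas | Where-Object { $fas.Name -notcontains $_ }
if ($missing) {
    Write-Warning ("Default FAS attributes not filtered in this schema: " + ($missing -join ', '))
}
```

Rows with `InDefaultFas` set to False are attributes someone has added to the FAS; rows with `Confidential` set to False are filtered from RODC replication but still readable on writable domain controllers by any principal with ordinary read access.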

