Overview#
Read-Only Domain Controller (RODC) is a read-only Microsoft Active Directory Domain Controller.
The Filtered Attribute Set (FAS) is the set of attributes NOT replicated to a Read-Only Domain Controller. The default FAS contains the following:
– ms-PKI-DPAPIMasterKeys
– ms-PKI-AccountCredentials
– ms-PKI-RoamingTimeStamp
– ms-FVE-KeyPackage
– ms-FVE-RecoveryPassword
– ms-TPM-OwnerInformation
Attributes in the FAS aren’t replicated to an RODC, so they are not exposed if the RODC is placed at a lower security site and then compromised. You can therefore add further attributes to the FAS to keep them from being replicated as well.