The real Enterprise Read-Only Domain Controllers group [498]

It’s been yet another sleepless night working, actually I have a lot of stuff going on right now, I guess I don’t will feel too well when this week is over, anyway some interesting facts about the Enterprise Read-Only Domain Controllers group (Yes the _real_ one this time, with RID 498 that’s not an FSP), have you ever look thru the members of that group? Why would you ever do that, isn’t it obvious that it’s going to contain the RODC accounts in the enterprise? Nope, in fact it won’t, it will always be empty J

So how does this really work? Adprep /rodcprep stamps each NC head with an ACE (in order to allow RODCs replicate changes from the NC), NDNCs are stamped with an ACE for the Read-Only Enterprise Domain Controllers group (Note that the group doesn’t exist at this stage, but always has a well-known RID of 498, so that’s how adprep dose it)

But won’t replication of NDNCs fail as Enterprise Read-Only Domain Controllers is granted extended-right Replicate Changes but the group is empty? Nope RODCs will always include the RID 498 in its token J

So what do we really need the group for? It’s there for display purposes, so you don’t have to see something like (Unknown Account) if you look at the ACL.


I was working late tonight to finish my session “Incorporate RODCs (Read Only Domain Controllers) to your existing Active Directory” that I’m going to present at Microsoft TechDays 17-18 mars in Västerås. If you’re interested in a deep dive session (level 400+) about Read-Only Domain Controllers, then my session is for you, read more at:

However, I was about to reproduce a bug that we have found with “adprep /rodcprep” to include it in the session, and how to correct and avoid it to happen, when I was reviewing the security of my NCs I noticed a strange group: NT AUTHORITYENTERPRISE READ-ONLY DOMAIN CONTROLLERS BETA. It’s a part of the NT AUTHORITY and my guess is that this group was introduced in my forest in the early days of Longhorn Server when there was still a requirement to have the PDC running Longhorn Server in order to incorporate RODCs to your forest. Now days (Post Beta 3) Enterprise Read-Only Domain Controllers and Read-Only Domain Controllers (Domain specific) is created in your domain using a trigger that happens on the promotion of the first RODC or the first Pre-Stage of an RODC.