If your network topology includes a perimeter network (DMZ) that contains only read-only domain controllers (RODCs), you should consider the following when installing Password Manager in this environment.
RODCs do not accept writes, so a password change or reset performed by Password Manager is applied to a writable DC, which in this topology is in another Active Directory site. Until that change replicates to the RODCs in the perimeter network, a user whose password was just changed or reset may be unable to authenticate against an RODC with the new password.
To mitigate this issue, it is recommended to do the following when installing Password Manager in the perimeter network:
- Install Password Manager Service in a dedicated RODC replication hub site (as shown below), if this hub site exists in your environment.
- If Password Manager Service cannot be installed in the dedicated RODC replication hub site, do either of the following:
  - For your Management Policy, specify the appropriate writable DC from the hub site in the advanced settings of the domain connection. For more information, see Specifying advanced settings for domain connection.
  - For your Management Policy, specify the hub site in the list of Active Directory sites to which replication changes will be forced. For more information, see Specifying advanced settings for domain connection.
- Enable change notification on the site link between the dedicated RODC replication hub site (or the site in which an RODC is installed) and the site in which Password Manager Service is installed, so that changes are replicated as soon as they occur rather than on the site link's replication schedule.
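The following PowerShell is an added example, not part of the Password Manager documentation or product, that supports the three recommendations above: it lists the writable DCs in the hub site (candidates for the domain connection's writable DC setting), enables change notification on a site link by setting the USE_NOTIFY bit of the siteLink object's options attribute, and checks whether a password change made on the writable DC has reached the RODC by comparing pwdLastSet replication metadata on both servers. The site name "Hub-Site", site link name "Hub-DMZ", DC names "HUBDC01" and "DMZRODC01", and account "jdoe" are assumptions; replace them with your own. It requires the ActiveDirectory module (RSAT) and rights to modify the site link object in the Configuration partition.

```powershell
# Added example (not from the Password Manager documentation): helpers for the
# RODC perimeter-network mitigations. Names below are hypothetical.
# Requires the ActiveDirectory module and rights to edit the siteLink object.
Import-Module ActiveDirectory

# 1. Writable DCs in the hub site: candidates for the "writable DC" entry in the
#    Management Policy's domain connection advanced settings.
function Get-HubWritableDC {
    param([Parameter(Mandatory)][string]$HubSite)
    Get-ADDomainController -Filter { Site -eq $HubSite -and IsReadOnly -eq $false } |
        Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem
}

# 2. Enable change notification on a site link. Notification is bit 0x1
#    (USE_NOTIFY) of the siteLink "options" attribute; other bits
#    (0x2 TWOWAY_SYNC, 0x4 DISABLE_COMPRESSION) are preserved.
function Enable-SiteLinkChangeNotification {
    param([Parameter(Mandatory)][string]$SiteLinkName)
    $USE_NOTIFY = 0x1
    $link    = Get-ADReplicationSiteLink -Identity $SiteLinkName -Properties options
    $current = [int]($link.options)          # unset attribute ($null) becomes 0
    if (($current -band $USE_NOTIFY) -ne 0) {
        Write-Verbose "Change notification already enabled on $SiteLinkName (options=$current)"
        return $current
    }
    $new = $current -bor $USE_NOTIFY
    Set-ADReplicationSiteLink -Identity $SiteLinkName -Replace @{ options = $new }
    return $new
}

# 3. Has a password change made on the writable DC reached the RODC?
#    pwdLastSet is not a secret, so it replicates to RODCs in the normal
#    replication cycle; matching metadata versions mean the RODC has seen
#    the change that Password Manager wrote to the writable DC.
function Test-PasswordChangeReplicated {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$WritableDC,
        [Parameter(Mandatory)][string]$Rodc
    )
    $dn   = (Get-ADUser -Identity $SamAccountName -Server $WritableDC).DistinguishedName
    $meta = foreach ($dc in @($WritableDC, $Rodc)) {
        Get-ADReplicationAttributeMetadata -Object $dn -Server $dc -Properties pwdLastSet |
            Select-Object @{ n = 'Server'; e = { $dc } }, Version, LastOriginatingChangeTime,
                          LastOriginatingChangeDirectoryServerIdentity
    }
    [pscustomobject]@{
        User            = $SamAccountName
        WritableVersion = $meta[0].Version
        WritableChanged = $meta[0].LastOriginatingChangeTime
        RodcVersion     = $meta[1].Version
        RodcChanged     = $meta[1].LastOriginatingChangeTime
        Replicated      = ($meta[0].Version -eq $meta[1].Version)
    }
}

# Usage (hypothetical names):
Get-HubWritableDC -HubSite 'Hub-Site'
Enable-SiteLinkChangeNotification -SiteLinkName 'Hub-DMZ' -Verbose
Test-PasswordChangeReplicated -SamAccountName 'jdoe' -WritableDC 'HUBDC01' -Rodc 'DMZRODC01'
```

Run the check right after a test reset through Password Manager: while Replicated is false, the RODC still holds the pre-reset state and the user's new password will be rejected there. Note that the metadata comparison only shows that the attribute update has arrived; whether the RODC caches that user's credentials at all is governed by the RODC's Password Replication Policy, and `repadmin /rodcpwdrepl <RODC> <WritableDC> <UserDN>` can be used to push the password for an allowed account immediately.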