Server 2012 R2 Questions on Read Only Domain Controllers

This is just a placeholder for questions that I've thought of, but for whatever reason haven't gotten around to answering for myself. Feel free to chime in if you know any.

  1. What happens if a user tries to log in to a read only domain controller if their password has expired on the read/write domain controller, but there is no connection between the RODC and the regular DC?
  2. What happens if a user with cached credentials on a RODC attempts to change their password? What if the RODC is no longer connected to the regular network?
  3. What happens if a user with credentials that are cached on a disconnected RODC goes to corporate, changes their password (because they want to or are forced by policy), and then returns to the site with the disconnected RODC?
  4. What is the design purpose of having to add a domain controller to the "Cloneable Domain Controllers" group before creating a clone?
  5. What happens if you add a RODC into the "Cloneable Domain Controllers" group?
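
Before any of questions 1 through 3 can be tested in a lab, you need to know whether the RODC actually holds the user's secrets, and question 5 starts from the membership of that group. The following PowerShell is an added example, not part of the original post: it inspects the Password Replication Policy and the cached ("revealed") accounts on an RODC, and pre-populates one user's password so a disconnected-site test starts from a known state. The names RODC01, DC01 and jsmith are placeholders, and it assumes the ActiveDirectory module (RSAT) on a machine with domain admin rights.

```powershell
# Added example, not from the post. Assumptions: the RODC is RODC01, the writable
# DC is DC01, the test user is jsmith; run with the ActiveDirectory module as a
# domain admin.
Import-Module ActiveDirectory

$rodc = 'RODC01'
$rwdc = 'DC01'
$user = 'jsmith'

# Which DCs in the forest are read-only (question 5 involves one of these).
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object Name, Site, IPv4Address

# Current members of the group from questions 4 and 5.
Get-ADGroupMember -Identity 'Cloneable Domain Controllers' |
    Select-Object Name, objectClass

# The Password Replication Policy: who may, and who may never, have secrets cached here.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Accounts whose secrets the RODC holds right now ("revealed"), and accounts that
# have authenticated through it at all (served locally or forwarded to a writable DC).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object SamAccountName, ObjectClass

# The same fact from the user's side: the NTDS Settings objects of every RODC
# that holds this user's secrets.
Get-ADUser -Identity $user -Properties msDS-RevealedDSAs |
    Select-Object -ExpandProperty msDS-RevealedDSAs

# Pre-populate the user's password on the RODC before cutting the link, so the
# test for question 3 begins with the password known to be cached.
# -PasswordOnly replicates just the secret and fails if the PRP denies the user.
Sync-ADObject -Object $user -Source $rwdc -Destination $rodc -PasswordOnly

# Snapshot PasswordLastSet as each DC reports it; repeat after the change "at
# corporate" and after reconnection to see when the RODC catches up.
foreach ($dc in $rwdc, $rodc) {
    Get-ADUser -Identity $user -Server $dc -Properties PasswordLastSet |
        Select-Object @{n = 'DC'; e = { $dc }}, SamAccountName, PasswordLastSet
}
```

Running the read-only parts again after each step of the scenario (password expiry, a change attempt at the branch, a change at corporate, reconnection) gives a record of what the RODC actually held at each point, which is what the answers to the questions above have to be checked against.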

Creating a test lab for MCSA study

So despite 20 years experience administering Windows server networks I failed the 70-411 exam recently. I really got hammered on a couple of topics I knew I was weak on - NPS and VPN routing. Maybe it was just the luck of the draw. I went in hoping I'd take only a couple of flesh wounds if I got caught on material I didn't know, and instead found those 2 topics (on my exam) to be the most in depth. I

But I've decided some hands on time on some of these more obscure topics is in order. I say obscure because no one I know actually uses the Microsoft NPS or VPN routing solutions, but hey, I don't want to come across as bitter.

So I took an "old" Z800 workstation I had laying around and dumped some extra memory in it to get me to 32 GB. It's been my experience that RAM is the most limiting factor in setting up labs, as, just as in production, the CPU largely sits idle, and because we can be a little more tolerant of any sluggishness created by using a single disk.

I wanted to set up as complex an environment as possible, while not buying any more equipment. Fortunately, the Z800 comes with 2 NICs built in, which is all I needed.
  • Inside - 192.168.0.0/22 - An actual physical network connection to my production network
  • Outside - 192.168.11.0/24 - An actual physical network connection to a "stand alone" network connected to Cable Internet
  • My Private Net - 192.168.249.0/24 - To simulate my "main office"
  • My Private DR Net - 192.168.248.0/24 - To simulate my "DR" site
  • My Remote Net - 192.168.245.0/24 - To simulate a branch office - for RODCs lab

I intend to join all the networks together with a RRAS server running routing, and to be authentic I added two additional networks to simulate my leased lines / some general internetwork.
  • My Private Interconnect - 192.168.247.0/24 - to "connect" my main network and DR network
  • Remote Site Interconnect - 192.168.246.0/24 - to connect my main network to remote site network
After I did that I created my first virtual machine, a generation 2 Windows Server 2012 Std edition with GUI, and loaded up all the patches (including the massive UPDATE patch). Then I ran sysprep with generalize and shut the machine down before exporting it. With this "master" in place I hope to save myself a lot of time in the future as I deploy new VMs. If I were smart I'd be doing more of this with PowerShell, since experience teaches us that recognizing correct PowerShell commands is a Microsoft exam favorite (one I don't happen to agree with).

I imported two copies of my previously exported base machine and promptly loaded ADDS on the first to create the domain, which I quite imaginatively called test.local. Then I created a file server. That's it for now. In my next post, I'll talk about the remote access and routing server buildup, which MAY be the most complex part.
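
The build described across the last three paragraphs (switches for each listed network, a patched and sysprepped master, exported once and imported per VM, then the forest) is the kind of thing that is worth scripting. The following is an added example, not code from the post: it assumes a Hyper-V host on Windows Server 2012 R2 or Windows 8.1 whose two physical NICs appear as "Ethernet" and "Ethernet 2", a lab root of D:\Lab, an ISO at D:\ISO\2012R2.iso, and the switch and VM names shown, all of which are placeholders. The simulated networks are deliberately Private switches, so nothing in the lab reaches the production LAN on "Inside" except through the RRAS VM.

```powershell
# Added example, not from the post. Host-side commands first; the guest-side steps
# (sysprep, forest creation) are marked and run inside the VM, not on the host.
# Placeholders: D:\Lab, D:\ISO\2012R2.iso, NIC names "Ethernet"/"Ethernet 2",
# and all switch and VM names.
$labRoot = 'D:\Lab'
$iso     = 'D:\ISO\2012R2.iso'

# --- Host: switches. Two External switches bind the physical NICs; the five
# simulated networks are Private, so only VMs (and only the RRAS VM, by design)
# can bridge them to anything real.
New-VMSwitch -Name 'Inside'  -NetAdapterName 'Ethernet'   -AllowManagementOS $true
New-VMSwitch -Name 'Outside' -NetAdapterName 'Ethernet 2' -AllowManagementOS $false
$privateNets = 'Private-Main', 'Private-DR', 'Remote',
               'Private-Interconnect', 'Remote-Interconnect'
foreach ($net in $privateNets) { New-VMSwitch -Name $net -SwitchType Private }

# --- Host: the generation 2 master (UEFI, Secure Boot), booting the ISO once.
New-VM -Name 'Master' -Generation 2 -MemoryStartupBytes 2GB -Path $labRoot `
    -NewVHDPath "$labRoot\Master\Master.vhdx" -NewVHDSizeBytes 60GB -SwitchName 'Inside'
Add-VMDvdDrive -VMName 'Master' -Path $iso
Set-VMFirmware -VMName 'Master' -FirstBootDevice (Get-VMDvdDrive -VMName 'Master')
Start-VM -Name 'Master'

# --- Guest (Master): install Windows, apply updates, then generalize and power off:
#   C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe /shutdown
# /generalize strips the machine SID and other per-install identity so each
# imported copy is a distinct machine rather than a duplicate of the master.

# --- Host: export the powered-off master. Do not boot it again.
Export-VM -Name 'Master' -Path "$labRoot\Export"

# Import a copy with a new VM ID and its own copy of the VHDX.
function Import-LabVM {
    param([string]$Name, [string]$Switch)
    # 2012 R2 exports the config as <GUID>.xml; 2016 and later use .vmcx.
    $config = Get-ChildItem "$labRoot\Export\Master\Virtual Machines" -Filter *.xml |
        Select-Object -First 1
    $vm = Import-VM -Path $config.FullName -Copy -GenerateNewId `
        -VirtualMachinePath "$labRoot\$Name" -VhdDestinationPath "$labRoot\$Name"
    Rename-VM -VM $vm -NewName $Name
    Connect-VMNetworkAdapter -VMName $Name -SwitchName $Switch
    Start-VM -Name $Name
}
Import-LabVM -Name 'DC01' -Switch 'Private-Main'   # first DC for test.local
Import-LabVM -Name 'FS01' -Switch 'Private-Main'   # file server

# The RRAS VM is the only one with a foot on every network.
Import-LabVM -Name 'RRAS01' -Switch 'Inside'
foreach ($net in @('Outside') + $privateNets) {
    Add-VMNetworkAdapter -VMName 'RRAS01' -SwitchName $net
}

# --- Guest (DC01): after giving it a static address on 192.168.249.0/24,
# create the forest. The DSRM password is prompted for, not stored in the script.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName 'test.local' -DomainNetbiosName 'TEST' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -InstallDns -Force
```

Keeping the sysprepped master powered off and importing with -Copy -GenerateNewId is what makes the export reusable: each import gets its own VHDX and VM ID, and the generalize pass inside the guest is what keeps the copies from sharing the same machine identity.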