Wednesday, 8 December 2010

Useful Command Line Tools for Managing AD Environment

01. DNSCMD -
This command-line tool assists administrators in Domain Name System (DNS) management.



Source: http://technet.microsoft.com/en-us/library/cc778513%28WS.10%29.aspx

02. DCPROMO -
Installs and removes Active Directory Domain Services (AD DS).
For examples of how to use dcpromo, see Examples.
Source: http://technet.microsoft.com/en-us/library/cc732887%28WS.10%29.aspx




Monday, 6 December 2010

Implementing Windows Server 2008 File System Quotas

Refer to this link to read about File Server Resource Manager:

http://www.simple-talk.com/sysadmin/exchange/implementing-windows-server-2008-file-system-quotas/

Wbadmin start recovery - Command Syntax

Note
This subcommand applies only to Windows Server 2008.
To perform a recovery with this subcommand, you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the appropriate permissions. In addition, you must run wbadmin from an elevated command prompt. (To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.)
For examples of how to use this subcommand, see Examples.

Syntax

wbadmin start recovery
-version:<VersionIdentifier>
-items:{<VolumesToRecover> | <AppsToRecover> | <FilesOrFoldersToRecover>}
-itemtype:{Volume | App | File}
[-backupTarget:{<VolumeHostingBackup> | <NetworkShareHostingBackup>}]
[-machine:<BackupMachineName>]
[-recoveryTarget:{<TargetVolumeForRecovery> | <TargetPathForRecovery>}]
[-recursive]
[-overwrite:{Overwrite | CreateCopy | Skip}]
[-notRestoreAcl]
[-skipBadClusterCheck]
[-noRollForward]
[-quiet]

Parameters

 

Parameter Description
-version
Specifies the version identifier of the backup to recover in MM/DD/YYYY-HH:MM format. If you do not know the version identifier, type wbadmin get versions.
-items
Specifies a comma-delimited list of volumes, applications, files, or folders to recover.
  • If -itemtype is Volume, you can specify only a single volume—by providing the volume drive letter, volume mount point, or GUID-based volume name.
  • If -itemtype is App, you can specify only a single application. To be recovered, the application must have registered with Windows Server Backup. You can also use the value ADIFM to recover an installation of Active Directory. See Remarks for more information.
  • If -itemtype is File, you can specify files or folders, but they should be part of the same volume and they should be under the same parent folder.
-itemtype
Specifies type of items to recover. Must be Volume, App, or File.
-backupTarget
Specifies the storage location that contains the backup that you want to recover. This parameter is useful when the location is different from where backups of this computer are usually stored.
-machine
Specifies the name of the computer that you want to recover the backup for. This parameter is useful when multiple computers have been backed up to the same location. It should be used when -backupTarget is specified.
-recoveryTarget
Specifies the location to restore to. This parameter is useful if this location is different than the location that was previously backed up. It can also be used for restorations of volumes, files, or applications. If you are restoring a volume, you can specify the volume drive letter of the alternate volume. If you are restoring a file or application, you can specify an alternate recovery location.
-recursive
Valid only when recovering files. Recovers the files in the folders and all files subordinate to the specified folders. By default, only files which reside directly under the specified folders are recovered.
-overwrite
Valid only when recovering files. Specifies the action to take when a file that is being recovered already exists in the same location.
  • Skip causes Windows Server Backup to skip the existing file and continue with recovery of the next file.
  • CreateCopy causes Windows Server Backup to create a copy of the existing file so that the existing file is not modified.
  • Overwrite causes Windows Server Backup to overwrite the existing file with the file from the backup.
-notRestoreAcl
Valid only when recovering files. Specifies to not restore the security access control lists (ACLs) of the files being recovered from the backup.
By default, the security ACLs are restored (the default value is true). If this parameter is used, the ACLs for the restored files will be inherited from the location to which the files are being restored.
-skipBadClusterCheck
Valid only when recovering volumes. Skips checking the disks that you are recovering to for bad cluster information. If you are recovering to an alternate server or hardware, we recommend not using this parameter. You can manually run the command chkdsk /b on these disks at any time to check them for bad clusters, and then update the file system information accordingly.
Important
Until you run chkdsk as described, the bad clusters reported on your recovered system may not be accurate.
-noRollForward
Valid only when recovering applications. Allows for previous point-in-time recovery of an application if the latest version from the backups is selected. For other versions of the application that are not the latest, previous point-in-time recovery is done as the default.
-quiet
Runs the subcommand with no prompts to the user.

Remarks

  • To view a list of items that are available for recovery from a specific backup version, use wbadmin get items. If a volume did not have a mount point or drive letter at the time of backup, then this subcommand would return a GUID-based volume name that should be used for recovering the volume.
  • When the -itemtype is App, you can use a value of ADIFM for -items to perform an Install from Media operation to recover all the related data needed for Active Directory. ADIFM creates a copy of the Active Directory database, registry, and SYSVOL state, and then saves this information in the location specified by -recoveryTarget. Use this parameter only when -recoveryTarget is specified.
Note
Before using wbadmin to perform an Install from Media operation, you should consider using the ntdsutil command because ntdsutil only copies the minimum amount of data needed, and it uses a more secure data transport method.

Examples

To run a recovery of the backup from March 31, 2005, taken at 9:00 A.M., of volume d:, type:
wbadmin start recovery -version:03/31/2005-09:00 -itemType:Volume -items:d:
To run a recovery to drive d of the backup from March 31, 2005, taken at 9:00 A.M., of the registry, type:
wbadmin start recovery -version:03/31/2005-09:00 -itemType:App -items:Registry -recoverytarget:d:\
To run a recovery of the backup from March 31, 2005, taken at 9:00 A.M., of the d:\folder and folders subordinate to d:\folder, type:
wbadmin start recovery -version:03/31/2005-09:00 -itemType:File -items:d:\folder -recursive
To run a recovery of the backup from March 31, 2005, taken at 9:00 A.M., of the volume \\?\Volume{cc566d14-44a0-11d9-9d93-806e6f6e6963}\, type:
wbadmin start recovery -version:03/31/2005-09:00 -itemType:Volume -items:\\?\Volume{cc566d14-44a0-11d9-9d93-806e6f6e6963}\
To run a recovery of the backup from April 30, 2005, taken at 9:00 A.M., of the shared folder \\servername\share from server01, type:
wbadmin start recovery -version:04/30/2005-09:00 -backupTarget:\\servername\share -machine:server01 
 
Source: http://technet.microsoft.com/en-US/library/52381316-a0fa-459f-b6a6-01e31fb21612.aspx
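
The parameter table above restricts several switches to one item type and ties -machine and ADIFM to other parameters. The following is an added example, not part of the Microsoft reference, that checks a planned invocation against those rules before anything is restored. New-WbadminRecoveryArgs is a hypothetical helper name, and PowerShell 3.0 or later is assumed.

```powershell
# Added example. New-WbadminRecoveryArgs is a hypothetical helper, not part of wbadmin.
# It only builds and checks the argument list; it never starts a recovery.
function New-WbadminRecoveryArgs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Version,
        [Parameter(Mandatory)][ValidateSet('Volume', 'App', 'File')][string]$ItemType,
        [Parameter(Mandatory)][string[]]$Items,
        [string]$BackupTarget,
        [string]$Machine,
        [string]$RecoveryTarget,
        [ValidateSet('Overwrite', 'CreateCopy', 'Skip')][string]$Overwrite,
        [switch]$Recursive,
        [switch]$NotRestoreAcl,
        [switch]$SkipBadClusterCheck,
        [switch]$NoRollForward,
        [switch]$Quiet
    )

    $problems = New-Object 'System.Collections.Generic.List[string]'
    $warnings = New-Object 'System.Collections.Generic.List[string]'

    # -version must use the MM/DD/YYYY-HH:MM format reported by "wbadmin get versions".
    $when = [datetime]::MinValue
    $parsed = [datetime]::TryParseExact($Version, 'MM/dd/yyyy-HH:mm',
        [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$when)
    if (-not $parsed) { $problems.Add("-version '$Version' is not MM/DD/YYYY-HH:MM") }

    # Volume and App recoveries accept exactly one item.
    if ($ItemType -ne 'File' -and $Items.Count -ne 1) {
        $problems.Add("-itemtype:$ItemType accepts one item, got $($Items.Count)")
    }
    # File items must share one parent folder (and therefore one volume).
    if ($ItemType -eq 'File') {
        $parents = @($Items | ForEach-Object { [System.IO.Path]::GetDirectoryName($_) } |
            Sort-Object -Unique)
        if ($parents.Count -gt 1) {
            $problems.Add("file items span several parent folders: $($parents -join ', ')")
        }
    }

    # Switches that the table marks as valid for one item type only.
    $scoped = @(
        @{ Name = '-recursive';           Used = [bool]$Recursive;           Type = 'File' },
        @{ Name = '-overwrite';           Used = [bool]$Overwrite;           Type = 'File' },
        @{ Name = '-notRestoreAcl';       Used = [bool]$NotRestoreAcl;       Type = 'File' },
        @{ Name = '-skipBadClusterCheck'; Used = [bool]$SkipBadClusterCheck; Type = 'Volume' },
        @{ Name = '-noRollForward';       Used = [bool]$NoRollForward;       Type = 'App' }
    )
    foreach ($s in $scoped) {
        if ($s.Used -and $ItemType -ne $s.Type) {
            $problems.Add("$($s.Name) is valid only with -itemtype:$($s.Type)")
        }
    }
    if ($Machine -and -not $BackupTarget) {
        $problems.Add('-machine is meant to be used together with -backupTarget')
    }
    if ($ItemType -eq 'App' -and $Items -contains 'ADIFM' -and -not $RecoveryTarget) {
        $problems.Add('-items:ADIFM requires -recoveryTarget')
    }
    if ($problems.Count -gt 0) { throw ($problems -join '; ') }

    # Valid, but worth a second look before the command is run.
    if ($NotRestoreAcl) {
        $warnings.Add('ACLs are not restored; files inherit permissions from the restore location')
    }
    if ($Overwrite -eq 'Overwrite') { $warnings.Add('existing files will be replaced') }
    if ($SkipBadClusterCheck) { $warnings.Add('run chkdsk /b on the recovered disks afterwards') }
    if ($Items -contains 'ADIFM') {
        $warnings.Add('the recovery target will hold a copy of the AD database, registry and SYSVOL')
    }
    if ($Quiet) { $warnings.Add('-quiet suppresses every confirmation prompt') }

    $argList = @('start', 'recovery', "-version:$Version", "-itemtype:$ItemType",
        "-items:$($Items -join ',')")
    if ($BackupTarget)        { $argList += "-backupTarget:$BackupTarget" }
    if ($Machine)             { $argList += "-machine:$Machine" }
    if ($RecoveryTarget)      { $argList += "-recoveryTarget:$RecoveryTarget" }
    if ($Recursive)           { $argList += '-recursive' }
    if ($Overwrite)           { $argList += "-overwrite:$Overwrite" }
    if ($NotRestoreAcl)       { $argList += '-notRestoreAcl' }
    if ($SkipBadClusterCheck) { $argList += '-skipBadClusterCheck' }
    if ($NoRollForward)       { $argList += '-noRollForward' }
    if ($Quiet)               { $argList += '-quiet' }

    [pscustomobject]@{ Arguments = $argList; Warnings = $warnings.ToArray() }
}

# Constructed calls. The first is accepted with a warning, the second is rejected.
$plan = New-WbadminRecoveryArgs -Version '03/31/2005-09:00' -ItemType File `
    -Items 'd:\folder' -Recursive -NotRestoreAcl
"wbadmin $($plan.Arguments -join ' ')"
$plan.Warnings | ForEach-Object { "WARNING: $_" }

try {
    New-WbadminRecoveryArgs -Version '03/31/2005-09:00' -ItemType Volume -Items 'd:' -Recursive
} catch {
    "Rejected: $($_.Exception.Message)"
}
```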

Volume Shadow Copy Service Tools and Settings

Volume Shadow Copy Service Tools

The following tools are associated with the Volume Shadow Copy Service.

DiskRaid.exe: RAID Configuration Tool

Category
Windows Server 2003 Resource Kit tool
Version compatibility
Runs on computers running the Windows Server 2003 operating systems.
Enables configuration and management of redundant array of independent (or inexpensive) disks (RAID) storage subsystems.
To find more information about DiskRaid.exe, see “Resource Kit Tools” in the Tools and Settings Collection.

VSSadmin.exe: Volume Shadow Copy Service Administrative Tool

Category
Windows Server 2003 operating system tool
Version compatibility
Runs on computers running the Windows XP or Windows Server 2003 operating systems.
Displays current volume shadow copies and all installed shadow copy writers and providers in the command window. The Windows Server 2003 version of this command contains more parameters than the one that is in Windows XP.
To find more information about VSSadmin.exe, see “Command Line References” in the Tools and Settings Collection.

VolPerf.exe: Shadow Copy Performance Counters

Category
Windows Server 2003 Resource Kit tool
Version compatibility
Runs on computers running any of the Windows Server 2003 operating systems.
Enables administrators to use System Monitor to monitor their shadow copies.
To find more information about Volperf.exe, see “Resource Kit Tools” in the Tools and Settings Collection.

VolRest.exe: Shadow Copies for Shared Folders Restore Tool

Category
Windows Server 2003 Resource Kit tool
Version compatibility
Runs on computers running the Windows XP or Windows Server 2003 operating systems.
Searches for and restores previous file versions from shared folders that are protected by the Shadow Copies for Shared Folders feature. With VolRest, administrators can browse or restore previous versions of one or multiple files that are stored on a server where Shadow Copies for Shared Folders has been enabled.
To find more information about Volrest.exe, see “Resource Kit Tools” in the Tools and Settings Collection.

Vrfydsk.exe: Verify Disk

Category
Windows Server 2003 Resource Kit tool
Version compatibility
Runs on computers running Windows Server 2003 operating systems.
Checks the consistency and integrity of the file system (FAT or NTFS) on a specified volume. It creates and displays a status report for the volume based on the file system and also lists the errors on that volume, if any. However, if any errors are discovered, VrfyDsk cannot correct them. To correct these errors, run Chkdsk in fix mode.
To find more information about Vrfydsk.exe, see “Resource Kit Tools” in the Tools and Settings Collection.

Volume Shadow Copy Service Registry Entries

The following registry entries are associated with Volume Shadow Copy Service.
The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

VSS

The following registry entry is located under \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS.

VssAccessControl

Registry path
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
Version
Windows Server 2003
Enables or prevents a writer from using a specific user account.
In order for any writer to use the VSS infrastructure, the writer must run under an account that is a member of the local Administrators or Backup Operators group on the local computer. For example, a writer running under the Local System account meets this requirement. This is true for the vast majority of writers.
You can, however, enable a writer to use a specific user account by adding the appropriate registry entry. You can also prevent a writer from using a specific user account.
To enable a writer to use a specific user account, add a REG_DWORD entry whose name is the user name, and set the value of the entry to 1 (one).
To prevent a writer from using a specific user account, add a REG_DWORD entry whose name is the user name, and set the value of the entry to 0 (zero).

VOLSNAP

The following registry entry is located under \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VOLSNAP.

MinDiffAreaFileSize

Registry path
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VOLSNAP\MinDiffAreaFileSize
Version
Windows Server 2003
Controls the initial size of the shadow copy storage area for each snapshot. The MinDiffAreaFileSize registry key uses the REG_DWORD data type.
The MinDiffAreaFileSize registry key specifies the minimum size of the shadow copy storage area. The default size of the shadow copy storage area is 300 MB, and the maximum size is 3 gigabytes (GB). For an accurate setting, specify a value that is a multiple of 300 MB. Otherwise, the next multiple of 300 MB will be used. A value of 300 is equal to 300 MB, and a value of 3,000 is equal to 3 GB.
Shadow copies might not function correctly if the value of the MinDiffAreaFileSize registry key is larger than the maximum size of the shadow copy storage area. Before you change this registry entry, run the vssadmin list shadowstorage command. Make sure that the shadow copy storage area is larger than 300 MB or that the shadow copy storage area is larger than the value that is set in the registry. Also, make sure that you have at least 300 MB of free space on the shadow copy storage volume.
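
Because the registry editor does not validate these entries, a read-only check of what is actually stored is useful. The following is an added example, not part of the Microsoft reference, that lists the VssAccessControl entries with their state and checks MinDiffAreaFileSize against the 300 MB multiple and 3 GB maximum described above. Get-VssRegistryFinding is a hypothetical helper name, and PowerShell 3.0 or later is assumed.

```powershell
# Added example. Get-VssRegistryFinding is a hypothetical helper; it only reads the registry.
function Get-VssRegistryFinding {
    $findings = @()

    # VssAccessControl: one REG_DWORD per account, 1 = enabled, 0 = prevented.
    $aclKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl'
    if (Test-Path -Path $aclKey) {
        $key = Get-Item -Path $aclKey
        foreach ($name in $key.GetValueNames()) {
            $kind  = $key.GetValueKind($name)
            $value = $key.GetValue($name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                $state = 'Invalid'
                $note  = "type is $kind, expected REG_DWORD"
            } elseif ($value -eq 1) {
                $state = 'Enabled'
                $note  = 'writers may run under this account; confirm the entry is expected'
            } elseif ($value -eq 0) {
                $state = 'Prevented'
                $note  = 'writers may not run under this account'
            } else {
                $state = 'Invalid'
                $note  = "value $value is neither 0 nor 1"
            }
            $findings += [pscustomobject]@{
                Entry = 'VssAccessControl'; Name = $name; Value = $value
                State = $state; Note = $note
            }
        }
    }

    # MinDiffAreaFileSize: value in MB, rounded up to a multiple of 300, maximum 3 GB (3000).
    $snapKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\VOLSNAP'
    $prop = Get-ItemProperty -Path $snapKey -Name MinDiffAreaFileSize -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        $findings += [pscustomobject]@{
            Entry = 'MinDiffAreaFileSize'; Name = '(not set)'; Value = $null
            State = 'Default'; Note = 'default initial size of 300 MB applies'
        }
    } else {
        $mb        = [int64]$prop.MinDiffAreaFileSize
        $effective = [int64]([math]::Ceiling([double]$mb / 300) * 300)
        if ($mb -le 0) {
            $state = 'Invalid'; $note = 'value must be a positive number of MB'
        } elseif ($effective -gt 3000) {
            $state = 'Invalid'; $note = "effective size $effective MB exceeds the 3 GB maximum"
        } elseif ($mb -ne $effective) {
            $state = 'Rounded'; $note = "not a multiple of 300; $effective MB will be used"
        } else {
            $state = 'OK'; $note = 'compare with "vssadmin list shadowstorage" before changing'
        }
        $findings += [pscustomobject]@{
            Entry = 'MinDiffAreaFileSize'; Name = 'MinDiffAreaFileSize'; Value = $mb
            State = $state; Note = $note
        }
    }
    $findings
}

Get-VssRegistryFinding | Format-Table -AutoSize -Wrap
```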

Volume Shadow Copy Service WMI Classes

The following table lists and describes the WMI classes that are associated with the Volume Shadow Copy Service.
WMI Classes Associated with Volume Shadow Copy Service

 

Class Name | Namespace | Version Compatibility
Win32_ShadowBy | \root\cimv2 | Windows Server 2003 family
Win32_ShadowContext | \root\cimv2 | Windows Server 2003 family
Win32_ShadowCopy | \root\cimv2 | Windows Server 2003 family
Win32_ShadowDiffVolumeSupport | \root\cimv2 | Windows Server 2003 family
Win32_ShadowFor | \root\cimv2 | Windows Server 2003 family
Win32_ShadowOn | \root\cimv2 | Windows Server 2003 family
Win32_ShadowProvider | \root\cimv2 | Windows Server 2003 family
Win32_ShadowStorage | \root\cimv2 | Windows Server 2003 family
Win32_ShadowVolumeSupport | \root\cimv2 | Windows Server 2003 family
Win32_Volume | \root\cimv2 | Windows Server 2003 family

Friday, 3 December 2010

How to use Group Policy to remotely install software in Windows Server 2003 and in Windows Server 2008

This step-by-step article describes how to use Group Policy to automatically distribute programs to client computers or users. You can use Group Policy to distribute computer programs by using the following methods:
  • Assigning Software
    You can assign a program distribution to users or computers. If you assign the program to a user, it is installed when the user logs on to the computer. When the user first runs the program, the installation is finalized. If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is finalized.
  • Publishing Software
    You can publish a program distribution to users. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there.
Note Windows Server 2003 Group Policy automated-program installation requires client computers that are running Microsoft Windows 2000 or later.

Create a Distribution Point

To publish or assign a computer program, you must create a distribution point on the publishing server:
  1. Log on to the server computer as an administrator.
  2. Create a shared network folder where you will put the Microsoft Windows Installer package (.msi file) that you want to distribute.
  3. Set permissions on the share to allow access to the distribution package.
  4. Copy or install the package to the distribution point. For example, to distribute Microsoft Office XP, run the administrative installation (setup.exe /a) to copy the files to the distribution point.

Create a Group Policy Object

To create a Group Policy object (GPO) to use to distribute the software package:
  1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click your domain, and then click Properties.
  3. Click the Group Policy tab, and then click New.
  4. Type a name for this new policy (for example, Office XP distribution), and then press ENTER.
  5. Click Properties, and then click the Security tab.
  6. Click to clear the Apply Group Policy check box for the security groups that you want to prevent from having this policy applied.
  7. Click to select the Apply Group Policy check box for the groups that you want this policy to apply to.
  8. When you are finished, click OK.

Assign a Package

To assign a program to computers that are running Windows Server 2003, Windows 2000, or Microsoft Windows XP Professional, or to users who are logging on to one of these workstations:
  1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click your domain, and then click Properties.
  3. Click the Group Policy tab, select the group policy object that you want, and then click Edit.
  4. Under Computer Configuration, expand Software Settings.
  5. Right-click Software installation, point to New, and then click Package.
  6. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\file server\share\file name.msi.

    Important Do not use the Browse button to access the location. Make sure that you use the UNC path to the shared installer package.
  7. Click Open.
  8. Click Assigned, and then click OK. The package is listed in the right pane of the Group Policy window.
  9. Close the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
  10. When the client computer starts, the managed software package is automatically installed.

Publish a Package

To publish a package to computer users and make it available for installation from the Add or Remove Programs tool in Control Panel:
  1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click your domain, and then click Properties.
  3. Click the Group Policy tab, click the group policy object that you want, and then click Edit.
  4. Under User Configuration, expand Software Settings.
  5. Right-click Software installation, point to New, and then click Package.
  6. In the Open dialog box, type the full UNC path of the shared installer package that you want. For example, \\file server\share\file name.msi.

    Important Do not use the Browse button to access the location. Make sure that you use the UNC path to the shared installer package.
  7. Click Open.
  8. Click Publish, and then click OK.
  9. The package is listed in the right pane of the Group Policy window.
  10. Close the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
  11. Test the package:

    Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
    1. Log on to a workstation that is running Windows 2000 Professional or Windows XP Professional by using an account that you published the package to.
    2. In Windows XP, click Start, and then click Control Panel.
    3. Double-click Add or Remove Programs, and then click Add New Programs.
    4. In the Add programs from your network list, click the program that you published, and then click Add. The program is installed.
    5. Click OK, and then click Close.

Redeploy a Package

In some cases you may want to redeploy a software package, for example, if you upgrade or modify the package. To redeploy a package:
  1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click your domain, and then click Properties.
  3. Click the Group Policy tab, click the Group Policy object that you used to deploy the package, and then click Edit.
  4. Expand the Software Settings container that contains the software installation item that you used to deploy the package.
  5. Click the software installation container that contains the package.
  6. In the right pane of the Group Policy window, right-click the program, point to All Tasks, and then click Redeploy application. You will receive the following message:
    Redeploying this application will reinstall the application everywhere it is already installed. Do you want to continue?
  7. Click Yes.
  8. Quit the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.

Remove a Package

To remove a published or assigned package:
  1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click your domain, and then click Properties.
  3. Click the Group Policy tab, click the Group Policy object that you used to deploy the package, and then click Edit.
  4. Expand the Software Settings container that contains the software installation item that you used to deploy the package.
  5. Click the software installation container that contains the package.
  6. In the right pane of the Group Policy window, right-click the program, point to All Tasks, and then click Remove.
  7. Do one of the following:
    • Click Immediately uninstall the software from users and computers, and then click OK.
    • Click Allow users to continue to use the software but prevent new installations, and then click OK.
  8. Quit the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.

Troubleshoot

Published Packages Are Displayed on a Client Computer After You Use a Group Policy to Remove Them

This situation can occur when a user has installed the program but has not used it. When the user first starts the published program, the installation is finalized. Group Policy then removes the program.

Source: http://support.microsoft.com/kb/816102

Wednesday, 1 December 2010

Password Replication Policy Administration

Applies To: Windows Server 2008
This section provides procedures for the following administrative tasks that are related to Password Replication Policy for an RODC:

Configure the Password Replication Policy for an RODC

Administrative credentials
To configure the Password Replication Policy for an RODC, you must be a member of the Domain Admins group.

To configure the Password Replication Policy for an RODC

  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
  2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
  3. In the details pane, right-click the RODC computer account, and then click Properties.
  4. Click the Password Replication Policy tab, as shown in the following figure.
    [Figure: Password Replication Policy]
  5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed List and the Denied List on the RODC. To add other groups that should be included in either the Allowed List or the Denied List, click Add. To add other accounts that will not have credentials cached on the RODC, click Deny. To add other accounts that will have credentials cached on the RODC, click Allow.
    Accounts that will not have credentials cached on the RODC can still use the RODC for domain logon. The credentials, however, will not be cached for subsequent logon using the RODC.

View current credentials that are cached on an RODC

By default, the only credentials that are cached on an RODC are for the computer account of the RODC itself and a krbtgt account.
Administrative credentials
Any domain user can view current credentials that are cached on an RODC.

To view current credentials that are cached on an RODC

  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
  2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
  3. In the details pane, right-click the RODC computer account, and then click Properties.
  4. Click the Password Replication Policy tab.
  5. Click Advanced.
  6. In the drop-down list, click Accounts whose passwords are stored on this Read-only Domain Controller, as shown in the following illustration.
    [Figure: Advanced Password Policy Page]

Review whose accounts have attempted to authenticate to an RODC

Periodically, you should review whose accounts have tried to authenticate to an RODC. This information can help you plan updates that you intend to make to the existing Password Replication Policy. For example, look at which user and computer accounts have tried to authenticate to an RODC so that you can add those accounts to the Allowed List. After their credentials are cached on the RODC, the accounts can be authenticated by the RODC in the branch office when the wide area network (WAN) to the hub site is offline.
You can use the repadmin /prp move command to automatically move accounts that try to authenticate to an RODC to the Allowed List for that RODC. For more information, see Repadmin /prp (http://go.microsoft.com/fwlink/?LinkId=112118).
Administrative credentials
Any domain user can view which user and computer accounts have authenticated to an RODC.

To review the accounts that have been authenticated to an RODC

  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
  2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
  3. In the details pane, right-click the RODC computer account, and then click Properties.
  4. Click the Password Replication Policy tab.
  5. Click Advanced.
  6. In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller, as shown in the following illustration.
    [Figure: Accounts that have authenticated to RODC]
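
The two Advanced views described above (accounts whose passwords are stored on the RODC, and accounts that have authenticated to it) can also be read from the command line and compared with the effective Password Replication Policy. The following is an added example, not part of the Microsoft procedure. It assumes the ActiveDirectory PowerShell module is available and PowerShell 3.0 or later; Get-RodcPasswordExposure is a hypothetical helper name, and RODC15 is the server name from the Repadmin example on this page.

```powershell
# Added example; assumes the ActiveDirectory PowerShell module is installed.
# Get-RodcPasswordExposure is a hypothetical helper. It only reads from the directory.
Import-Module ActiveDirectory

function Get-RodcPasswordExposure {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Rodc)

    $dc = Get-ADDomainController -Identity $Rodc
    if (-not $dc.IsReadOnly) { throw "$Rodc is not a read-only domain controller" }

    # "Accounts whose passwords are stored on this Read-only Domain Controller"
    $cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -RevealedAccounts)
    # "Accounts that have been authenticated to this Read-only Domain Controller"
    $authed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -AuthenticatedAccounts)

    $cachedDn = @{}
    foreach ($a in $cached) { $cachedDn[$a.DistinguishedName] = $true }

    foreach ($acct in (($cached + $authed) | Sort-Object -Property DistinguishedName -Unique)) {
        $isCached = $cachedDn.ContainsKey($acct.DistinguishedName)

        # Cached by default: the RODC's own computer account and its krbtgt account.
        $isDefault = ($acct.DistinguishedName -eq $dc.ComputerObjectDN) -or
                     ($acct.SamAccountName -like 'krbtgt*')

        # Effective result of the Allowed List and Denied List for this account.
        $policy = Get-ADAccountResultantPasswordReplicationPolicy -Identity $acct -DomainController $dc

        if ($isCached -and $isDefault) {
            $action = 'Default cache entry'
        } elseif ($isCached -and "$policy" -ne 'Allow') {
            $action = 'Cached, although the policy no longer allows caching: review'
        } elseif ($isCached) {
            $action = 'Cached: password must be reset if this RODC is stolen'
        } elseif ("$policy" -eq 'Allow') {
            $action = 'Allowed but not cached yet: can be prepopulated'
        } else {
            $action = 'Authenticated only: review for the Allowed List'
        }

        [pscustomobject]@{
            Account = $acct.SamAccountName
            Class   = $acct.ObjectClass
            Cached  = $isCached
            Policy  = "$policy"
            Action  = $action
        }
    }
}

Get-RodcPasswordExposure -Rodc 'RODC15' | Sort-Object Cached, Account | Format-Table -AutoSize
```

Piping the same output to Export-Csv on a schedule keeps a record of the cached accounts that remains available even after the RODC account has been deleted.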

Prepopulate the password cache for an RODC

You can prepopulate the password cache for an RODC with the passwords of user and computer accounts that you plan to authenticate to it. When you prepopulate the RODC password cache, you trigger the RODC to replicate and cache the passwords for users and computers before the accounts try to log on in the branch office.
Prepopulating the password cache helps ensure that a user can log on to the network in the branch office, even if the WAN link to the data center is offline. For example, suppose that a user who normally works in the data center travels to a branch office and attempts to log on there with a laptop. The RODC contacts the writable domain controller in the data center. If the Password Replication Policy allows it, the RODC caches the password. However, if the WAN link is offline when the user attempts to log on, then the logon attempt fails because the RODC has not yet replicated the password for the account.
To avoid this problem, you can prepopulate the password cache of the RODC in the branch office with the password of the user and the laptop. This eliminates the need for the RODC to replicate the password from the Windows Server 2008 domain controller over the WAN link.
In addition, prepopulating the password cache is a good idea if you build an RODC in a central location, such as in a data center, before you transport the RODC to the branch office. By prepopulating the password cache with the users and computers who will log on in the branch office, the RODC can authenticate those accounts without contacting the Windows Server 2008 domain controller over the WAN link.
You can prepopulate the cache only for accounts that the Password Replication Policy allows to be cached. If you try to prepopulate a password of an account that the Password Replication Policy does not allow to be cached, the operation fails.
You can prepopulate the password cache for an RODC by using Active Directory Users and Computers or by using the Repadmin command-line tool.
Administrative credentials
To prepopulate the password cache for an RODC, you must be a member of the Domain Admins group.

To prepopulate the password cache for an RODC by using Active Directory Users and Computers

  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
  2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
  3. In the details pane, right-click the RODC computer account, and then click Properties.
  4. Click the Password Replication Policy tab.
  5. Click Advanced.
  6. Click Prepopulate Passwords.
  7. Type the name of the accounts whose passwords you want to prepopulate in the cache for the RODC, and then click OK.
  8. When you are asked if you want to send the passwords for the accounts to the RODC, click Yes.

To prepopulate the password cache for an RODC by using the Repadmin command-line tool

  1. Log on to a writable domain controller that is running Windows Server 2008.
  2. Click Start, right-click Command Prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Type the following command, and then press ENTER:
    repadmin /rodcpwdrepl [DSA_List] <Hub DC> <User1 Distinguished Name> [<Computer1 Distinguished Name> <User2 Distinguished Name> …]
    In the command, use the values from the following table.

     

    Placeholder | Value
    DSA_List | The name of the RODC whose password cache you want to prepopulate.
    Hub DC | The name of the writable Windows Server 2008 domain controller that is the replication partner of the RODC.
    User1, Computer1, … | The names of the user and computers whose passwords you want to cache on the RODC. You must add the computer accounts of the users or they cannot log on.
    For example, the following command prepopulates the password cache for RODC15 with the passwords for Mike Danseglio and his computer, MikeDanLaptop. The hub domain controller is named HUBDC12.
    Repadmin /rodcpwdrepl RODC15 HUBDC12 CN=MikeDan,OU=DatacenterUsers,DC=contoso,DC=com CN=MikeDanLaptop,OU=DatacenterComputers,DC=contoso,DC=com

Reset the current credentials that are cached on an RODC if it is stolen

Administrative credentials
To reset the current credentials that are cached on an RODC, you must be a member of the Domain Admins group.

To reset the current credentials that are cached on an RODC if it is stolen

  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
  2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
  3. In the details pane, right-click the RODC computer account, and then click Delete.
  4. To confirm the deletion, click Yes.
  5. In the Deleting Active Directory Domain Controller dialog box, select the Reset all passwords for user accounts that were cached on this read-only domain controller check box, as shown in the following figure. As an option, you can also select the Export the list of accounts that were cached on this read-only domain controller to this file check box to create a list of user accounts whose passwords must be reset after the RODC account is deleted. That list of accounts is not available after the RODC account is deleted.
    [Figure: Delete an RODC account]
Source: http://technet.microsoft.com/en-us/library/cc753470%28WS.10%29.aspx