The Filtered Attribute Set (FAS) is the set of attributes not replicated to an RODC. The default FAS contains the following:
- ms-PKI-DPAPIMasterKeys
- ms-PKI-AccountCredentials
- ms-PKI-RoamingTimeStamp
- ms-FVE-KeyPackage
- ms-FVE-RecoveryPassword
- ms-TPM-OwnerInformation
Attributes placed in the FAS are never replicated to an RODC, which limits what is exposed if an RODC at a lower-security site is compromised. You can therefore add your own sensitive attributes to the FAS so that they are not copied to any RODC.
Like confidential attributes, the FAS is modified with the ldifde tool. For example, to mark an attribute as part of the FAS, first view the attribute in ADSI Edit. Figure 5-4 shows the secretary attribute object found at CN=secretary,CN=Schema,CN=Configuration. Notice that the value of searchFlags is 0x0, meaning that no flags are set for this attribute.
FIGURE 5-4 Viewing searchFlags to determine whether any flags are set for this object.
Open a command prompt as Administrator and run the following command, again using secretary as the example and the adventure-works.com domain:
ldifde -d "CN=secretary,CN=Schema,CN=Configuration,DC=adventure-works,DC=com" -f en_ldif -l searchflags
The ldifde command produces a file in the current directory called en_ldif. The contents of that file look like the following:
dn: CN=secretary,CN=Schema,CN=Configuration,DC=adventure-works,DC=com
changetype: add
searchFlags: 0
Edit the file with a text editor such as Notepad. Set the changetype to modify, add the line replace: searchFlags, change the searchFlags value to 512, and add a line containing a single hyphen (-) at the end to terminate the modify operation. The final result looks like this:
dn: CN=secretary,CN=Schema,CN=Configuration,DC=adventure-works,DC=com
changetype: modify
replace: searchFlags
searchFlags: 512
-
Save that file as en-confidential.
Now import the file with the following command:
ldifde -i -f en-confidential
Examine the searchFlags value through ADSI Edit again. Notice in Figure 5-5 that the value is now 0x200 (the hexadecimal representation of 512), reflecting the change that you made.
FIGURE 5-5 The object's searchFlags is now set to 0x200 (RODC_FILTERED), which indicates that it is part of the FAS.
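The same change can be made without hand-editing LDIF. The following PowerShell is an added example, not from the book: it lists the current FAS and sets the RODC_FILTERED bit by OR-ing it into the existing searchFlags value, so that flags already present (indexed, confidential and so on) are preserved rather than overwritten, which is what writing 512 outright would do. It assumes the RSAT ActiveDirectory module, Schema Admins rights, and that the function and variable names used here are local conventions.

```powershell
# Added example (not the book's code): manage the RODC Filtered Attribute Set
# with the ActiveDirectory module. Assumes RSAT and Schema Admins membership.
Import-Module ActiveDirectory

$RODC_FILTERED = 0x200                        # searchFlags bit: attribute is in the FAS
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$schemaMaster  = (Get-ADForest).SchemaMaster  # schema writes must go to the FSMO owner

# List every attribute currently in the FAS. The OID is LDAP_MATCHING_RULE_BIT_AND,
# so the filter matches any searchFlags value that has the 0x200 bit set.
function Get-FilteredAttributeSet {
    Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$RODC_FILTERED))" `
        -Properties lDAPDisplayName, searchFlags |
      Select-Object lDAPDisplayName, @{ n = 'searchFlags'; e = { '0x{0:X}' -f $_.searchFlags } }
}

# Put one attribute into the FAS by OR-ing the bit into the current value, so
# flags already set (indexed 0x1, confidential 0x80, ...) survive. Replacing
# searchFlags with 512, as the LDIF walkthrough does, would silently clear them.
function Add-ToFilteredAttributeSet {
    param([Parameter(Mandatory)][string]$LdapDisplayName)   # e.g. 'secretary'

    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }

    $old = [int]$attr.searchFlags               # $null (no flags) becomes 0
    if ($old -band $RODC_FILTERED) {
        Write-Host ("{0} is already in the FAS (searchFlags 0x{1:X})" -f $LdapDisplayName, $old)
        return
    }
    $new = $old -bor $RODC_FILTERED
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Replace @{ searchFlags = $new }
    Write-Host ("{0}: searchFlags 0x{1:X} -> 0x{2:X}" -f $LdapDisplayName, $old, $new)
}

# Usage: add the example attribute, then review the whole set.
Add-ToFilteredAttributeSet -LdapDisplayName 'secretary'
Get-FilteredAttributeSet
```

Running Get-FilteredAttributeSet before and after the change is also a quick way to confirm that the six default attributes listed at the top of this section are still present and that nothing else was altered.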