Sometimes we need to create users/groups/computers in Active Directory that will be used temporary (by a contractor, for testing etc.). The typical workflow is: Create > Use for a while > Delete. The deletion is manual and often these objects are being forgotten which poses some security risks.
It is little known fact that we can create the so called Dynamic objects (DOs, a.k.a. temporary objects) that get deleted from AD automatically when the associated TTL expires. Microsoft added this capability in Windows Server 2003. In fact the “Dynamic object” is an auxiliary class (OID = 188.8.131.52.4.1.14184.108.40.206). When linked to an object it adds some new attributes like the entryTTL (Entry-TTL) and ms-DS-Entry-Time-To-Die attribute.
The task was to promote the first RODC in a mixed OS domain with Windows 2003 Forest/Domain functional levels. Before DC promotion the AD Schema was successfully extended and there was one Writable Domain Controller (Windows Server 2013 R2) up and running.
I noticed some RODC related groups are missing even trough adprep finished without any errors:
Read-only Domain Controllers
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
I thought they will appear after first RODC promotion. But that was not the case!
These groups, along with many others, are created AFTER you transfer the PDC role to a domain controller, running Windows Server 2008 or later!
After transferring the PDC role these groups were created: