Rodc

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Rodc

    hi folks, i'm just implementing a new RODC in a branch office.... joining it to our main branch.... seems to be working.
    when i added a test workstation i was able to add it using the full domain name eg. domain.local
    now when i check the Netlogon directory on the branch server the contents are replicated. how do others handle the scripts for the different servers? have multiple ones?
    i tested by creating a txt file in the main server's netlogon directory and it instantly showed up on the branch server.

    we want to get away from having completely independent domains in these branch offices. if we can deploy RODC in them and have them under one domain would be great. our pipe between the sites is very small.

  • #2
    Re: Rodc

    RODC is still a DC, so netlogon contents will replicate.
    Unclear what you mean with "Handle the scripts for the different servers"

    On some of our remote sites we have RODC. Scripts for mapping drives, printers etc are handled via Group Policies on the AD.

    In the rare occasion that we have a script that needs to be called upon, those would also reside on the primary DC. You could chuck those in a netlogon subfolder.


  • #3
    Re: Rodc

    hi, thanks for the info. yes we used the Kix scripts so that is what was being called from the GPO or in some cases since Win7 these don't get called so we have to do other creative things to get them to run. they sit in the Netlogon folder and i didn't realize the contents would replicate.
    i can work with this but didn't know for sure whether this was the correct method with RODC.
    and to confirm, there is no way to add workstations to the RODC... must have access to the main DC, correct?
    wondering how i can check whether it is authenticating against the RODC?


  • #4
    Re: Rodc

    RODCs are (as the name implies) READ ONLY
    All AD changes (including adding computers) are made at a writable DC so rely on suitable access. You then add the computer to the list of ones cached on the RODC and the information replicates down to it.

    Use DC event logs to see which DC a computer authenticates against

    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
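An added example (not posted by anyone in this thread) of the two checks post #4 describes: on the workstation, which DC the locator and the logon environment point at; on the DC side, allowing the test account and its computer in the RODC's Password Replication Policy and then reading the Security log to see which DC actually serviced the logon. The names domain.local, RODC01, RODCuser and WS01 are assumed placeholders.

```powershell
# Added example, not the thread's own commands. Placeholder names:
# domain.local (domain), RODC01 (branch RODC), RODCuser (test user), WS01 (test PC).

# --- On the branch workstation -------------------------------------------
# %LOGONSERVER% is set by the DC that handled the interactive logon.
Write-Host "Logon server at sign-in: $env:LOGONSERVER"

# Ask the DC locator which DC it would choose right now. The output includes
# "Dc Site Name" and "Our Site Name"; if "Our Site Name" is still
# Default-First-Site-Name while the PC sits on the branch subnet, the subnet
# is not mapped to a branch site in AD Sites and Services.
nltest /dsgetdc:domain.local /force

# --- On a writable DC, or a host with RSAT (ActiveDirectory module) --------
Import-Module ActiveDirectory

# Let the RODC cache the secrets of the test user and the test workstation.
# Computer accounts need the trailing $ (sAMAccountName form).
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC01' `
    -AllowedList 'RODCuser', 'WS01$'

# Accounts whose secrets the RODC has actually cached so far. An account that
# is allowed but never appears here has never been authenticated by the RODC.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC01' -RevealedAccounts |
    Select-Object Name, ObjectClass

# Which DC recorded a Kerberos TGT request (event 4768) for the test user in
# the last hour? Every DC is queried; the one listing the event serviced it.
$since = (Get-Date).AddHours(-1)
foreach ($dc in (Get-ADDomainController -Filter *)) {
    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4768
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'RODCuser' } |
        Select-Object @{ n = 'DC'; e = { $dc.HostName } }, TimeCreated, Id
}
```

Reading 4768 requires the Audit Kerberos Authentication Service subcategory to be enabled on the DCs; 4624 (logon) works the same way for NTLM logons. If the RODC lists no events while a hub DC does, the client is not choosing the RODC, which is where the site and subnet configuration discussed later in the thread comes in.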


  • #5
    Re: Rodc

    thanks for the confirmation.
    i will dig for logs and then fix the scripts.


  • #6
    Re: Rodc

    As per Ossian's post, RODC is read only indeed. It only holds a local copy to read from. When your local workstation at the RODC site asks for example to logon, your RODC acts as the local security authority (LSA) to receive the logon request, which negotiates with Kerberos and raises communication to the actual domain controller. The domain controller then in its turn returns the logon acceptance/success to the LSA onsite (RODC) which generates the user's access token.

    Any systems added to the domain are done via DC, which then replicates to the local RODC.

    P.S. A tool which I find handy to see what server I authenticated against is BGInfo.
    My domain admin accounts have been configured to auto start with the bginfo tool running on my screen, so I always get a clean timestamp, and some generic info such as IP, Logon server etc on my background. Saves me going through logs for some info.


  • #7
    Re: Rodc

    ah yes, good ol' BGInfo. i've set it up on my test machine and it is indeed authenticating to the wrong server. one of our DCs in the Main building, not the Branch Server.


  • #8
    Re: Rodc

    Run a DCDIAG via cmd prompt, see if you notice any odd occurrences.
    Would start investigation at the RODC, and work outward from there.

    If you logon to the RODC, I presume the RODC does show logon server as itself? Or does the RODC also point to another DC?


  • #9
    Re: Rodc

    Hello, still working on this issue with Logon Server and RODC.

    i have my test user account 'RODCuser' properly working within the RODC Password Replication Policy now along with the machine that user is using.
    so i have the script firing from the Profile on that user and mapping to the correct drive on that RODC Server. i'm trying to use a script in a GPO but it is detecting a Slow Link so it is suppressing it... for another thread i think.
    BUT i still notice that the %logonserver% is different some of the time. we have 3 DCs and it will grab whichever it seems to want. i thought it would look to the RODC first as that is the one at that site. there has to be another parameter that i need to define to keep this RODC first and then look to others if it isn't available.

    EDIT: RODC does show our Main DC as the %logonserver% so it isn't pointing to itself, should it?
    Last edited by swixtt; 10th December 2012, 19:46. Reason: Dutch question.


  • #10
    Re: Rodc

    Have you configured the sites and subnets in ADSS?

    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com


  • #11
    Re: Rodc

    No i haven't defined anything in there.... other than what was defined as default.


  • #12
    Re: Rodc

    You need to configure a site for each of your physical locations and associate the subnets at each location with their site. This way the clients will authenticate on the DC closest to them.

    EDIT: Almost forgot, you also need to put each DC in their respective sites.
    Last edited by JeremyW; 11th December 2012, 15:32.

    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com


  • #13
    Re: Rodc

    right, thanks. do i need to then mod the costs? or just leave as 100 (default) until we add the other sites. will the KCC figure it all out or is it even easier as it would be based on the subnets?
    all of these additional sites that i will add in the future are over a slow WAN ADSL 500k link. i'm just using this current remote site to figure it out. only have 4 total sites.


  • #14
    Re: Rodc

    It depends on your topology and link speeds between your sites. You'll want to configure a site link for every site that has a physical link (VPN, MPLS, etc). You'll then want to configure the cost based on the speed of the connection relative to the other connections. So if one link is 1.5 Mbps and another is 768 kbps you could configure the first with a cost of 90 and the other with a cost of 180.

    The KCC will then set up the replication between sites based on the information you've put in ADSS.

    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com
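An added example, not from any poster, that carries out the full procedure from posts #12 and #14 with the ActiveDirectory module: one site per location, subnets mapped to sites, each DC moved into its site, and a costed site link using the 90/180 figures from post #14. Site names (Main, Branch), subnets (10.1.0.0/24, 10.2.0.0/24) and DC names (HUBDC01, RODC01) are assumed placeholders for whatever the real locations use.

```powershell
# Added example, not the thread's own commands. Placeholder names throughout.
# Run on a writable DC or an RSAT host as a member of Enterprise Admins
# (site objects live in the Configuration partition).
Import-Module ActiveDirectory

# 1. One site per physical location (post #12).
New-ADReplicationSite -Name 'Main'
New-ADReplicationSite -Name 'Branch'

# 2. Subnets, each associated with its site. The DC locator matches the
#    client's IP against these; a client on an unmapped subnet falls back to
#    any DC in the domain, which is the symptom described in post #9.
New-ADReplicationSubnet -Name '10.1.0.0/24' -Site 'Main'
New-ADReplicationSubnet -Name '10.2.0.0/24' -Site 'Branch'

# 3. Put each DC in its own site (the step the EDIT in post #12 calls out).
#    A DC left in Default-First-Site-Name keeps advertising for that site.
Move-ADDirectoryServer -Identity 'HUBDC01' -Site 'Main'
Move-ADDirectoryServer -Identity 'RODC01'  -Site 'Branch'

# 4. Site link for the physical connection (post #14). Cost is relative:
#    the 1.5 Mbps link would get 90, the 768 kbps link 180. The interval is
#    how often inter-site replication is attempted, in minutes.
New-ADReplicationSiteLink -Name 'Main-Branch' `
    -SitesIncluded 'Main', 'Branch' `
    -Cost 180 `
    -ReplicationFrequencyInMinutes 180 `
    -InterSiteTransportProtocol IP

# Both new sites were also added to DEFAULTIPSITELINK (cost 100) when they
# were created. Take the branch out of it so the KCC only sees the costed
# link; once every site has its own link the default link can be removed.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = 'Branch' }

# 5. Verify. The locator should now return the RODC for the branch site, and
#    a branch client running "nltest /dsgetsite" should report "Branch".
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADDomainController -Filter * | Select-Object Name, Site, IsReadOnly
Get-ADDomainController -Discover -SiteName 'Branch' | Select-Object HostName, Site

# Ask the KCC to recompute the topology now rather than at its next 15-minute run.
repadmin /kcc
```

Clients do not re-read site information instantly: the DC locator caches its answer, so as post #15 notes it can take a while (or a reboot, or `nltest /dsgetdc:domain.local /force`) before branch workstations start reporting the RODC as their logon server.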


  • #15
    Re: Rodc

    i have this set up now but may need to give it some time so the workstations at the remote site will use the RODC to authenticate.... still going to other DCs.