RODC Replication Issue

  • RODC Replication Issue

    Hi all,

    I DID MY RESEARCH BEFORE POSTING ON THIS SITE

    I am going absolutely crazy trying to configure an RODC that will authenticate the clients after credential caching has been done, so that the authentication is done on the RODC.

    This is what I am doing; can someone please tell me what I'm doing wrong.

    1. I configure the clients to get an IP from the DC DHCP and join the clients to the DC. (TESTED AND WORKING)

    2. Then I configure the RODC on the DC for the Password Retention Policy and set up the RODC Server as a new Server VM. (TESTED AND WORKING, IMAGES ATTACHED)

    3. Then I change the RODC primary DNS IP to itself (127.0.0.1) and the alternate DNS to the DC IP (AS MENTIONED ON THE MICROSOFT WEBSITE).

    4. Then I point the clients to use the RODC as the primary DNS IP and the DC as the alternate DNS IP (this only works until the clients are rebooted; once the clients are rebooted they lose the IP assigned by the DC DHCP, and after that, even if I reconnect the clients to the domain from the start, they are not issued an IP by the DHCP until the DHCP is restarted).

    5. Then I turn off the DC and test the clients authenticating against the RODC; the clients log in, but then the network is shown as unknown and not Domain Network. At this point I have checked that the clients' IP is something other than what the DHCP has given them; it is probably because of changing the primary DNS of the clients to the RODC IP.

    As you can see in the attachments, the W10, W8 and W7 computers and the MAdmin, M1 and M2 clients are allowed in the Password Retention Policy, yet the authentication happens only at the DC. Am I missing some step?

    Could someone kindly let me know what I am doing wrong.

    Thank You Very Much

    NB : PLEASE NOTE THAT MY RODC IS ALSO THE DNS SERVER AND THE PRIMARY DC IS ALSO THE DHCP SERVER

  • #2
    Hi,

    Would anybody like to say something? I'm not able to understand what I'm doing wrong.


    • #3
      Please do NOT bump your posts - if someone can contribute something, they will.
      I have always avoided RODCs, so did not feel able to contribute anything to the discussion, but we have other experts who have. A couple of questions that might help, though:

      Is the RODC in a different AD site to the main DC?
      Are you changing the DNS servers via DHCP or overriding the DHCP settings in the local connection properties?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Originally posted by Ossian:
        Please do NOT bump your posts - if someone can contribute something, they will.
        I have always avoided RODCs, so did not feel able to contribute anything to the discussion, but we have other experts who have. A couple of questions that might help, though:

        Is the RODC in a different AD site to the main DC?
        Are you changing the DNS servers via DHCP or overriding the DHCP settings in the local connection properties?

        Sorry about the bumping, I spent 17+ hours on it and yet it didn't work, and I was frustrated about it.

        To your 1st question: no, it's the same site in the AD.

        To your second question: I change the DNS in the clients' local connection properties. If I leave the DNS IP as the DC, it works fine; if I change the IP to the RODC, they do not connect to the RODC. Even if I don't change the DNS IP of the clients, the clients only authenticate from the DC and never through the RODC.
        Last edited by TryllZ; 19th September 2016, 13:56.


        • #5
          I have a feeling the same-site issue is the problem - RODCs are not designed to live in an AD site with writable DCs present - see https://technet.microsoft.com/en-us/...(v=ws.10).aspx as a starting point
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Originally posted by Ossian:
            I have a feeling the same-site issue is the problem - RODCs are not designed to live in an AD site with writable DCs present - see https://technet.microsoft.com/en-us/...(v=ws.10).aspx as a starting point

            Hi,

            Thanks for the reply.

            I managed to find out that the zone transfers were not correct and I fixed that. Now, when the clients log in, both the DC and the RODC have authentication events; however, with the DC down, the authentication still doesn't work.

            I will try a different site in the AD.
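The thread never shows how to check the things the replies ask about: which AD site each DC sits in, whether the accounts are merely *allowed* by the Password Replication Policy or actually have their secrets cached on the RODC, and which DC answered a client's logon. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory RSAT module is available, and `RODC01` and `DC01` are placeholder names for the read-only and writable DC. The account names are the ones the original post lists.

```powershell
# Added example (not from the thread): verify an RODC that is expected to answer
# logons while the writable DC is unreachable. Assumes the ActiveDirectory RSAT
# module is installed; 'RODC01' and 'DC01' are placeholder names. Sections 1-5
# run on the writable DC or an admin workstation; section 6 runs on a client.
Import-Module ActiveDirectory

$Rodc      = 'RODC01'                  # placeholder: the read-only DC
$HubDc     = 'DC01'                    # placeholder: the writable DC
$Users     = 'MAdmin', 'M1', 'M2'      # user accounts named in the thread
$Computers = 'W10', 'W8', 'W7'         # computer accounts named in the thread

# 1. Site placement. Post #5 points at the RODC sharing a site with the writable DC;
#    list every DC with its site so the layout is visible at a glance.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsReadOnly, IPv4Address |
    Format-Table -AutoSize

# 2. Subnet-to-site mapping. A client is assigned to a site by the subnet its IP
#    falls into; with no matching subnet object it has no site affinity and the
#    DC locator may hand it any DC in the domain rather than the RODC.
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, Site |
    Format-Table -AutoSize

# 3. The Password Replication Policy (PRP) on the RODC: who may be cached, who never.
Write-Host "PRP allowed list on $Rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass
Write-Host "PRP denied list on $Rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass

# 4. Accounts whose secrets are actually cached on the RODC. Being on the allowed
#    list is not enough: the RODC stores a secret only after the account has
#    authenticated through it while the writable DC was reachable, or after the
#    secret was pre-populated. If this list is empty, the "DC off" test in step 5
#    of the original post cannot succeed.
Write-Host "Accounts with secrets revealed to $Rodc"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# 5. Pre-populate the secrets for the listed users and computers so the RODC can
#    answer their logons without waiting for a first logon through it. repadmin
#    takes distinguished names and accepts several at once. The computer accounts
#    matter as much as the users: a domain member whose own secret is not on the
#    RODC cannot set up a secure channel with it when the writable DC is down.
$dns = @()
$dns += $Users     | ForEach-Object { (Get-ADUser     -Identity $_).DistinguishedName }
$dns += $Computers | ForEach-Object { (Get-ADComputer -Identity $_).DistinguishedName }
& repadmin /rodcpwdrepl $Rodc $HubDc @dns

# 6. On a client: which DC handled this session's logon, and which DC the locator
#    picks right now. LOGONSERVER is set at logon; nltest asks the locator afresh.
"Logon server for this session: $env:LOGONSERVER"
$domain = $env:USERDNSDOMAIN
& nltest "/dsgetdc:$domain" /force
```

Run sections 1 to 4 first and compare the PRP allowed list with the revealed-accounts list: the gap between them is exactly the set of accounts that will fail to log on once the writable DC is switched off. Section 5 closes that gap for the named accounts; section 6, run on a client after a fresh logon, shows whether the RODC or the writable DC actually serviced it, which is the observation the original post was trying to make from the event logs.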
