Clients authenticating with incorrect server (RODC)

Posted on 2011-10-27
Medium Priority
Last Modified: 2012-08-13
Hi All,

Here's the scenario. I have 3x DCs. 1x PDC, 1x BDC and 1x RODC. The RODC lives on a remote site and services half a dozen PCs.

I am getting 5723 events logged on our RODC (with limited credentials) for accounts that should be serviced on our main site, so it got me wondering why these machines are crawling through a limited DSL VPN when they should be serviced locally.

I also log which servers are servicing logon requests on our main site. This is split between the PDC and BDC.

Any ideas what logic (if any) the client machines are using to find the best available PC, and how I can stop local machines trying to authenticate with a DC which doesn't store its credentials?

I am running a simple domain on SBS2008 with no trust relationships.

Sorry if the answer is obvious!!?

Thanks in advance.

Question by:noooodlez

Accepted Solution

bill_lynch earned 700 total points
ID: 37037748
Go into AD Sites and Services.  Ensure that all of your network subnets are in there and are associated with the correct site.

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 300 total points
ID: 37037794
Like Bill said, most of the time when your AD sites are not set up properly, the clients will search AD for a DC and then go for the first one that responds. You need to have sites set up. Second, you need to make sure clients are pointing to their local DNS server; this helps the client determine which DC to use as well.
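
An added example, not code from the thread: it maps client IPs to sites by longest-prefix match against a subnet table like the one kept in AD Sites and Services, and flags clients whose subnet has no site. The subnet table, site names and client addresses are constructed sample values, the function names are hypothetical, and IPv4 is assumed.

```powershell
# Constructed sample data: subnet-to-site mappings as they would be entered in
# AD Sites and Services, plus client IPs to audit. All values are hypothetical.
$Subnets = @(
    [pscustomobject]@{ Cidr = '192.168.0.0/16';  Site = 'Main-Site'   }
    [pscustomobject]@{ Cidr = '192.168.50.0/24'; Site = 'Remote-Site' }
)
$Clients = '192.168.1.25', '192.168.50.12', '10.0.8.40'

function ConvertTo-IPv4Number([string]$Address) {
    # Fold the four octets into one number (a double, so no signed-int overflow).
    $n = [double]0
    foreach ($octet in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $n = $n * 256 + $octet
    }
    return $n
}

function Test-InSubnet([string]$Address, [string]$Cidr) {
    $network, $prefix = $Cidr -split '/'
    $blockSize = [math]::Pow(2, 32 - [int]$prefix)
    # Same subnet when both addresses fall in the same block of that size.
    [math]::Floor((ConvertTo-IPv4Number $Address) / $blockSize) -eq
        [math]::Floor((ConvertTo-IPv4Number $network) / $blockSize)
}

function Get-ClientSite([string]$Address) {
    # The most specific (longest-prefix) matching subnet decides the site.
    $match = $Subnets |
        Where-Object { Test-InSubnet $Address $_.Cidr } |
        Sort-Object { [int]($_.Cidr -split '/')[1] } -Descending |
        Select-Object -First 1
    if ($match) { $match.Site }
}

foreach ($ip in $Clients) {
    $site = Get-ClientSite $ip
    [pscustomobject]@{
        Client = $ip
        # No matching subnet means the client has no site to prefer a DC from.
        Site   = if ($site) { $site } else { 'NO SUBNET MATCH (any DC may answer)' }
    }
}
```

With the sample data, 192.168.50.12 resolves to Remote-Site even though the /16 also matches, and 10.0.8.40 is reported as unmatched.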

Author Comment

ID: 37043742
Makes perfect sense. Stupid me for missing that!!
Have only recently set up the 2nd site and never configured sites and services.

I have now set my subnets and sites up. All looks simple enough (nothing has died yet anyway!!). Will monitor now and see how we get on.

Question. I have set the replication schedule to the remote site as once per day (instead of once per hour). I can always force changes through. How much data will this replication be sending through my 512k VPN? I assume it is reasonably intelligent and will only send differential changes to applicable accounts?


Expert Comment

by:Darius Ghassem
ID: 37044482
Not much data at all but I would do it at least once every four hours.

Author Closing Comment

ID: 37237759
Cheers guys. Now sorted!

Question has a verified solution.
