Clients authenticating with incorrect server (RODC)

Posted on 2011-10-27
Last Modified: 2012-08-13
Hi All,

Here's the scenario. I have 3x DCs. 1x PDC, 1x BDC and 1x RODC. The RODC lives on a remote site and services half a dozen PCs.

I am getting 5723 events logged on our RODC (with limited credentials) for accounts that should be serviced on our main site, so it got me wondering why these machines are crawling through a limited DSL VPN when they should be serviced locally.

I also log which servers are servicing logon requests on our main site. This is split between the PDC and BDC.

Any ideas what logic (if any) the client machines are using to find the best available PC and how I can stop local machines trying to authenticate with a DC which doesn't store its credentials?

I am running a simple domain on SBS2008 with no trust relationships.

Sorry if the answer is obvious!!?

Thanks in advance.

Question by:noooodlez
    LVL 9

    Accepted Solution

    Go into AD Sites and Services.  Ensure that all of your network subnets are in there and are associated with the correct site.
    LVL 59

    Assisted Solution

    by:Darius Ghassem
    Like Bill said, most of the time, when you don't have your AD sites set up properly, the clients will search AD for a DC and then go for the first one that responds. You need to have sites set up. Second, you need to make sure clients are pointing to their local DNS server; this helps the client determine which DC to use as well.
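
An added example, not part of the original thread: domain controllers record clients whose IP address matches no subnet in AD Sites and Services as `NO_CLIENT_SITE` entries in `netlogon.log`, and this sketch checks such entries against a subnet-to-site map using the same most-specific-subnet rule. The site names, address ranges and log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed subnet-to-site map as entered in AD Sites and Services
# (hypothetical site names and ranges, not taken from the thread).
SITE_SUBNETS = {
    "10.0.0.0/16": "MainSite",
    "10.0.50.0/24": "RemoteSite",
}

# Constructed sample of a DC's %SystemRoot%\debug\netlogon.log entries.
SAMPLE_LOG = """\
10/27 09:14:02 EXAMPLE: NO_CLIENT_SITE: PC-ACCT01 192.168.1.23
10/27 09:14:40 EXAMPLE: NO_CLIENT_SITE: PC-ACCT02 192.168.1.31
10/27 09:15:11 EXAMPLE: NO_CLIENT_SITE: PC-ACCT01 192.168.1.23
10/27 09:16:05 EXAMPLE: NO_CLIENT_SITE: LAPTOP07 10.0.50.12
"""

NO_SITE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})")


def site_for(ip, subnets=SITE_SUBNETS):
    """Return the site of the most specific subnet containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in map(ipaddress.ip_network, subnets) if addr in n]
    best = max(matches, key=lambda n: n.prefixlen, default=None)
    return subnets[str(best)] if best is not None else None


def unmapped_clients(log_text, subnets=SITE_SUBNETS):
    """Count logged clients per (host, ip) that still match no defined subnet."""
    hits = Counter()
    for host, ip in NO_SITE.findall(log_text):
        if site_for(ip, subnets) is None:
            hits[(host, ip)] += 1
    return hits


def suggested_subnets(hits, prefix=24):
    """Group unmapped client IPs into candidate /prefix subnets to review."""
    return sorted({str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)) for _, ip in hits})


if __name__ == "__main__":
    hits = unmapped_clients(SAMPLE_LOG)
    for (host, ip), count in hits.most_common():
        print(f"{host:12} {ip:15} {count} entries, no matching subnet")
    print("Subnets to review:", suggested_subnets(hits))
```

Log entries written before a subnet was defined, like the `LAPTOP07` line here, drop out of the report once the map covers their address.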

    Author Comment

    Makes perfect sense. Stupid me for missing that!!
    Have only recently set up the 2nd site and never configured sites and services.

    I have now set my subnets and sites up. All looks simple enough (nothing has died yet anyway!!). Will monitor now and see how we get on.

    Question. I have set the replication schedule to the remote site as once per day (instead of once per hour). I can always force changes through. How much data will this replication be sending through my 512k VPN? I assume it is reasonably intelligent and will only send differential changes to applicable accounts?

    LVL 59

    Expert Comment

    by:Darius Ghassem
    Not much data at all but I would do it at least once every four hours.

    Author Closing Comment

    Cheers guys. Now sorted!
