Tomasz Czyz (Norway) asked:

Users can't authenticate through a new RODC

We’ve set up a Read Only Domain Controller (Windows Server 2008 R2) in a secondary location. We’ve followed Microsoft's RODC Step-by-Step guide (http://technet.microsoft.com/en-us/library/cc754629%28v=ws.10%29.aspx) as far as I can see, but still no users are authenticating through the new server. All users in the secondary location still use DCs from the main location to authenticate.

The user accounts for the people working on this site are cached on the RODC.

The first thing I noticed was that the NETLOGON share on the RODC was missing. I did as Microsoft KB 947022 suggested, but that didn’t help.

Dcdiag /v gives the following result:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine RODCSERVER, is a Directory Server. 
   Home Server = RODCSERVER

   * Connecting to directory service on server RODCSERVER.

   * Identified AD Forest. 
   Collecting AD specific global data 
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded 
   Iterating through the sites 
   Looking at base site object: CN=NTDS Site Settings,CN=domain,CN=Sites,CN=Configuration,DC=domain,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=SecondarySite,CN=Sites,CN=Configuration,DC=domain,DC=local
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers 
   Getting information for the server CN=NTDS Settings,CN=ADSRV02,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=ADSRV01,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=ADSRV03,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=RODCSERVER,CN=Servers,CN=SecondarySite,CN=Sites,CN=Configuration,DC=domain,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   Server is an RODC
   All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 4 DC(s). Testing 1 of them.

   Done gathering initial info.


Doing initial required tests

   
   Testing server: SecondarySite\RODCSERVER

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity 
         * Active Directory RPC Services Check
         ......................... RODCSERVER passed test Connectivity



Doing primary tests

   
   Testing server: SecondarySite\RODCSERVER

      Starting test: Advertising

         The DC RODCSERVER is advertising itself as a DC and having a DS.
         The DC RODCSERVER is advertising as an LDAP server
         The DC RODCSERVER is not advertising as having a writeable directory because it is an RODC 
         The DC RODCSERVER is advertising as a Key Distribution Center
         The DC RODCSERVER is advertising as a time server
         The DS RODCSERVER is advertising as a GC.
         ......................... RODCSERVER passed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test 
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         A warning event occurred.  EventID: 0x800034C4

            Time Generated: 08/07/2012   08:16:05

            Event String:

            The File Replication Service is having trouble enabling replication from ADSRV03 to RODCSERVER for c:\windows\sysvol\domain using the DNS name ADSRV03.domain.local. FRS will keep retrying. 

             Following are some of the reasons you would see this warning. 

             

             [1] FRS can not correctly resolve the DNS name ADSRV03.domain.local from this computer. 

             [2] FRS is not running on ADSRV03.domain.local. 

             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. 

             

             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

         ......................... RODCSERVER passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log. 
         Skip the test because the server is running FRS.

         ......................... RODCSERVER passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test 
         File Replication Service's SYSVOL is ready 
         ......................... RODCSERVER passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... RODCSERVER passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=ADSRV02,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=ADSRV02,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=ADSRV02,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=ADSRV02,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=ADSRV02,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local
         ......................... RODCSERVER passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC RODCSERVER on DC RODCSERVER.
         * SPN found :LDAP/RODCSERVER.domain.local/domain.local
         * SPN found :LDAP/RODCSERVER.domain.local
         * SPN found :LDAP/RODCSERVER
         * SPN found :LDAP/RODCSERVER.domain.local/domain
         * SPN found :LDAP/0acbec41-f9ff-436a-8e72-e33904f3df28._msdcs.domain.local
         * SPN found :HOST/RODCSERVER.domain.local/domain.local
         * SPN found :HOST/RODCSERVER.domain.local
         * SPN found :HOST/RODCSERVER
         * SPN found :HOST/RODCSERVER.domain.local/domain
         * SPN found :GC/RODCSERVER.domain.local/domain.local
         ......................... RODCSERVER passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC RODCSERVER.
         * Security Permissions Check for

           DC=ForestDnsZones,DC=domain,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=DomainDnsZones,DC=domain,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=domain,DC=local
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=domain,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=domain,DC=local
            (Domain,Version 3)
         ......................... RODCSERVER passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\RODCSERVER\netlogon)

         [RODCSERVER] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... RODCSERVER failed test NetLogons

      Starting test: ObjectsReplicated

         RODCSERVER is in domain DC=domain,DC=local
         Checking for CN=RODCSERVER,OU=Domain Controllers,DC=domain,DC=local in domain DC=domain,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=RODCSERVER,CN=Servers,CN=SecondarySite,CN=Sites,CN=Configuration,DC=domain,DC=local in domain CN=Configuration,DC=domain,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... RODCSERVER passed test ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=domain,DC=local
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=domain,DC=local
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=domain,DC=local
               Latency information for 10 entries in the vector were ignored.
                  10 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=domain,DC=local
               Latency information for 10 entries in the vector were ignored.
                  10 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=domain,DC=local
               Latency information for 10 entries in the vector were ignored.
                  10 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... RODCSERVER passed test Replications

      Test skipped for RODC: RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... RODCSERVER passed test Services

      Starting test: SystemLog

         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... RODCSERVER passed test SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference)

         CN=RODCSERVER,OU=Domain Controllers,DC=domain,DC=local and backlink on

         CN=RODCSERVER,CN=Servers,CN=SecondarySite,CN=Sites,CN=Configuration,DC=domain,DC=local

          are correct. 
         The system object reference (serverReferenceBL)

         CN=RODCSERVER,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=local

         and backlink on

         CN=NTDS Settings,CN=RODCSERVER,CN=Servers,CN=SecondarySite,CN=Sites,CN=Configuration,DC=domain,DC=local

         are correct. 
         The system object reference (frsComputerReferenceBL)

         CN=RODCSERVER,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=local

         and backlink on CN=RODCSERVER,OU=Domain Controllers,DC=domain,DC=local

         are correct. 
         ......................... RODCSERVER passed test VerifyReferences

      Test omitted by user request: VerifyReplicas

   
      Test omitted by user request: DNS

      Test omitted by user request: DNS

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : domain

      Starting test: CheckSDRefDom

         ......................... domain passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... domain passed test CrossRefValidation

   
   Running enterprise tests on : domain.local

      Test omitted by user request: DNS

      Test omitted by user request: DNS

      Starting test: LocatorCheck

         GC Name: \\RODCSERVER.domain.local

         Locator Flags: 0xe00028fc
         PDC Name: \\ADSRV02.domain.local
         Locator Flags: 0xe00011fd
         Time Server Name: \\RODCSERVER.domain.local
         Locator Flags: 0xe00028fc
         Preferred Time Server Name: \\RODCSERVER.domain.local
         Locator Flags: 0xe00028fc
         KDC Name: \\RODCSERVER.domain.local
         Locator Flags: 0xe00028fc
         ......................... domain.local passed test LocatorCheck

      Starting test: Intersite

         Skipping site domain, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site OFFICE, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site SecondarySite, this site is outside the scope provided

         by the command line arguments provided. 
         ......................... domain.local passed test Intersite



I’m not an expert on AD and DCs, so please do not rule out rookie mistakes :)

Anybody got any ideas on what the problem might be?

Best regards, cafejava
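The two things a practitioner would check first in this situation are (a) which site and DC the branch-office clients are actually being handed by the DC locator, and (b) whether the RODC has reached the state in which Netlogon publishes the NETLOGON and SYSVOL shares (the SysvolReady flag that KB 947022 deals with). The script below is an added PowerShell example, not code from the thread or from the accepted solution, and it only uses tools that ship with Windows Server 2008 R2 and Windows 7 (nltest, net, the registry provider). The domain, server and site names are taken from the dcdiag output in the question; run it once on a workstation in the secondary site and once on the RODC itself.

```powershell
# Added diagnostic helper for the scenario in the question; not code from the
# thread. Server/site/domain names come from the asker's dcdiag output.
# Uses only built-in tools (nltest, net, registry provider), so no RSAT or
# ActiveDirectory module is required on Windows Server 2008 R2 / Windows 7.

param(
    [string]$Domain = 'domain.local',   # from the post
    [string]$Rodc   = 'RODCSERVER',     # from the post
    [string]$Site   = 'SecondarySite'   # from the post
)

# ---- Run this part on a workstation in the branch office ----------------
function Test-BranchClientLocator {
    param([string]$Domain, [string]$Rodc, [string]$Site)

    # Site the locator placed this client in. If it is not the branch site,
    # the client's subnet is not mapped to that site in AD Sites and Services
    # and the locator will keep returning DCs from the main site.
    $clientSite = (nltest /dsgetsite 2>&1 | Select-Object -First 1).Trim()

    # Force a fresh locator query (bypasses the cached DC) and record the result.
    $dcInfo = nltest /dsgetdc:$Domain /force 2>&1
    $dcName = (($dcInfo | Where-Object { $_ -match '^\s*DC:' }) -join '') -replace '^\s*DC:\s*', ''
    $dcSite = (($dcInfo | Where-Object { $_ -match 'Dc Site Name:' }) -join '') -replace '.*:\s*', ''

    # DC the machine's secure channel is currently bound to.
    $scLine = (nltest /sc_query:$Domain 2>&1 | Where-Object { $_ -match 'Trusted DC Name' }) -join ''

    [pscustomobject]@{
        ClientSite           = $clientSite
        ClientInBranchSite   = ($clientSite -eq $Site)
        LocatedDC            = $dcName.Trim()
        LocatedDCSite        = $dcSite.Trim()
        LocatorReturnsRodc   = ($dcName -match $Rodc)
        SecureChannelDC      = $scLine.Trim()
        # dcdiag's NetLogons test failed with error 67 on this share:
        NetlogonShareVisible = (Test-Path "\\$Rodc\NETLOGON")
        SysvolShareVisible   = (Test-Path "\\$Rodc\SYSVOL")
    }
}

# ---- Run this part on the RODC itself ------------------------------------
function Test-RodcNetlogonShare {
    # KB 947022 (cited in the question) concerns the SysvolReady flag: Netlogon
    # waits for this value to become 1 (set after the initial SYSVOL sync)
    # before it creates the SYSVOL and NETLOGON shares.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $sysvolReady = (Get-ItemProperty -Path $key -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady

    # 'net share' lists share names at the start of each line.
    $shares = net share 2>&1 | Out-String
    [pscustomobject]@{
        SysvolReady     = $sysvolReady
        NetlogonShared  = ($shares -match '(?m)^NETLOGON\s')
        SysvolShared    = ($shares -match '(?m)^SYSVOL\s')
        NetlogonRunning = ((Get-Service Netlogon).Status -eq 'Running')
    }
}

# Pick the right check depending on where the script is running.
if ($env:COMPUTERNAME -ieq $Rodc) {
    Test-RodcNetlogonShare | Format-List
} else {
    Test-BranchClientLocator -Domain $Domain -Rodc $Rodc -Site $Site | Format-List
}
```

Reading the output: on the client, ClientInBranchSite being false means the site/subnet mapping, not the RODC, is what needs fixing; LocatorReturnsRodc being false while ClientInBranchSite is true points back at the RODC's own state. On the RODC, a SysvolReady of 0 (or missing) together with NetlogonShared being false matches the dcdiag NetLogons failure in the question and is the condition KB 947022 addresses.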
ASKER CERTIFIED SOLUTION
megaman5 (United States of America)

This solution is only available to members of Experts Exchange.