Solved

Users can't authenticate through a new RODC

Posted on 2013-06-11
1
760 Views
Last Modified: 2013-11-08
We’ve set up a Read Only Domain Controller (Windows Server 2008r2) in a secondary location. We’ve followed Microsofts RODC Step-by-Step guide (http://technet.microsoft.com/en-us/library/cc754629%28v=ws.10%29.aspx) as far as I can see, but still no users is authenticating through the new server. All users on the secondary location still uses DC's from main location to authenticate.

The user accounts for the people working on this site are cached on the RODC.

First thing I noticed was that the NETLOGON share on the RODC was missing. Did as Microsoft KB 947022 suggested, but that didn’t help.

Dcdiag /v gives the following result:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine RODCSERVER, is a Directory Server. 
   Home Server = RODCSERVER

   * Connecting to directory service on server RODCSERVER.

   * Identified AD Forest. 
   Collecting AD specific global data 
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded 
   Iterating through the sites 
   Looking at base site object: CN=NTDS Site Settings,CN=domain,CN=Sites,CN=Configuration,DC=domain,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=SecondarySite,CN=Sites,CN=Configuration,DC=domain,DC=local
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers 
   Getting information for the server CN=NTDS Settings,CN=ADSRV02,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=ADSRV01,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=ADSRV03,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=RODCSERVER,CN=Servers,CN=SecondarySite,CN=Sites,CN=Configuration,DC=domain,DC=local 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   Server is an RODC
   All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 4 DC(s). Testing 1 of them.

   Done gathering initial info.


Doing initial required tests

   
   Testing server: SecondarySite\RODCSERVER

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity 
         * Active Directory RPC Services Check
         ......................... RODCSERVER passed test Connectivity



Doing primary tests

   
   Testing server: SecondarySite\RODCSERVER

      Starting test: Advertising

         The DC RODCSERVER is advertising itself as a DC and having a DS.
         The DC RODCSERVER is advertising as an LDAP server
         The DC RODCSERVER is not advertising as having a writeable directory because it is an RODC 
         The DC RODCSERVER is advertising as a Key Distribution Center
         The DC RODCSERVER is advertising as a time server
         The DS RODCSERVER is advertising as a GC.
         ......................... RODCSERVER passed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test 
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         A warning event occurred.  EventID: 0x800034C4

            Time Generated: 08/07/2012   08:16:05

            Event String:

            The File Replication Service is having trouble enabling replication from ADSRV03 to RODCSERVER for c:\windows\sysvol\domain using the DNS name ADSRV03.domain.local. FRS will keep retrying. 

             Following are some of the reasons you would see this warning. 

             

             [1] FRS can not correctly resolve the DNS name ADSRV03.domain.local from this computer. 

             [2] FRS is not running on ADSRV03.domain.local. 

             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. 

             

             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

         ......................... RODCSERVER passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log. 
         Skip the test because the server is running FRS.

         ......................... RODCSERVER passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test 
         File Replication Service's SYSVOL is ready 
         ......................... RODCSERVER passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... RODCSERVER passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=ADSRV02,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=ADSRV02,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=ADSRV02,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=ADSRV02,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=ADSRV02,CN=Servers,CN=OFFICE,CN=Sites,CN=Configuration,DC=domain,DC=local
         ......................... RODCSERVER passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC RODCSERVER on DC RODCSERVER.
         * SPN found :LDAP/RODCSERVER.domain.local/domain.local
         * SPN found :LDAP/RODCSERVER.domain.local
         * SPN found :LDAP/RODCSERVER
         * SPN found :LDAP/RODCSERVER.domain.local/domain
         * SPN found :LDAP/0acbec41-f9ff-436a-8e72-e33904f3df28._msdcs.domain.local
         * SPN found :HOST/RODCSERVER.domain.local/domain.local
         * SPN found :HOST/RODCSERVER.domain.local
         * SPN found :HOST/RODCSERVER
         * SPN found :HOST/RODCSERVER.domain.local/domain
         * SPN found :GC/RODCSERVER.domain.local/domain.local
         ......................... RODCSERVER passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC RODCSERVER.
         * Security Permissions Check for

           DC=ForestDnsZones,DC=domain,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=DomainDnsZones,DC=domain,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=domain,DC=local
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=domain,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=domain,DC=local
            (Domain,Version 3)
         ......................... RODCSERVER passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\RODCSERVER\netlogon)

         [RODCSERVER] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... RODCSERVER failed test NetLogons

      Starting test: ObjectsReplicated

         RODCSERVER is in domain DC=domain,DC=local
         Checking for CN=RODCSERVER,OU=Domain Controllers,DC=domain,DC=local in domain DC=domain,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=RODCSERVER,CN=Servers,CN=SecondarySite,CN=Sites,CN=Configuration,DC=domain,DC=local in domain CN=Configuration,DC=domain,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... RODCSERVER passed test ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=domain,DC=local
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=domain,DC=local
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=domain,DC=local
               Latency information for 10 entries in the vector were ignored.
                  10 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=domain,DC=local
               Latency information for 10 entries in the vector were ignored.
                  10 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=domain,DC=local
               Latency information for 10 entries in the vector were ignored.
                  10 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... RODCSERVER passed test Replications

      Test skipped for RODC: RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... RODCSERVER passed test Services

      Starting test: SystemLog

         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... RODCSERVER passed test SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference)

         CN=RODCSERVER,OU=Domain Controllers,DC=domain,DC=local and backlink on

         CN=RODCSERVER,CN=Servers,CN=SecondarySite,CN=Sites,CN=Configuration,DC=domain,DC=local

          are correct. 
         The system object reference (serverReferenceBL)

         CN=RODCSERVER,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=local

         and backlink on

         CN=NTDS Settings,CN=RODCSERVER,CN=Servers,CN=SecondarySite,CN=Sites,CN=Configuration,DC=domain,DC=local

         are correct. 
         The system object reference (frsComputerReferenceBL)

         CN=RODCSERVER,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=local

         and backlink on CN=RODCSERVER,OU=Domain Controllers,DC=domain,DC=local

         are correct. 
         ......................... RODCSERVER passed test VerifyReferences

      Test omitted by user request: VerifyReplicas

   
      Test omitted by user request: DNS

      Test omitted by user request: DNS

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : domain

      Starting test: CheckSDRefDom

         ......................... domain passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... domain passed test CrossRefValidation

   
   Running enterprise tests on : domain.local

      Test omitted by user request: DNS

      Test omitted by user request: DNS

      Starting test: LocatorCheck

         GC Name: \\RODCSERVER.domain.local

         Locator Flags: 0xe00028fc
         PDC Name: \\ADSRV02.domain.local
         Locator Flags: 0xe00011fd
         Time Server Name: \\RODCSERVER.domain.local
         Locator Flags: 0xe00028fc
         Preferred Time Server Name: \\RODCSERVER.domain.local
         Locator Flags: 0xe00028fc
         KDC Name: \\RODCSERVER.domain.local
         Locator Flags: 0xe00028fc
         ......................... domain.local passed test LocatorCheck

      Starting test: Intersite

         Skipping site domain, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site OFFICE, this site is outside the scope provided by the

         command line arguments provided. 
         Skipping site SecondarySite, this site is outside the scope provided

         by the command line arguments provided. 
         ......................... domain.local passed test Intersite

Open in new window


I’m not an expert on AD and DC’s so please do not rule out rookie mistakes :)

Anybody got any ideas on what the problem might be?

Best regards, cafejava
0
Comment
Question by:Tomasz Czyz
1 Comment
 
LVL 5

Accepted Solution

by:
megaman5 earned 500 total points
Comment Utility
Did you run /domainprep?

http://clintboessen.blogspot.com/2010/11/can-rodc-be-gc.html

Also, did you setup separate sites, with subdomains?  You would include the RODC in its local site with its local subdomain, and it should be tried first.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Convert websphere application server default chained Certificates from 1024 to 2048 keysize or higher size and also you can change signatureAlgorithm . Please make sure Websphere Application Server fixpack 7.0.0.23 or Above. The following steps a…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now