Solved

Domain login from DMZ to RODC

Posted on 2013-11-27
Last Modified: 2013-12-02
Hi Guys,

I have 3 network zones.
1. internal trusted network - This contains a RWDC (domain.com)
2. DMZ containing a RODC in domain.com
3. DMZ containing a domain member server of domain.com

During installation all ports were open between the zones to allow for domain replication etc...

However, it has now been locked down and I'm unable to RDP to the member server in Zone 3.

I get the error message:
An authentication error has occurred.
The Local Security Authority cannot be connected

The firewall rules all look to be correct as far as http://technet.microsoft.com/en-us/library/dd728028(v=ws.10).aspx states.

Zone 1 and Zone 2 seem fine communicating with each other.
The DNS settings of the RODC are that of the RWDC

Zone 3 can only communicate to zone 2.
The member server has the DNS settings of the RODC.

Is this possible?
Can the domain member use the RODC for login? Or does it absolutely require DNS to the RWDC as well? Isn't it kind of pointless to have the RODC if that's the case?


Cheers
Question by:lltc78
LVL 17

Expert Comment

by:Tony Massa
ID: 39682719
Did you replicate the RDP user's password out to the RODC?  When a user tries to authenticate, the RODC will refer the authentication to a RWDC.  It's likely that the member server cannot access the RWDC for authentication.

You have to add the user to the Password Replication Group.

It is also possible that the user is a member of a group, like "Domain Admins", that is never allowed to replicate its password to an RODC.

http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
By default, the Denied RODC Password Replication Group contains the following members:

    Enterprise Domain Controllers
    Enterprise Read-Only Domain Controllers
    Group Policy Creator Owners
    Domain Admins
    Cert Publishers
    Enterprise Admins
    Schema Admins
    Domain-wide krbtgt account

By default, the Denied List attribute contains the following security principals, all of which are built-in groups:

    Denied RODC Password Replication Group
    Account Operators
    Server Operators
    Backup Operators
    Administrators
Author Comment

by:lltc78
ID: 39682750
Thanks for your reply.
One of the users was a domain admin but the other isn't, and I added that user to the allowed users for password replication.

So does the member server need to communicate with the RWDC directly?
I thought it would just go to the RODC and then the RODC forwards to the RWDC? That's how it all reads in every KB article I have read.

If the client needs direct communication to rwdc, what is the purpose of rodc?
LVL 17

Expert Comment

by:Tony Massa
ID: 39682754
Check to ensure the member server and RODC are in the same AD site.

The member server only needs to communicate with the RWDC if the RODC doesn't have a local replica of the user's password.

You can check to see if the user's password has replicated
http://technet.microsoft.com/en-us/library/cc753470%28v=ws.10%29.aspx#bkmk_View_CredsOnRODC

Here you can check to see who has attempted to authenticate to the RODC
http://technet.microsoft.com/en-us/library/cc753470%28v=ws.10%29.aspx#bkmk_ViewAuthTo
I think this means that you should review the Security log on the RODC.
LVL 24

Accepted Solution

by: Sandeshdubey (earned 500 total points)
ID: 39683243
It seems that you have not cached the users/computer on the RODC, which is causing the issue.
http://www.frickelsoft.net/blog/?p=232
http://technet.microsoft.com/en-us/library/cc753470(v=ws.10).aspx

You also need to ensure the correct DNS setting is configured on the RODC: it should point to its private IP (not the loopback address 127.0.0.1) as the preferred DNS server, and the writable DNS server's IP in the hub location should be the alternate DNS server in the TCP/IP properties of the NIC.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Ensure the required ports are open for AD communication.

Active Directory firewall port requirements for RODC:
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

Also check that the port required for RDP is enabled for RDP to work.

RODC Frequently Asked Questions
http://technet.microsoft.com/en-us/library/cc754956(WS.10).aspx
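As an added example (not code from any poster in this thread), a PowerShell check run on the DMZ member server with the RSAT ActiveDirectory module that covers the three points raised above: whether the account is cached on the RODC or blocked by the denied list, whether the RODC's DC SRV record is present in the DNS the member server uses, and whether the AD ports are reachable. RODC01, jdoe and domain.com are placeholder names.

```powershell
# Added example, not code from any poster in this thread. Run on the DMZ member server
# with the RSAT ActiveDirectory module. RODC01, jdoe and domain.com are placeholders.
Import-Module ActiveDirectory
$rodc   = 'RODC01'
$user   = 'jdoe'
$domain = 'domain.com'

# 1. Is the user's password cached on the RODC? If not, the RODC must forward the logon
#    to a writable DC, which from a locked-down DMZ it may not be able to reach.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts -Server $rodc
if ($revealed.SamAccountName -contains $user) { "OK:   $user is cached on $rodc" }
else { "WARN: $user is not cached on $rodc; logon needs a reachable writable DC" }

# 2. Is the user on the denied list, directly or through nested group membership
#    (e.g. Domain Admins -> Denied RODC Password Replication Group)? Denied wins over Allowed,
#    so adding the user to the allowed group alone does not help in that case.
$userDn   = (Get-ADUser -Identity $user -Server $rodc).DistinguishedName
$memberOf = (Get-ADGroup -Server $rodc -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)").DistinguishedName
$denied   = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied -Server $rodc
$hits     = $denied | Where-Object { $_.DistinguishedName -eq $userDn -or $_.DistinguishedName -in $memberOf }
if ($hits) { "WARN: $user is denied via: " + ($hits.Name -join ', ') }
else { "OK:   $user is not on the denied list of $rodc" }

# 3. Does the DNS server this host uses return the RODC in the domain's DC SRV record?
#    (the closing comment: the RODCs had not registered their DNS records)
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
if ($srv | Where-Object { $_.NameTarget -like "$rodc.*" }) { "OK:   DC SRV record for $rodc found" }
else { "WARN: no DC SRV record for $rodc; check its DNS registration" }

# 4. Are the AD ports open from this zone to the RODC? 135 is only the endpoint mapper;
#    the RPC calls that follow use the dynamic range 49152-65535, which must be open too
#    (the blocked range reported in the closing comment).
foreach ($port in 53, 88, 135, 389, 445, 464, 636) {
    $r = Test-NetConnection -ComputerName $rodc -Port $port -WarningAction SilentlyContinue
    "{0,5} {1}" -f $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}
```

A WARN on check 1 or 2 matches the first expert comment (the RODC has to refer the logon to a writable DC); a BLOCKED port or a missing SRV record matches the closing comment.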
Author Closing Comment

by:lltc78
ID: 39691047
It looks like the problem has been resolved.
The RODCs weren't registering themselves in DNS for some reason. I haven't figured out why, but either way I manually created the records and now replication is occurring.

Also, the member servers can now log on as well. It seems to have been a firewall issue between the web server and the RODCs. The high dynamic RPC ports weren't open. Once the network team allowed those ports, logons were successful.

Cheers