Solved

Domain login from DMZ to RODC

Posted on 2013-11-27
2,786 Views
Last Modified: 2013-12-02
Hi Guys,

I have 3 network zones.
1. internal trusted network - This contains a RWDC (domain.com)
2. DMZ containing a RODC in domain.com
3. DMZ containing a domain member server of domain.com

During installation all ports were open between the zones to allow for domain replication etc...

However it has now been locked down and I'm unable to RDP to Zone 3, where the member server is.

I get the error message:
An authentication error has occurred.
The Local Security Authority cannot be connected

The firewall rules all look to be correct as far as http://technet.microsoft.com/en-us/library/dd728028(v=ws.10).aspx states.

Zone 1 and Zone 2 seem fine communicating with each other.
The DNS settings of the RODC are those of the RWDC.

Zone 3 can only communicate to zone 2.
The member server has the DNS settings of the RODC.

Is this possible?
Can the domain member use the RODC for login? Or does it absolutely require DNS to the RWDC as well? Isn't it kind of pointless to have the RODC if that's the case?


Cheers
0
Question by:lltc78
5 Comments
 
LVL 17

Expert Comment

by:Tony Massa
ID: 39682719
Did you replicate the RDP user's password out to the RODC?  When a user tries to authenticate, the RODC will refer the authentication to a RWDC.  It's likely that the member server cannot access the RWDC for authentication.

You have to add the user to the Password Replication Group.

It is also possible that the user is a member of a group, like "Domain Admins", that is never allowed to replicate its password to a RODC.

http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
By default, the Denied RODC Password Replication Group contains the following members:
  • Enterprise Domain Controllers
  • Enterprise Read-Only Domain Controllers
  • Group Policy Creator Owners
  • Domain Admins
  • Cert Publishers
  • Enterprise Admins
  • Schema Admins
  • Domain-wide krbtgt account

By default, the Denied List attribute contains the following security principals, all of which are built-in groups:
  • Denied RODC Password Replication Group
  • Account Operators
  • Server Operators
  • Backup Operators
  • Administrators
0
 

Author Comment

by:lltc78
ID: 39682750
Thanks for your reply.
One of the users was a domain admin but the other isn't, and I added that user to the allowed users for password replication.

So does the member server need to communicate with the rwdc directly?
I thought it would just go to rodc and then rodc forwards to rwdc? That's how it all reads in every kb article i have read.

If the client needs direct communication to rwdc, what is the purpose of rodc?
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 39682754
Check to ensure the member server and RODC are in the same AD site.

The member server only needs to communicate with the RWDC if the RODC doesn't have a local replica of the user's password.

You can check to see if the user's password has replicated
http://technet.microsoft.com/en-us/library/cc753470%28v=ws.10%29.aspx#bkmk_View_CredsOnRODC

Here you can check to see who has attempted to authenticate to the RODC
http://technet.microsoft.com/en-us/library/cc753470%28v=ws.10%29.aspx#bkmk_ViewAuthTo
I think this means that you should review the Security log on the RODC.
0
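A worked version of the checks the two comments above describe (is the account in a denied group, has its password been cached on the RODC, who has authenticated through it), as an added example that is not part of the thread. It uses the ActiveDirectory module from a machine that can reach the RWDC; the names DMZ-RODC01, RWDC01.domain.com and svc.webadmin are assumed placeholders.

```powershell
# Added example, not from the thread: audit and fix the RODC Password Replication Policy (PRP)
# for one account. Run with the ActiveDirectory module where the RWDC is reachable.
# Assumed placeholders: RODC DMZ-RODC01, source RWDC RWDC01.domain.com, account svc.webadmin.
Import-Module ActiveDirectory

$Rodc   = 'DMZ-RODC01'
$Rwdc   = 'RWDC01.domain.com'
$User   = 'svc.webadmin'
$userDn = (Get-ADUser -Identity $User).DistinguishedName

# 1. The Denied list beats the Allowed list. Resolve the account's group membership
#    transitively (LDAP_MATCHING_RULE_IN_CHAIN) so nesting such as
#    Domain Admins -> Denied RODC Password Replication Group is caught.
$denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
          Select-Object -ExpandProperty Name
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
          Select-Object -ExpandProperty Name
$hits = @($groups | Where-Object { $denied -contains $_ })
if ($hits.Count -gt 0) {
    Write-Warning "$User is denied on $Rodc via: $($hits -join ', '). Its password will never be cached; use a different account for the DMZ logon."
    return
}

# 2. Is the password already cached ("revealed") on the RODC?
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
            Where-Object { $_.SamAccountName -eq $User }
if ($revealed) {
    "$User is already cached on $Rodc"
} else {
    # 3. Put the account on the Allowed list and pre-populate the secret from the RWDC now,
    #    so the first DMZ logon does not depend on the RODC chaining back to the RWDC.
    Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $User
    repadmin /rodcpwdrepl $Rodc $Rwdc $userDn
}

# 4. Accounts that have authenticated through this RODC (cached or forwarded): a quick way
#    to see whether the member server's logons are reaching the RODC at all.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object Name, SamAccountName
```

The same treatment applies to the member server's computer account (e.g. WEB01$): the RODC must hold its secret too, or Kerberos service tickets for the server will still have to be chained to the RWDC. `repadmin /prp view DMZ-RODC01 reveal` is the command-line equivalent of step 2 on servers without the ActiveDirectory module.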
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39683243
It seems that you have not cached the users/computer on the RODC, which is causing the issue. http://www.frickelsoft.net/blog/?p=232 http://technet.microsoft.com/en-us/library/cc753470(v=ws.10).aspx

You also need to ensure the correct DNS setting is configured on the RODC: it should point to its own private IP (not the loopback address 127.0.0.1) as the preferred DNS server, and the writable DNS server's IP in the hub location should be the alternate DNS server in the TCP/IP properties of the NIC.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Ensure the required ports are open for AD communication.

Active Directory Firewall Ports requirement for RODC.
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

Also check that the port required for RDP is enabled, for RDP to work.

RODC Frequently Asked Questions
http://technet.microsoft.com/en-us/library/cc754956(WS.10).aspx
0
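The DNS-client advice in the comment above, applied on the RODC and followed by a check that the RODC is actually advertised to Zone 3 clients, as an added example that is not part of the thread. The NIC alias Ethernet, the addresses 10.0.2.10 (RODC) and 10.0.1.10 (hub RWDC/DNS), the site name DMZ and the domain domain.com are assumed placeholders.

```powershell
# Added example, not from the thread: run on the RODC itself. Sets the DNS client order the
# comment above recommends and then checks that this RODC is actually advertised in DNS.
# Assumed placeholders: NIC alias Ethernet, RODC IP 10.0.2.10, hub RWDC/DNS IP 10.0.1.10,
# AD site DMZ, domain domain.com.
$Nic    = 'Ethernet'
$RodcIp = '10.0.2.10'
$RwdcIp = '10.0.1.10'
$Site   = 'DMZ'
$Domain = 'domain.com'

# Preferred = own private IP (not 127.0.0.1), alternate = writable DNS server in the hub.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses @($RodcIp, $RwdcIp)
Get-DnsClientServerAddress -InterfaceAlias $Nic -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# Ask Netlogon to (re)register this DC's locator records. The RODC's own zone copy is read-only,
# so the update has to reach the writable DNS server in the hub (TCP/UDP 53 from Zone 2 to Zone 1).
nltest /dsregdns

# Records a Zone 3 member looks up: the site-specific ones first, the domain-wide ones as fallback.
$names = @(
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
    "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain"
)
$me = $env:COMPUTERNAME
foreach ($name in $names) {
    $srv = Resolve-DnsName -Name $name -Type SRV -Server $RodcIp -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    $targets = @($srv | ForEach-Object { $_.NameTarget })
    if ($targets -match "^$me\.") {
        'OK       {0} -> {1}' -f $name, ($targets -join ', ')
    } else {
        'MISSING  {0} -> {1}' -f $name, $(if ($targets) { $targets -join ', ' } else { '(no answer)' })
    }
}
```

The site-specific records are the ones that matter: a member whose subnet maps to the DMZ site will use them and stay on the RODC, while a member with no site mapping falls back to the domain-wide list, which also contains the RWDC it cannot reach. On Server 2008 R2 the cmdlets above are not available; `netsh interface ip set dns name="Ethernet" static 10.0.2.10`, `netsh interface ip add dns name="Ethernet" 10.0.1.10 index=2` and `nslookup -type=SRV <name> 10.0.2.10` do the same jobs.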
 

Author Closing Comment

by:lltc78
ID: 39691047
It looks like the problem has been resolved.
The RODCs weren't registering themselves in DNS for some reason, I haven't figured out why, but either way I manually created the records and now replication is occurring.

Also, the member servers can now logon as well. It seems to have been a firewall issue between the Web server and RODCs. The high dynamic RPC ports weren't open. Once the network team allowed those ports, logons were successful.

Cheers
0
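A check a practitioner would run from the Zone 3 member server before involving the network team, covering both findings in the closing comment (which DC the locator hands out, and whether the fixed ports plus the dynamic RPC range are reachable), as an added example that is not part of the thread. The RODC name DMZ-RODC01.domain.com and the domain domain.com are assumed placeholders; the fixed port list is the member-to-DC set from the TechNet RODC port article cited in the question.

```powershell
# Added example, not from the thread: run on the Zone 3 member server to test its path to the RODC.
# Assumed placeholders: RODC DMZ-RODC01.domain.com, domain domain.com.
$Rodc   = 'DMZ-RODC01.domain.com'
$Domain = 'domain.com'

# 1. Which DC does the locator hand out? If this names the RWDC in Zone 1, the member will try
#    to reach a DC it cannot see, whatever the RODC has cached.
$dc = (nltest "/dsgetdc:$Domain" /force) -join "`n"
$dc
if ($dc -notmatch [regex]::Escape(($Rodc -split '\.')[0])) {
    Write-Warning "Locator did not return $Rodc - check the RODC's site-specific SRV records and the member's site/subnet mapping."
}

# 2. Fixed TCP ports a domain member needs on its DC (member -> RODC direction).
$ports = @{
    53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP'; 445='SMB (SYSVOL/Netlogon)';
    464='Kerberos kpasswd'; 636='LDAPS'; 3268='Global catalog'; 3269='Global catalog (SSL)'
}
foreach ($port in ($ports.Keys | Sort-Object)) {
    $ok = (Test-NetConnection -ComputerName $Rodc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5}  {1,-28} {2}' -f $port, $ports[$port], $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 3. The dynamic RPC range (TCP 49152-65535 on Server 2008 and later) cannot be probed port by
#    port, because Netlogon and LSA pick their ports at start-up. A secure-channel check exercises
#    the whole path: endpoint mapper on 135, then the dynamic port the RODC's Netlogon is using.
if (Test-ComputerSecureChannel) {
    'Secure channel OK: endpoint mapper and dynamic RPC port are reachable'
} else {
    Write-Warning 'Secure channel failed: if 135 is open above, the dynamic RPC range is the likely block'
}
```

Test-NetConnection only speaks TCP, so the UDP side of DNS (53), Kerberos (88), LDAP (389) and NTP (123) is not covered; an actual logon or `nslookup` against the RODC confirms those. On Server 2008 R2 the port loop can be replaced with `Test-ComputerSecureChannel` plus `portqry -n DMZ-RODC01.domain.com -e 135`, which also lists the dynamic endpoints the RODC is currently exposing.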
