  • Status: Solved
Domain login from DMZ to RODC

Hi Guys,

I have 3 network zones:
1. Internal trusted network - this contains a RWDC (domain.com)
2. DMZ containing a RODC in domain.com
3. DMZ containing a domain member server of domain.com

During installation all ports were open between the zones to allow for domain replication etc.

However, it has now been locked down and I'm unable to RDP to Zone 3 with the member server.

I get the error message:
An authentication error has occurred.
The Local Security Authority cannot be connected

The firewall rules all look to be correct as far as http://technet.microsoft.com/en-us/library/dd728028(v=ws.10).aspx states.

Zone 1 and Zone 2 seem fine communicating with each other.
The DNS settings of the RODC are those of the RWDC.

Zone 3 can only communicate with Zone 2.
The member server has the DNS settings of the RODC.

Is this possible?
Can the domain member use the RODC for login? Or does it absolutely require DNS to the RWDC as well? Isn't it kind of pointless to have the RODC if that's the case?


Cheers
Asked by: lltc78

1 Solution

Tony Massa commented:
Did you replicate the RDP user's password out to the RODC? When a user tries to authenticate, the RODC will refer the authentication to a RWDC. It's likely that the member server cannot access the RWDC for authentication.

You have to add the user to the Password Replication Group.

It is also possible that the user is a member of a group, like "Domain Admins", that is never allowed to replicate its password to a RODC.

http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
By default, the Denied RODC Password Replication Group contains the following members:

    Enterprise Domain Controllers
    Enterprise Read-Only Domain Controllers
    Group Policy Creator Owners
    Domain Admins
    Cert Publishers
    Enterprise Admins
    Schema Admins
    Domain-wide krbtgt account

By default, the Denied List attribute contains the following security principals, all of which are built-in groups:

    Denied RODC Password Replication Group
    Account Operators
    Server Operators
    Backup Operators
    Administrators
 
lltc78 (Author) commented:
Thanks for your reply.
One of the users was a domain admin but the other isn't, and I added that user to the allowed users for password replication.

So does the member server need to communicate with the RWDC directly?
I thought it would just go to the RODC and then the RODC forwards to the RWDC? That's how it all reads in every KB article I have read.

If the client needs direct communication to the RWDC, what is the purpose of the RODC?
 
Tony Massa commented:
Check to ensure the member server and RODC are in the same AD site.

The member server only needs to communicate with the RWDC if the RODC doesn't have a local replica of the user's password.

You can check to see if the user's password has replicated:
http://technet.microsoft.com/en-us/library/cc753470%28v=ws.10%29.aspx#bkmk_View_CredsOnRODC

Here you can check to see who has attempted to authenticate to the RODC:
http://technet.microsoft.com/en-us/library/cc753470%28v=ws.10%29.aspx#bkmk_ViewAuthTo
I think this means that you should review the Security log on the RODC.
 
Sandeshdubey commented:
It seems that you have not cached the users/computer on the RODC, which is causing the issue.
http://www.frickelsoft.net/blog/?p=232
http://technet.microsoft.com/en-us/library/cc753470(v=ws.10).aspx

You also need to ensure the correct DNS setting is configured on the RODC: it should point to its private IP (not the loopback address 127.0.0.1) as the preferred DNS server, and the writable DNS server's IP in a hub location should be the alternate DNS server in the TCP/IP properties of the NIC.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Ensure the required ports are open for AD communication.

Active Directory firewall port requirements for RODC:
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

Also check that the ports required for RDP are enabled for RDP to work.

RODC Frequently Asked Questions
http://technet.microsoft.com/en-us/library/cc754956(WS.10).aspx
 
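The checks suggested in the two answers above (password replication policy, whether the secret is actually cached on the RODC, who has authenticated through it, DNS registration and the AD ports from the DMZ), worked through in PowerShell. This is an added example, not code from the thread; RODC01, WEBSRV01 and jdoe are placeholder names, domain.com is the domain from the question, and it assumes the ActiveDirectory RSAT module plus Windows Server 2012 or later for Resolve-DnsName and Test-NetConnection.

```powershell
# Added example, not from the thread. Placeholders: RODC01 (the DMZ RODC),
# WEBSRV01 (the DMZ member server) and jdoe (the RDP user). Run on the member
# server as a domain user with read access to the directory.
Import-Module ActiveDirectory

$rodc   = 'RODC01'
$member = 'WEBSRV01'
$user   = 'jdoe'
$domain = 'domain.com'

# 1. Password Replication Policy on this RODC. The RODC needs the secrets of
#    both the user AND the member server's computer account (WEBSRV01$).
#    A deny entry (e.g. via Domain Admins) always wins over an allow entry.
$allowed = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed).Name
$denied  = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied).Name
foreach ($principal in @($user, "$member`$")) {
    # Direct group memberships only; nested groups are not expanded here.
    $names = @($principal) + (Get-ADPrincipalGroupMembership -Identity $principal).Name
    [pscustomobject]@{
        Principal = $principal
        Allowed   = [bool]($names | Where-Object { $allowed -contains $_ })
        Denied    = [bool]($names | Where-Object { $denied  -contains $_ })
    }
}

# 2. Being allowed is not enough: the secret is only cached ("revealed") after a
#    first successful logon through the RODC, or when prepopulated, e.g.
#    Sync-ADObject -Object $user -Source RWDC01 -Destination $rodc -PasswordOnly
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Where-Object { $_.SamAccountName -in @($user, "$member`$") } |
    Select-Object SamAccountName, DistinguishedName

# 3. Accounts that have authenticated via this RODC (the "authenticated to" list).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object SamAccountName

# 4. DNS: the RODC must have registered its own SRV records. Ask the RODC's
#    DNS service, which is what the member server points at.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $rodc |
    Where-Object { $_.NameTarget -like "$rodc.*" } |
    Select-Object NameTarget, Port

# 5. Fixed AD ports from the DMZ member server to the RODC. The dynamic RPC
#    range (TCP 49152-65535 on Server 2008 and later) must also be allowed but
#    cannot be probed with one port test: nothing listens on a given port until
#    the Endpoint Mapper (135) assigns it.
foreach ($port in 53, 88, 135, 389, 445, 464) {
    $r = Test-NetConnection -ComputerName $rodc -Port $port -WarningAction SilentlyContinue
    '{0,5} {1}' -f $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}
```

If step 1 shows Allowed but step 2 returns nothing, the secret was never fetched, which is exactly the case where the RODC has to reach a RWDC on the user's behalf.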
lltc78 (Author) commented:
It looks like the problem has been resolved.
The RODCs weren't registering themselves in DNS for some reason. I haven't figured out why, but either way I manually created the records and now replication is occurring.

Also, the member servers can now log on as well. It seems to have been a firewall issue between the web server and the RODCs. The high dynamic RPC ports weren't open. Once the network team allowed those ports, logons were successful.

Cheers