Solved

Domain login from DMZ to RODC

Posted on 2013-11-27
Last Modified: 2013-12-02
Hi Guys,

I have 3 network zones.
1. internal trusted network - This contains a RWDC (domain.com)
2. DMZ containing a RODC in domain.com
3. DMZ containing a domain member server of domain.com

During installation all ports were open between the zones to allow for domain replication etc...

However, it has now been locked down and I'm unable to RDP to Zone 3 with the member server.

I get the error message:
An authentication error has occurred.
The Local Security Authority cannot be connected

The firewall rules all look to be correct as far as http://technet.microsoft.com/en-us/library/dd728028(v=ws.10).aspx states.

Zone 1 and Zone 2 seem fine communicating with each other.
The DNS settings of the RODC are that of the RWDC

Zone 3 can only communicate to zone 2.
The member server has DNS settings of the RODC.

Is this possible?
Can the domain member use the RODC for login? Or does it absolutely require DNS to the RWDC as well? Isn't it kind of pointless to have the RODC if that's the case?


Cheers
0
Question by:lltc78
5 Comments
 
LVL 17

Expert Comment

by:Tony Massa
ID: 39682719
Did you replicate the RDP user's password out to the RODC?  When a user tries to authenticate, the RODC will refer the authentication to a RWDC.  It's likely that the member server cannot access the RWDC for authentication.

You have to add the user to the Password Replication Group.

It is also possible that the user is a member of a group, like "Domain Admins", that is never allowed to replicate its password to a RODC.

http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
By default, the Denied RODC Password Replication Group contains the following members:

    Enterprise Domain Controllers

    Enterprise Read-Only Domain Controllers

    Group Policy Creator Owners

    Domain Admins

    Cert Publishers

    Enterprise Admins

    Schema Admins

    Domain-wide krbtgt account

By default, the Denied List attribute contains the following security principals, all of which are built-in groups:

    Denied RODC Password Replication Group

    Account Operators

    Server Operators

    Backup Operators

    Administrators
0
 

Author Comment

by:lltc78
ID: 39682750
Thanks for your reply.
One of the users was a domain admin but the other isn't, and I added that user to the allowed users for password replication.

So does the member server need to communicate with the RWDC directly?
I thought it would just go to the RODC and then the RODC forwards to the RWDC? That's how it all reads in every KB article I have read.

If the client needs direct communication to the RWDC, what is the purpose of the RODC?
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 39682754
Check to ensure the member server and RODC are in the same AD site.

The member server only needs to communicate with the RWDC if the RODC doesn't have a local replica of the user's password.

You can check to see if the user's password has replicated
http://technet.microsoft.com/en-us/library/cc753470%28v=ws.10%29.aspx#bkmk_View_CredsOnRODC

Here you can check to see who has attempted to authenticate to the RODC
http://technet.microsoft.com/en-us/library/cc753470%28v=ws.10%29.aspx#bkmk_ViewAuthTo
I think this means that you should review the Security log on the RODC.
0
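The checks in the two comments above (is the user on the allowed or denied list, has the password actually been cached, who has authenticated through the RODC) can be done from one script with the ActiveDirectory PowerShell module. This is an added example, not something posted in the thread; the RODC, user, server and DC names are placeholders, and `repadmin /rodcpwdrepl` is the standard tool for pre-populating a secret on an RODC.

```powershell
# Added example, not from the thread: audit an RODC's Password Replication Policy
# (PRP) and see which accounts it has actually cached or merely referred to a
# writable DC. Run on a management host with RSAT; the RODC, user and server
# names are placeholders.
Import-Module ActiveDirectory

$Rodc   = 'RODC01.domain.com'   # placeholder: the DMZ RODC
$User   = 'rdpuser'             # placeholder: the account that cannot RDP
$Server = 'WEB01$'              # placeholder: the DMZ member server's computer account

# 1. The RODC's own allowed and denied lists.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList
"Allowed: " + ($allowed.Name -join ', ')
"Denied:  " + ($denied.Name  -join ', ')

# 2. Denied beats allowed. Resolve the user's nested group membership with the
#    LDAP_MATCHING_RULE_IN_CHAIN filter and intersect it with the denied list, so
#    a member of Domain Admins or Administrators is flagged even if that user is
#    also on the allowed list.
$userDn = (Get-ADUser -Identity $User).DistinguishedName
$nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)"
$hits   = @($nested | Where-Object { $denied.DistinguishedName -contains $_.DistinguishedName })
if ($denied.DistinguishedName -contains $userDn -or $hits.Count -gt 0) {
    "$User is on the denied list (directly or via $($hits.Name -join ', ')); it will never be cached on $Rodc"
}

# 3. Is the secret actually cached? "Revealed" means the RODC holds the password.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
foreach ($acct in $User, $Server) {
    $dn    = (Get-ADObject -LDAPFilter "(sAMAccountName=$acct)").DistinguishedName
    $state = if ($revealed.DistinguishedName -contains $dn) { 'cached' } else { 'NOT cached' }
    "{0,-12} {1}" -f $acct, $state
}

# 4. Accounts that have authenticated through this RODC so far. Anything listed
#    here but not cached was referred to the RWDC, which is exactly the path the
#    DMZ firewall blocks.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# 5. Allow both the user and the member server's computer account, then
#    pre-populate their secrets from a writable DC so the first logon after the
#    lock-down does not need to reach the RWDC at all.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $User, $Server
repadmin /rodcpwdrepl RODC01 RWDC01 $userDn    # placeholder DC names; one DN per call
```

Step 3 checks the member server's computer account as well as the user, because a domain logon at the server needs the server's own secure channel to be satisfiable by the RODC, not only the user's credentials.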
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 2000 total points
ID: 39683243
It seems that you have not cached the users/computer on the RODC, which is causing the issue.
http://www.frickelsoft.net/blog/?p=232
http://technet.microsoft.com/en-us/library/cc753470(v=ws.10).aspx

You also need to ensure the correct DNS setting is configured on the RODC: it should point to its private IP (not the loopback address 127.0.0.1) as the preferred DNS server, and the writable DNS server's IP in the hub location should be the alternate DNS server in the TCP/IP properties of the NIC.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Ensure the required ports are open for AD communication.

Active Directory firewall port requirements for RODC:
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

Also check that the required ports for RDP are enabled for RDP to work.

RODC Frequently Asked Questions
http://technet.microsoft.com/en-us/library/cc754956(WS.10).aspx
0
 

Author Closing Comment

by:lltc78
ID: 39691047
It looks like the problem has been resolved.
The RODCs weren't registering themselves in DNS for some reason; I haven't figured out why, but either way I manually created the records and now replication is occurring.

Also, the member servers can now log on as well. It seems to have been a firewall issue between the web server and RODCs. The high dynamic RPC ports weren't open. Once the network team allowed those ports, logons were successful.

Cheers
0
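Both findings in the accepted answer and the closing comment (the RODC's records missing from DNS, and the dynamic RPC ports being blocked) can be verified from the DMZ member server itself. The script below is an added example, not code from the thread; the domain, site, host names and the sample dynamic ports are placeholders, and it uses only the built-in `Resolve-DnsName`, `Test-NetConnection` and `nltest` tools.

```powershell
# Added example, not from the thread: run on the DMZ member server to confirm it
# can find the RODC in DNS and reach the ports a domain logon needs. Names,
# site and port values are placeholders.
$Domain = 'domain.com'
$Site   = 'DMZ'                  # placeholder: AD site shared by the RODC and member server
$Rodc   = 'RODC01.domain.com'    # placeholder

# 1. SRV records. Each lookup should return the RODC. If the RODC never
#    registered itself (as the closing comment found), the site-specific records
#    are missing and the locator falls back to a RWDC the firewall blocks.
$srvNames = @(
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
    "_kerberos._tcp.$Site._sites.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain"
)
foreach ($name in $srvNames) {
    $targets = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'SRV' | ForEach-Object { $_.NameTarget }
    "{0,-45} {1}" -f $name, ($(if ($targets) { $targets -join ', ' } else { 'MISSING' }))
}

# 2. Which DC does the locator actually choose from this site? Expect the RODC.
nltest /dsgetdc:$Domain /force

# 3. Fixed ports used for a domain logon against the RODC.
$fixed = @(
    @{ Port = 53;  Use = 'DNS' },
    @{ Port = 88;  Use = 'Kerberos' },
    @{ Port = 135; Use = 'RPC endpoint mapper' },
    @{ Port = 389; Use = 'LDAP' },
    @{ Port = 445; Use = 'SMB (Netlogon/SYSVOL)' },
    @{ Port = 464; Use = 'Kerberos kpasswd' }
)
foreach ($svc in $fixed) {
    $ok = (Test-NetConnection -ComputerName $Rodc -Port $svc.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0,5} {1,-24} {2}" -f $svc.Port, $svc.Use, ($(if ($ok) { 'open' } else { 'BLOCKED' }))
}

# 4. Dynamic RPC ports. Netlogon and SAMR are reached through the endpoint mapper
#    on 135, which hands the client a port from the dynamic range (49152-65535 on
#    Server 2008 and later), so opening 135 alone is not enough. On the RODC, list
#    the ports currently in use with:
#      Get-NetTCPConnection -State Listen | Where-Object LocalPort -ge 49152 |
#          Select-Object -ExpandProperty LocalPort
#    then paste them below and test them from here.
$rpcPortsOnRodc = @(49155, 49157)    # placeholder values copied from the RODC
foreach ($port in $rpcPortsOnRodc) {
    $ok = (Test-NetConnection -ComputerName $Rodc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0,5} {1,-24} {2}" -f $port, 'dynamic RPC', ($(if ($ok) { 'open' } else { 'BLOCKED' }))
}

# 5. The RODC's own client DNS order, as the accepted answer advises: its own IP
#    first, the hub RWDC second, never 127.0.0.1 first. Run this on the RODC:
#      Get-DnsClientServerAddress -AddressFamily IPv4 |
#          Select-Object InterfaceAlias, ServerAddresses
```

If step 1 shows the site-specific records as MISSING while the generic ones resolve, the member server will keep being pointed at a writable DC it cannot reach, which matches the "Local Security Authority" error in the question even when the user's password is correctly cached.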
