Remote office Domain Controller

David
We have a Server 2012 environment: one DC on each site (two sites in total), connected together by a site-to-site VPN (Meraki firewalls).

The second site is a read-only domain controller.

If and when the VPN link is down, users at the second site often struggle to log in. Am I missing something? Shouldn't the DC on site be able to allow them to log in?

Have I forgotten to configure something?

Thanks
Commented:
You have to tell Active Directory which accounts/passwords are allowed to be stored on the read-only domain controller. You can also pre-populate the passwords.

https://blogs.technet.microsoft.com/askds/2008/01/18/understanding-read-only-domain-controller-authentication/
Trenton Knew, Owner / Computer Whisperer

Commented:
Why make it read-only, though? I'm guessing you only want replication to occur in a single direction? Is the RODC at a different location because you don't allow cached logons if the link to the primary directory server is down? I guess this doesn't really answer your question; I'm just curious about why you are configured as you are.

Author

Commented:
It's a server I've inherited, but I have the same question. I'm in the "if it's not broke, don't fix it" scenario.

I am happy with the replication being in one direction; I just want the other site to still be able to log in if the VPN goes down.

Thanks so far. I have allowed the remote office group to be stored on the RODC; do I also need to add a group for the remote office computers?

Trenton Knew, Owner / Computer Whisperer

Commented:
But if cached logons are not disabled, the only case where people can't log in if the link is down is when logging onto a workstation someone hasn't previously logged into, or where they haven't logged in for months. I would think that if the link is down, access to network resources would be kind of nerfed by the link being down anyway. Unless there is file replication across the WAN for file shares, I can't see the point of the RODC in the first place. Again... sorry, I'm not really helping; again, just curious discussion.

Author

Commented:
Are you saying that by turning on cached credentials the users will still struggle to log in if the VPN link is down?
The remote office users' main network resources are on the RODC anyway, so they can carry on.

Do I need to add the computer group for the remote office to the Password Replication Policy?

I guess setting the DC to be an RODC is more secure in the long run.
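Added example (PowerShell, not from the thread or from any of the posters): how to inspect the RODC's Password Replication Policy, allow both the remote-office user group and the remote-office computer group, pre-populate their secrets, and then check which accounts the RODC has actually cached. The names RODC01, DC01, "Remote Office Users" and "Remote Office Computers" are assumed placeholders.

```powershell
# Added example, not from the thread. Assumes the RODC is RODC01, the writable
# DC is DC01, and two constructed groups exist: "Remote Office Users" and
# "Remote Office Computers".
Import-Module ActiveDirectory

$Rodc       = 'RODC01'
$WritableDc = 'DC01'
$Groups     = 'Remote Office Users', 'Remote Office Computers'

# 1. Show the current Password Replication Policy (Allowed and Denied entries).
#    The built-in "Allowed RODC Password Replication Group" has no members by
#    default, so nothing is cached until something is added here.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc |
    Select-Object Name, Type |
    Format-Table -AutoSize

# 2. Allow both the user group AND the computer group. A domain logon at the
#    branch needs the workstation's secret as well as the user's; if either is
#    not cacheable the RODC must forward to a writable DC, which fails when
#    the VPN is down.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Groups

# 3. Pre-populate the secrets so the first logon during a WAN outage does not
#    depend on an earlier successful logon having gone through the RODC.
$Principals = foreach ($g in $Groups) {
    Get-ADGroupMember -Identity $g -Recursive
}
foreach ($p in $Principals) {
    Sync-ADObject -Object $p -Source $WritableDc -Destination $Rodc -PasswordOnly
}

# 4. Compare accounts the RODC has cached ("revealed") with accounts it has
#    merely authenticated. Anything only in the second list will not be able
#    to log on while the link is down.
$Revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$Authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts

$NotCached = $Authenticated |
    Where-Object { $Revealed.DistinguishedName -notcontains $_.DistinguishedName }
$NotCached | Select-Object Name, ObjectClass | Format-Table -AutoSize
```

Run it from a machine with the RSAT ActiveDirectory module as an account that can edit the RODC's policy; step 4 is also useful on its own for confirming that a branch user and their workstation are both cached before the next outage.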
Trenton Knew, Owner / Computer Whisperer
Commented:
Erm, unless cached logons are disabled in your environment via Group Policy (this is a per-workstation setting), your users should still be able to log into a workstation they have previously logged into, even if a domain controller is unavailable to process the logon request. So in essence, the logon might take a few seconds longer as the computer attempts to contact the directory server, but the server being unavailable shouldn't prevent users from logging on, unless it was their first time, in which case they would see a "No logon servers are available" message.

All that said... I think having redundancy is important as well... but that would be an argument for your second DC to NOT be read-only, in my opinion.

Author

Commented:
I kind of agree with you; if I had set this up I would probably prefer the second DC to be standard.

The one issue the users noticed was that some who use Sage 200, which uses the logged-on user's credentials (SSO), came up with a message (attached: ScreenHunter_04-Apr.-12-20.08.jpg).
Trenton Knew, Owner / Computer Whisperer

Commented:
That brings into question which iteration of Sage 200 is being used: the online or the on-premises one? Sage is attempting to use NTLM authentication to log users into the system. The question becomes: does the Sage server software authenticate against the primary DC only, or is it actually aware of and able to contact both DCs (read-only or not)?

Author

Commented:
Sage 200 is on premises. But would you know how I would find out which DC it is contacting? Or is this a test-it-and-see question?
Trenton Knew, Owner / Computer Whisperer

Commented:
Unfortunately, configuration of NTLM authentication for Sage 200 is beyond the scope of my current technical know-how.