Remote office Domain Controller

We have a Server 2012 environment: one DC on each site (two sites in total), connected together by a site-to-site VPN (Meraki firewalls).

The 2nd site has a read-only domain controller.

If and when the VPN link is down, users at the second site often struggle to log in. Am I missing something? Shouldn't the DC on site be able to let them log in?

Have I forgotten to configure something?

Thanks,
David

asavener commented:
You have to tell Active Directory which accounts/passwords are allowed to be stored on the read-only domain controller. You can also pre-populate the passwords.

https://blogs.technet.microsoft.com/askds/2008/01/18/understanding-read-only-domain-controller-authentication/
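Putting asavener's answer into practice, as an added example in PowerShell (not part of the original thread): the RODC's Password Replication Policy (PRP) has to allow both the branch users and the branch computer accounts, and being on the Allowed list only permits caching; a secret is cached the first time the account authenticates through the RODC while the link is up, unless it is pre-populated. The names RODC01, HUBDC01, 'Site2 Users' and 'Site2 Computers' are assumptions; run it as a domain admin from a machine with the RSAT ActiveDirectory module.

```powershell
# Added example (not from the thread). Assumed names: RODC01 = branch RODC,
# HUBDC01 = writable hub DC, 'Site2 Users' / 'Site2 Computers' = groups that hold
# the branch user and computer accounts. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$rodc = 'RODC01'
$hub  = 'HUBDC01'
$branchGroups = 'Site2 Users', 'Site2 Computers'

# 1. Allow both users AND computer accounts. A workstation's own account must be
#    cached too, or the RODC cannot issue Kerberos tickets for it when the WAN is down.
#    The Denied list ("Denied RODC Password Replication Group": Domain Admins etc.)
#    wins over Allowed, so never put privileged accounts in these groups.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $branchGroups

# 2. Show the resulting policy.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Format-Table Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Format-Table Name, ObjectClass

# 3. Pre-populate. Allowed only permits caching; the secret is actually cached the
#    first time the account authenticates through the RODC while the link is up.
#    Push them now so first-time logons at the branch survive an outage.
$accounts = foreach ($g in $branchGroups) { Get-ADGroupMember -Identity $g -Recursive }
foreach ($a in $accounts) {
    repadmin /rodcpwdrepl $rodc $hub $a.DistinguishedName | Out-Null
}

# 4. Verify. RevealedAccounts = secrets actually held on the RODC;
#    AuthenticatedAccounts = accounts that have logged on via the RODC. Anything in
#    the second list but not the first will fail the moment the VPN drops.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$authed   = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts
$authed | Where-Object { $_.DistinguishedName -notin @($revealed.DistinguishedName) } |
    Select-Object Name, ObjectClass
```

If you would rather not create your own groups, the built-in "Allowed RODC Password Replication Group" is already on every RODC's Allowed list; the custom groups just keep the scope to one branch, which is the point of an RODC in a less physically secure site.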
Trenton Knew (Owner / Computer Whisperer) commented:
Why make it read-only, though? I'm guessing you only want replication to occur in a single direction? Is the RODC at a different location because you don't allow cached logons if the link to the primary directory server is down? I guess this doesn't really answer your question, just curious about why you are configured as you are.
David (author) commented:
It's a server I've inherited, but I have the same question. I'm in the "if it's not broke, don't fix it" scenario.

I am happy with the replication being in one direction; I just want the other site to still be able to log in if the VPN goes down.

Thanks so far. I have allowed the remote office group to be stored on the RODC; do I also need to add a group for the remote office computers?

Trenton Knew (Owner / Computer Whisperer) commented:
But if cached logins are not disabled, the only case where people can't log in if the link is down is when logging onto a workstation someone hasn't previously logged into, or when they haven't logged in for months. I would think if the link is down, access to network resources would be kind of nerfed by the link being down anyway. Unless there is file replication across the WAN for file shares, I can't see the point of the RODC in the first place. Again... sorry, I'm not really helping... again, just curious discussion.
David (author) commented:
Are you saying that by turning on cached credentials the users will still struggle to log in if the VPN link is down?
The remote office users' main network resources are on the RODC anyway, so they can carry on.

Do I need to add the computer group for the remote office to the Password Replication Policy?

I guess setting the DC to be an RODC is more secure in the long run.
Trenton Knew (Owner / Computer Whisperer) commented:
Erm, unless cached logons are disabled in your environment via Group Policy (this is a per-workstation setting), your users should still be able to log into a workstation they have previously logged into, even if a domain controller is unavailable to process the logon request. So in essence, the logon might take a few seconds longer as the computer attempts to contact the directory server, but the server being unavailable shouldn't prevent users from logging on, unless it was their first time, in which case they would see a "No logon servers are available" message.

All that said... I think having redundancy is important as well... but that would be an argument for your second DC to NOT be read-only, in my opinion.
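To check Trenton's point on a branch workstation, as an added example not taken from the thread: cached logons are governed by the CachedLogonsCount value that the Group Policy setting "Interactive logon: Number of previous logons to cache" writes (0 disables caching; the default is 10), and a logon that was served from the cache because no DC answered is recorded as Security event 4624 with logon type 11 (CachedInteractive). The block also shows which DC the workstation's secure channel points at, so you can tell whether it is talking to the branch RODC or across the VPN. Nothing in it is specific to the poster's environment; it needs local admin rights to read the Security log.

```powershell
# Added example (not from the thread). Run on the branch workstation, or wrap it in
# Invoke-Command -ComputerName <pc> to run it remotely. No site-specific names.

# 1. Cached logons: the GPO "Interactive logon: Number of previous logons to cache"
#    writes CachedLogonsCount. 0 = disabled, value absent = default of 10.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }
if ([int]$cached -eq 0) {
    Write-Warning 'Cached logons are disabled: with no DC reachable, nobody can log on here.'
} else {
    "Up to $cached previous domain logons are cached; users who have logged on here before still get in."
}

# 2. Which DC handled the current session, and which DC the secure channel points at?
#    If this names the hub DC rather than the branch RODC, check the AD site/subnet
#    mapping and the RODC's Password Replication Policy first.
"LOGONSERVER = $env:LOGONSERVER"
nltest "/sc_query:$env:USERDOMAIN"

# 3. Logons served from the cache (no DC answered) are event 4624 with logon type 11
#    (CachedInteractive). Count them for the last 7 days; a non-zero count during a
#    known VPN outage means the cache did its job.
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 604800000]]" +
         " and EventData[Data[@Name='LogonType']='11']]"
$fromCache = @(Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue)
"Cached (type 11) logons in the last 7 days: $($fromCache.Count)"
```

A user who has never logged on to that PC, or whose cached entry has been pushed out by more than CachedLogonsCount other users, will still get "There are currently no logon servers available" when both the RODC and the VPN are unavailable, which is why the RODC's PRP and the workstation cache are complementary rather than alternatives.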

David (author) commented:
I kind of agree with you; if I had set this up I would probably prefer the 2nd DC to be standard.

The one issue the users noticed was that some who use Sage 200, which uses the logged-on user's credentials (SSO), came up with a message (attached: ScreenHunter_04-Apr.-12-20.08.jpg).
Trenton Knew (Owner / Computer Whisperer) commented:
That brings into question which iteration of Sage 200 is being used, the online or the on-premises one? Sage is attempting to use NTLM authentication to log users into the system. The question becomes: does the Sage server software authenticate against the primary DC only, or is it actually aware of and able to contact both DCs (read-only or not)?
David (author) commented:
Sage 200 is on premises. But would you know how I would find out which DC it is contacting? Or is this a test-it-and-see question?
Trenton Knew (Owner / Computer Whisperer) commented:
Unfortunately, configuration of NTLM authentication for Sage 200 is beyond the scope of my current technical know-how.
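As an added example for David's question about which DC Sage is contacting (PowerShell, not from the thread and not Sage-specific): a member server does not pick a DC for NTLM itself; it passes the credential validation over its own secure channel to whichever DC that channel currently points at, and the DC that actually validates the credentials logs Security event 4776. If the RODC holds the user's secret it validates locally and logs the event; if not, it forwards the request to a writable DC and the 4776 appears there instead. SAGE01, RODC01, HUBDC01, corp.example and jsmith are assumed names.

```powershell
# Added example (not from the thread). Assumed names: SAGE01 = Sage 200 server,
# RODC01 = branch RODC, HUBDC01 = writable hub DC, corp.example = domain,
# jsmith = a branch user who saw the Sage SSO error.
$sageServer = 'SAGE01'
$dcs        = 'RODC01', 'HUBDC01'
$user       = 'jsmith'

# 1. NTLM pass-through from a member server goes to the DC its secure channel
#    points at. Query it on the Sage server (reset it if it has drifted to the hub).
Invoke-Command -ComputerName $sageServer -ScriptBlock {
    nltest /sc_query:corp.example           # "Trusted DC Name \\HUBDC01..." or \\RODC01
    # nltest /sc_reset:corp.example\RODC01  # uncomment to force the channel to the RODC
}

# 2. Event 4776 is written by the DC that validated the NTLM credentials. Pull the
#    last 24 hours for the user from every DC; whichever DC has them did the work.
#    Status 0x0 = success, 0xC000006A = bad password, 0xC0000064 = unknown user,
#    0xC0000234 = locked out. The Workstation field is the client PC that started
#    the NTLM exchange, not the Sage server, so filter on the user instead.
$xpath = "*[System[EventID=4776 and TimeCreated[timediff(@SystemTime) <= 86400000]]" +
         " and EventData[Data[@Name='TargetUserName']='$user']]"

$results = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                ValidatedBy = $dc
                Time        = $_.TimeCreated
                User        = $data['TargetUserName']
                FromHost    = $data['Workstation']
                Status      = $data['Status']
            }
        }
}
$results | Sort-Object Time | Format-Table -AutoSize
```

Run it while the VPN is up and note where jsmith's 4776 events land: if they are on HUBDC01 even though the Sage server's secure channel is with RODC01, the RODC did not have the user's secret cached and forwarded the request, which is exactly the logon that will fail once the link drops.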