Avatar of David
 asked on

Remote office Domain Controller

We have a server 2012 environment. 1 DC on each site (2 sites in total). Connected together by site to site VPN (meraki firewalls)

The 2nd site is a read only domain controller.

If and when the VPN link is done users at the second site often struggle to login. Am i missing something? Shouldnt the DC on site be able to allow them to login?

Have i forgot to configure something?

Active DirectoryWindows Server 2012DNS

Avatar of undefined
Last Comment
Trenton Knew

8/22/2022 - Mon

You have to tell active directory which accounts/passwords are allowed to be stored on the read-only domain controller.  You can also pre-populate the passwords....

Trenton Knew

Why make it read only though?  I'm guessing you only want replication to occur in a single direction?  is the RoDC at a different location because you don't allow cached logons if the link to the Primary Directory server is down?  I guess this doesn't really answer your question, just curious about why you are configured as you are.

Its a server ive inherited, but I have the same question. Im in the senario "If its not broke dont fix it senario".

I am happy with the replication being in one direction i just want the other site to still be able to login if the VPN goes down.

Thanks so far, i have allowed the remote office group to be stored on the RoDC, do i also need to add a group from the remote office computers?
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
Trenton Knew

but if cached logins are not disabled, the only case where people can't log in if the link is down, is in the case of logging onto a workstation someone hasn't previously logged into, or in cases where they haven't logged in for months.  I would think if the link is down, access to network resources would be kind of nerfed by the link being down anyway.  Unless there is file replication across the WAN for file shares, I can't see the point of the RoDC in the first place.  Again... sorry, I'm not really helping... again, just curious discussion.

are you saying by turning on cache credentials the users will still struggle to login if the VPN link is down?
The users of the remote office main network resources are on the RoDC anyway so they can carry on.

Do i need to add the computer group for the remote office to the Password replication policy?

I guess setting the DC to be a RoDC it is more secure in the long run.
Trenton Knew

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

I kind of agree with you, if i had set this up i would probably prefer the 2nd Dc to be standard.

The one issue the users noticed was some who use sage 200 which is uses the logged on users credentials (SSO) came up with a message (attached)ScreenHunter_04-Apr.-12-20.08.jpg
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Trenton Knew

That brings into question which iteration of Sage200 is being used, the online, or on premesis?  Sage is attempting to use NTLM authentication to log users into the system.  The question becomes, does the sage server software authenticate against the primary DC only? or is it actually aware of and able to contact both DC's (read only or not)

sage 200 is on premises. But would you know how i would find out which DC it is contacting? Or is this a test it and see question?
Trenton Knew

Unfortunately configuration of NTLM authentication for Sage200 is beyond the scope of my current technical know-how
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck