David (Asker)

Remote office Domain Controller

We have a Server 2012 environment: one DC on each site (two sites in total), connected together by a site-to-site VPN (Meraki firewalls).

The second site is a read-only domain controller.

If and when the VPN link is down, users at the second site often struggle to log in. Am I missing something? Shouldn't the DC on site be able to allow them to log in?

Have I forgotten to configure something?

Thanks
asavener

You have to tell Active Directory which accounts/passwords are allowed to be stored on the read-only domain controller. You can also pre-populate the passwords.

https://blogs.technet.microsoft.com/askds/2008/01/18/understanding-read-only-domain-controller-authentication/
Trenton Knew

Why make it read-only though? I'm guessing you only want replication to occur in a single direction? Is the RODC at a different location because you don't allow cached logons if the link to the primary directory server is down? I guess this doesn't really answer your question; I'm just curious about why you are configured as you are.
David (Asker)

It's a server I've inherited, but I have the same question. I'm in the "if it's not broke, don't fix it" scenario.

I am happy with the replication being in one direction; I just want the other site to still be able to log in if the VPN goes down.

Thanks so far. I have allowed the remote office group to be stored on the RODC; do I also need to add a group for the remote office computers?

Trenton Knew

But if cached logins are not disabled, the only case where people can't log in if the link is down is when logging onto a workstation someone hasn't previously logged into, or when they haven't logged in for months. I would think that if the link is down, access to network resources would be kind of nerfed by the link being down anyway. Unless there is file replication across the WAN for file shares, I can't see the point of the RODC in the first place. Again... sorry, I'm not really helping... again, just curious discussion.
David (Asker)

Are you saying that by turning on cached credentials the users will still struggle to log in if the VPN link is down?
The remote office users' main network resources are on the RODC anyway, so they can carry on.

Do I need to add the computer group for the remote office to the Password Replication Policy?

I guess setting the DC to be an RODC is more secure in the long run.
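The following is an added example, not code from the thread or from any of its participants. It shows the two things asavener describes (telling Active Directory which accounts may be cached on the RODC, and pre-populating their secrets) and also answers the computer-group question above: for a branch workstation to log a user on while the VPN is down, the RODC needs both the user's secret and the workstation's computer-account secret cached, so the user group alone is not enough. The RODC name BRANCH-RODC, the writable DC HQ-DC01 and the two group names are placeholders assumed for the example. The cmdlets are the standard ActiveDirectory module cmdlets and repadmin /rodcpwdrepl is the built-in pre-population tool.

```powershell
# Added example (not from the thread): manage an RODC's Password Replication Policy (PRP)
# and pre-populate credentials so a branch site can log on with the WAN/VPN down.
# Placeholders (assumed for this example): RODC 'BRANCH-RODC', writable DC 'HQ-DC01',
# groups 'Branch Office Users' and 'Branch Office Computers'.
Import-Module ActiveDirectory

$Rodc          = 'BRANCH-RODC'
$WritableDc    = 'HQ-DC01'
$UserGroup     = 'Branch Office Users'
$ComputerGroup = 'Branch Office Computers'

# 1. Allow BOTH the branch users and the branch workstations' computer accounts to be
#    cached. A workstation must have its own secret on the RODC to build its secure
#    channel and obtain Kerberos tickets offline, so the user group alone is not enough.
#    (Adding the groups to the built-in 'Allowed RODC Password Replication Group' is the
#    equivalent alternative.)
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $UserGroup, $ComputerGroup

# 2. Review the resulting policy. A Denied entry always wins over an Allowed entry, and the
#    default Denied list deliberately keeps Domain Admins and similar accounts off the RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name

# 3. Check what is actually cached (revealed) versus merely forwarded to a writable DC.
#    Accounts that only appear under -AuthenticatedAccounts will fail to log on when the
#    VPN is down, which is the symptom described in the question.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass

# 4. Pre-populate: push each allowed account's secret to the RODC now, while the link is up,
#    instead of waiting for each user's and workstation's first logon through the RODC.
#    repadmin /rodcpwdrepl syntax: <RODC> <source writable DC> <account DN> [<account DN> ...]
$Accounts = @(
    Get-ADGroupMember -Identity $UserGroup -Recursive
    Get-ADGroupMember -Identity $ComputerGroup -Recursive
)
foreach ($acct in $Accounts) {
    repadmin /rodcpwdrepl $Rodc $WritableDc $acct.DistinguishedName
}
```

Run this from a workstation or server with RSAT against the writable DC while the VPN is up; step 3 is the quickest way to confirm, before the next outage, whether a given user or workstation will be able to log on at the branch when the link fails.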
ASKER CERTIFIED SOLUTION
Trenton Knew

This solution is only available to members.
David (Asker)

I kind of agree with you; if I had set this up I would probably prefer the second DC to be standard.

The one issue the users noticed was that some who use Sage 200, which uses the logged-on user's credentials (SSO), came up with a message (attached).

That brings into question which iteration of Sage 200 is being used, the online or the on-premises one? Sage is attempting to use NTLM authentication to log users into the system. The question becomes: does the Sage server software authenticate against the primary DC only, or is it actually aware of and able to contact both DCs (read-only or not)?
David (Asker)

Sage 200 is on premises. But would you know how I would find out which DC it is contacting? Or is this a test-it-and-see question?

Unfortunately, configuration of NTLM authentication for Sage 200 is beyond the scope of my current technical know-how.