PramoIT
asked on
cant use cached domain credentials when logging on through rdp
Hi,
We have a domain controller in 1 location and a member server in an other location. They are both server 2012 R2. The 2 are connected through an ipsec vpn tunnel. On the domain controller we have set that the policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 50 logons.
Here's the problem:
We logon to the memberserver through rdp. When the vpn tunnel is down, we cant login because the server says there's no domaincontroller available. We have checked that the gpo is applied bij going to the registry key that controls the number of cached logons. It says 50, so the gpo is applied.
Any suggestions on how to resolve this are very welcome.
Regards,
We have a domain controller in 1 location and a member server in an other location. They are both server 2012 R2. The 2 are connected through an ipsec vpn tunnel. On the domain controller we have set that the policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 50 logons.
Here's the problem:
We logon to the memberserver through rdp. When the vpn tunnel is down, we cant login because the server says there's no domaincontroller available. We have checked that the gpo is applied bij going to the registry key that controls the number of cached logons. It says 50, so the gpo is applied.
Any suggestions on how to resolve this are very welcome.
Regards,
Have you signed on to the member server at least once before with the same account?
ASKER
Yes, i did mutliple times. Through rdp.
the policy is applicable only for interactive logon (console logon), the one which you using on workstations for day to day logon....not for RDP sessions, your DC must be reachable in order to get the RDP because RDP require domain controller validation
The another thing is, this policy should be applied on OU containing workstations, not on domain controllers OU. Now this policy only affect domain controllers machines (that is also console / interactive logon)and not standard workstations.
Even if you don't configure this setting, by default 10 or 25 (I don't recollect exact value) last successful logon information is cached on workstations / member servers
I don't know why you set it as 50 - its not that it will allow logon interactively only 50 times
what policy is saying that once it applied machines will remember last successful logon attempts (50 users in your case on one machine - i don't think 50 users are logging on one machine) and it did not put any restrictions how many times you can logon to workstation with cached credentials
Check below link
http://windowsitpro.com/systems-management/q-what-are-different-windows-logon-types-can-show-windows-event-log
and
https://technet.microsoft.com/en-us/library/jj852209(v=ws.11).aspx
Mahesh.
The another thing is, this policy should be applied on OU containing workstations, not on domain controllers OU. Now this policy only affect domain controllers machines (that is also console / interactive logon)and not standard workstations.
Even if you don't configure this setting, by default 10 or 25 (I don't recollect exact value) last successful logon information is cached on workstations / member servers
I don't know why you set it as 50 - its not that it will allow logon interactively only 50 times
what policy is saying that once it applied machines will remember last successful logon attempts (50 users in your case on one machine - i don't think 50 users are logging on one machine) and it did not put any restrictions how many times you can logon to workstation with cached credentials
Check below link
http://windowsitpro.com/systems-management/q-what-are-different-windows-logon-types-can-show-windows-event-log
and
https://technet.microsoft.com/en-us/library/jj852209(v=ws.11).aspx
Mahesh.
You need to add the Global Catalog role to the member server which will then get a replica of users, groups, and permissions: https://technet.microsoft.com/en-us/library/cc755257(v=ws.11).aspx
And: https://www.petri.com/forums/forum/microsoft-networking-services/active-directory/19056-users-can-t-log-into-child-dc-if-root-forest-dc-is-down
And: https://www.petri.com/forums/forum/microsoft-networking-services/active-directory/19056-users-can-t-log-into-child-dc-if-root-forest-dc-is-down
In short what devis is suggesting is to add domain controller at site where member server resides. This server should also be configured as global catalog server so that you don't need to traverse through VPN tunnel to validate RDP credentials
ASKER
Hi Mahesh,
Do you mean that the cached domain credentials will never work on a virtual terminal server where people will only be logging in through RDP? Is a connection to a domain controller always needed when loging in through RDP?
Regards.
Do you mean that the cached domain credentials will never work on a virtual terminal server where people will only be logging in through RDP? Is a connection to a domain controller always needed when loging in through RDP?
Regards.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Mahesh,
I've done what you said, but users still cant login via RDP when dc is down. I guess this is just not possible when logging in via RDP.
Regards,
Mohamed
I've done what you said, but users still cant login via RDP when dc is down. I guess this is just not possible when logging in via RDP.
Regards,
Mohamed
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.