Cannot log on to domain from RODC in perimeter network

"There are currently no logon servers available to service the logon request" when trying to log on to the domain from a member server via an RODC in the perimeter/DMZ network.

I can see SRV records in DNS for the RODC (in _msdcs and the primary zone).
The member server is a member of "Allowed RODC Password Replication Group".
I added firewall rules on the RODC for the dynamic port range (49152-65535), TCP and UDP. But it didn't make a difference.
The TCP/IPv4 DNS settings for the member server point to the RODC as the primary DNS server. The assigned IP address is static. There's no DHCP in this DMZ network.

nslookups from the member server list the RWDCs when looking for SRV or NS records. It's returning the closest RWDC as the "primary name server" when you look for SRV records.

I tried changing the RegisterSiteSpecificDnsRecordsOnly registry key on the RODC from 1 to 0, and granted write permissions to the RODC for the _msdcs and primary DNS zones. I didn't wait long for replication of this change. It didn't work. Should I have waited longer?
Reference: http://blogs.technet.com/instan/archive/2009/03/24/troubleshooting-rodc-s-troubleshooting-rodc-location-in-the-dmz.aspx

I tried each of these changes one at a time. Is it possible a combination of the changes is required?
RhoSysAdmin asked:

MaheshArchitect commented:
Can you check if the member server account and the user who logged on to it are part of the "allowed password replication" policy, and if those accounts are listed under the password-populated accounts list?

If not, and if there is a communication problem between the RODC and the R/W DC, you can't log in, as your credentials are not cached on the RODC, and they will not be until connectivity between the RODC and the R/W DC is restored.

Check if you have any network port problems between the RODC and the R/W DC.
RhoSysAdmin (Author) commented:
Turned out the suggestion from http://blogs.technet.com/instan/archive/2009/03/24/troubleshooting-rodc-s-troubleshooting-rodc-location-in-the-dmz.aspx was the correct one. I changed the registry on the RODCs, granted the RODCs write permission to the appropriate forward lookup zones, and waited for the top of the hour for the new DNS SRV records to populate.

At that point, I was all set. The firewall rules for the ephemeral ports were not required.

I did have to add the computer objects for the member servers to the "Allowed RODC Password Replication Group" group in ADUC.

I'm all set. It was "IT person - heal thyself!" this time around.
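A quick way to verify the three conditions the fix above depends on (registry value, generic SRV registration, and password-replication membership), as an added diagnostic script that is not part of this thread. It assumes the RODC's Netlogon parameters live under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, that the ActiveDirectory and DnsClient modules are installed, and that the member server names are placeholders you replace with your own.

```powershell
# Added diagnostic for the RODC-in-DMZ logon problem; run on the RODC with domain admin rights.
# Not code from the thread or from the referenced blog post.
param(
    [string]$Domain        = $env:USERDNSDOMAIN,
    [string]$Rodc          = $env:COMPUTERNAME,
    [string[]]$MemberServers = @('DMZ-APP01', 'DMZ-WEB01')   # placeholders, replace with real names
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. RegisterSiteSpecificDnsRecordsOnly: 1 (RODC default) registers only site-scoped SRV records,
#    so a DMZ client querying the generic records is handed RWDC names it cannot reach.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'   # assumed path
$siteOnly = (Get-ItemProperty -Path $netlogon -Name RegisterSiteSpecificDnsRecordsOnly `
             -ErrorAction SilentlyContinue).RegisterSiteSpecificDnsRecordsOnly
"RegisterSiteSpecificDnsRecordsOnly = $siteOnly  (expect 0 after the fix; 1 or empty means site-only)"

# 2. Generic (non-site) SRV records a DMZ client uses for DC location.
#    After the registry change and zone write permission the RODC must appear here.
foreach ($name in @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")) {
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    $targets = $srv | Select-Object -ExpandProperty NameTarget
    if ($targets -match "^$Rodc\.") {
        "OK      : $Rodc is registered in $name"
    } else {
        "MISSING : $Rodc not in $name; clients will be pointed at: $($targets -join ', ')"
    }
}

# 3. Password replication: the member server computer accounts must be allowed AND
#    actually cached on the RODC, otherwise logon needs a live path to a writable DC.
$allowed = Get-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Recursive |
           Select-Object -ExpandProperty SamAccountName
$cached  = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
           Select-Object -ExpandProperty SamAccountName
foreach ($server in $MemberServers) {
    $acct = "$server`$"      # computer accounts end in '$'
    $inGroup  = $allowed -contains $acct
    $isCached = $cached  -contains $acct
    "{0,-8}: {1} allowed={2} cached={3}" -f ($(if ($inGroup -and $isCached) {'OK'} else {'CHECK'})),
        $acct, $inGroup, $isCached
}
```

If a server shows allowed=True but cached=False, the secret is simply not populated yet; a successful logon while the RWDC is reachable, or prepopulating it from the RODC's password replication policy tab, fills the cache.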
RhoSysAdmin (Author) commented:
Properly executing the suggestion in the blog was the correct answer.