Cannot log on to domain from RODC in perimeter network

"There are currently no logon servers available to service the logon request" when trying to log on to the domain from a member server via an RODC in the perimeter/DMZ network.

I can see SRV records in DNS for the RODC (in _msdcs and the primary zone).
The member server is a member of the "Allowed RODC Password Replication Group".
I added firewall rules on the RODC for the dynamic port range (49152-65535), TCP and UDP, but it didn't make a difference.
The TCP/IPv4 DNS settings for the member server point to the RODC as the primary DNS server. The assigned IP address is static; there's no DHCP in this DMZ network.

nslookups from the member server list the RWDCs when looking for SRV or NS records. It returns the closest RWDC as the "primary name server" when you look for SRV records.

I tried changing the RegisterSiteSpecificDnsRecordsOnly registry key on the RODC from 1 to 0, and granted write permissions to the RODC for the _msdcs and primary DNS zones. I didn't wait long for replication of this change. It didn't work. Should I have waited longer?
Reference : http://blogs.technet.com/instan/archive/2009/03/24/troubleshooting-rodc-s-troubleshooting-rodc-location-in-the-dmz.aspx

I tried each of these changes one at a time. Is it possible a combination of the changes is required?
RhoSysAdmin asked.

RhoSysAdmin (Author) commented (accepted solution):
It turned out the suggestion from http://blogs.technet.com/instan/archive/2009/03/24/troubleshooting-rodc-s-troubleshooting-rodc-location-in-the-dmz.aspx was the correct one. I changed the registry on the RODCs, granted the RODCs write permission to the appropriate forward lookup zones, and waited for the top of the hour for the new DNS SRV records to populate.

At that point, I was all set. The firewall rules for the ephemeral ports were not required.

I did have to add the computer objects for the member servers to the "Allowed RODC Password Replication Group" group in ADUC.

I'm all set. It was "IT person - heal thy self!" this time around.

MaheshArchitect commented:
Can you check whether the member server account and the user who logged on to it are part of the "allowed password replication" policy, and whether those accounts are listed under the password-populated accounts list?

If not, and if there is a communication problem between the RODC and the R/W DC, you can't log in because your credentials are not cached on the RODC, and they won't be until connectivity between the RODC and the R/W DC is restored.

Check whether you have any network port problems between the RODC and the R/W DC.
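The checks behind the accepted answer and MaheshArchitect's comment, as an added PowerShell example that is not code from the thread: it asks the RODC's own DNS for the DC SRV records, reads the RegisterSiteSpecificDnsRecordsOnly value, confirms the member server's computer account is in the Password Replication Policy group and is actually cached (pre-populating it if not), and tests a subset of the RODC-to-RWDC ports. The domain corp.example, the hosts RODC01, DC01 and APP01, and the registry path under Netlogon\Parameters are assumptions of this example; it needs RSAT (ActiveDirectory module) and WinRM access to the RODC.

```powershell
# Added example, not code from the original thread. Assumed names: domain corp.example,
# RODC "RODC01", writable DC "DC01", member server "APP01". Run from a domain-joined
# admin host with the RSAT ActiveDirectory module and WinRM access to the RODC.
param(
    [string]$Domain       = 'corp.example',
    [string]$Rodc         = 'RODC01',
    [string]$Rwdc         = 'DC01',
    [string]$MemberServer = 'APP01',
    [string]$PrpGroup     = 'Allowed RODC Password Replication Group'
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# 1. SRV records: the DMZ member server must be handed the RODC, not an RWDC it
#    cannot reach through the perimeter firewall. Ask the RODC's own DNS service.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Rodc |
       Where-Object QueryType -eq 'SRV'
$srv | Select-Object NameTarget, Priority, Weight, Port | Format-Table -AutoSize
if (-not ($srv.NameTarget -match "^$Rodc\.")) {
    Write-Warning "$Rodc is absent from the DC SRV records; clients will still be sent to the RWDCs."
    # nltest /dsregdns on the RODC forces re-registration instead of waiting for the next cycle.
}

# 2. The registry value named in the thread. Its location under Netlogon\Parameters
#    is an assumption of this example; 0 means the RODC registers the domain-wide
#    records as well as the site-specific ones.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$value = Invoke-Command -ComputerName $Rodc -ArgumentList $netlogon -ScriptBlock {
    param($Path)
    (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).RegisterSiteSpecificDnsRecordsOnly
}
"RegisterSiteSpecificDnsRecordsOnly on ${Rodc}: $value"

# 3. Password Replication Policy: the member server's computer account must be
#    covered by the RODC's allowed list (through the group) and actually cached,
#    otherwise every logon depends on the RODC reaching an RWDC.
$computer = Get-ADComputer -Identity $MemberServer
$inGroup  = Get-ADGroupMember -Identity $PrpGroup |
            Where-Object DistinguishedName -eq $computer.DistinguishedName
if (-not $inGroup) {
    Write-Warning "$MemberServer is not in '$PrpGroup'; adding it."
    Add-ADGroupMember -Identity $PrpGroup -Members $computer
}
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
"Allowed list on ${Rodc}: " + (($allowed | ForEach-Object Name) -join ', ')

$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
if ($revealed.DistinguishedName -notcontains $computer.DistinguishedName) {
    # Pre-populate the secret so the logon works even while the RWDC is unreachable.
    Write-Warning "$MemberServer's password is not cached on $Rodc; pre-populating from $Rwdc."
    $computer | Sync-ADObject -Source $Rwdc -Destination $Rodc -PasswordOnly
}

# 4. The ephemeral-port rules on the RODC were not needed in the thread; what the
#    RODC does need is a path to the RWDC. Test a subset of the DC-to-DC ports from
#    the RODC itself (the RPC dynamic range is not covered by this list).
Invoke-Command -ComputerName $Rodc -ArgumentList $Rwdc -ScriptBlock {
    param($Target)
    foreach ($port in 53, 88, 135, 389, 445, 636, 3268) {
        $ok = Test-NetConnection -ComputerName $Target -Port $port -InformationLevel Quiet
        '{0,-6} {1}' -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
```

Run it once before the change and once after the SRV records have been re-registered; the first block is the one that flips from a warning to a listing that names the RODC, which is exactly the symptom the thread describes.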
 
RhoSysAdmin (Author) commented:
Properly executing the suggestion in the blog was the correct answer.
Question has a verified solution.