Kerberos Constrained Delegation (KCB) and Read Only DCs (RODC)

Answered

  • Wednesday, 6 February 2013 22:42

    G'day all,

    We have configured a RODC in our DMZ as per the Microsoft Whitepaper.

    http://technet.microsoft.com/en-us/library/dd728035(v=ws.10).aspx 

    We have a TMG server in our DMZ that is joined to the domain and communicating to the RODC for authentication.

    We have issues when attempting to request a kerberos ticket via KCB. 

    There is a Cisco Firewall between the DMZ and our internal network, and the TMG server is configured in single nic mode.

    Looking through the logs on the Cisco firewall, it seems the TMG server is attempting to perform LDAP and kerberos to internal RWDCs.

    Opening up traffic from the TMG server to one internal RWDC allows the kerberos ticket to be issued. 

    This is not how we would like it to work, however; we want the TMG server to query the RODC in the DMZ for the kerberos ticket, as per the authentication guide 

    http://technet.microsoft.com/en-us/library/cc754218(WS.10).aspx#BKMK_AuthRODC

    Checking on the RODC, the SPN is visible.

    My initial thoughts are that the DMZ is still resolving our domain to the internal writable DCs.

    I have configured the DNS server on the RODC as per this guide to support generic DNS queries.

    http://blogs.technet.com/b/instan/archive/2009/03/24/troubleshooting-rodc-s-troubleshooting-rodc-location-in-the-dmz.aspx 

    I'm not sure if I set RegisterSiteSpecificDnsRecordsOnly to 1 or 0, and if I need to create a DNS record for kerberos lookups?

    Any help would be greatly appreciated.

    Cheers

    Chris

All replies

  • Friday, 8 February 2013 02:21
    Moderator

    Hi Chris,

    Thanks for posting in Microsoft TechNet forums.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Regards

    Kevin

    TechNet Subscriber Support

  • Friday, 8 February 2013 07:50
     Answered

    Hi,

    If it is set to FALSE (0), then the RODC will try to register all types of DNS records, including non-site-specific records. So we may need to set it to 0.

    http://support.microsoft.com/kb/977510


    Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
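
    The following diagnostic is an added example for readers of this thread; it is not code posted by Chris or Jason, and the domain, RODC and site names in it are assumptions. It reads the Netlogon value Jason refers to on the RODC, then checks from the DMZ host which DCs the generic and site-specific SRV records actually point to, and finally asks Netlogon which DC it picks. If the generic records (`_kerberos._tcp.<domain>`, `_ldap._tcp.<domain>`) list only the internal writable DCs while the site-specific ones list the RODC, the DMZ host falls through to the writable DCs whenever it has no site mapping, which is consistent with what the Cisco logs show.

    ```powershell
    # Added example, not part of the original thread.
    # Assumed names: domain corp.example, RODC rodc01, AD site DMZ.
    # Resolve-DnsName needs Windows 8 / Server 2012 or later; on older hosts
    # use "nslookup -type=SRV <name>" for the same lookups.

    $Domain = 'corp.example'
    $Rodc   = 'rodc01'
    $Site   = 'DMZ'

    # --- Run this part on the RODC ---------------------------------------------
    # REG_DWORD under Netlogon\Parameters.
    #   1 = register only the site-specific SRV records (the RODC default)
    #   0 = also register the generic records (_kerberos._tcp.<domain>, ...)
    #       that a client uses when it cannot map itself to a site.
    function Get-RodcDnsRegistrationMode {
        $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        $v = Get-ItemProperty -Path $p -Name RegisterSiteSpecificDnsRecordsOnly `
                              -ErrorAction SilentlyContinue
        if ($null -eq $v) { return 'not set (behaves as 1: site-specific only)' }
        if ($v.RegisterSiteSpecificDnsRecordsOnly -eq 0) { 'all records (0)' }
        else { 'site-specific only (1)' }
    }
    # After changing the value, re-register with: nltest /dsregdns
    # (or restart the Netlogon service).

    # --- Run this part on the TMG host -----------------------------------------
    # Resolve the SRV records the DC locator uses and report whether the RODC
    # is among the targets of each one.
    function Test-DcSrvRecords {
        param([string]$Domain, [string]$Site, [string]$Rodc)

        $names = @(
            "_kerberos._tcp.$Domain",                     # generic KDC record
            "_ldap._tcp.$Domain",                         # generic LDAP record
            "_ldap._tcp.dc._msdcs.$Domain",               # generic DC locator record
            "_kerberos._tcp.$Site._sites.$Domain",        # site-specific KDC
            "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"   # site-specific DC locator
        )
        foreach ($n in $names) {
            $srv = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' }
            $targets = @($srv | ForEach-Object { $_.NameTarget })
            [pscustomobject]@{
                Record     = $n
                Targets    = ($targets -join ', ')
                RodcListed = [bool]($targets | Where-Object { $_ -like "$Rodc.*" })
            }
        }
    }

    Test-DcSrvRecords -Domain $Domain -Site $Site -Rodc $Rodc | Format-Table -AutoSize

    # Ask Netlogon which DC it selects right now, bypassing its cache, and
    # confirm it is the RODC rather than a writable DC behind the firewall.
    nltest /dsgetdc:$Domain /kdc /force
    ```

    Reading the table: `RodcListed` true only on the `_sites` rows means the RODC is still at its default of site-specific registration; if `nltest` nonetheless returns an internal writable DC, check that the TMG host's subnet is assigned to the DMZ site in Sites and Services, since a host with no site mapping never uses the site-specific records at all.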

  • Wednesday, 13 February 2013 05:22

    Thanks Kevin, any chance a tech has had a chance to respond?

    Thanks Jason, I will give it a go. I don't want to give the RODC write access to DNS however.

  • Wednesday, 20 February 2013 10:57

    Hi,

    Any update? Please feel free to let me know.

    Best regards, Jason Mei