RODC logon
-
Thursday, March 22, 2012 5:45 AM
Hi,
I am unable to log in directly to the RODC when the link to HQ is down. What should I do? Do I need to add domain admin to the group "Allow RODC Replication Group" in future?
Thank you
jaie
All Replies
-
Thursday, March 22, 2012 6:05 AM
To accomplish the above you need to cache the credentials in the RODC. By default, when a user tries to authenticate against the RODC, it will forward the request to your RWDC, which will then authenticate the user (if the credentials are not cached in the RODC). In your scenario I think the users' credentials are not cached in the RODC, hence you are encountering this.
Go through the links below:
Understanding RODC Authentication
Password replication policy in RODC.
http://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc753470(v=ws.10).aspx
Regards,
_Prashant_
MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Proposed As Answer by Meinolf WeberMVP Thursday, March 22, 2012 7:48 AM
- Marked As Answer by Yan Li_Microsoft Contingent Staff, Moderator Tuesday, March 27, 2012 6:27 AM
-
Thursday, March 22, 2012 7:41 AM
Thanks for your reply,
By default domain admin is in the "denied RODC Replication Group". Can we simply remove it from this group?
Thank you.
jaie
-
Thursday, March 22, 2012 7:52 AM
Hello,
PRP must be configured for the users and computers that should be able to log on via an RODC; make sure it is also a GC and DNS server for the site and that clients are configured to use it.
For security reasons domain admins are NOT in the allowed PRP; use instead the administrator configured for the RODC to do maintenance tasks. This one is not allowed to modify AD.
Do modifications from the RWDC in the main site.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Proposed As Answer by AwinishMVP, Moderator Thursday, March 22, 2012 8:34 AM
- Marked As Answer by Yan Li_Microsoft Contingent Staff, Moderator Tuesday, March 27, 2012 6:27 AM
-
Thursday, March 22, 2012 8:33 AM (Moderator)
Only caching the credential will not work when the WAN link is down; you need to cache the machine account too to have a secure channel with the RODC, else it will establish a secure channel with the RWDC even though you have an RODC on the local client side.
I agree with Meinolf, domain admin should not be logging in to the RODC for security reasons. You should make use of ARS (Admin Role Separation) to delegate RODC administration without using domain admin groups.
All About (RODC)Read Only Domain Controllers
http://awinish.wordpress.com/2011/10/04/rodc-read-only-domain-controller/
Awinish Vishwakarma - MVP-DS
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
-
Thursday, March 22, 2012 8:37 AM
Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients and for Windows Vista
http://support.microsoft.com/kb/944043/en-us
Known Issues for Deploying RODCs
http://technet.microsoft.com/en-us/library/cc725669%28v=ws.10%29.aspx#BKMK_ClientOS
Best regards
Biswajit Biswas
MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
-
Friday, March 23, 2012 3:00 AM (Moderator)
Hi Jaie,
I agree with Meinolf too. It is not safe if we add Domain Admin to the "Allow RODC Replication Group" group.
Normally we should use remote management tools to administer an RODC.
RODC Administration
http://technet.microsoft.com/en-us/library/cc755310(v=ws.10).aspx
I hope the article can be useful to you.
Regards
Kevin
- Marked As Answer by Yan Li_Microsoft Contingent Staff, Moderator Tuesday, March 27, 2012 6:27 AM
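As an added example, not from any poster in this thread: the steps Meinolf, Awinish and Kevin describe (put both the branch users and their computers in the allowed PRP, keep Domain Admins out of it, and administer from a remote admin workstation instead of logging on to the RODC), done with the Active Directory PowerShell module and repadmin. The RODC name and the two branch group names are assumptions.

```powershell
# Added example; not posted by anyone in this thread. Names below are assumptions.
Import-Module ActiveDirectory

$Rodc        = 'BRANCH-RODC1'      # assumed RODC in the branch site
$BranchUsers = 'Branch-Users'      # assumed group of branch office users
$BranchPCs   = 'Branch-Computers'  # assumed group of branch workstations
$Rwdc        = [string](Get-ADDomainController -Discover -Writable).HostName

# 1. Current PRP. Domain Admins and the other privileged groups sit in the
#    Denied list by default; they stay there, as Meinolf and Awinish advise.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass

# 2. Allow branch users AND branch computers. Without the computer accounts the
#    workstation secure channel goes to an RWDC and offline logon still fails.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList $BranchUsers, $BranchPCs

# 3. Pre-populate the passwords now, while the link to HQ is up, rather than
#    waiting for each account's first logon through the RODC. repadmin applies
#    the resultant policy, so anything also in a Denied group is refused.
$Members = @(Get-ADGroupMember -Identity $BranchUsers -Recursive) +
           @(Get-ADGroupMember -Identity $BranchPCs   -Recursive)
foreach ($m in $Members) {
    repadmin /rodcpwdrepl $Rodc $Rwdc $m.DistinguishedName
}

# 4. Verify what the RODC now holds, and warn if a privileged account's
#    secret ever ends up cached there.
$Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$Revealed | Select-Object Name, ObjectClass

$DomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty DistinguishedName
$Leak = $Revealed | Where-Object { $DomainAdmins -contains $_.DistinguishedName }
if ($Leak) {
    Write-Warning "Privileged secrets cached on ${Rodc}: $($Leak.Name -join ', ')"
}
```

Step 4 is worth scheduling: if a Domain Admin ever logs on through the RODC while its account is not denied, that account's secret is now stored on the least-trusted DC in the forest.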