logon server showing different branch WDC

  • Question

  • Hi Guys,

    Hope you are having great days!

    My company has 5 branches in total.

    I have 3 writable domain controllers and 4 RODCs.

    The RODCs are in different branch offices; let's call them A, B, C, D.

    Whenever a user logs on from Branch A, %logonserver% shows a WDC.

    The same happens with Branch B users: their %logonserver% shows a different branch's WDC.

    My question is: why is the user logon showing a different branch's WDC instead of the local RODC?

    I need my local RODC to show as %logonserver%, but this is not happening in any branch; all user logons are authenticating against the WDCs.

    I have configured sites & subnets, moved my RODCs to their respective branch sites and created site links.

    I observed that there is a group called the allowed password replication group and one called the denied password replication group.

    I don't know who added them, but all my RODCs are members of the denied password replication group.

    1. Do I need to remove all the RODCs from that denied password replication group?

    2. Do I need to add all the users and computers of each branch to the allowed password replication group?

    3. In that case, I have 200-300 users for each branch. Do I need to add all the users & computers one by one to the password replication policy of each RODC? Any idea?

    4. Finally, does this password replication policy really affect %logonserver%?

    I have used echo %logonserver%, SET L, nltest /dsgetdc..., etc.

    The site is showing correctly... but %logonserver% is showing a different branch's WDC.

    I'd appreciate it if someone could help me with this. I have been scratching my head over this problem for many days.


    Ram



    • Edited by Topen Tech Saturday, December 7, 2019 6:21 PM
    Saturday, December 7, 2019 6:16 PM

Answers

  • Hello,
    Thank you for posting in our TechNet forum.

    According to your description, we can check the following two points:

    1. We need to ensure that all clients that need to use RODC authentication in site A are in a subnet that belongs to site A.
    The same goes for Site B, Site C and Site D.

    2. The passwords of all users who log on to the clients in site A need to be copied to the RODC in site A. The same goes for Site B, Site C and Site D.


    Here are the answers to your questions:

    Q1. Do I need to remove all the RODCs from that denied password replication group?

    A1: Do you mean the Members tab of the Denied RODC Password Replication Group properties, as below? If so, you do not need to remove those groups; keep them, because they are the default settings. I think this does not matter for your question.

    Q2. Do I need to add all the users and computers of each branch to the allowed password replication group?
    A2: For the RODC in Site A, open that RODC's Properties -> Password Replication Policy tab and add the computer accounts that belong to Site A and the user accounts that will log on to Site A's computers.

    The same operation is done on the RODC in Site B, Site C and Site D.

    Q3. In that case, I have 200-300 users for each branch. Do I need to add all the users & computers one by one to the password replication policy of each RODC? Any idea?

    A3: See A2.


    Q4. Finally, does this password replication policy really affect %logonserver%?

    A4: Yes.

    For more information we can refer to the following article.
    Lesson 3: Configuring Read-Only Domain Controllers
    https://www.microsoftpressstore.com/articles/article.aspx?p=2224364&seqNum=4



    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Topen Tech Tuesday, December 10, 2019 1:11 AM
    Monday, December 9, 2019 7:04 AM
    Moderator
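The two checks the answer above points at (client subnet to site mapping, and the branch RODC's password replication policy), as an added PowerShell example; this is not code from the original thread. The domain, site, DC, and group names are assumptions. The security point behind A4: an RODC that does not hold an account's secret has to chain that logon to a writable DC, and the allowed list is exactly the set of secrets a stolen branch RODC would yield, so populate it with a per-branch group of ordinary users plus that branch's computer accounts and leave the default denied list in place (it already contains the Read-only Domain Controllers group Ram noticed, alongside Domain Admins, krbtgt and the other privileged principals; deny wins over allow on overlap).

```powershell
# Added example, not from the original thread. Checks whether the client's
# subnet maps to the branch site, then inspects and sets the branch RODC's
# password replication policy (PRP) and shows which secrets it has cached.
# Assumed names (not in the thread): domain corp.example.com, site 'Branch-A',
# RODC 'RODC-A', hub writable DC 'WDC01', per-branch group 'PRP-Allowed-Branch-A'.
Import-Module ActiveDirectory

$Domain   = 'corp.example.com'
$SiteName = 'Branch-A'
$Rodc     = 'RODC-A'
$HubDc    = 'WDC01'
$AllowGrp = 'PRP-Allowed-Branch-A'

# --- 1. What this client sees (run on a branch workstation) -------------------
# The site the locator put the client in, the DC it returns for that site, and
# the value the logon actually produced. "Site correct, LOGONSERVER = hub DC"
# is the symptom in the question.
$clientSite = (nltest /dsgetsite | Select-Object -First 1).Trim()
nltest "/dsgetdc:$Domain" /kdc /force | Out-Null          # refresh the locator cache
$siteDc = (Get-ADDomainController -Discover -SiteName $clientSite).HostName
"Client site: $clientSite; DC located for that site: $siteDc; LOGONSERVER: $env:LOGONSERVER"

# --- 2. Subnets mapped to the branch site and where the RODCs sit --------------
# A client whose IP falls in no subnet object is assigned to no site and can end
# up on any DC in the domain, usually a hub WDC.
$siteDn = (Get-ADReplicationSite -Identity $SiteName).DistinguishedName
Get-ADReplicationSubnet -Filter "Site -eq '$siteDn'" | Select-Object Name
Get-ADDomainController -Filter 'IsReadOnly -eq $true' | Select-Object HostName, Site

# --- 3. The RODC's PRP and what it has actually cached --------------------------
# 'Revealed' accounts are the ones whose secrets now live on the RODC; until an
# account shows up here, the RODC chains its logons to a writable DC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass

# --- 4. Allow one per-branch group on this RODC only ---------------------------
# The group holds the branch's ordinary users and the branch's computer accounts
# (the workstation's own secret must be cacheable too). The default denied list
# stays as it is: deny overrides allow, and it is what keeps admin secrets off
# the branch box.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $AllowGrp

# --- 5. Prepopulate instead of waiting for each account's first logon ----------
# Sync-ADObject -PasswordOnly replicates just the secret from the hub DC to the
# RODC. It is refused for accounts the PRP does not allow, which doubles as a
# check that the policy really covers the branch.
Get-ADGroupMember -Identity $AllowGrp -Recursive | ForEach-Object {
    try {
        Sync-ADObject -Object $_.DistinguishedName -Source $HubDc -Destination $Rodc -PasswordOnly -ErrorAction Stop
        "cached on ${Rodc}: $($_.SamAccountName)"
    } catch {
        "not cacheable (PRP denies or does not allow): $($_.SamAccountName) - $($_.Exception.Message)"
    }
}
```

Step 1 is run on a branch client; steps 2 to 5 from a workstation with the RSAT ActiveDirectory module, under an account delegated to manage that RODC's PRP. Without step 5, the first logon after the policy change can still show the hub DC, because that chained logon is what triggers the RODC to cache the secret; the next logon should report the RODC.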
  • Hi,

    You can create a PowerShell script and run it through a scheduled task. Below is an example:

    Get-ADComputer -SearchBase 'OU=Servers,DC=Home' -Filter * | ForEach-Object { Add-ADGroupMember -Identity 'GroupName' -Members $_.DistinguishedName }

    If you have many users located at branch sites, you should convert the RODC to a R/W DC to simplify the authentication process.


    Please don't forget to mark the correct answer, to help others who have the same issue. Thameur BOURBITA MCSE | MCSA My Blog : http://bourbitathameur.blogspot.fr/

    • Marked as answer by Topen Tech Tuesday, December 10, 2019 1:10 AM
    Monday, December 9, 2019 8:35 PM
  • Dear Thameur,

    Get-ADUser -SearchBase 'OU=India,DC=study,DC=com' -Filter * | ForEach-Object { Add-ADGroupMember -Identity 'New_Group' -Members $_.DistinguishedName }

    If I run this script in PowerShell, it automatically adds all OU=India users to the security group called 'New_Group'.

    But unfortunately, when I create a new user in OU=India, it is not replicated to the security group called 'New_Group'.

    I have to run the above script again to add the newly created OU users to New_Group.

    Is there any script that automates the process, so that when I create a user in the OU it is also automatically added to the security group?

    Please Help..Thank you


    Ram

    Hi,

    The only way to add new users automatically is to use a scheduled task that runs the script several times per day, for example.


    Please don't forget to mark the correct answer, to help others who have the same issue. Thameur BOURBITA MCSE | MCSA My Blog : http://bourbitathameur.blogspot.fr/

    • Marked as answer by Topen Tech Tuesday, December 10, 2019 6:14 PM
    Tuesday, December 10, 2019 5:23 PM

All replies

    1. Why don't you move one and try it?
    2. Same thing: move one and try it.

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Sunday, December 8, 2019 12:10 AM
  • Dear Daisy, thank you for your time, and I really appreciate the way you explained it so neatly.

    But 

    Q3. In that case, I have 200-300 users for each branch. Do I need to add all the users & computers one by one to the password replication policy of each RODC? Any idea?

    As I said, I have 200 users for each branch.

    I have created OUs for them separately.

    I have an OU called India.

    In that OU, I have divided them into two sub-OUs called HYD and DEL; each OU consists of 100 members.

    I have an OU called INDIALaptops with 200 computers.

    The other branches also follow this scenario.

    So it's hard to add them one by one manually.

    What I was thinking is: "Is there any feature that adds all of a particular OU's users into a particular group?"

    So that I can add that group to the password replication policy, so that all members of that group can have their passwords stored on the RODC.

    Is it possible through a PowerShell script or any other way? Please guide me.

    Thank you so much for your prompt response.


    Ram

    Monday, December 9, 2019 6:23 PM
  • Dear Thameur,

    Greetings!

    I have tried your suggestion but unfortunately it's not working and is throwing the error below...

    PS C:\Windows\system32> Get-ADcomputer -SearchBase 'OU=India,DC=Demo,DC=study,DC=com' -filter *| % {Add-ADGroupMember 'gp001' -Members $_.DistinguishedName }
    Get-ADcomputer : Directory object not found
    At line:1 char:1
    + Get-ADcomputer -SearchBase 'OU=India,DC=Demo,DC=study,DC=com' -filter ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (:) [Get-ADComputer], ADIdentityNotFoundException
        + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADComputer

    PS C:\Windows\system32>

    My DC name: Demo.study.com

    OU name: India

    Group name: gp001

    Location of the group created: Users

    Note: the OU contains only users at present, no computers.

    Can you please let me know where I went wrong in this script?

    Thanks for your time.


    Ram


    • Edited by Topen Tech Tuesday, December 10, 2019 12:07 AM
    Tuesday, December 10, 2019 12:06 AM
  • Dear Thameur,

    The script is working in my test AD but it's not working in my organization.

    Do I need to add any CN for this script?

    Please find the error below:

    PS C:\Windows\system32> Get-ADuser -SearchBase 'OU=india,OU=Kk,DC=xx,DC=xxxx,DC=xx' -filter *| % {Add-ADGroupMember 'k-users' -Members $_.DistinguishedName }
    Get-ADuser : Directory object not found
    At line:1 char:1
    + Get-ADuser -SearchBase 'OU=india,OU=k,DC=xx,DC=xxxx,DC=xx' -filter  ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (:) [Get-ADUser], ADIdentityNotFoundException
        + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,M

    -------------------------------------

    where "k" is my sub-OU. I have to add only the sub-OU's members; are there any changes I have to make?


    Ram


    • Edited by Topen Tech Tuesday, December 10, 2019 1:39 AM
    Tuesday, December 10, 2019 1:36 AM
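The OU-to-group sync that Thameur describes in the answers (one script, re-run on a schedule), with a check on the SearchBase that would have caught the two "Directory object not found" errors above: Get-ADUser and Get-ADComputer raise ADIdentityNotFoundException when the -SearchBase DN itself does not resolve, not when the OU is merely empty. This is an added example, not code from the thread; the OU DNs, group name, script path and gMSA name are assumptions. Converting the branch RODCs to writable DCs, as also suggested, removes the need for a PRP but puts the full set of domain secrets back on hardware in the branch; a per-branch group keeps the RODC's exposure limited to that branch's accounts.

```powershell
# Added example, not from the thread. Keeps a per-branch security group equal to
# the enabled users and computers under the branch OUs, so that group can be the
# RODC's allowed-list entry; a scheduled task re-runs it so new accounts are
# picked up without anyone re-running the script by hand.
# Assumed names (not in the thread): OUs 'OU=India,DC=study,DC=com' and
# 'OU=INDIALaptops,DC=study,DC=com', group 'PRP-Allowed-India', this script saved
# as C:\Scripts\Sync-PrpGroup.ps1, gMSA 'STUDY\gMSA-PrpSync$' delegated write
# access on that group's member attribute only (no other rights).
param([switch]$Register)
Import-Module ActiveDirectory

$GroupName   = 'PRP-Allowed-India'
$SearchBases = @('OU=India,DC=study,DC=com', 'OU=INDIALaptops,DC=study,DC=com')

function Resolve-OuDn {
    # Fails early with a useful message: a SearchBase that does not resolve is
    # what produces "Get-ADUser : Directory object not found".
    param([Parameter(Mandatory)][string]$Dn)
    try { (Get-ADOrganizationalUnit -Identity $Dn -ErrorAction Stop).DistinguishedName }
    catch {
        $leaf = ($Dn -split ',')[0] -replace '^OU='
        $hint = (Get-ADOrganizationalUnit -Filter "Name -eq '$leaf'").DistinguishedName -join '; '
        throw "SearchBase '$Dn' does not exist. OUs named '$leaf' in this domain: $hint"
    }
}

function Sync-OuToGroup {
    param([Parameter(Mandatory)][string]$Group, [Parameter(Mandatory)][string[]]$Bases)
    $wantedDns = foreach ($b in $Bases) {
        $dn = Resolve-OuDn $b
        # Subtree also covers sub-OUs such as HYD and DEL; disabled accounts are
        # skipped so their secrets never end up cached on a branch RODC.
        (Get-ADUser     -SearchBase $dn -SearchScope Subtree -Filter 'Enabled -eq $true').DistinguishedName
        (Get-ADComputer -SearchBase $dn -SearchScope Subtree -Filter 'Enabled -eq $true').DistinguishedName
    }
    $wantedDns = @($wantedDns | Where-Object { $_ } | Sort-Object -Unique)

    # Read the member attribute directly: Get-ADGroupMember stops at the server's
    # MaxGroupOrMemberEntries limit on large groups.
    $currentDns = @((Get-ADGroup -Identity $Group -Properties Member).Member | ForEach-Object { "$_" })

    $toAdd    = @($wantedDns  | Where-Object { $_ -notin $currentDns })
    $toRemove = @($currentDns | Where-Object { $_ -notin $wantedDns })   # accounts moved out or deleted
    if ($toAdd)    { Add-ADGroupMember    -Identity $Group -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false }

    [pscustomobject]@{ Group = $Group; Added = $toAdd.Count; Removed = $toRemove.Count; Members = $wantedDns.Count }
}

Sync-OuToGroup -Group $GroupName -Bases $SearchBases

# One-time registration (run once as an administrator with -Register): the task
# re-runs this same script every 15 minutes under the gMSA. On Windows Server
# 2012 R2 add -RepetitionDuration ([TimeSpan]::MaxValue) to the trigger.
if ($Register) {
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                    -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Sync-PrpGroup.ps1'
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).Date -RepetitionInterval (New-TimeSpan -Minutes 15)
    $principal = New-ScheduledTaskPrincipal -UserId 'STUDY\gMSA-PrpSync$' -LogonType Password -RunLevel Limited
    Register-ScheduledTask -TaskName 'Sync-PrpGroup' -Action $action -Trigger $trigger -Principal $principal
}
```

The task host needs the RSAT-AD-PowerShell feature installed and the gMSA installed on it. Removing members that have left the OU matters as much as adding new ones: the group is what the RODC's allowed list points at, so a stale member keeps that account's secret cacheable on the branch box.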
  • Hi,
    Thank you for your update. I am very glad that the problem has been resolved.




    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, December 10, 2019 8:10 AM
    Moderator