RODC Authentication not working

  • Question

  • I have 2 RODC domain controllers configured in a site but I see no computer or users are authenticating against the RODC's.

    I checked the Allowed RODC password replication Group and it has all the PC's in that site and a handful of user accounts. I even checked the Accounts whose passwords are stored on this Read-only Domain controller and it shows me all the computer objects and the user objects.

    However, when I login to any machine in that site it authenticates against the RW DC from another site.

    I checked echo %logonserver% and Set L and each time it shows me a RW DC and not the RODC.

    Can anyone tell me why the users or client machines are not authenticating with the RODC?

    Thanks

    starchaser


    Wednesday, October 14, 2015 8:59 PM

Answers

  • So you have multiple (2) RODCs in the same site.
     
    When you place multiple RODCs in the same site, you should note that 1) they don't replicate out to each other, and 2) the cached/replicated passwords are part of #1, meaning that RODC1 having a user's password cached doesn't mean RODC2 also has the same password. If the user contacts RODC2 (this is not controllable) for authentication, auth will be forwarded to a RWDC.
     
    So, I would suggest you check whether both RODCs have cached the passwords of your test user account, then try again.
     
    I'd recommend taking a look at this TechNet article for some best practices and considerations for placing several RODCs in the same site:
     
    https://technet.microsoft.com/en-us/library/ee522995%28v=ws.10%29.aspx
     
    Hope this helps.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Thursday, October 15, 2015 5:49 AM

All replies

  • In AD Sites and services did you move the subnets over to the RODC's?

    Did you create a RODC account?

    1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
    2. Double-click the domain container, then you can either right-click the Domain Controllers container or click the Domain Controllers container, and then click Action.
    3. Click Pre-create Read-only Domain Controller account, as shown in the following figure.

    Wednesday, October 14, 2015 9:33 PM
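The two checks in the reply above (subnet mapped to the RODCs' site, RODC account pre-created), done from PowerShell instead of the GUI. This is an added example, not part of the thread; the domain name contoso.com, the site name Branch, the subnet 10.20.0.0/24, the account name BR-RODC1 and the group names are placeholders.

```powershell
# Added example (not from the thread): the GUI steps above as PowerShell.
# Placeholders: contoso.com, site 'Branch', subnet 10.20.0.0/24, account BR-RODC1,
# groups CONTOSO\Branch-RODC-Admins and CONTOSO\Branch-PRP-Allow.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$domain = 'contoso.com'
$site   = 'Branch'
$subnet = '10.20.0.0/24'

# 1. Site and subnet: clients whose address falls in this subnet ask the DC locator
#    for DCs in this site, so the branch RODCs are only preferred if the mapping exists.
if (-not (Get-ADReplicationSite -Filter { Name -eq $site })) {
    New-ADReplicationSite -Name $site
}
if (-not (Get-ADReplicationSubnet -Filter { Name -eq $subnet })) {
    New-ADReplicationSubnet -Name $subnet -Site $site
}

# 2. Pre-create the RODC account (stage one of a staged install). A server promoted
#    later with the same name attaches to this account. The PRP allow list can be set
#    here instead of editing the group afterwards.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'BR-RODC1' `
    -DomainName $domain `
    -SiteName $site `
    -DelegatedAdministratorAccountName 'CONTOSO\Branch-RODC-Admins' `
    -AllowPasswordReplicationAccountName 'CONTOSO\Branch-PRP-Allow' `
    -Credential (Get-Credential -Message 'Domain Admin credentials')

# 3. Confirm the site now holds the subnet and the pre-created account.
Get-ADReplicationSubnet -Filter { Site -eq $site } | Select-Object Name, Site
Get-ADDomainController -Filter { Site -eq $site } | Select-Object HostName, IsReadOnly
```

Run this from a writable DC or a member server with RSAT as a Domain Admin; `Add-ADDSReadOnlyDomainControllerAccount` needs the site to exist already, which is why the site is created first.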
  • Thanks for your reply. After doing some further testing I notice that if I log in to a Windows 2012 machine then the computer object and user both authenticate against the RODC. I confirmed this by running the following commands:

    set l
    nltest /server:<machine name> /sc_query:<domain name>

    However, when I log in to a Windows 2008 machine, only the computer object authenticates to the RODC but not the user object. The user authenticates to a RW DC. The RODCs are assigned to the subnet in AD Sites and Services. Any thoughts?
    Wednesday, October 14, 2015 9:56 PM
  • Are the client computer and the user account both added to the AllowedRODCPasswordReplication Group?

    By default, the RODC will not authenticate any user or computer logons - it will forward them unless the user or computer account is added to that allowed policy group.

    There is more info here:

    http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx

    Thursday, October 15, 2015 12:58 AM
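A script that performs the two checks suggested in the accepted answer and in the reply above: for every RODC in the site, what the resultant Password Replication Policy says for the test accounts, and whether each RODC has actually cached their secrets, followed by the client-side locator and secure-channel queries. This is an added example, not code from the thread; contoso.com, the site Branch, the user jdoe and the computer BR-PC01 are placeholders.

```powershell
# Added example (not from the thread). Placeholders: contoso.com, site 'Branch',
# user jdoe, computer BR-PC01.
Import-Module ActiveDirectory

$domain   = 'contoso.com'
$site     = 'Branch'
$client   = 'BR-PC01'                 # a branch workstation, used for the nltest checks
$accounts = @('jdoe', 'BR-PC01$')     # sAMAccountNames; computer accounts end with $

# Two RODCs in one site do not replicate to each other, so each cache is checked on its own.
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true -and Site -eq $site }
if (-not $rodcs) { throw "No RODC found in site $site" }

$report = foreach ($rodc in $rodcs) {
    # Accounts whose secrets this RODC already holds (the GUI's "Accounts whose
    # passwords are stored on this Read-only Domain Controller").
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
                Select-Object -ExpandProperty SamAccountName

    # Accounts that have already authenticated through this RODC (cached or forwarded).
    $authed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
              Select-Object -ExpandProperty SamAccountName

    foreach ($sam in $accounts) {
        # Resultant PRP: Allow means this RODC may cache the secret. Being in the
        # Allowed group is not enough if the account is also in the Denied group.
        $policy = Get-ADAccountResultantPasswordReplicationPolicy -Identity $sam -DomainController $rodc.HostName

        [pscustomobject]@{
            RODC          = $rodc.HostName
            Account       = $sam
            ResultantPRP  = $policy
            Cached        = [bool]($revealed -contains $sam)
            AuthedViaRODC = [bool]($authed -contains $sam)
        }
    }
}
$report | Format-Table -AutoSize

# Client side: which DC does the locator return for this site, and which DC does the
# workstation currently hold its secure channel with? Either RODC may be returned;
# the secure channel then sticks to that DC until it is reset.
& nltest /dsgetdc:$domain /site:$site
& nltest /server:$client /sc_query:$domain
```

Read the table per RODC: an account with ResultantPRP `Allow` but Cached `False` has not been cached on that RODC yet (it is cached on first successful logon through that RODC, or by prepopulation), and an account with ResultantPRP `Deny` will always be forwarded to a writable DC no matter which group it was added to.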
  • Hi,

    Have you tried the below command for one of the test machines and user accounts? Please provide the output of the command.

    Repadmin /rodcpwdrepl [DSA_LIST] <Hub DC> <User1 Distinguished Name> [<Computer1 Distinguished name> <User2 Distinguished Name>…]

    Thursday, October 15, 2015 9:05 AM
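The `repadmin /rodcpwdrepl` call from the reply above, run for every RODC in the site with one writable DC as the source and verified afterwards with `repadmin /prp view`. This is an added example, not part of the thread; contoso.com, the site Branch and the two distinguished names are placeholders.

```powershell
# Added example (not from the thread): prepopulate the test accounts' secrets on every
# RODC in the site, then verify. Placeholders: contoso.com, site 'Branch', the DNs below.
Import-Module ActiveDirectory

$domain = 'contoso.com'
$site   = 'Branch'

# Any writable DC can be the source; let the locator pick one.
$hub = [string](Get-ADDomainController -Discover -Writable -DomainName $domain).HostName

# Distinguished names to prepopulate. Each must be allowed by the RODC's resultant PRP,
# otherwise repadmin reports an error for that account and caches nothing.
$dns = @(
    'CN=jdoe,OU=Branch Users,DC=contoso,DC=com',
    'CN=BR-PC01,OU=Branch Computers,DC=contoso,DC=com'
)

$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true -and Site -eq $site }
foreach ($rodc in $rodcs) {
    "=== Prepopulating on $($rodc.HostName) from $hub ==="

    # repadmin /rodcpwdrepl <RODC> <hub DC> <DN> [<DN> ...]
    # Done per RODC because RODCs in the same site do not share their caches.
    & repadmin /rodcpwdrepl $rodc.HostName $hub @dns
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "repadmin returned $LASTEXITCODE on $($rodc.HostName)"
    }

    # 'reveal' lists accounts whose secrets this RODC now holds;
    # 'auth2'  lists accounts that have authenticated through this RODC.
    & repadmin /prp view $rodc.HostName reveal
    & repadmin /prp view $rodc.HostName auth2
}
```

After prepopulating, reset the test workstation's secure channel (`nltest /sc_reset:<domain>\<rodc>` on the client) or reboot it before re-testing, since an existing secure channel to a writable DC is kept until it is reset or fails.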
  • Hi,

    Any updates on the case which you have raised?

    Wednesday, October 21, 2015 10:41 AM
  • Can you provide your inputs so that others can refer to it and we can close the case?
    Monday, October 26, 2015 8:27 AM
  • In AD Sites and services did you move the subnets over to the RODC's?

    Did you create a RODC account?

    1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
    2. Double-click the domain container, then you can either right-click the Domain Controllers container or click the Domain Controllers container, and then click Action.
    3. Click Pre-create Read-only Domain Controller account, as shown in the following figure.

      Hi, do I have to do this before the RODC is configured?

    Monday, February 10, 2020 11:56 AM