RODC authenticates users for my local office

  • Question

  • I have one RODC in my branch office, and use the Allowed RODC Password Replication Group for remote users.

    But :( with the command

    "Repadmin /prp view RODCSERVER auth2" I can see that it still just authenticates (does not store passwords for) other users in the domain.

    Why???

    Why do local users not use the fast, nearest Active Directory controller?

    What must I tune in AD or DNS?

    Thanks for advice.

    Thursday, January 15, 2009 2:59 PM

Answers

  • Hi,

    Sorry for the misunderstanding.

    This issue may be caused by incorrect Site information in your domain. Generally, clients will try to find and authenticate with a DC in the same Site. DCs use the IP address to distinguish Sites.

    Open Active Directory Sites and Services, double-click Default-First-Site-Name -> Servers. Are all DCs listed in this site? If so, please try to create a new Site and subnet for the RODC.

    http://technet.microsoft.com/en-us/library/cc781496.aspx

    After that, please check DNS server -> _Sites to make sure the RODC is in the remote site.

    After that, please try to test again.

    If the issue persists, please help to collect the following log files.

    The MPS Reporting Tool is utilized to gather detailed information regarding a system's current configuration. The data collected will assist you with fault isolation.

    A . Please download MPS Reporting Tool (MPSRPT_PFE.EXE) from the following link:
    (http://www.microsoft.com/downloads/details.aspx?FamilyID=00ad0eac-720f-4441-9ef6-ea9f657b5c2f&DisplayLang=en)

    Please note: The link may be truncated when you read the E-mail. Be sure to include all text between '(' and ')' when navigating to the download location.

    B . Right-click MPSRPT_PFE.EXE and select Run as Administrator to run this tool, and you will see a Command Window start up.

    C . Please type Y at the prompt <Include the MSINFO32 report? (defaults to Y in 15 seconds)[Y,N]?>

    D . When the tool is done you will see an Explorer Window opening up the %systemroot%\MPSReports\Setup\Reports\cab folder and containing a <Computername>MPSReports.cab file. After collecting, please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give me the download address.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Proposed as answer by Mervyn Zhang Tuesday, January 20, 2009 7:58 AM
    • Marked as answer by Mervyn Zhang Wednesday, January 21, 2009 10:10 AM
    Tuesday, January 20, 2009 7:54 AM

All replies

  • Must there be, in AD DNS,

    _kerberos._tcp.dc._msdcs.X = RODCserver ?

    Thursday, January 15, 2009 3:54 PM
  • Hi,

    For the RODC to locally authenticate the credentials of any account, those credentials must already be cached on the RODC.

    To cache the password on a specific RODC:

    Open Active Directory Users and Computers, click Domain Controllers, right-click the RODC account object, click Properties, and then click the Password Replication Policy tab. Click Advanced, and then click Prepopulate Passwords.

    After that, please try to test again.

    Thanks.

    Friday, January 16, 2009 11:57 AM
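The procedure from the accepted answer (create a site and subnet, move the RODC into it, confirm the _sites DNS records), the password-caching point from the reply above, and the "repadmin /prp view ... auth2" check from the original question, as one added PowerShell example that is not part of this thread. It assumes the ActiveDirectory and DnsClient modules (Windows Server 2008 R2 / Windows 8 or later; the thread's 2008-era servers would use the GUI steps the answer describes), Domain Admin rights, the names the thread gives (site BranchOffice, subnet 192.168.2.0/24, RODCSERVER) and a placeholder domain name corp.example.com, which the thread never states.

```powershell
# Added example, not from the thread. Map the branch subnet to its own site so
# DC Locator sends branch clients to the RODC, then verify DNS and the RODC's
# Password Replication Policy (PRP). Assumes ActiveDirectory + DnsClient modules.
Import-Module ActiveDirectory

$SiteName  = 'BranchOffice'        # site name from the thread
$Subnet    = '192.168.2.0/24'      # branch subnet from the thread
$Rodc      = 'RODCSERVER'          # RODC name from the thread
$DomainDns = 'corp.example.com'    # placeholder: the thread does not name the domain

# 1. Site and subnet. DC Locator maps the client's IP to a subnet, the subnet
#    to a site, and then prefers DCs whose SRV records are registered in that site.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
    New-ADReplicationSubnet -Name $Subnet -Site $SiteName
}

# 2. Move the RODC's server object out of Default-First-Site-Name into the new
#    site, then have its Netlogon service re-register the site-specific SRV records
#    (otherwise they are refreshed only on the next periodic registration).
Move-ADDirectoryServer -Identity $Rodc -Site $SiteName
Invoke-Command -ComputerName $Rodc -ScriptBlock { nltest /dsregdns }

# 3. Verify from DNS that the RODC is the Kerberos SRV target for the branch site.
#    This is the per-site record clients query; the site-less
#    _kerberos._tcp.dc._msdcs.<domain> record lists every DC in the domain.
Resolve-DnsName -Name "_kerberos._tcp.$SiteName._sites.dc._msdcs.$DomainDns" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight

# 4. From a branch client: which site does the machine think it is in, and which
#    DC does the locator return for that site? Both should point at the branch.
nltest /dsgetsite
nltest /dsgetdc:$DomainDns /site:$SiteName

# 5. PRP view. "Allowed" is who *may* be cached; "authenticated" is who has been
#    authenticated through the RODC (forwarded to a writable DC when not cached);
#    "revealed" is whose secrets are actually stored on the RODC. This mirrors
#    "repadmin /prp view RODCSERVER auth2" and "... reveal" from the thread.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name

# 6. Optional, equivalent to "Prepopulate Passwords" in the GUI: push one account's
#    secret to the RODC ahead of its first logon. Only works for accounts the PRP
#    allows; skip it for accounts that must never be cached at the branch.
# Sync-ADObject -Object 'CN=Branch User,OU=Users,DC=corp,DC=example,DC=com' `
#     -Source 'WRITABLEDC' -Destination $Rodc -PasswordOnly
```

Step 4 answers the thread's "how must I know from DNS which controller is appropriate" question: a client outside the 192.168.2.0/24 subnet will not resolve to the BranchOffice site, so it will not query the _sites.BranchOffice SRV record and will not be sent to the RODC. Step 5 shows the distinction the original poster observed: an account that appears under authenticated but not revealed was validated through the RODC with the request forwarded to a writable DC, which is the expected behaviour for accounts outside the allowed group.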
  • No, exactly: the users are not in the "Password Replication Policy" and must never be in this group.

    The problem is that the branch RODC, in the branch office connected via VPN, tries to authorise users from the local office.

    Then it forwards the auth. request to the local writable Domain Controller and sends the reply to the users.

    The RODC and the writable AD are in different networks, but they were reflected in DNS.

    The question is WHY some users and computers send auth. requests to the RODC and not to the writable DC?

    How must I know from DNS which AD controller is appropriate to authenticate users for the local office?

    Thx.
    Monday, January 19, 2009 1:33 PM
  • Mervyn Zhang - You are a great man!!!

    You have full skills to manage Directory Service.

    Thanks for the comprehensive answer.  That helped me!!!
    I created a new subnet 192.168.2.0/24 and a new Site "BranchOffice", just linked to this subnet. Finally I moved the branch RODC server to this site. That is all. Very simple :)

    Thank you!!!!
    Wednesday, January 21, 2009 8:08 AM