Trust & RODC

  • Question

  • Hi All,

    The customer has two domains, Domain A and Domain B. All the domain controllers for Domain A are in Site A and all the domain controllers for Domain B are in Site B. They have deployed a new RODC for Domain A in Site B. The RODC can access all domain controllers in its domain (Domain A). Domain controllers in Domain B can talk to the RODC (Domain A). Domain controllers in Domain B cannot talk to any writeable domain controller in Domain A (setup and VPN restrictions).

    Is it OK to set up a writeable domain controller for Domain A in Site B, set up the external trust, decommission it and deploy an RODC? Are there any other requirements for which writeable-to-writeable domain controller communication is required in future (RODC is available)?

    Thanks & Best Regards,
    Naganathan.S

    Tuesday, July 2, 2013 4:05 PM

All replies

  • No, an RWDC is required on both sides (in both domains) to perform a cross-domain authentication. Please have a look at:
    How the cross-domain authentication process works with RODCs:
    http://technet.microsoft.com/en-us/library/cc754218(v=ws.10).aspx#BKMK_XDomAuthN

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    • Proposed as answer by Meinolf Weber Tuesday, July 2, 2013 6:04 PM
    • Marked as answer by 朱鸿文 Friday, July 5, 2013 5:05 AM
    Tuesday, July 2, 2013 5:37 PM
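    A practical way to check the point made in this reply before relying on the trust: from a DC in Domain B, enumerate the writable DCs of Domain A (the RODC in Site B will happily answer the LDAP query, but it is excluded from the list) and probe the ports the trust path needs. This is an added example, not code from the thread or from Microsoft; the domain and RODC names are placeholders, and it assumes the ActiveDirectory RSAT module on the machine running it.

    ```powershell
    # Added example (not from the thread): verify that the writable DCs of the
    # trusted domain are reachable from a DC in the trusting domain. Cross-domain
    # authentication referrals are serviced by RWDCs, so an RODC in the remote
    # site does not remove this dependency.
    #
    # Assumptions (placeholders, not values from the thread):
    #   - runs on a DC in Domain B with the ActiveDirectory module (RSAT) installed
    #   - 'domaina.example' is the FQDN of Domain A
    #   - 'rodc01.domaina.example' is the Domain A RODC that Site B can reach;
    #     it is used only as the LDAP source for the DC list, read-only is fine
    param(
        [string]$TrustedDomain = 'domaina.example',
        [string]$ReachableRodc = 'rodc01.domaina.example'
    )

    Import-Module ActiveDirectory

    # Ports used on the trust path: Kerberos (88), LDAP (389), SMB (445) and the
    # RPC endpoint mapper (135). RPC dynamic ports (49152-65535 on 2008 and later)
    # are also needed for the Netlogon secure channel; add them to a firewall
    # review, a per-port probe of that range is not attempted here.
    $ports = 88, 389, 445, 135

    # Ask the reachable RODC for the list of writable DCs in Domain A
    $rwdcs = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $ReachableRodc

    if (-not $rwdcs) {
        Write-Warning "No writable DCs returned for $TrustedDomain; check the LDAP source."
        return
    }

    $results = foreach ($dc in $rwdcs) {
        foreach ($p in $ports) {
            $r = Test-NetConnection -ComputerName $dc.HostName -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                DC        = $dc.HostName
                Site      = $dc.Site
                Port      = $p
                Reachable = $r.TcpTestSucceeded
            }
        }
    }

    $results | Format-Table -AutoSize

    # Any RWDC with a closed port on this list is one that cannot service a
    # referral from Domain B; the trust will fail or be unreliable until fixed.
    $blocked = $results | Where-Object { -not $_.Reachable }
    if ($blocked) {
        Write-Warning ("{0} port(s) on writable DCs of {1} are not reachable." -f $blocked.Count, $TrustedDomain)
    }

    # Once the trust exists, confirm the secure channel end to end from this DC
    nltest /sc_verify:$TrustedDomain
    ```

    Run it from an elevated prompt on a DC in Domain B. If every writable DC shows Reachable = False on all four ports while the RODC answers the LDAP query, that is exactly the situation described in the question, and the trust will not work until the VPN or firewall allows Domain B's DCs to reach Domain A's RWDCs directly.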
  • Didn't understand the solution. RODC definitely needs a RWDC to be deployed. TDO password creation or reset is always initiated by a primary domain controller (PDC) emulator. PDC, after initiating a password change, would contact any regular DC in the target forest and will give the change. And password changes thereafter, every thirty days, need to go through this process. How does RODC help in the above scenario?

    Thanks

    Tuesday, July 2, 2013 6:16 PM
  • Not sure I understand your question, but I read that you wrote "Are there any other requirements for which a writeable to writeable Domain controller communication is required in future" and the answer to that question is: yes, you always need direct communication between RW DCs in both domains for cross-domain authentication to work.

    If that is not your question, please clarify what you are asking.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    • Marked as answer by 朱鸿文 Friday, July 5, 2013 5:05 AM
    Tuesday, July 2, 2013 6:20 PM
  • Thanks. You did answer my query.

    Tuesday, July 2, 2013 6:31 PM