Perimeter Network to RODC - no logon servers available using IPSEC tunnel

  • Question

  • Hi to all,

    I have a problem with an RODC and a perimeter network.

    Here is my situation.

    I've got a network that has two (2) writable domain controllers based on Windows 2008 R2.

    I've created a second routable network that has one Read-Only Domain Controller.

    Between the networks there is a firewall configured only for DNS TCP/UDP traffic and UDP 500 (IKE). I've created an IPSEC tunnel between the WRDC and the RODC using Windows Firewall with Advanced Security.

    All of the domains and servers in both networks are working fine (replication, SMB, network time, DNS etc.).

    After that I wanted to create another perimeter network with only one server that will be connected to my corporate domain. So again, with Windows Firewall and UDP IPSEC tunneling, I created a connection from my third network to my RODC. The third network is routable and its address space is

    Again: I can ping the RODC from the third network, and using Offline Domain Join I added a Windows 2008 R2 server to the corporate domain (the pre-created account is replicated to the RODC).

    When I reboot the server I can't log in with my domain credentials. The IPSEC tunnel is working fine from the third network to the RODC and from the RODC to the WRDC.

    I've created AD site links and subnets to point to the RODC, but again nothing is working. If I join servers to the RODC network they work fine and authenticate correctly. The only problem is that I can't authenticate to the RODC from the 3rd network.

    Any ideas?

    BTW: the IPSEC tunnel is configured for now with pre-shared keys. No one should connect directly to the WRDC. Every server should be in a separate network with limited open firewall ports.

    I can provide a diagram for a better understanding of my situation.

    Thursday, August 23, 2012 2:20 PM

All replies

  • Wow, that was easy :)

    I had to add a registry key to point to the AD site and now everything is perfect.

    That was the guide for RODC and Perimeter Networks.

    The registry key:

    Navigate to: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters

    In the right pane, create a new String Value titled SiteName and for the Value Name type the name of the site in which the client computer resides.

Thursday, August 23, 2012 2:58 PM
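The fix described in the reply, the Netlogon `SiteName` override, as an added PowerShell example that is not part of the original thread. It sets the value on the perimeter host, restarts Netlogon so the value is read, and then verifies which site Netlogon reports and which domain controller it locates. The site name `Perimeter-Site` and the domain `corp.example` are placeholders, not values from the thread.

```powershell
# Added example (not from the thread): pin a perimeter-network host to the AD site
# that contains the RODC via the Netlogon SiteName override, then confirm DC discovery.
# Placeholders (assumptions, not values from the thread):
$SiteName   = 'Perimeter-Site'   # AD site in which the RODC lives
$DomainFqdn = 'corp.example'     # corporate domain the host was joined to

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Record any existing override so the change can be reverted later.
$existing = (Get-ItemProperty -Path $key -Name SiteName -ErrorAction SilentlyContinue).SiteName
if ($existing) { Write-Host "Existing SiteName override: $existing" }

# REG_SZ value 'SiteName' makes Netlogon treat this machine as a member of $SiteName
# instead of deriving the site from the machine's IP subnet (the lookup that failed
# for the third network in the question).
New-ItemProperty -Path $key -Name SiteName -PropertyType String -Value $SiteName -Force | Out-Null

# Netlogon reads the value when it starts.
Restart-Service -Name Netlogon

# Verify: the site Netlogon now believes it is in, and the DC it locates for the domain.
# /force bypasses the DC locator cache so the result reflects the new site.
nltest /dsgetsite
nltest /dsgetdc:$DomainFqdn /force

# Netlogon event 5719 in the System log is the "no logon servers available" symptom;
# after the change, no new 5719 events should appear.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5719 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The override only changes which site the host claims; the RODC in that site must still be reachable over the tunnel for the authentication traffic itself, and the host's computer account must be allowed by the RODC's password replication policy for logons to succeed when the writable DCs are unreachable, as the question's design intends.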