RODC: Authentication in different sites

  • Question

  • Hi I am setting up a Domain environment with Windows Server 2008 as the only WRDC which is the Parent and 2003 Servers as the children RODC at a few branch offices. I would like persons to be able to travel from branch to branch (site to site) and still be able to logon and access resources located centrally.

    Can I do this in the RODC environment? How and where do I place these users?

    Wednesday, August 18, 2010 9:08 PM


All replies

  • A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 operating system. An RODC provides the ability to easily deploy a domain controller that hosts a read-only replica of the domain database/partition. The Read-Only Domain Controller (RODC) is primarily targeted towards branch offices or edge sites, where physical security cannot be guaranteed.

    In your case, if you've got a single domain and a domain controller in each branch and your Active Directory replication is OK, then your users will not have problems logging on when they change site. If there are branch offices which are connected to the site where you've got your parent DC and there are no DCs in these branch offices, users will still log on but there may be latency. That is why it is recommended by Microsoft to have a DC at each branch office.

    You can do this with the use of RODC environment in the branch offices.

    Best regards.

    Wednesday, August 18, 2010 10:01 PM
  • Howdie!
     
    On 18.08.2010 23:08, Jermaine G wrote:
    > Hi I am setting up a Domain environment with Windows Server 2008 as the
    > only WRDC which is the Parent and 2003 Servers as the children RODC at a
    > few branch offices. I would like persons to be able to travel from
    > branch to branch (site to site) and still be able to logon and access
    > resources located centrally.
     
    So what exactly do you mean by "Parent" and "Children"? Are those DCs
    responsible for the same domain? If so, they're equal, no one's parent
    or child. Or are we talking about different domains here?
     
    Traveling users are not a problem with RODCs. For resources in a hub
    site and users in the branch, there obviously needs to be connectivity
    between the sites -- but that should work pretty well. If you have a set
    of users that roam between different locations, think about
    pre-populating their credentials to the RODCs in question, just to make
    sure they can log on even if WAN connectivity is down.
     
    > Can I do this in the RODC environment? How an where do I place these users?
     
    They just have to be in Active Directory - no special OU needed. Make
    them a member of the "Allowed for Password Replication Group" so that a
    RODC is allowed to cache the credentials.
     
    Cheers,
    Florian
     
     

    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    Thursday, August 19, 2010 6:05 AM
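    The pre-population and group membership Florian describes, written out as an added PowerShell example (not code from the thread); it assumes the ActiveDirectory module (Server 2008 R2 RSAT or later), and the user names and the second RODC name are constructed placeholders.

    ```powershell
    # Added example: let a set of roaming users have their credentials cached on the
    # branch RODCs, pre-populate those credentials, then verify what each RODC holds.
    Import-Module ActiveDirectory

    $roamingUsers = @('jdoe', 'asmith')         # constructed sample accounts
    $branchRodcs  = @('TST-RODC', 'BR2-RODC')   # TST-RODC is from the thread; BR2-RODC is a placeholder
    $allowed = 'Allowed RODC Password Replication Group'
    $denied  = 'Denied RODC Password Replication Group'

    foreach ($user in $roamingUsers) {
        # Never widen caching for accounts in the Denied group (admins, service accounts):
        # a stolen RODC would then expose their secrets.
        $isDenied = Get-ADGroupMember -Identity $denied -Recursive |
                    Where-Object { $_.SamAccountName -eq $user }
        if ($isDenied) {
            Write-Warning "$user is in '$denied'; not adding to the allowed group."
            continue
        }
        Add-ADGroupMember -Identity $allowed -Members $user
    }

    # Pre-populate the passwords on each RODC from a writable DC, so the roaming users
    # can still log on at the branch when the WAN link to the hub is down.
    # Syntax: repadmin /rodcpwdrepl <RODC> <writable DC> <user DN> [<user DN> ...]
    $hubDc = [string](Get-ADDomainController -Discover -Writable).HostName
    foreach ($rodc in $branchRodcs) {
        foreach ($user in $roamingUsers) {
            $dn = (Get-ADUser -Identity $user).DistinguishedName
            repadmin /rodcpwdrepl $rodc $hubDc $dn
        }
    }

    # Verify: list the accounts whose credentials each RODC actually has cached.
    # Review this list periodically; it is the set of secrets at risk if the RODC is taken.
    foreach ($rodc in $branchRodcs) {
        Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
            Select-Object @{n='RODC'; e={$rodc}}, SamAccountName
    }
    ```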
  • Thanks for your assistance.

    "So what exactly do you mean by "Parent" and "Children"? Are those DCs

    responsible for the same domain? If so, they're equal, no one's parent
    or child. Or are we talking about different domains here?"

    It's one autonomous structure, i.e. let's say the parent or HUB site WRDC is ABC.com; the children or spoke sites are Branch1.ABC.com and Branch2.ABC.com.

    So you are saying that if a user belongs to the RODC container (Branch1.ABC.com), that user can travel to Branch2.ABC.com, which is a different site, or to the parent ABC.com and be authenticated as long as the RODC can contact the parent, correct?

     

    Thursday, August 19, 2010 2:17 PM
  • In my case, I thought you were speaking about the DC hosting all the FSMO roles when you said parent DC.

    In your case, if you want to install a parent domain and child domains for each site, you should have at least an administrator for each domain. If you want users to still log on when they go to other branch offices, you should configure trust relationships between domains.

    This is an article about how to configure trust relationships:

    http://docs.hp.com/en/B8725-90103/ch05s05.html

    If you will install a single domain then trust relationships are not needed.

    Best regards.

    Thursday, August 19, 2010 2:34 PM
  • Howdie!
     
    On 19.08.2010 16:17, Jermaine G wrote:
    > Its one autonomous structure. ie. lets say the parent or HUB site WRDC
    > is ABC.com the children or spoke sites are Branch1.ABC.com and
    > Branch2.ABC.com.
     
    So that means you have different domains for each site, correct? The hub
    is abc.com whereas the branch offices have different domains in place,
    like branch1.abc.com, branch2.abc.com?
     
    > So you are saying that if a user belongs to RODC container
    > (Branch1.ABC.com) that user can travel to Branch2.ABC.com which is a
    > different site or the Parent ABC.com and be authenticated as long as the
    > RODC can contact the parent correct?
     
    If you deployed a RODC for the branch1.abc.com domain in a site of the
    branch2.abc.com "scope" that user could authenticate there, yes. But I'm
    not quite sure why you'd need a RODC then if every site is its own domain.
     
    Cheers,
    Florian
     
     

    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    Friday, August 20, 2010 1:04 PM
  • I have decided to change the design to just use one domain and join the other RODCs as additional RODCs in that domain; I think that should solve the issue. Currently I am building a test environment for this.

    I have however encountered another issue when promoting the Windows 2003 RODC see below.

    "operation failed because: the active directory installation wizard was unable to convert the computer account TST-RODC to a domain controller. A directory service error occurred"

    I will put this as another post.

    Thanks guys for your assistance.

    Monday, August 23, 2010 3:46 PM