GPO, RODC and DMZ - Getting the DMZ Server to use the RODC first

    Question

  • Hi,

    So in order to lessen the risk of having an RWDC in a DMZ, I set up an RODC in a Shared Services DMZ. The RODC is able to resolve DNS, has the GPO in its SYSVOL and can communicate correctly with the RWDC on the LAN (I checked using PortQry).

    Now, for the servers in the Application DMZ, the servers first try to get the GPO from the RWDC on the LAN. But they do not have access to it. After a LONG while they get it from the RODC. What did I miss in the configuration so that the servers in the Application DMZ directly ask the RODC and forgo the RWDC completely?

    In the event log, I get:

    * GP - Event ID 1055

    * GP - success

    And for user logons:

    * GP - Event ID 1053

    * GP - success

    Running a gpresult /R tells me that it was able to get the policies from the RODC.

    The server accounts are allowed to be replicated to the RODC, as are some specific user accounts.

    The issue here is that logging in to the servers takes forever and sometimes I even get booted back to the username / password screen.

    Thanks,

    Olivier

    Note:

    Network looks kind of like this: LAN <-> Shared Services DMZ <-> Application DMZ

    Monday, September 21, 2015 2:24 PM

Answers

  • Hi all,

    So, after much misery, following the steps in the blog were not enough. I had to additionally do the following on the member server:

    * Drop the firewall. Weirdly enough, even if the adapter was showing domain.local, it actually was thinking it was on a public network apparently. Dropping it and then doing just a single update, or nltest /dsgetsite or nltest /dclist:domain.local, and everything got back to working.

    Found the tip about the member server firewall being the issue from:

    http://serverfault.com/questions/521752/active-directory-member-servers-cannot-locate-domain-controller

    Thanks for the help

    • Marked as answer by O.Ragain Friday, September 25, 2015 2:25 PM
    Friday, September 25, 2015 2:25 PM
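An added diagnostic script, not from the thread or from any of its posters, that checks the things this thread turned on: the network category NLA has assigned to the adapter (the cause found in the accepted answer), the AD site the member server thinks it is in, whether the site-specific SRV record resolves to the RODC, and which DC the locator actually picks. It assumes the domain name domain.local from the thread and a site named DMZ, which is a placeholder for whatever site was created in AD Sites and Services; run it in an elevated PowerShell on the DMZ member server.

```powershell
# Added diagnostic for an RODC-in-DMZ member server. Assumptions: domain 'domain.local'
# (from the thread) and an AD site named 'DMZ' (placeholder for the site that holds the
# DMZ subnets in AD Sites and Services).
$Domain = 'domain.local'
$Site   = 'DMZ'

# 1. What does Network Location Awareness think this adapter is connected to? The Domain
#    firewall profile only applies when NetworkCategory is DomainAuthenticated; a value of
#    Public is what made the firewall block DC traffic in the thread.
Write-Host '--- Network category per adapter ---'
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory | Format-Table -AutoSize

# 2. Firewall state per profile. The fix to aim for is getting the adapter onto the Domain
#    profile, not leaving the firewall disabled on a DMZ host.
Write-Host '--- Firewall profiles ---'
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# 3. Which site does the member server believe it belongs to? It must match $Site for
#    the DC locator to prefer the RODC in that site.
Write-Host '--- Site the client thinks it is in ---'
nltest /dsgetsite

# 4. Site-specific DC SRV record. From the DMZ this should answer with the RODC's name;
#    if it lists only LAN RWDCs, the RODC has not registered its site records in DNS.
Write-Host "--- SRV records for site $Site ---"
Resolve-DnsName -Type SRV -Name "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 5. Force a fresh DC locator query and show the chosen DC. In the Flags line, CLOSE_SITE
#    means the DC is in the client's site and a missing WRITABLE flag means an RODC was
#    selected; both are expected on a correctly configured DMZ client.
Write-Host "--- DC locator result for $Domain ---"
nltest /dsgetdc:$Domain /force
```

If step 1 shows Public while steps 3 to 5 already point at the RODC, the site configuration is fine and the remaining problem is NLA profile detection on the member server.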

All replies

  • Does the DMZ have a different subnet? If so, you should configure a different site so that the DC locator process causes DMZ servers to go to the RODC.

    Monday, September 21, 2015 2:32 PM
  • Did you try to create an appropriate site in AD Sites and Services with the DMZ subnet(s), then add your RODC(s) in that zone's servers group?
    Monday, September 21, 2015 2:37 PM
  • I'll try that. It is on a different subnet.

    Also, as additional information, I am unable to set the SPN. I get an invalid SPN host or could not find account.

    I think it is related.

    I'll let you know the result once the site has been setup.

    Monday, September 21, 2015 2:50 PM
  • So, login and boot are way faster, like pretty much instant. However the application server does not detect the RODC anymore and does not find the site on its own. Doing a gpupdate also fails saying that I lack connectivity to a DC.

    Thanks

    Monday, September 21, 2015 3:22 PM
  • > the site on its own. Doing a gpupdate also fails saying that I lack
    > connectivity to a DC.
     
    Hm - which OS version are they running? If 2003, I remember you'd
    require an update for RODC support... And which site do they believe
    they belong to? ("nltest /dsgetsite" will tell you :-))
     

    Greetings/Grüße, Martin

    How about reading a good book on GPOs for once?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, September 21, 2015 3:58 PM
  • Hey,

    Everything is running 2012 R2.

    The RODC and the Application DMZ are on the same AD Site. (Though different subnets linked to the same site)

    The server is on the wrong site, it seems it ain't getting the site update because it 'can't' reach a DC. But it is able to reach the RODC. The RODC is also part of the name servers for the domain.

    Am gonna try something :)

    Olivier

    Edit:

    Even when I put the server on the same subnet as the RODC, the GP fails because of lack of connectivity to a DC...

    Edit 2:

    If I put the server on the same subnet as an RWDC, then put it back on the RODC subnet, I get Event ID 1053 and 1055 again :) Even though I can ping the domain name and it resolves to the RODC.


    • Edited by O.Ragain Monday, September 21, 2015 4:46 PM
    Monday, September 21, 2015 4:37 PM
  • So, from more research, I guess the issue is the same as:

    https://support.microsoft.com/en-us/kb/977510

    Except the fix does not seem to work :( Issue is also seen here:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/2d4e2260-c440-4db8-879e-dff3024b8b59/rodc-in-dmz-member-server-authentication

    I'll keep playing with the DNS records I guess.

    Monday, September 21, 2015 8:01 PM
  • > So, from more research, I guess the issue is the same as:
     
    Agree - matches your setup and issue...
     
    > I'll keep playing with the DNS records I guess.
     
    Keep us updated if things start working or fail differently :)
     

    Greetings/Grüße, Martin

    Tuesday, September 22, 2015 9:57 AM
  • Hi,

    After applying the registry fix (I guess it took a bit more time to propagate for it to work properly):

    If I am on a different DMZ subnet from the RODC, I still get 1053 and 1055. Logon times are impossible. I even get booted back to the locked screen. I have to shut down the network to be able to log in.

    If I am on the same subnet as the RODC, it works now and the Application server detects the site correctly, as well as the fact that it is on a domain network.

    I think I am just going to forgo RODC for now, can't spend that much time trying to make it work. It seemed like a great functionality but man it seems to be a pain to get to work correctly.

    If anyone can think of what step I forgot so that it works from another DMZ subnet, let me know :)

    Regards,

    Olivier

    Edit:

    If I move the machine live from the RODC DMZ to its final DMZ, gpupdate and everything works fine. It is after a reboot that everything fails: logon time, gpupdate, etc.


    • Edited by O.Ragain Tuesday, September 22, 2015 2:57 PM
    Tuesday, September 22, 2015 2:44 PM
  • Would anyone by any chance know exactly what the following entails for firewall rules:

    "If the firewall rules however were to allow the client to talk to at least one RWDC, the client would get redirected to the RODC once the RWDC determines that the client is in the RODC’s site (both should at this point be in the non-compliant network)."

    From:

    http://blogs.technet.com/b/instan/archive/2009/03/24/troubleshooting-rodc-s-troubleshooting-rodc-location-in-the-dmz.aspx

    If it means opening all the usual firewall ports I don't really see a point in doing it though. Might as well make the RODC a RWDC.

    Regards,

    Tuesday, September 22, 2015 3:02 PM