GPO, RODC and DMZ - Getting the DMZ Server to use the RODC first

Hi,
So in order to lessen the risk of having an RWDC in a DMZ, I set up an RODC in a Shared Services DMZ. The RODC is able to resolve DNS, has the GPO in its SYSVOL and can communicate correctly with the RWDC on the LAN (I checked using PortQry).
Now, for the servers in the Application DMZ, the servers first try to get the GPO from the RWDC on the LAN. But they do not have access to it. After a LONG while they get it from the RODC. What did I miss in the configuration so that the servers in the Application DMZ directly ask the RODC and forgo the RWDC completely?
In the event log, I get:
* GP - Event ID 1055
* GP - success
And for user logons:
* GP - Event ID 1053
* GP - success
Running a gpresult /R tells me that it was able to get the policies from the RODC.
The server accounts are allowed to be replicated to the RODC, as well as some specific user accounts.
The issue here is that logging in to the servers takes forever and sometimes I even get booted back to the username / password screen.
Thanks,
Olivier
Note:
Network looks kind of like this: LAN <-> Shared Services DMZ <-> Application DMZ
Answers
Hi all,
So, after much misery, following the steps in the blog was not enough. I had to additionally do the following on the member server:
* drop the firewall. Weirdly enough, even if the adapter was showing domain.local, it actually was thinking it was on a public network apparently. Dropping it and then doing just a single update or nltest /dsgetsite or nltest /dclist:domain.local, and everything got back to working.
Found the tip about the member server firewall being the issue from:
Thanks for the help
- Marked as answer by O.Ragain Friday, September 25, 2015 2:25 PM
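The accepted answer above turned out to hinge on the member server's firewall profile: the adapter showed domain.local but the machine was treating the network as Public, so the Domain firewall profile's rules were not the ones in effect. Before disabling the firewall, it is worth capturing the three things the thread keeps circling around: which network category NLA assigned, which site and DC the DC locator picks (nltest /dsgetsite, nltest /dsgetdc), and whether the RODC is actually reachable on the ports a member server needs. The following read-only diagnostic script is an added example and is not code from the thread or from Microsoft; the domain name domain.local comes from the posts, while the RODC host name and the expected site name are placeholders you have to replace.

```powershell
# Added diagnostic example, not from the thread. Run on a domain-joined member server
# in the Application DMZ. $RodcName and $ExpectedSite are placeholders (assumptions).
param(
    [string]$DomainName   = 'domain.local',         # domain FQDN used in the thread
    [string]$RodcName     = 'rodc01.domain.local',  # placeholder: RODC in the Shared Services DMZ
    [string]$ExpectedSite = 'SharedServicesDMZ'     # placeholder: AD site the RODC and app servers share
)

$report = [ordered]@{}

# 1. Network Location Awareness category per adapter. 'Public' on the domain adapter
#    means the Domain firewall profile is not active, even if the adapter shows domain.local.
$profiles = Get-NetConnectionProfile
$report['NetworkCategory'] = ($profiles |
    ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }) -join '; '

# 2. Which firewall profiles are enabled (read-only; nothing is changed here).
$report['FirewallProfiles'] = (Get-NetFirewallProfile |
    ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join '; '

# 3. Site the DC locator thinks this machine is in, and the DC it picks on a forced rediscovery.
$siteOut = nltest /dsgetsite 2>&1
$report['DsGetSite']   = ($siteOut | Select-Object -First 1)
$report['SiteMatches'] = (($siteOut -join ' ') -match [regex]::Escape($ExpectedSite))
$dcOut = nltest /dsgetdc:$DomainName /force 2>&1
$report['DsGetDc']     = (($dcOut | Where-Object { $_ -match '^\s*DC:' }) -join '').Trim()
$report['LocatedRodc'] = (($dcOut -join ' ') -match [regex]::Escape($RodcName.Split('.')[0]))

# 4. TCP reachability from this server to the RODC on the fixed ports a member server uses
#    for DNS, Kerberos, RPC endpoint mapper, LDAP, SMB (SYSVOL), kpasswd and LDAPS.
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC-EPM'; 389 = 'LDAP'; 445 = 'SMB'; 464 = 'kpasswd'; 636 = 'LDAPS' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $ok = (Test-NetConnection -ComputerName $RodcName -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    $report["Port${p}($($ports[$p]))"] = $ok
}

# 5. DNS: does the domain name resolve to the RODC's address and not only to LAN RWDCs?
$report['DomainResolvesTo'] = (Resolve-DnsName -Name $DomainName -Type A -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty IPAddress) -join ','

[pscustomobject]$report | Format-List
```

Run it once right after a reboot (when the thread reports the failures) and once after a gpupdate or nltest /dsgetsite has "fixed" things, and diff the two outputs. If NetworkCategory flips from Public to DomainAuthenticated while the RODC ports were reachable all along, the problem is the profile the firewall applies at boot rather than the RODC itself, which is a narrower thing to fix than turning the firewall off. The port list covers only fixed ports; RPC-based traffic such as Group Policy and Netlogon also uses the dynamic RPC range after the endpoint-mapper call, so a clean result on port 135 alone does not prove those rules are in place.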
All replies
> the site on its own. Doing a gpupdate also fails saying that I lack
> connectivity to a DC.

Hm - which OS version are they running? If 2003, I remember you'd require an update for RODC support... And which site do they believe they belong to? ("nltest /dsgetsite" will tell you :-))
Greetings/Grüße, Martin
How about reading a good book about GPOs?
Good or bad GPOs? - my blog…
And if IT bothers me - coke bottle design refreshment (-:
Hey,
Everything is running 2012 R2.
The RODC and the Application DMZ are on the same AD Site. (Though different subnets linked to the same site)
The server is on the wrong site, it seems it ain't getting the site update because it 'can't' reach a DC. But it is able to reach the RODC. The RODC is also part of the name servers for the domain.
Am gonna try something :)
Olivier
Edit:
Even when I put the server on the same subnet as the RODC, the GP fails because of lack of connectivity to a DC....
Edit 2:
If I put the server on the same subnet as an RWDC, then put it back on the RODC subnet, I get Event ID 1053 and 1055 again :) Even though I can ping the domain name and it resolves to the RODC.
- Edited by O.Ragain Monday, September 21, 2015 4:46 PM
So, from more research, I guess the issue is the same as:
https://support.microsoft.com/en-us/kb/977510
Except the fix does not seem to work :( Issue is also seen here:
I'll keep playing with the DNS records I guess.
> So, from more research, I guess the issue is the same as:

Agree - matches your setup and issue...

> I ll keep playing with the DNS records I guess.

Keep us updated if things start working or fail differently :)
Greetings/Grüße, Martin
How about reading a good book about GPOs?
Good or bad GPOs? - my blog…
And if IT bothers me - coke bottle design refreshment (-:
Hi,
After applying the registry fix (I guess it took a bit more time to propagate for it to work properly):
If I am on a different DMZ subnet from the RODC, I still get 1053 and 1055. Logon times are impossible. I even get booted back to the locked screen. I have to shut the network to be able to log in.
If I am on the same subnet as the RODC, it works now and the Application server detects the site correctly, as well as the fact that it is on a domain network.
I think I am just going to forgo RODC for now, can't spend that much time trying to make it work. It seemed like a great functionality but man it seems to be a pain to get to work correctly.
If anyone can think of what step I forgot so that it works from another DMZ subnet, let me know :)
Regards,
Olivier
Edit:
If I move the machine live from the RODC DMZ to its final DMZ, gpupdate and everything works fine. It is after reboot that everything fails. Logon time, gpupdate, etc...
- Edited by O.Ragain Tuesday, September 22, 2015 2:57 PM
Would anyone by any chance know exactly what the following entails for firewall rules:
"If the firewall rules however were to allow the client to talk to at least one RWDC, the client would get redirected to the RODC once the RWDC determines that the client is in the RODC’s site (both should at this point be in the non-compliant network)."
From:
If it means opening all the usual firewall ports I don't really see a point in doing it though. Might as well make the RODC a RWDC.
Regards,