Branch domain users cannot authenticate against the Head Office DC when branch RODC is down

  • Question

  • Hi,

    I am facing an issue in my Windows Server 2012 AD DS infrastructure.

    I have 2 read/write DCs in the head office and a single RODC set up in the branch offices.

    Branch offices are connected to head office via VPN links.

    When the RODC at a branch office is down, the branch office domain users cannot authenticate against the head office DCs.

    I have the "Require domain controller authentication to unlock workstation" group policy setting on, so they cannot log in if the RODC is down!

    DHCP DNS server settings provided to domain clients are: Primary DNS = local branch RODC, Secondary DNS = Head office PDC.

    Sites and Services are configured properly for each site.

    Any assistance on the above mentioned issue would be more than great!

    Thanks in advance.

    Friday, September 4, 2015 10:37 AM

Answers

  • Actually it is an infrastructure design issue.

    The DHCP server of the branch office is on the RODC server.

    If the RODC server is down and you then power on a client computer, there is no DHCP server to provide an IP address and DNS IPs to the client.

    Hence the client cannot communicate with the Head Office DC to authenticate.

    If the client was already assigned an IP address from the RODC DHCP service and then the RODC goes down, the client can communicate and authenticate with the Head Office DCs.

    Solution: I need to place a failover DHCP server for the branch office so that, in case the RODC is down, clients get IP and DNS settings from the secondary DHCP server.

    • Marked as answer by kikkos Tuesday, September 8, 2015 10:52 AM
    Tuesday, September 8, 2015 10:52 AM
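As an added example that is not part of this thread, the failover described in the answer above could be configured with the DhcpServer PowerShell module as a hot-standby relationship whose partner sits in the head office. Server names, the scope and all addresses are placeholders, and the script assumes the RSAT DhcpServer module plus DHCP administrator rights on both servers.

```powershell
# Added example, not from the thread. Placeholder names and addresses are
# assumptions: BRANCH-RODC (the RODC running DHCP), HQ-DHCP01 (second DHCP
# server in head office), scope 10.20.0.0/24, RODC 10.20.0.10, HQ DC 10.10.0.10.
$branchDhcp   = 'BRANCH-RODC.corp.example'
$hqDhcp       = 'HQ-DHCP01.corp.example'
$scope        = '10.20.0.0'
$branchRodcIp = '10.20.0.10'
$hqDcIp       = '10.10.0.10'

# 1. Make sure the scope hands out both DNS servers, RODC first, so a client
#    that still holds a lease can fall back to the head-office DC for logon.
Set-DhcpServerv4OptionValue -ComputerName $branchDhcp -ScopeId $scope `
    -DnsServer $branchRodcIp, $hqDcIp

# 2. Create a hot-standby failover relationship: the RODC stays the active
#    server, HQ-DHCP01 only answers once the RODC has been unreachable for
#    StateSwitchInterval. The shared secret authenticates the failover
#    messages exchanged between the two partners; read it interactively so it
#    does not end up in the script or in the shell history.
$secret = Read-Host -Prompt 'Failover shared secret' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Add-DhcpServerv4Failover -ComputerName $branchDhcp -Name 'Branch-HotStandby' `
    -PartnerServer $hqDhcp -ScopeId $scope -ServerRole Active -ReservePercent 10 `
    -MaxClientLeadTime 01:00:00 -AutoStateTransition $true `
    -StateSwitchInterval 00:10:00 -SharedSecret $plain -Force

# 3. Verify: the relationship replicated the scope to the partner, and both
#    servers now return the same DNS option (006) to branch clients.
Get-DhcpServerv4Failover -ComputerName $branchDhcp -Name 'Branch-HotStandby' |
    Format-List Name, Mode, State, PartnerServer, ScopeId
foreach ($srv in $branchDhcp, $hqDhcp) {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $srv -ScopeId $scope -OptionId 6
    '{0}: DNS option 6 = {1}' -f $srv, ($opt.Value -join ', ')
}
```

Because the standby partner is on the other side of the VPN, the branch router must forward DHCP broadcasts to HQ-DHCP01 (DHCP relay / IP helper) or the standby server never hears the branch clients; and since the fallback still depends on the VPN, an outage of the link takes both DHCP and head-office authentication away at once.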

All replies

  • Hi,

    According to your description, my understanding is that branch office domain users cannot authenticate from the head office DCs once the RODC at branch office is down.

    You may consider configuring 2 RODCs for workload balancing and fault tolerance.

    You may refer to the link below for detailed information:
    https://technet.microsoft.com/en-us/library/ee522995(v=ws.10).aspx#bkmk_placingtowrodcsinabranchoffice

    Best Regards,
    Eve Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, September 8, 2015 7:51 AM