Complex question involving Parent/Child domains, RODCs and slow logons

  • Question

  • The environment is a bit complex, but nothing over the top.  2008R2 with a domain of domain.corp.  The child domain is dmz.domain.corp.  I will do my best to explain the environment the best I can. This is a pretty specific problem that I have been researching and testing for some time.

    The domain.corp domain has domain controllers on the network 10.1.1.x.  DC01 and DC02 at 10.1.1.1 and 10.1.1.2.  The child domain dmz.domain.corp has domain controllers on that same network.  DMZ-DC01 and DMZ-DC02 at 10.1.1.50 and 10.1.1.51.  Everything at this level is fine.  Communication is working as expected.

    We have several DMZ VLANs with various servers.  All the servers in these DMZs are part of dmz.domain.corp.  In one of the DMZs we have Read Only Domain Controllers that have the proper firewall rules to speak back to the domain controllers for dmz.domain.corp on the internal 10.1.1.x network.  The RODCs are called RODC-DC01 and RODC-DC02.  This network is 10.1.50.x.  The servers are 10.1.50.1 and 10.1.50.2.  

    One of the other VLANs is 10.1.100.x and it contains webservers and has the firewall rules allowing servers in 10.1.100.x to talk to 10.1.50.1 and 50.2 for DNS, AD, all the stuff Microsoft says you need to talk to a Domain Controller.  There is NO communication from the 10.1.100.x network into the internal 10.1.1.x network.  The goal is to have the server from the DMZ talk to the RODC also in the DMZ.  The RODC in the DMZ will then talk to the RWDC on the internal network.  Thus segmenting and securing the traffic as best we can.

    I am fairly confident that all ports and DC-related communication is working properly.  AD Sites and Services is set up properly.  No errors in dcdiag, etc.  The issue happens when a user from domain.corp logs into a server on one of the segmented VLANs like webserver1.dmz.domain.corp.  The logon is 4-10 minutes long.  Using Network Monitor and firewall logs I was able to watch the conversations and determined that when a user from the parent domain, domain.corp, logs into webserver.dmz.domain.corp it attempts to talk back to the parent domain controllers at 10.1.1.1 or 10.1.1.2 and I see Group Policy errors on webserver.dmz.domain.corp stating:

    The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one or more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).


    This makes sense as webserver.dmz.ftfcu.corp needs to validate the user and do its thing.  So my question is, if we want to log in using parent domain credentials, do we have a design flaw and need to allow access from the DMZs into the internal network, or is there a scenario where we can tell it to not process Group Policies, drive mappings, etc. to help speed up the login process?



    • Edited by Joey_ftfcu Wednesday, October 23, 2013 4:28 PM
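The failure described in the post is a user-domain lookup, not a dmz.domain.corp problem: user Group Policy processing has to locate and bind to a domain controller of the domain the user object lives in (domain.corp), and the RODCs only hold the dmz.domain.corp partition, so from 10.1.100.x that lookup can only time out. The following diagnostic, which is an added example and not code from the original post or its answers, confirms which DC the session actually used, what the DC locator returns for each domain, and which DC ports are reachable from the web server. The host names and addresses are the post's; the port list, the three-second timeout and the `Test-TcpPort` helper are assumptions for illustration. Run it on webserver1.dmz.domain.corp in a session belonging to the slow-logon domain.corp user.

```powershell
# Added diagnostic example (not from the original post or its answers).
# Run on webserver1.dmz.domain.corp as the affected domain.corp user.
# Host names and IPs come from the post; the port list, timeout and helper are assumptions.

$userDomain   = 'domain.corp'           # domain the logging-on user belongs to
$serverDomain = 'dmz.domain.corp'       # domain the web server is joined to
$parentDCs    = '10.1.1.1', '10.1.1.2'  # DC01 / DC02, blocked from 10.1.100.x per the post
$rodcs        = '10.1.50.1', '10.1.50.2' # RODC-DC01 / RODC-DC02, reachable per the post

# Ports a member needs on a DC of the *user's* domain for logon and user policy (assumed list)
$dcPorts = @{ 'Kerberos' = 88; 'LDAP' = 389; 'SMB/SYSVOL' = 445; 'RPC-EPM' = 135 }

# TcpClient is used instead of Test-NetConnection so this also runs on 2008 R2 / PowerShell 2.0
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # firewall drop
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false   # connection refused or name resolution failure
    } finally {
        $client.Close()
    }
}

"Logon server used for this session : $env:LOGONSERVER"
""
"DC locator result for the user's domain ($userDomain):"
nltest "/dsgetdc:$userDomain" /force 2>&1
""
"DC locator result for the server's domain ($serverDomain):"
nltest "/dsgetdc:$serverDomain" /force 2>&1
""
"SRV records the locator uses for $userDomain (must resolve via 10.1.50.x DNS):"
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$userDomain" 2>&1
""

# A parent-domain DC showing BLOCKED on every row while the RODCs show open
# is exactly the condition that produces the 4-10 minute logon.
"{0,-12} {1,-12} {2,5}  {3}" -f 'DC', 'Service', 'Port', 'State'
foreach ($dc in ($parentDCs + $rodcs)) {
    foreach ($svc in $dcPorts.Keys) {
        $state = if (Test-TcpPort -ComputerName $dc -Port $dcPorts[$svc]) { 'open' } else { 'BLOCKED' }
        "{0,-12} {1,-12} {2,5}  {3}" -f $dc, $svc, $dcPorts[$svc], $state
    }
}
""

# Event 1053 carries the "Windows could not resolve the user name" text quoted in the post.
"Most recent Group Policy 1053 events on this server:"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1053 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Read the port table against the locator output: if `nltest /dsgetdc:domain.corp` either fails or names DC01/DC02 while those rows are BLOCKED, the server has correctly found the user's domain but cannot reach it, which is the design question the post raises rather than a misconfiguration of the RODCs.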

Answers