Hi,
If someone could help me please understand why an app server talks to a R/W DC in a different site rather than a RODC in its own site.
Forest A - Server 2008 R2 Forest and Domain Functional Level. Forest Root and child domain are separate: Root and Child.
Forest B - Server 2008 R2 Forest and Domain Functional Level. Forest Root and domain are all one.
Firewalls are open to/from R/W DCs in each Forest. Outgoing Trust from Forest B to Forest A. The RODC is in Forest B and on the same subnet as the R/W DCs in Forest A. The same site name is used in both Forests/Domains. On DCs in Forest B with Domain Local groups, I can successfully add Forest A Root and Child domain groups and users to their membership.
When an App server in Forest B tries to add a group from Forest A to its local admin group, I see in the trace that the App server first talks to the R/W DC in Forest B, then does an LDAP lookup on the RODC in Forest A and is successful. So far, so good: reading the RODC from Forest A, which is what we want and what we continue to want. Next we see the App server talk to the R/W DC in Forest B, then make an LDAP query to the PDC of the child domain in Forest A, which fails because the firewalls are closed from the App server in Forest B to the R/W DCs in Forest A.
Why does the App server not continue to query/read from Forest A's RODC, and instead start to query the R/W DC of the child domain in Forest A?
Thanks for your help! SdeDot