Channel: Directory Services forum

Branch clients authenticated at the HQ instead of local RODC


I know, I know, there are a lot of similar threads, but after a lot of searching and reading I decided to ask you.

So the problem is that our branch users are authenticated at the HQ (writable DCs). If I unplug the WAN cable in the branch office, then the users are successfully authenticated by the RODC in the branch office. After this "test", the users are always authenticated by the RODC; however, I don't think this behaviour is by design. I mean, why do I have to cut the WAN connection to make the local RODC authenticate the users in the branch? We would like to reduce the WAN traffic.

I read through a lot of the suggestions and articles and I even created a virtual lab (All servers are 2008 R2). During the setup I followed the following steps:

  1. Installed a Writable DC named DC1 (DNS + GC)
    1. IP: 192.168.100.10
    2. SM: 255.255.255.0
    3. GW: 192.168.100.1
    4. DNS: 192.168.100.10
  2. Renamed Default-First-Site to HQ
  3. Created subnet for HQ 192.168.100.0/24
  4. Created a new site named BRANCH
  5. Created a subnet for BRANCH 172.16.1.0/24
  6. Created a router (W2008R2 - RIP) to handle intersite traffic.
  7. Installed a RODC named RODC (DNS + GC) in the BRANCH site.
    1. IP: 172.16.1.10
    2. SM: 255.255.255.0
    3. GW: 172.16.1.1
    4. DNS1: 172.16.1.10
    5. DNS2: 192.168.100.10
  8. Installed a Client in the BRANCH site (W8)
    1. IP: 172.16.1.100
    2. SM: 255.255.255.0
    3. GW: 172.16.1.1
    4. DNS1: 172.16.1.10
    5. DNS2: 192.168.100.10
  9. The test users and the client computer's account are members of the Allowed RODC Password Replication Group, and I also prepopulated the passwords successfully.

So with these settings, when I log in with the test user from CLIENT and run "set", I see that the logon server is DC1 in the HQ.

The output of the dsget site command is "Branch", so it knows where it is.

I think it should be a straightforward scenario. What else do I have to set up to make it work?

As I mentioned above, the RODC can authenticate the users if I disconnect the WAN cable, but without this interruption, none of the clients is authenticated directly by the RODC.

Another interesting thing is that I created a new CNAME record on DC1 and it seems it doesn't synchronize the DNS with the RODC, because that CNAME record didn't show up on the RODC. However if I create a new user on DC1, then the user appears on RODC almost immediately.


Thanks for any hints.

Kind regards,

Dvijne
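The locator chain the post is troubleshooting (client site, logon server, site-specific SRV records, forced rediscovery) can be walked step by step from the branch client. The script below is an added example, not code from the original post; the domain FQDN is a placeholder, and the site name and DNS server addresses are taken from the post.

```powershell
# Added diagnostic example (not from the original post). Run on the branch client
# (Windows 8, PowerShell 3+). $Domain is a placeholder; replace it with the real AD domain.
$Domain   = 'corp.example'               # PLACEHOLDER: the AD DNS domain name
$Site     = 'BRANCH'                      # site name from the post
$RodcDns  = '172.16.1.10'                 # RODC DNS (client's DNS1 in the post)
$HqDns    = '192.168.100.10'              # DC1 DNS (client's DNS2 in the post)

# 1. Which site does the DC locator put this client in? Should print BRANCH.
$clientSite = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
"Client site (nltest /dsgetsite) : $clientSite"

# 2. Which DC authenticated this logon? This is what "set" showed as DC1 in the post.
"Logon server (LOGONSERVER)       : $env:LOGONSERVER"

# 3. Are site-specific SRV records for the BRANCH site present in DNS? Without them the
#    locator falls back to the generic (_tcp.dc._msdcs) records, which point to any DC.
#    Query both DNS servers, so a lagging zone copy on the RODC shows up as a difference.
foreach ($svc in '_ldap', '_kerberos') {
    $name = "$svc._tcp.$Site._sites.dc._msdcs.$Domain"
    foreach ($dns in $RodcDns, $HqDns) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -Server $dns -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            foreach ($r in $srv) {
                "  [$dns] $name -> $($r.NameTarget):$($r.Port) prio=$($r.Priority) weight=$($r.Weight)"
            }
        } catch {
            "  [$dns] MISSING: $name"
        }
    }
}

# 4. Ask the locator explicitly for a DC in the site, then force a fresh discovery so the
#    cached answer (DC1) from the current session is not simply reused.
nltest "/dsgetdc:$Domain" "/site:$Site"
nltest "/dsgetdc:$Domain" /force
```

If step 3 shows the site records only on DC1 and not on the RODC, the client (whose DNS1 is the RODC) cannot see them, which would be consistent with the DNS replication gap the post describes for the CNAME record.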
