Clients are not using RODC at the branch

 
 
Akara
      04-18-2010
Hi
We have a lab environment that we use to test 2008 server. We had a 2003
native mode forest. There is a single domain. We have 3 sites, each containing
DCs. On the site that represents a branch office we installed an RODC.
We ran adprep /rodcprep and completed the installation using DCPROMO. The
nearest site to the site hosting the RODC only has a 2003 DC, and there is also a
2008 R2 writeable DC at our head office site. The replication is working
fine. The RODC can receive updates from the 2008 DC, bypassing the site containing
the 2003 DC. But recently we found out that our XP and Vista clients are not
authenticating from the RODC, which is the main purpose of placing a DC at that
site. There is nothing in the events about this. What is wrong?

Any advice would be great.
Thanks in advance
 
 
Baris DOGAN
      04-18-2010
Hello Akara

There is a feature called Automatic Site Coverage, which helps Windows
clients to locate a domain controller in the nearest available site. This is
achieved by DCs which attempt to register their SRV resource records depending
on the availability of a DC in a remote site. These SRV records belong to sites
that contain no DC for the domain of which they are a member.
Windows Server 2003 DCs are not aware of RODCs by nature, so they register
themselves to RODC-containing sites, assuming that there is no DC at that
site. You have to teach the 2003 DC what an RODC is. In your scenario, your 2003 DC
registered itself to that remote site, so the clients may not authenticate as
expected with the local RODC.
The best solution is to install the RODC compatibility pack on the Windows Server
2003 DC.
You may find this TechNet article useful to work around this issue:
http://technet.microsoft.com/en-us/l...22(WS.10).aspx

Have a nice day

Best Regards
Baris DOGAN
MCT, CCNA, MCSE 2K/2K3 + Security
 
Akara
      04-18-2010
Hi Baris

Thanks a lot for your help.
 
Meinolf Weber [MVP-DS]
      04-18-2010
Hello Akara,

In addition to Baris Dogan's information, please make sure to configure AD
sites and services according to the physical layout with the subnets/sites
in use.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Florian Frommherz [MVP]
      04-19-2010
Howdie!

On 18.04.2010 08:16, Akara wrote:
> We have a lab environment that we use to test 2008 server. We had a 2003
> native mode forest. There is a single domain. We have 3 sites, each containing
> DCs. On the site that represents a branch office we installed an RODC.
> We ran adprep /rodcprep and completed the installation using DCPROMO. The
> nearest site to the site hosting the RODC only has a 2003 DC, and there is also a
> 2008 R2 writeable DC at our head office site. The replication is working
> fine. The RODC can receive updates from the 2008 DC, bypassing the site containing
> the 2003 DC. But recently we found out that our XP and Vista clients are not
> authenticating from the RODC, which is the main purpose of placing a DC at that
> site. There is nothing in the events about this. What is wrong?


So I'd check the following here:
(1) Is Sites&Services configured correctly? Are clients supposed to
connect to the RODC in its site? (nltest will give you good info on this)
(2) Is the RODC supposed to cache credentials for test users? Did you
configure the PRP (user AND computer accounts!?) accordingly?
(3) Have you checked network traffic (use an auditing/sniffer tool) to
see what's going on?

Cheers,
Florian
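
An added example, not part of the thread: one way to test the site-coverage explanation and check (1) above is to list which DCs have registered the branch site's DC-locator SRV name and compare them with the DCs actually placed in that site. The names corp.example, Branch, rodc01 and dc2003 are hypothetical, and Resolve-DnsName assumes a management host running Windows 8 / Server 2012 or later.

```powershell
# Added example; all host, site and domain names below are hypothetical.

function Get-SiteCoverage {
    # Host names registered under a site's DC-locator SRV record.
    param([string]$Domain, [string]$Site)
    $name = "_ldap._tcp.${Site}._sites.dc._msdcs.${Domain}"
    Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
}

function Find-UnexpectedCoverage {
    # Pure comparison: registrants that are not DCs placed in this site.
    # Anything returned here is covering the site from elsewhere.
    param([string[]]$Registered, [string[]]$LocalDCs)
    $local = $LocalDCs | ForEach-Object { $_.TrimEnd('.').ToLower() }
    $Registered |
        Where-Object { $local -notcontains $_.TrimEnd('.').ToLower() } |
        Sort-Object -Unique
}

function Test-BranchLocator {
    # Live check; run from a domain-joined client in the branch subnet.
    param([string]$Domain, [string]$Site, [string[]]$LocalDCs)
    nltest /dsgetsite                    # site the client's subnet maps to
    nltest "/dsgetdc:$Domain" /force     # DC the locator picks right now
    $registered = Get-SiteCoverage -Domain $Domain -Site $Site
    Find-UnexpectedCoverage -Registered $registered -LocalDCs $LocalDCs
}

# Constructed sample: the branch site's SRV set when a Windows Server 2003
# DC has auto-covered the site even though an RODC lives there.
$sampleRegistered = 'rodc01.corp.example', 'dc2003.corp.example'
Find-UnexpectedCoverage -Registered $sampleRegistered `
                        -LocalDCs 'rodc01.corp.example'

# Live usage (hypothetical names):
# Test-BranchLocator -Domain 'corp.example' -Site 'Branch' `
#                    -LocalDCs 'rodc01.corp.example'
```

If a DC outside the branch appears in the result, clients in that site can be handed that DC by the locator instead of the RODC, which matches the behaviour described in the thread.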
 
 
Paul Bergson [MVP-DS]
      04-19-2010
The best practices for Sites and Services may also help.

http://technet.microsoft.com/en-us/l...68(WS.10).aspx

--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the Newsgroups. This
posting is provided "AS IS" with no warranties and confers no rights.