Authentication on Win2k8 R2 inter-site

Discussion in 'Active Directory' started by atherus, Jan 13, 2010.

  1. atherus

    atherus Guest

    Hello,

    I'm really in trouble. I deployed Windows 2008 R2 AD in my company.
    I created four sites. I installed one DC in every site with global
    catalog!

    See my schema:

    Milan
    ------
    Site : Milan
    subnet : 192.168.10.0/24
    DCmilan01 GC

    London
    -------
    Site : London
    subnet : 192.168.20.0/24
    DClondon01 GC

    Geneva
    -------
    Site : Geneva (old default site)
    subnet : 192.168.30.0/24
    DCgeneva01 GC (all operations masters are configured on this DC)

    Berlin
    ------
    Site : Berlin
    subnet : 192.168.30.0/24
    DCberlin01 GC

    Every subnet works perfectly well, and AD replication works well also.

    But I discovered on my firewall that sometimes users in Milan and London
    try to authenticate to the Berlin or Geneva DC!

    I don't understand this! If anybody could help me, it would be very
    appreciated.

    Julien Ithurbide


    atherus, Jan 13, 2010
    #1

  2. Hello atherus,

    Did you configure AD Sites and Services with all subnets and sites and add
    each DC to the site it belongs to?

    Are the DCs in each site also DNS servers, and do they use their own site's DNS
    as preferred and another site's as secondary DNS? If not, the DC Locator process
    will decide which DC the authentication process goes to.

    http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=1

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jan 13, 2010
    #2

  3. If a DC doesn't respond to a query (it is too busy) then the client will
    seek out other DCs. Once you have your sites defined you need to ensure
    all the subnets associated with the sites are defined within Sites and
    Services. I have seen many occurrences where users miss this step.

    To check to see if you have all the sites properly defined you can look in
    the following log on each dc and see if there are sites which are reverting
    back to the default site.
    %systemroot%\Debug\Netlogon.log

    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009

    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson [MVP-DS], Jan 13, 2010
    #3
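The two checks suggested above (is every subnet mapped to the right site, and does Netlogon.log show clients falling outside any site) can be scripted against an export of the site table. The following is an added example, not code from the thread or any of its posters: the site/subnet table is copied from the first post exactly as written, the DC host addresses and the Netlogon.log lines are constructed sample data (real input would come from AD Sites and Services and from `%systemroot%\Debug\Netlogon.log` on each DC), and it also goes a step beyond the thread by checking whether each DC's own address resolves to the site it was placed in.

```python
import ipaddress
import re
from collections import defaultdict

# Site/subnet table as posted in the first message of the thread. The duplicated
# 192.168.30.0/24 for Geneva and Berlin is reproduced exactly as the poster wrote it.
SITE_SUBNETS = {
    "Milan":  ["192.168.10.0/24"],
    "London": ["192.168.20.0/24"],
    "Geneva": ["192.168.30.0/24"],
    "Berlin": ["192.168.30.0/24"],
}

# DC host addresses are assumptions: the thread gives only DC names and subnets.
DC_ADDRESSES = {
    "DCmilan01":  ("Milan",  "192.168.10.10"),
    "DClondon01": ("London", "192.168.20.10"),
    "DCgeneva01": ("Geneva", "192.168.30.10"),
    "DCberlin01": ("Berlin", "192.168.30.20"),
}


def build_subnet_map(site_subnets):
    """(network, site) pairs, most specific prefix first, mimicking longest-match lookup."""
    pairs = [(ipaddress.ip_network(s), site)
             for site, subs in site_subnets.items() for s in subs]
    pairs.sort(key=lambda p: p[0].prefixlen, reverse=True)  # stable: ties keep table order
    return pairs


def find_conflicting_subnets(site_subnets):
    """Subnets listed under more than one site. AD holds one site per subnet object,
    so a duplicate in a design table means one of those sites has no real mapping."""
    owners = defaultdict(set)
    for site, subs in site_subnets.items():
        for s in subs:
            owners[str(ipaddress.ip_network(s))].add(site)
    return {s: sorted(sites) for s, sites in owners.items() if len(sites) > 1}


def site_for_ip(ip, subnet_map):
    """Site a client address maps to, or None when no subnet object covers it."""
    addr = ipaddress.ip_address(ip)
    for net, site in subnet_map:
        if addr in net:
            return site
    return None


def check_dc_placement(dc_addresses, subnet_map):
    """DCs whose own address does not resolve to the site they were placed in:
    dc name -> (site in Sites and Services, site the subnet table resolves to)."""
    problems = {}
    for dc, (site, ip) in dc_addresses.items():
        resolved = site_for_ip(ip, subnet_map)
        if resolved != site:
            problems[dc] = (site, resolved)
    return problems


# Netlogon writes "NO_CLIENT_SITE: <client> <ip>" for a client whose address matches
# no subnet object; such clients are treated as site-less and may pick any DC.
NO_CLIENT_SITE_RE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)")

# Constructed sample in the shape of %systemroot%\Debug\Netlogon.log entries.
SAMPLE_NETLOGON_LOG = """\
01/13 09:12:01 [MISC] DsGetDcName function called: client PID=1234, Dom:CORP Acct:(null) Flags: DS
01/13 09:12:05 [MISC] NO_CLIENT_SITE: WS-BER-017 192.168.40.17
01/13 09:13:44 [MISC] NO_CLIENT_SITE: WS-BER-022 192.168.40.22
01/13 09:15:02 [MISC] NO_CLIENT_SITE: WS-BER-017 192.168.40.17
"""


def siteless_clients(log_text):
    """client hostname -> set of addresses Netlogon reported as belonging to no site."""
    found = defaultdict(set)
    for m in NO_CLIENT_SITE_RE.finditer(log_text):
        found[m.group(1)].add(m.group(2))
    return dict(found)


def missing_subnets(log_text, prefixlen=24):
    """Collapse the site-less client addresses to the prefixes that need subnet objects."""
    nets = set()
    for ips in siteless_clients(log_text).values():
        for ip in ips:
            nets.add(str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)))
    return sorted(nets)


if __name__ == "__main__":
    subnet_map = build_subnet_map(SITE_SUBNETS)
    print("subnets claimed by more than one site:", find_conflicting_subnets(SITE_SUBNETS))
    print("DCs outside their own site's subnets:", check_dc_placement(DC_ADDRESSES, subnet_map))
    print("site-less clients in Netlogon.log:", siteless_clients(SAMPLE_NETLOGON_LOG))
    print("subnet objects to add:", missing_subnets(SAMPLE_NETLOGON_LOG))
```

Run against the posted table, the script flags 192.168.30.0/24 as claimed by both Geneva and Berlin and DCberlin01 as resolving to Geneva rather than Berlin, which is exactly the kind of mapping gap that makes clients in one site authenticate against a DC in another. The `NO_CLIENT_SITE` scan turns the per-DC log into a short list of prefixes that still need subnet objects.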
  4. Howdie!

    Yeah, that is built-in functionality. It does not automatically re-cache
    it. You need a provisioning solution or a workflow in your
    password-reset/change process that builds that. A simple scheduled task
    should do the trick too - but I'd connect the pre-population of
    passwords to some human action so someone looks at it.
    What OS is on the machine you run that command from?
    Note that there is *no* synchronization. Pre-populating passwords is a
    one-time action. There's no automation in place because you probably
    don't want that password to be replicated to the RODC all over again until
    forever. A RODC is considered 'insecure' because of its purposes and the
    scenarios it runs in. It should only have cached the passwords it really needs.

    Cheers,
    Florian
     
    Florian Frommherz [MVP], Jan 14, 2010
    #4
  5. In order for a RODC to cache its passwords you have to instruct it to cache
    them, it won't automatically do it.
    http://technet.microsoft.com/en-us/library/cc753470(WS.10).aspx

    --
    Paul Bergson
     
    Paul Bergson [MVP-DS], Jan 14, 2010
    #5
  6. As long as the setting is set to allow (not deny), yes, you have it configured
    correctly. Did you review which users are currently being cached? This is
    available via the advanced button on the cached window.

    --
    Paul Bergson
     
    Paul Bergson [MVP-DS], Jan 14, 2010
    #6
  7. I don't think that is possible. The only two ways I know are prepopulate or
    the user actually logging on.

    --
    Paul Bergson
     
    Paul Bergson [MVP-DS], Jan 15, 2010
    #7
  8. atherus

    jithurbide Guest

    On 15.01.2010 14:43:00, "Paul Bergson [MVP-DS]" wrote:
    Hello,

    Thanks for your answer.

    In fact all my users log on to the server! All my users have the allow cached
    option! All the users are in the same site as the RODC. All computers are
    configured by DHCP installed on the RODC. My DNS configuration is set up first
    to the RODC and second to the central office. All users and computers are
    members of an allow group for password caching.

    Then, after the first prepopulate option, how can I be sure that the RODC
    caches the password? And if it doesn't cache it, what can I do?
     
    jithurbide, Jan 18, 2010
    #8
  9. I'm sorry, I don't know of any way to validate whether a password was properly
    cached other than to visually inspect it. I wonder if there is a way with
    PowerShell? I don't know though.

    --
    Paul Bergson

     
    Paul Bergson [MVP-DS], Jan 19, 2010
    #9
  10. If you are setting the password to be cached and it isn't doing it,
    something is wrong. So checking it shouldn't be necessary if it is working
    properly. I have only used RODCs in a test environment and I don't have an
    RODC in my lab right now.

    I am curious once a user changes their password and they successfully logon
    in your environment, does the password get re-cached?

    --
    Paul Bergson
     
    Paul Bergson [MVP-DS], Jan 22, 2010
    #10
  11. Ok, I just wasn't sure if you meant it wouldn't auto re-cache once the
    password was changed or it wouldn't cache at all, even after the user
    subsequently logged in.

    --
    Paul Bergson
     
    Paul Bergson [MVP-DS], Jan 22, 2010
    #11
  12. atherus

    kj [SBS MVP] Guest

    If the user attempts to authenticate with an RODC that had previously cached
    the password, the cache should be updated with the new password. If
    authentication is from another DC or a different RODC then the old cache is
    not automagically updated.

    My understanding at least. I'll see if I can test in the lab later.
     
    kj [SBS MVP], Jan 22, 2010
    #12
  13. That is the way I understand as well, but he is getting his users to log on
    with the new password hitting the RODC and it isn't updating. This sounds
    like some type of config issue but I can't possibly state that since I don't
    have a similar scenario to test at this time.

    One thing I just thought of, do you have your sites and services configured
    so that the rodc knows of other subnets? I wonder if the clients aren't
    hitting the RODC even though they are at the same physical location.

    Check the Netlogon log on each DC and see if the clients at the remote site are
    reporting as not defined in a site:
    start notepad.exe C:\WINDOWS\Debug\Netlogon.log

    --
    Paul Bergson
     
    Paul Bergson [MVP-DS], Jan 22, 2010
    #13
  14. atherus

    kj [SBS MVP] Guest

  14. That's what I'm unclear of - that the (target) RODC authentication was
    attempted in the first place. Then, whether caching was working normally anyway -
    like a non-prepopulated user in the allow PRP group getting the initial
    cache on first logon. Is it happening only to prepopulated users or to any allow
    PRP members?

     
    kj [SBS MVP], Jan 22, 2010
    #14
  15. From a command prompt on the client machine:
    set logonserver

    --
    Paul Bergson

     
    Paul Bergson [MVP-DS], Jan 25, 2010
    #15


  16. If you don't mind me jumping in here, I've been following the thread, and
    now that the topic came to Sites, and the workstation is selecting another
    DC and not the RODC, I am curious how many DCs are in the site where the
    client machine exists? Is there an RODC and a non-RODC in the same site?


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
    MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please
    contact Microsoft PSS directly. Please check http://support.microsoft.com
    for regional support phone numbers.
     
    Ace Fekay [MVP-DS, MCT], Jan 25, 2010
    #16
  17. What did the netlogon.dbg file I pointed to earlier have to say about this
    client? Did you look on an authenticating DC?

    --
    Paul Bergson

     
    Paul Bergson [MVP-DS], Jan 25, 2010
    #17

  18. Paul,

    I would be curious of that, as well. If another DC is authenticating a
    client logon, and it's a DC (in this case the RODC), not in the client site,
    it's indicating something else is going on.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 26, 2010
    #18
  19. Yeah I don't think it has anything to do with it being an RODC, but more
    likely an issue with Sites and Services, but I could be wrong. You going to
    Summit this year?

    --
    Paul Bergson
     
    Paul Bergson [MVP-DS], Jan 26, 2010
    #19
  20. No, I can't swing it, unfortunately, as much as I do want to go. Finances,
    timing, family, etc. Now if it were closer, it would be a lot easier. I hope
    there are future functions locally that we can meet along with other fellow
    MVPs.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 26, 2010
    #20
