Hello, I'm really in trouble. I deployed Windows 2008 R2 AD at my company. I created four sites. I installed one DC in every site, with Global Catalog! See my schema:

Milan
  Site: Milan
  Subnet: 192.168.10.0/24
  DCmilan01 (GC)

London
  Site: London
  Subnet: 192.168.20.0/24
  DClondon01 (GC)

Geneva
  Site: Geneva (old default site)
  Subnet: 192.168.30.0/24
  DCgeneva01 (GC)
  All Operations Masters are configured on this DC

Berlin
  Site: Berlin
  Subnet: 192.168.30.0/24
  DCberlin01 (GC)

Every subnet works perfectly well, and AD replication works well also. But I discovered on my firewall that sometimes users in Milan and London try to authenticate to the Berlin or Geneva DC! I don't understand this! If anybody could help me, it would be very much appreciated.

Julien Ithurbide
Hello atherus, did you configure AD Sites and Services with all subnets and sites, and add each DC to its own site? Are the DCs in each site also DNS servers, and do they use their own site's DNS as preferred and another site's as secondary DNS? If not, the DC Locator process will decide which DC the authentication process goes to. http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=1 Best regards, Meinolf Weber
If a DC doesn't respond to a query (it is too busy), then the client will seek out other DCs. Once you have your sites defined, you need to ensure all the subnets associated with the sites are defined within Sites and Services. I have seen many occurrences where users miss this step. To check whether you have all the sites properly defined, you can look in the following log on each DC and see if there are sites which are reverting back to the default site. %systemroot%\Debug\Netlogon.log -- Paul Bergson MVP - Directory Services MCTS, MCT, MCSE, MCSA, Security+, BS CSci 2008, 2003, 2000 (Early Achiever), NT4 Microsoft's Thrive IT Pro of the Month - June 2009 http://www.pbbergs.com Please no e-mails, any questions should be posted in the NewsGroup This posting is provided "AS IS" with no warranties, and confers no rights.
Howdie! Yeah, that is built-in functionality. It does not automatically re-cache it. You need a provisioning solution or a workflow in your password reset/change process that builds that. A simple scheduled task should do the trick too, but I'd connect the pre-population of passwords to some human action so someone looks at it. What OS is on the machine you run that command from? Note that there is *no* synchronization. Pre-populating passwords is a one-time action. There's no automation in place because you probably don't want that password to be replicated to the RODC all over again forever. An RODC is considered 'insecure' because of its purposes and the scenarios it runs in. It should only have the passwords cached that it really needs. Cheers, Florian
In order for an RODC to cache passwords, you have to instruct it to cache them; it won't do it automatically. http://technet.microsoft.com/en-us/library/cc753470(WS.10).aspx -- Paul Bergson
As long as the setting is set to Allow (not Deny), yes, you have it configured correctly. Did you review which users are currently being cached? This is available via the Advanced button on the cached window. -- Paul Bergson
I don't think that is possible. The only two ways I know of are to prepopulate, or for the user to actually log on. -- Paul Bergson
On 15.01.2010 14:43:00, "Paul Bergson [MVP-DS]" wrote: Hello, thanks for your answer. In fact, all my users log on to the server! All my users have the allow cached option! All the users are in the same site as the RODC. All computers are configured by DHCP installed on the RODC. My DNS configuration points first to the RODC and second to the central office. All users and computers are members of an allow group for password caching. Then, after the first prepopulate option, how can I be sure that the RODC caches the password? And if it doesn't cache it, what can I do?
I'm sorry, I don't know of any way to validate whether a password was properly cached other than to visually inspect it. I wonder if there is a way with PowerShell? I don't know though. -- Paul Bergson
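Julien asks how to confirm that the RODC really holds a user's secrets, and Paul wonders whether PowerShell can do it. It can, with the ActiveDirectory module that ships with Server 2008 R2. The script below is an added example and is not code from anyone in this thread; the RODC name and the allow-group name are placeholders. It pulls the accounts whose secrets the RODC has stored (the "revealed" list), the accounts that have authenticated through it, and the recursive membership of the allow group, then reports allowed accounts that authenticated via the RODC but still have nothing cached, which is the condition being discussed.

```powershell
# Added example (not from the thread): audit what an RODC has actually cached
# against who is allowed to be cached and who has logged on through it.
# Requires the ActiveDirectory module (Server 2008 R2 / RSAT).
Import-Module ActiveDirectory

$Rodc       = 'RODC-BRANCH01'              # placeholder: your RODC's name
$AllowGroup = 'Branch-RODC-Allowed-Users'  # placeholder: your PRP allow group

# Accounts whose secrets are currently stored on the RODC ("reveal" list)
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object -ExpandProperty SamAccountName

# Accounts that have authenticated through the RODC, whether the logon was
# served from the local cache or forwarded to a writable DC ("auth2" list)
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object -ExpandProperty SamAccountName

# Everyone the PRP allow group makes eligible for caching (nested groups included)
$allowed = Get-ADGroupMember -Identity $AllowGroup -Recursive |
    Select-Object -ExpandProperty SamAccountName |
    Sort-Object -Unique

$report = foreach ($name in $allowed) {
    New-Object PSObject -Property @{
        Account       = $name
        Authenticated = [bool]($authenticated -contains $name)
        Cached        = [bool]($revealed -contains $name)
    }
}

# The interesting rows: the PRP allows the account, the account has logged on
# through this RODC, yet the RODC never stored its secret.
$report | Where-Object { $_.Authenticated -and -not $_.Cached } |
    Select-Object Account, Authenticated, Cached |
    Format-Table -AutoSize

# Full audit for later comparison (e.g. after a password change)
$report | Export-Csv -Path "$Rodc-prp-audit.csv" -NoTypeInformation
```

The same two lists can be read without PowerShell with `repadmin /prp view <RODC> reveal` and `repadmin /prp view <RODC> auth2`. Running the export once before and once after a user changes their password and logs on again shows directly whether the RODC re-cached the new secret.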
If you are setting the password to be cached and it isn't doing it, something is wrong. So checking it shouldn't be necessary if it is working properly. I have only used RODCs in a test environment, and I don't have an RODC in my lab right now. I am curious: once a user changes their password and successfully logs on in your environment, does the password get re-cached? -- Paul Bergson
OK, I just wasn't sure if you meant it wouldn't auto re-cache once the password was changed, or it wouldn't cache at all, even after the user subsequently logged in. -- Paul Bergson
If the user attempts to authenticate with an RODC that had previously cached the password, the cache should be updated with the new password. If authentication is from another DC or a different RODC, then the old cache is not automagically updated. My understanding at least. I'll see if I can test in the lab later.
That is the way I understand it as well, but he is getting his users to log on with the new password hitting the RODC, and it isn't updating. This sounds like some type of config issue, but I can't possibly state that since I don't have a similar scenario to test at this time. One thing I just thought of: do you have your Sites and Services configured so that the RODC knows of other subnets? I wonder if the clients aren't hitting the RODC even though they are at the same physical location. Check the Netlogon log on each DC and see if the clients at the remote site are reported as not defined in a site: start notepad.exe C:\WINDOWS\Debug\Netlogon.log -- Paul Bergson
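Paul's advice here, and earlier in the thread, is to read Netlogon.log on each DC for clients that map to no site. The following PowerShell is an added example, not code from anyone in the thread: it extracts the NO_CLIENT_SITE entries Netlogon writes when a client's IP matches no subnet object, and groups them by /24 so the missing subnets can be created in Sites and Services. The log path is the default one; the sample lines are constructed, and the line layout they imitate is an assumption about your OS version, so adjust the regular expression if your log differs.

```powershell
# Added example (not from the thread): summarise NO_CLIENT_SITE entries from a
# DC's Netlogon.log so that clients whose subnet is missing from Sites and
# Services can be identified. Default path is %SystemRoot%\Debug\Netlogon.log.
param(
    [string]$LogPath = (Join-Path $env:SystemRoot 'Debug\Netlogon.log')
)

function Get-NoClientSiteReport {
    param([string[]]$Lines)

    # Match "NO_CLIENT_SITE: <client> <ip>" wherever it sits on the line;
    # the timestamp/domain prefix varies between OS versions (assumption).
    $pattern = 'NO_CLIENT_SITE:\s+(?<Client>\S+)\s+(?<IP>\d{1,3}(?:\.\d{1,3}){3})'

    $hits = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Client = $Matches['Client']
                IP     = $Matches['IP']
                # Grouping key: assume /24 prefixes, as in the opening post's plan
                Subnet = ($Matches['IP'] -replace '\.\d{1,3}$', '.0/24')
            }
        }
    }

    $hits | Group-Object Subnet | Sort-Object Count -Descending | ForEach-Object {
        $clients = $_.Group | ForEach-Object { $_.Client } | Sort-Object -Unique
        New-Object PSObject -Property @{
            Subnet  = $_.Name
            Hits    = $_.Count
            Clients = ($clients -join ', ')
        }
    }
}

if (Test-Path $LogPath) {
    $lines = Get-Content $LogPath
} else {
    # Constructed sample lines so the parser can be exercised without a DC
    $lines = @(
        '01/15 09:12:03 CONTOSO: NO_CLIENT_SITE: WKS-MIL-07 192.168.10.57',
        '01/15 09:12:41 CONTOSO: NO_CLIENT_SITE: WKS-MIL-12 192.168.10.62',
        '01/15 09:13:10 CONTOSO: NO_CLIENT_SITE: LT-LON-03 192.168.20.31',
        '01/15 09:14:00 [MISC] DsGetDcName function called: client PID=1234'
    )
}

Get-NoClientSiteReport -Lines $lines |
    Select-Object Subnet, Hits, Clients |
    Format-Table -AutoSize
```

Run it on every DC, because a client is logged only by the DC it actually reached, and the DCs that are the wrong ones for a site are exactly the ones you want to see. A subnet object can belong to only one site, so a plan like the one in the opening post, where two sites carry the same 192.168.30.0/24 prefix, leaves one of those sites without a usable subnet, and its clients will show up in this report.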
That's what I'm unclear of: that the (target) RODC authentication was attempted in the first place. Then, whether caching was working normally anyway, like a non-prepopulated user in the allow PRP group getting the initial cache on first logon. Is it happening only to prepopulated users, or to any allow PRP members?
From a command prompt on the client machine: set logonserver -- Paul Bergson
If you don't mind me jumping in here, I've been following the thread, and now that the topic has come to Sites, and the workstation is selecting another DC and not the RODC, I am curious: how many DCs are in the site where the client machine exists? Is there an RODC and a non-RODC in the same site? -- Ace This posting is provided "AS-IS" with no warranties or guarantees and confers no rights. Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution. Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003 Microsoft Certified Trainer Microsoft MVP - Directory Services If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
What did the netlogon.dbg file I pointed to earlier have to say about this client? Did you look on an authenticating DC? -- Paul Bergson
Paul, I would be curious about that as well. If another DC is authenticating a client logon, and it's a DC (in this case the RODC) not in the client's site, it indicates something else is going on. Ace
Yeah, I don't think it has anything to do with it being an RODC, but more likely an issue with Sites and Services, but I could be wrong. Are you going to Summit this year? -- Paul Bergson
No, I can't swing it, unfortunately, as much as I do want to go. Finances, timing, family, etc. Now if it were closer, it would be a lot easier. I hope there are future functions locally that we can meet along with other fellow MVPs. Ace