Authentification on Win2k8 r2 inter site

Hello,

I 'm really in trouble. I deployed on windows 2008 r2 AD on my company.
I create four sites. I installed one dc on every site with global
catalog!

See my schema :

Milan
------
Site : Milan
subnet : 192.168.10.0/24
DCmilan01 GC

London
-------
Site : London
subnet : 192.168.20.0/24
DClondon01 GC

Geneva
-------
Site : Geneva (old default site)
subnet : 192.168.30.0/24
DCgeneva01 GC All Operations masters is configured on this DC

Berlin
------
Site : Berlin
subnet : 192.168.30.0/24
DCberlin01 GC

Every subnet work perfectly weel, AD replication works well also.

But, I discover on my firewall that sometime users in Milan, London try
to authenticated to Berlin or to Geneva DC!

I don't understand this! If anybody could help me, it's will be very
appreciate

Julien Ithurbide


--- news://freenews.netfront.net/ - complaints: ---

 

Hello atherus,

Did you configure AD sites and services with all subnets and sites and add
the DC to it's belonging site?

Are the DCs in each site also DNS server and uses there site DNS as preferred
and another site as secondary DNS? If not the DCLocator process will handle
the DC where the authentication process goes to.

http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=1

Best regards

Meinolf Weber

 

If a dc doesn't respond to a query (It is too busy) then the client will
seek out other dc's. Once you have your sites defined you need to ensure
all the subnets associated with the sites are defined within sites and
services. I have seen many occurances where users miss this step.

To check to see if you have all the sites properly defined you can look in
the following log on each dc and see if there are sites which are reverting
back to the default site.
%systemroot%\Debug\Netlogon.log

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

Howdie!

Yeah, that is built-in functionality. It does not automatically re-cache
it. You need a provisioning solution or a workflow in your
password-reset-change process that builds that. A simply scheduled task
should do the trick too - but I'd connect the pre-population of
passwords to some human action so someone looks at it.

What OS is on the machine you run that command from?

Note that there *no* synchronization. Pre-populating passwords is a
one-time action. There's no automation in place because you probably
don't want that password be replicated to the RODC all over again until
forever. A RODC is considered 'insecure' because of its purposes and the
scenarios it runs in. It should only have passwords cached it really needs.

Cheers,
Florian

 

In order for a RODC to cache its passwords you have to instruct it to cache
them, it won't automatically do it.
http://technet.microsoft.com/en-us/library/cc753470(WS.10).aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

As long as the setting is set to allow (Not deny) yes you have it configured
correctly. Did you review which users are currently being cached? This is
available via the advanced button on the cached window.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

I don't think that is possible. The only two ways I know is propulate or
the user actually logs on.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

On 15.01.2010 14:43:00, "Paul Bergson [MVP-DS]" wrote:
Hello,

Thanks for your anwser.

In fact all my user log on the server! All my users had the allow cached
option! All the users are in the same site of the RODC. All computer are
configured by DHCP insatlled on the RODC. My DNS Configuration is setup first
on the RODCand second to the central office. All users and computers are
member of an allow group for password cached.

Then after the first prepopulate option, how I can be sure that the rodc
cache the password ? and if it don't cahe it what's can I do ?

 

I'm sorry I don't know of anyway to validate if a password was properly
cached other than to visually inspect it. I wonder if there is a way with
Powershell? I don't know though.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

If you are setting the password to be cached and it isn't doing it,
something is wrong. So checking it shouldn't be neccesary if it working
properly. I have only used RODC's in a test environment and I don't have an
RODC in my lab right now.

I am curious once a user changes their password and they successfully logon
in your environment, does the password get re-cached?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

Ok, I just wasn't sure if you meant it wouldn't auto re-cache once the
password was changed or it wouldn't cache at all, even after the user
subsequently logged in.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

If the user attempts to authenticate with an RODC that had previous cached
the password the cache should be updated with the new password. If
authentication is a from another DC or different RODC then the old cache is
not automagically updated.

My understanding at least. I'll see if I can test in the lab latter.

 

That is the way I understand as well, but he is getting his users to log on
with the new password hitting the RODC and it isn't updating. This sounds
like some type of config issue but I can't possibly state that since I don't
have a similar scenario to test at this time.

One thing I just thought of, do you have your sites and services configured
so that the rodc knows of other subnets? I wonder if the clients aren't
hitting the RODC even though they are at the same physical location.

Check the netlog on each dc, see if the clients at the remote site are
reporting not defined in a site
start notepad.exe C:\WINDOWS\Debug\Netlogon.log

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

That's what I'm unclear of - that the (target) RODC authentication was
attempted in the first place. Then if caching was working normally anyway -
like a non prepopulated user in the allow prp group getting the initial
cache on first logon. Is it happening only to prepoulated users or any allow
prp members.

 

From a command prompt on the client machine
set logonserver

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

If you don't mind me jumping in here, I've been following the thread, and
now that the topic came to Sites, and the workstation is selecting another
DC and not the RODC, I am curious how many DCs are in the site where the
client machine exists? Is there an RODC and a non-RODC in the same site?


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.

 

what did the netlogon.dbg file i pointed to earlier have to say about this
client? Did you look on an autheticating dc?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

Paul,

I would be curious of that, as well. If another DC is authenticating a
client logon, and it's a DC (in this case the RODC), not in the client site,
it's indicating something else is going on.

Ace

 

Yeah I don't think it has anything to do with it being an RODC, but more
likely an issue with Sites and Services, but I could be wrong. You going to
Summit this year?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

No, I can't swing it, unfortunately, as much as I do want to go. Finances,
timing, family, etc. Now if it were closer, it would be a lot easier. I hope
there are future functions locally that we can meet along with other fellow
MVPs.

Ace