Authentification on Win2k8 r2 inter site

How many DCs do you have?

Do me a favor, and run the following, and post the results. Keep in mind,
you must
go into your _msdcs. and your testadservs.net zones properties, Zone
transfers, and allow zone transfers for the commands to run. You can turn
this off after you've completed the run

c:\nslookup

(hit enter and copy/paste results)

While still in the command, then run:

(hit enter and copy/paste results)

Then run the following, please, and post the results.

Note: the following scripts were obtained from
Active Directory Sites and Subnets Scripting
http://www.activxperts.com/activmonitor/windowsmanagement/scripts/activedirectory/sites



Lists Active Directory sites.
==========
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")

strSitesContainer = "LDAP://cn=Sites," & strConfigurationNC
Set objSitesContainer = GetObject(strSitesContainer)
objSitesContainer.Filter = Array("site")

For Each objSite In objSitesContainer
WScript.Echo "Name: " & objSite.Name
Next
==========


List All Domain Controllers
==========
Returns a list of all the domain controllers in the fabrikam.com domain.

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCOmmand.ActiveConnection = objConnection

objCommand.CommandText = _
"Select distinguishedName from " & _
"'LDAP://cn=Configuration,DC=fabrikam,DC=com' " _
& "where objectClass='nTDSDSA'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
Wscript.Echo "Computer Name: " & _
objRecordSet.Fields("distinguishedName").Value
objRecordSet.MoveNext
Loop
==========

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.

 

Thanks for posting this information.

The "[UnKnown]" is caused by no PTR record for the DNS servers' IP address
in the reverse zone, or no reverse zone.

Otherwise, it actually looks clean from reading through it. You do have
numerous sites and the DCs and netlogon service is registering everything.
If I am missing any, it is because of the large number of DCs and I may be
missing one or tow.

It appears you have one domain called mydomain.local. Without me going
through each and every DC to check in the output, are all DCs, GCs? In a
single domain forest, it is recommended to make all DCs Global Catalogs.

I assume on each DC that you have DNS set to point to itself as the first
DNS address, and one of the DCs in it's own Site as the second entry. No
need to add additional DNS servers. If not, that is the recommended
configuration.

Which site has the RODC that is giving you problems?

Ace

 

This is my third request for the inspection of the log file below. Look
into it and see if you can find your clients within the site that is
failing. This should be run on a dc that is authenticating your out of site
clients. This is how I troubleshoot this issue. Before attempting anything
else I would like to know the results contained within.

start notepad.exe C:\WINDOWS\Debug\Netlogon.log



--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

Alright lets run diagnostics on your domain.

If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> ntfrsutl ds your_dc_name > c:\sysvol.log
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take into
account slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests without
having to learn all the switch options. The details will be output in
notepad text files that pop up automagically.

The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.

Description and download for dnslint
http://support.microsoft.com/kb/321045

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

Juien,

You are saying you only have one domain, correct? If so, ALLL domain
controllers should be GCs, as I stated in my previous post.

More info on this:
"If a single domain forest, you can have all DCs a GC. If multiple domains,
it is recommended for a GC to not be on the FSMO IM Role, unless you make
all DCs GCs"
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx

And run those tools for Paul to help with a diagnosis.

Ace

 

Good to hear you figured it out. However, curious, why wasn't a site link
created between the two sites in the first place?

Did you by chance also disable the ability to let AD (KCC and ISTG) allow to
create automatic links?

Ace

 

I'm not sure of what your rodc name is and I only see snips of the logs so
I'm unclear if all these errors are related to your RODC. The DSA object
could be worriesome and wonder that the best thing might be to demote and
promote your rodc.

Is this an option? If so, then demote and once complete run another set of
diagnostics and check to see if the errors have cleaned up. If not note
these as opposed to before the demotion.

As far as netDiag is concerned you can extract it from the 2003 support
tools. I don't believe there are any issues with the 2003 tools for 2008
but I'll see if I can find out. It won't hurt anything since it is a
reporting tool. I just would like to know if the RODC has a trust
established with the rest of your domain.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

I'm glad to hear things are working. As for pwd caching, I believe you have
quite a few responses regarding this from eariler in the thread. Basically
you set cacing with the Password Replication Policy. Keep in mind, if a user
wants to change his password, or has to change (due to password expiration),
the client machine must still contact a writeable DC.

Administering the Password Replication Policy:
http://technet.microsoft.com/en-us/library/cc754646(WS.10).aspx

Without my digging through the multiple postings in this thread (there are
just too many), I'm providing a few links below to read up on.


Password Replication Policy Administration, May 14, 2009 ... When you
prepopulate the RODC password cache, you trigger the RODC to ... ... To
prepopulate the password cache for an RODC by using Active ... ... make sure
that the user in question is a member of Allowed RODC Password Replication
Group (and is not a member - directly or indirectly - of the Denied RODC
Password Replication Group... ... Right click on the RODC account in ADUC.
Go to Policy replication tab and add the group or users which you want cash
in RODC and give prmission as Allow...
http://technet.microsoft.com/en-us/library/cc753470(WS.10).aspx

Password Replication PolicyMay 1, 2009, ... The Password Replication Policy
acts as an access control list (ACL). It determines if an RODC should be
permitted to cache a password. ...
http://technet.microsoft.com/en-us/library/cc730883(WS.10).aspx

Ask the Directory Services Team : Understanding “Read Only Domain ...Jan 18,
2008 ... Another really cool feature is the “Prepopulate the password cache
for an RODC” button. This button (pictured) allows an administrator to ...
http://blogs.technet.com/askds/arch...ad-only-domain-controller-authentication.aspx

Password Question On RODC7 posts - 3 authors - Last post: Dec 4, 2009
As far as I know, there is not password cache in RODC. ... The RODC has the
password cache for Bob. One day RODC requests Bob to change the ...
http://social.technet.microsoft.com...e/thread/b70f29c0-28ae-45e4-9e7e-dd9a466d8791

Credential Caching on a Windows Server 2008 RODC
http://mcpmag.com/articles/2008/12/01/credential-caching-on-a-windows-server-2008-rodc.aspx

RODC Filtered Attribute Set, Credential Caching, and the Authentication
Process with an RODC
http://technet.microsoft.com/en-us/library/cc753459(WS.10).aspx

AD DS: Read-Only Domain Controllers, August 26, 2009, A read-only domain
controller (RODC) is a new type of domain controller in the Windows Server®
2008 operating system. With an RODC, organizations can easily deploy a
domain controller in locations where physical security cannot be guaranteed.
An RODC hosts read-only partitions of the Active Directory database...
http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx

I hope that helps.

Ace

 

Sounds like you have done a great job, congratulations!

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

Congrats on cleaning it up. Please do post back your results.

Ace

 

Very good to hear!

It seems either the firewall strategy may have caused it, or not allowing
auto-bridge to do it's job connecting all sites.

Glad to hear it was resolved.

Ace