Authentication on Win2k8 R2 inter site

Discussion in 'Active Directory' started by atherus, Jan 13, 2010.



  1. How many DCs do you have?

    Do me a favor, and run the following, and post the results. Keep in mind,
    you must go into your _msdcs. and your testadservs.net zones properties,
    Zone transfers, and allow zone transfers for the commands to run. You can
    turn this off after you've completed the run

    c:\nslookup
    (hit enter and copy/paste results)

    While still in the command, then run:
    (hit enter and copy/paste results)

    Then run the following, please, and post the results.

    Note: the following scripts were obtained from
    Active Directory Sites and Subnets Scripting
    http://www.activxperts.com/activmonitor/windowsmanagement/scripts/activedirectory/sites



    Lists Active Directory sites.
    ==========
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strConfigurationNC = objRootDSE.Get("configurationNamingContext")

    strSitesContainer = "LDAP://cn=Sites," & strConfigurationNC
    Set objSitesContainer = GetObject(strSitesContainer)
    objSitesContainer.Filter = Array("site")

    For Each objSite In objSitesContainer
    WScript.Echo "Name: " & objSite.Name
    Next
    ==========


    List All Domain Controllers
    ==========
    Returns a list of all the domain controllers in the fabrikam.com domain.
    (Replace DC=fabrikam,DC=com below with your own domain's distinguished name.)

    Const ADS_SCOPE_SUBTREE = 2

    ' Open an ADO connection through the ADSI OLE DB provider
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    ' Every DC has an nTDSDSA (NTDS Settings) object under its server object
    ' in the Configuration partition, so searching for that class lists the DCs
    objCommand.CommandText = _
    "Select distinguishedName from " & _
    "'LDAP://cn=Configuration,DC=fabrikam,DC=com' " _
    & "where objectClass='nTDSDSA'"
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

    Set objRecordSet = objCommand.Execute
    objRecordSet.MoveFirst

    Do Until objRecordSet.EOF
    ' The DN has the form CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
    Wscript.Echo "Computer Name: " & _
    objRecordSet.Fields("distinguishedName").Value
    objRecordSet.MoveNext
    Loop
    ==========

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
    MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please
    contact Microsoft PSS directly. Please check http://support.microsoft.com
    for regional support phone numbers.
     
    Ace Fekay [MVP-DS, MCT], Jan 26, 2010
    #21


  2. Thanks for posting this information.

    The "[UnKnown]" is caused by no PTR record for the DNS servers' IP address
    in the reverse zone, or no reverse zone.

    Otherwise, it actually looks clean from reading through it. You do have
    numerous sites and the DCs and netlogon service is registering everything.
    If I am missing any, it is because of the large number of DCs and I may be
    missing one or two.

    It appears you have one domain called mydomain.local. Without me going
    through each and every DC to check in the output, are all DCs, GCs? In a
    single domain forest, it is recommended to make all DCs Global Catalogs.

    I assume on each DC that you have DNS set to point to itself as the first
    DNS address, and one of the DCs in its own Site as the second entry. No
    need to add additional DNS servers. If not, that is the recommended
    configuration.

    Which site has the RODC that is giving you problems?

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 26, 2010
    #22

  3. This is my third request for the inspection of the log file below. Look
    into it and see if you can find your clients within the site that is
    failing. This should be run on a dc that is authenticating your out of site
    clients. This is how I troubleshoot this issue. Before attempting anything
    else I would like to know the results contained within.

    start notepad.exe C:\WINDOWS\Debug\Netlogon.log



    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009

    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson [MVP-DS], Jan 27, 2010
    #23
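    Paul's step above is to open Netlogon.log and look for the clients that the DC
    could not place in a site. The following is an added example, not code from
    the thread or from either MVP: it pulls the NO_CLIENT_SITE entries out of a
    Netlogon.log and compares the client IPs against the subnet objects you believe
    are defined in AD Sites and Services. The log line layout, the sample lines and
    the subnet-to-site map are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the assumed Netlogon.log layout:
#   MM/DD HH:MM:SS [MISC] NO_CLIENT_SITE: <client name> <client IP>
SAMPLE_LOG = """\
01/27 08:15:02 [MISC] NO_CLIENT_SITE: WS-BRANCH01 10.20.5.17
01/27 08:15:09 [MISC] NO_CLIENT_SITE: WS-BRANCH02 10.20.5.44
01/27 08:16:11 [LOGON] SamLogon: Network logon of MYDOMAIN\\jdoe from WS-HQ07 Returns 0x0
01/27 08:17:30 [MISC] NO_CLIENT_SITE: LAPTOP-ROAM 192.168.77.9
01/27 08:18:01 [MISC] NO_CLIENT_SITE: WS-BRANCH01 10.20.5.17
"""

# Constructed stand-in for the subnet objects defined in AD Sites and Services.
SITE_SUBNETS = {
    "10.10.0.0/16": "HQ",
    "10.20.5.0/24": "Branch-North",
}

NO_SITE_RE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)")


def parse_no_client_site(log_text):
    """Return {client_name: ip} for every NO_CLIENT_SITE line (last IP seen wins)."""
    found = {}
    for line in log_text.splitlines():
        m = NO_SITE_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def classify(clients, site_subnets):
    """Split clients into two dicts of name -> (ip, site):
    covered:   IP lies in a subnet you have defined, so the DC that logged it is
               not seeing that subnet object (replication/site link problem);
    uncovered: IP matches no defined subnet, so a subnet object is missing."""
    nets = {ipaddress.ip_network(n): s for n, s in site_subnets.items()}
    covered, uncovered = {}, {}
    for name, ip in clients.items():
        addr = ipaddress.ip_address(ip)
        site = next((s for n, s in nets.items() if addr in n), None)
        (covered if site else uncovered)[name] = (ip, site)
    return covered, uncovered


def suggest_subnets(uncovered, prefix=24):
    """Collapse unmapped client IPs into candidate subnet objects to create."""
    nets = {str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
            for ip, _ in uncovered.values()}
    return sorted(nets)
```

    Run it against the DC that is authenticating the out-of-site clients; any subnet
    in the "covered" set that still produces NO_CLIENT_SITE entries points at the DC
    not having received the subnet or site link via replication.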
  4. Alright, let's run diagnostics on your domain.

    If you don't have the support tools installed, install them from your server
    install disk.
    d:\support\tools\setup.exe

    Run dcdiag, netdiag and repadmin in verbose mode.
    -> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
    -> netdiag.exe /v > c:\netdiag.log (On each dc)
    -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
    -> ntfrsutl ds your_dc_name > c:\sysvol.log
    -> dnslint /ad /s "ip address of your dc"

    **Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
    in the forest. If you have significant numbers of DC's this test could
    generate significant detail and take a long time. You also want to take into
    account slow links to dc's will also add to the testing time.

    If you download a gui script I wrote it should be simple to set and run
    (DCDiag and NetDiag). It also has the option to run individual tests without
    having to learn all the switch options. The details will be output in
    notepad text files that pop up automagically.

    The script is located on my website at
    http://www.pbbergs.com/windows/downloads.htm

    Just select both dcdiag and netdiag make sure verbose is set. (Leave the
    default settings for dcdiag as set when selected)

    When complete search for fail, error and warning messages.

    Description and download for dnslint
    http://support.microsoft.com/kb/321045

     
    Paul Bergson [MVP-DS], Jan 27, 2010
    #24



  5. Juien,

    You are saying you only have one domain, correct? If so, ALL domain
    controllers should be GCs, as I stated in my previous post.

    More info on this:
    "If a single domain forest, you can have all DCs a GC. If multiple domains,
    it is recommended for a GC to not be on the FSMO IM Role, unless you make
    all DCs GCs"
    http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx

    And run those tools for Paul to help with a diagnosis.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 27, 2010
    #25
  6. Good to hear you figured it out. However, curious, why wasn't a site link
    created between the two sites in the first place?

    Did you by chance also disable the ability to let AD (KCC and ISTG) allow to
    create automatic links?

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 27, 2010
    #26
  7. I'm not sure of what your rodc name is and I only see snips of the logs so
    I'm unclear if all these errors are related to your RODC. The DSA object
    could be worrisome, and I wonder whether the best thing might be to demote
    and promote your rodc.

    Is this an option? If so, then demote and once complete run another set of
    diagnostics and check to see if the errors have cleaned up. If not note
    these as opposed to before the demotion.

    As far as netDiag is concerned you can extract it from the 2003 support
    tools. I don't believe there are any issues with the 2003 tools for 2008
    but I'll see if I can find out. It won't hurt anything since it is a
    reporting tool. I just would like to know if the RODC has a trust
    established with the rest of your domain.

     
    Paul Bergson [MVP-DS], Jan 28, 2010
    #27

  8. I'm glad to hear things are working. As for pwd caching, I believe you have
    quite a few responses regarding this from earlier in the thread. Basically
    you set caching with the Password Replication Policy. Keep in mind, if a user
    wants to change his password, or has to change (due to password expiration),
    the client machine must still contact a writeable DC.

    Administering the Password Replication Policy:
    http://technet.microsoft.com/en-us/library/cc754646(WS.10).aspx

    Without my digging through the multiple postings in this thread (there are
    just too many), I'm providing a few links below to read up on.


    Password Replication Policy Administration, May 14, 2009 ... When you
    prepopulate the RODC password cache, you trigger the RODC to ... ... To
    prepopulate the password cache for an RODC by using Active ... ... make sure
    that the user in question is a member of Allowed RODC Password Replication
    Group (and is not a member - directly or indirectly - of the Denied RODC
    Password Replication Group... ... Right click on the RODC account in ADUC.
    Go to Policy replication tab and add the group or users which you want cached
    in RODC and give permission as Allow...
    http://technet.microsoft.com/en-us/library/cc753470(WS.10).aspx

    Password Replication PolicyMay 1, 2009, ... The Password Replication Policy
    acts as an access control list (ACL). It determines if an RODC should be
    permitted to cache a password. ...
    http://technet.microsoft.com/en-us/library/cc730883(WS.10).aspx

    Ask the Directory Services Team : Understanding “Read Only Domain ...Jan 18,
    2008 ... Another really cool feature is the “Prepopulate the password cache
    for an RODC” button. This button (pictured) allows an administrator to ...
    http://blogs.technet.com/askds/arch...ad-only-domain-controller-authentication.aspx

    Password Question On RODC7 posts - 3 authors - Last post: Dec 4, 2009
    As far as I know, there is not password cache in RODC. ... The RODC has the
    password cache for Bob. One day RODC requests Bob to change the ...
    http://social.technet.microsoft.com...e/thread/b70f29c0-28ae-45e4-9e7e-dd9a466d8791

    Credential Caching on a Windows Server 2008 RODC
    http://mcpmag.com/articles/2008/12/01/credential-caching-on-a-windows-server-2008-rodc.aspx

    RODC Filtered Attribute Set, Credential Caching, and the Authentication
    Process with an RODC
    http://technet.microsoft.com/en-us/library/cc753459(WS.10).aspx

    AD DS: Read-Only Domain Controllers, August 26, 2009, A read-only domain
    controller (RODC) is a new type of domain controller in the Windows Server®
    2008 operating system. With an RODC, organizations can easily deploy a
    domain controller in locations where physical security cannot be guaranteed.
    An RODC hosts read-only partitions of the Active Directory database...
    http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx

    I hope that helps.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 28, 2010
    #28
  9. Sounds like you have done a great job, congratulations!

     
    Paul Bergson [MVP-DS], Jan 28, 2010
    #29
  10. Congrats on cleaning it up. Please do post back your results.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 29, 2010
    #30
  11. Very good to hear!

    It seems either the firewall strategy may have caused it, or not allowing
    auto-bridge to do its job connecting all sites.

    Glad to hear it was resolved.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 29, 2010
    #31