
RODC Replication Problem


17 replies to this topic

#1 TryllZ

TryllZ

  • Members
  • 13 posts

Posted 22 September 2016 - 04:33 AM

Hi all,

 

I have spent the last 2 weeks trying to figure out what the problem is and I am not able to find out.

 

But first I wanted to know the purpose of an RODC. This is what I understand: an RODC is supposed to reduce a branch's authentication traffic to the DC and authenticate locally, and this is also the case if the DC is down. Please correct me if I'm wrong.

 

Now this is the issue.

 

I have a DC server that has the DHCP service installed and has failover replication configured to an RODC server. I have an RODC that has the DHCP service installed and replicates from the DC server in case the DC's DHCP is down. I have clients that authenticate from the RODC when the Primary DNS IP for the clients is set to point to the RODC, and I have set the Alternate DNS IP for the clients to point to the DC in case the RODC is down. What happens is that if the DC is down the clients authenticate from the RODC, but when the RODC is down the clients DO NOT authenticate from the DC (I checked the Security event log for authentication on the RODC; a Kerberos ticket is issued). The same happens if I switch the clients' IPs to point to the DC rather than the RODC: the clients authenticate from the DC and not from the RODC if the DC fails. I have set the Password Replication Policy in the DC for the RODC.

 

What I want is for the clients to authenticate from the RODC and, if the RODC is down, then from the DC, but this does NOT happen. What happens is that the clients are able to log in but the network shows as Unknown Network.

 

I thought this had something to do with DNS, so I started fresh without DNS; it's the same issue. I feel I'm missing something: either my understanding is wrong or I'm missing some part on the clients' end.

I have set the RODC to point to the DC as Primary DNS and to itself as Alternate DNS (not loopback). I have tried the other way around as well; not working.

 

Could someone take the time to explain what it is that I'm not understanding or doing wrong?

 

Thank You


Edited by TryllZ, 22 September 2016 - 04:35 AM.



#2 sflatechguy

sflatechguy

  • BC Advisor
  • 2,179 posts
  • Gender:Male

Posted 25 September 2016 - 03:40 PM

There are special considerations when installing DHCP on an RODC, because an RODC is "read only" so it can't create the DHCP Admin and User groups when you install that role. You have to create the appropriate DHCP users and groups on a read-write DC, and then ensure they are replicated to the RODC before installing the DHCP role on the RODC.

 

You should also check your network settings to make sure branch office traffic can reach the network where the DCs are located.



#3 TryllZ

TryllZ
  • Topic Starter

  • Members
  • 13 posts

Posted 25 September 2016 - 08:13 PM

Hi,

 

Thanks for the reply.

 

I find that the clients are already replicated on the RODC. My question concerns the clients losing their domain network when the DC is down: how can I make them stay in the network with the PDC down? I thought that replicating scopes on the RODC would solve this problem, but for some reason it doesn't.

 

Thanks


Edited by TryllZ, 25 September 2016 - 08:14 PM.


#4 sflatechguy

sflatechguy

  • BC Advisor
  • 2,179 posts
  • Gender:Male

Posted 26 September 2016 - 07:15 PM

If you are confident DHCP is working properly on the RODC, check the clients to make sure the DNS entries are correct, and that the clients can contact your DNS servers. It sounds like a networking issue -- the clients can't find the DC and that is why they are not showing up as being on the domain.



#5 TryllZ

TryllZ
  • Topic Starter

  • Members
  • 13 posts

Posted 26 September 2016 - 08:06 PM

I found this out: the clients don't redirect to the alternate DNS IP (as set in their local network properties) at all. Not sure why, though; I'm looking into it.

 

What I did was set up the clients to point to the RODC DNS IP as primary DNS, with the PDC IP as the alternate, but when the RODC is down the clients don't remain in the domain.


Edited by TryllZ, 26 September 2016 - 08:13 PM.


#6 sflatechguy

sflatechguy

  • BC Advisor
  • 2,179 posts
  • Gender:Male

Posted 27 September 2016 - 02:50 PM

That sounds like a networking issue. Clients are losing their domain connection because they can't reach the DC. I don't know your exact setup; check your routers and make sure traffic from the branch office is reaching the network the DC is on.



#7 TryllZ

TryllZ
  • Topic Starter

  • Members
  • 13 posts

Posted 27 September 2016 - 08:26 PM

Hi again,

Just that my setup is not physical, it's virtual; it's in VMware. The clients lose connection as there is no DHCP to assign an IP to them, so they revert to automatic IP assignment by Windows DHCP. I'm looking at which way it's possible to keep the clients in the domain network. Sorry if I confused you.


Edited by TryllZ, 27 September 2016 - 09:43 PM.


#8 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,092 posts
  • Gender:Male
  • Location:Ohio

Posted 28 September 2016 - 08:29 AM

Does it work if you assign a static IP and DNS entries?

Chad Mockensturm 

Systems and Network Engineer

Certified CompTia Network +, A +


#9 TryllZ

TryllZ
  • Topic Starter

  • Members
  • 13 posts

Posted 28 September 2016 - 08:52 AM

I never used a static IP, and I did not configure any DNS for testing purposes in this case.

 

I'm still trying to figure out if DNS has anything to do in this.



#10 sflatechguy

sflatechguy

  • BC Advisor
  • 2,179 posts
  • Gender:Male

Posted 28 September 2016 - 10:02 AM

Using static IP addresses would help in determining why the clients can't connect to the DC. You need to ensure that the subnet that the DC is on, and the subnet the RODC and branch office clients are on, can communicate with each other. It sounds like a routing issue in your virtual environment.

In any event, the IP addresses for all DCs and RODCs should be static addresses.



#11 TryllZ

TryllZ
  • Topic Starter

  • Members
  • 13 posts

Posted 28 September 2016 - 10:14 AM

I have configured a static IP for both the DC and the RODC; I was talking about the clients being on dynamic IPs.



#12 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,092 posts
  • Gender:Male
  • Location:Ohio

Posted 28 September 2016 - 07:44 PM

We understand you're trying to get the dynamic IPs working. If, for example, your primary DC and your RODC are on different subnets/VLANs, you would need to add an IP helper address on the router for the second DHCP server; otherwise the computers won't be able to find the new DHCP server. On my hub-and-spoke network I have 5 satellite facilities with a primary DC at the main site and the secondary at a satellite office. All sites are connected to the primary office and the secondary office via site-to-site VPN using Cisco ASA 5505s. Each site has its own DHCP server, either an ASA 5505 or one of the two domain controllers. Each PC is assigned a DNS entry for both domain controllers. If either DC goes down the other takes over. Since each site has its own DHCP server, the computers always know where to get their IP address. If one site were to lose its DHCP server I could add:

dhcprelay server (primary DC IP address) outside

dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60

 

Now when the ASA receives a DHCP discover packet it will relay it to the primary DHCP server instead of dropping the packet and the computer not receiving an IP.


Edited by Sneakycyber, 28 September 2016 - 07:45 PM.

Chad Mockensturm 

Systems and Network Engineer

Certified CompTia Network +, A +
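The two symptoms discussed above (clients dropping to an automatic 169.254.x.x address when no DHCP server answers, and a failover partner that was expected to take over) can both be checked from PowerShell. The script below is an added example written for this thread; it is not code posted by anyone in it. The server names are assumed placeholders, and the server-side part needs the DhcpServer RSAT module and DHCP administrator rights.

```powershell
# Added example, not code from the thread.
#   1. On a client: does any DHCP-enabled adapter currently hold an APIPA
#      (169.254.x.x) address, i.e. did no DHCP server answer its DISCOVER?
#   2. From an admin workstation: which failover relationships and scopes does
#      each DHCP server report, and are they in the Normal state?
# Server names are assumed placeholders for the writable DC and the RODC.

$DhcpServers = @('DC01.corp.example', 'RODC01.corp.example')   # assumed names

function Test-ClientDhcpLease {
    # One object per IPv4 address on every DHCP-enabled adapter of this machine.
    Get-NetIPInterface -AddressFamily IPv4 -Dhcp Enabled | ForEach-Object {
        $addresses = Get-NetIPAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4 |
            Where-Object { $_.IPAddress -ne '127.0.0.1' }
        foreach ($a in $addresses) {
            [pscustomobject]@{
                Interface     = $a.InterfaceAlias
                IPAddress     = $a.IPAddress
                PrefixOrigin  = $a.PrefixOrigin              # 'Dhcp' for a real lease, 'WellKnown' for APIPA
                ApipaFallback = ($a.IPAddress -like '169.254.*')
            }
        }
    }
}

function Get-DhcpFailoverSummary {
    # Queries each server for its IPv4 failover relationships. A server that
    # does not answer is reported as unreachable rather than silently skipped.
    foreach ($srv in $DhcpServers) {
        try {
            $rels = @(Get-DhcpServerv4Failover -ComputerName $srv -ErrorAction Stop)
            if ($rels.Count -eq 0) {
                [pscustomobject]@{ Server = $srv; Relationship = '(none configured)'
                                   Partner = $null; Mode = $null; State = $null; Scopes = $null }
                continue
            }
            foreach ($r in $rels) {
                [pscustomobject]@{
                    Server       = $srv
                    Relationship = $r.Name
                    Partner      = $r.PartnerServer
                    Mode         = $r.Mode                   # LoadBalance or HotStandby
                    State        = $r.State                  # Normal is what you want to see
                    Scopes       = ($r.ScopeId -join ', ')   # scopes covered by this relationship
                }
            }
        } catch {
            [pscustomobject]@{ Server = $srv; Relationship = "(unreachable: $($_.Exception.Message))"
                               Partner = $null; Mode = $null; State = $null; Scopes = $null }
        }
    }
}

# Usage:
#   Test-ClientDhcpLease    | Format-Table -AutoSize     # run on a branch client
#   Get-DhcpFailoverSummary | Format-Table -AutoSize     # run where the RSAT module is installed
```

A client that shows `ApipaFallback = True` never received a lease, so it also cannot reach a DC and Network Location Awareness will label the connection an unknown network; that is the same symptom the topic starter describes. If the second function shows the relationship on only one server, or in a state other than Normal, the partner is not serving those scopes. Neither check can tell you whether a DHCP DISCOVER broadcast is being relayed across subnets; that is the router or ASA `dhcprelay` configuration quoted in the post above.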


#13 TryllZ

TryllZ
  • Topic Starter

  • Members
  • 13 posts

Posted 28 September 2016 - 08:54 PM

Thanks to everyone trying to help me out, appreciate your help.

 

Both the DC and RODC are on the same network in the virtual environment.

 

May I ask what DNS entries are being added to the clients?

 

And also, how did you manage to get both DCs to connect to the clients? The only way of connecting that I understand is through the local network properties' Primary and Alternate DNS IP addresses, which is where the problem occurs: the clients do not try the alternate DNS IP whatsoever.

 

Thank You Once Again.



#14 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,092 posts
  • Gender:Male
  • Location:Ohio

Posted 28 September 2016 - 09:47 PM

You need to add a secondary zone to your DNS; see Here. Also Here.

Edited by Sneakycyber, 28 September 2016 - 09:49 PM.

Chad Mockensturm 

Systems and Network Engineer

Certified CompTia Network +, A +
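The exchange above turns on two things: whether each DNS server a client is configured with can actually answer the domain controller locator query (the `_ldap._tcp.dc._msdcs` SRV record every domain member looks up), and whether the branch DNS server holds a copy of the zone at all, which is what the secondary zone suggestion is about. The following is an added example written for this thread, not code from any poster; the domain name and DC address are assumed placeholders, and the zone function needs the DnsServer module on the branch DNS server.

```powershell
# Added example, not code from the thread.
# Part 1 (run on a domain client): for EACH DNS server on the client's IPv4
# interfaces, check TCP/53 reachability and ask that server directly for the
# DC locator SRV record. This shows whether the alternate server could serve
# the client at all if the primary went away.
# Part 2 (run on the branch DNS server): create a file-backed secondary copy of
# the domain zone that pulls from the writable DC.

$Domain  = 'corp.example'                    # assumed AD DNS domain name
$Locator = "_ldap._tcp.dc._msdcs.$Domain"    # SRV record domain members query to find a DC

function Test-DcLocatorPerDnsServer {
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $_.ServerAddresses } |
        Select-Object -Unique

    foreach ($dns in $servers) {
        $tcp53 = (Test-NetConnection -ComputerName $dns -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded
        try {
            # -DnsOnly bypasses the local cache/hosts file; -Server forces this one server.
            $srv = Resolve-DnsName -Name $Locator -Type SRV -Server $dns -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' }
            $targets  = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            $answered = $true
        } catch {
            $targets  = $_.Exception.Message
            $answered = $false
        }
        [pscustomobject]@{
            DnsServer       = $dns
            Tcp53Reachable  = $tcp53
            LocatorAnswered = $answered
            DcTargets       = $targets          # which DCs this server would hand out
        }
    }
}

function Add-BranchSecondaryZone {
    # Secondary zone on the branch server, transferred from the writable DC.
    # The primary must permit zone transfers to this server first.
    param(
        [string]$ZoneName   = $Domain,
        [string]$MasterDcIp = '10.0.0.10'      # assumed address of the writable DC
    )
    Add-DnsServerSecondaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" -MasterServers $MasterDcIp
}

# Usage:
#   Test-DcLocatorPerDnsServer | Format-Table -AutoSize
#   nltest /dsgetdc:$Domain /force      # shows which DC the locator actually picked
#   Add-BranchSecondaryZone             # on the branch DNS server, after allowing transfers on the DC
```

Two points worth keeping in mind when reading the output. The Windows DNS client only moves to the alternate server when the primary does not respond; an answer of "no such record" from the primary is accepted as final, so an alternate server that is listed but never tried is expected behaviour while the primary is still up and reachable. And a DNS server that is reachable on port 53 but returns no SRV answer for the locator name simply does not host the zone, which is exactly the gap a secondary (or AD-integrated) copy of the zone on the branch server closes.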


#15 JohnnyJammer

JohnnyJammer

  • Members
  • 1,114 posts
  • Gender:Male
  • Location:QLD Australia

Posted 28 September 2016 - 10:04 PM

Ok, I have seen this happen before. Remove the NIC on the virtual server and re-add it, then give it the same IP, subnet and gateway, and see if they hold the connection then.

Also, I'm assuming VMware? And if so, what version, mate?
