1

I have successfully setup a Router on a Stick and have two subnets:

  1. 10.0/16
  2. 10.1/16

My Router's sub interfaces are set to 10.0.0.1 and 10.1.0.1, respectively.

My primary domain controller, running Windows Server 2008, is located at 10.0.0.3. My Read-Only domain controller, also running Win 2008, is located at 10.1.0.3.

Additionally, I have 3 workstations (Windows XP) on this lab network. 1 workstation is on the 10.0/16 network, and two of them are on the 10.1/16 network.

I also have two sites in this Active Directory forest, and the site is paired with the subnet and the domain controller. I have a Group for each site, and have different users added to different groups, and have ensured that the group assigned to the 10.1/16 network passwords are "allowed" to be cached by the RODC.

My Goal: To replicate the 10.1/16 site's users (and eventually, folders, files, etc...) to the Read-Only DC on 10.1.0.3, so that the RODC handles user authentication if the primary DC becomes unavailable.

I'm currently able to authenticate all workstations to the Primary Domain Controller without a problem. I have also verified that my 10.1/16 users' accounts have been cached on the RODC at 10.1.0.3.

However, when I unplug the Primary Domain Controller from the network, and then try to login to a workstation on the 10.1 network as a user that has never authenticated to that particular PC (but whose accounts ARE cached on the RODC), the login fails because the Domain is Not Available.

Obviously I haven't met my goal, and I'm trying to figure out why. Any leads or suggestions?

Community
  • 1
David W
  • 3,453
  • 5
  • 36
  • 62
  • I'm assuming that the clients need to be pointing to the RODC for DNS. Is that the case? – joeqwerty Oct 31 '12 at 16:38
  • 1
    10.1.0.3 (the RODC) is providing DHCP, but I don't have it providing DNS right now. 10.0.0.3 is providing DNS... maybe that's the problem. – David W Oct 31 '12 at 17:32

2 Answers2

6

In addition to what @joeqwerty says about DNS, you also need to cache the computer accounts on the RODC in addition to the user accounts.

Computers log in as well and will be unavailable to unless they are explicitly allowed to on an RODC.

MDMarra
  • 100,734
  • 32
  • 197
  • 329
  • Excellent point. I didn't architect our AD network, but this makes complete sense. I'll focus on getting this implemented and tested, and then come back to the RODC authentication / replication tests. – David W Oct 31 '12 at 18:00
5

In oder to locate the RODC the clients need to be using a DNS server that they can reach and that can resolve the SRV records for the domain. If the clients are using the down server for DNS then they're not going to be able to reach the DNS server and find those SRV records. You should set the RODC as primary DNS and the main office DC as secondary DNS on the RODC office clients.

joeqwerty
  • 109,901
  • 6
  • 81
  • 172