We had an environment with multiple 2008 R2 DCs in our internal LAN and a 2008 R2 RODC in our DMZ.
We set up 2008 R2 servers in our DMZ and joined them to the domain using DJOIN.
Everything was working fine, but then we started to set up 2012 R2 servers in our DMZ. DJOIN successfully joins the 2012 R2 servers to the domain, but we cannot log on using any domain user on them. During logon it says "Other user" and then says "There are currently no logon servers available to service the logon request".
We have set up a 2012 R2 RODC in the DMZ but the problem still persists.
We found a temporary workaround to solve the issue, and that is to open communication from the new 2012 R2 servers to the primary domain controller in the internal network and then successfully log on as a domain user on the 2012 R2 server. After that the communication can be blocked again and other users can log on to the 2012 R2 server in the DMZ with their domain users.
We opened full access (TCP/IP) to the primary domain controller; it may work to open a few ports to any domain controller as well.
Since this temporary workaround is not a good solution, we want to find the cause why the 2012 R2 servers do not want to talk to any of the RODCs (one 2008 R2 and one 2012 R2) without first talking to a DC in the internal network.
Since the 2012 R2 servers cannot find the RODCs in the DMZ, I guess this is a DNS issue. But what has changed between 2008 R2 and 2012 R2? I have searched and talked to our consultants, but they have no clue what could be the cause.
Please help
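A diagnostic script that a practitioner would run on one of the DMZ 2012 R2 servers before and after the workaround, to see which DC the DC locator actually picks, whether the site-specific SRV records for the DMZ site point at the RODCs, and which RODC ports the DMZ firewall lets through. This is an added example, not code from the original post; the domain name corp.example.com, the site name DMZ and the RODC name rodc01.corp.example.com are placeholders and must be replaced with the real ones.

```powershell
# Added diagnostic example (not from the original post). The domain, site and
# RODC names below are assumptions; replace them with the real values.
param(
    [string]$Domain = 'corp.example.com',
    [string]$Site   = 'DMZ',
    [string]$Rodc   = 'rodc01.corp.example.com'
)

'== Site the DC locator believes this server is in =='
nltest /dsgetsite

'== DC the locator picks with a forced rediscovery (should be a DMZ RODC) =='
nltest /dsgetdc:$Domain /force

'== Same query, but asking specifically for a KDC (Kerberos logon) =='
nltest /dsgetdc:$Domain /kdc /force

'== Secure channel of this machine account (which DC it is bound to) =='
nltest /sc_query:$Domain

'== SRV records the locator queries: site-specific first, then domain-wide =='
$srvNames = @(
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
    "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain"
)
foreach ($name in $srvNames) {
    "-- $name"
    try {
        Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
            Where-Object QueryType -eq 'SRV' |
            Select-Object NameTarget, Port, Priority, Weight |
            Format-Table -AutoSize
    } catch {
        "   lookup failed: $($_.Exception.Message)"
    }
}

'== TCP ports commonly needed from a member server to its RODC =='
# 53 DNS, 88 Kerberos, 135 RPC endpoint mapper, 389 LDAP, 445 SMB (SYSVOL/Netlogon),
# 464 Kerberos password change, 636 LDAPS, 3268 Global Catalog (if the RODC is a GC)
foreach ($port in 53, 88, 135, 389, 445, 464, 636, 3268) {
    $r = Test-NetConnection -ComputerName $Rodc -Port $port -WarningAction SilentlyContinue
    '{0,-5} {1}' -f $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'blocked' })
}
```

Run it as an administrator on a DMZ server that still shows the "no logon servers available" error, and again on one that has already been through the workaround. The things to compare are the DC that nltest /dsgetdc returns (a DMZ RODC versus an internal DC), whether the site-specific SRV records for the DMZ site list the RODCs at all, and which ports the firewall actually lets through to the RODC; the nltest and Resolve-DnsName output can then be put side by side with the same commands run on one of the working 2008 R2 DMZ servers.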