
I have a Windows 2012 R2 Read-Only Domain Controller in a remote site. Although I suppose everything is configured correctly, it keeps thinking that it is on a public network. I have checked the related question Domain Controller thinks its on a Public Network but it did not help me.

  • unplugged and reconnected the cable - no success
  • restarted NLA service - no success
  • disabled IPv6 (and restarted NLA again) - no success
  • tried IPCONFIG /RENEW - no success (the ip is fixed anyway)
  • rebooted - no success

There are two NICs physically, but one is deactivated. The other has a fixed address 10.0.50.3/24, gateway 10.0.50.1, ip connectivity to the main site is functional. The network 10.0.50.0/24 exists in AD Sites and Services (also when checking this from the RODC itself) and is assigned to the correct site.

Unless I learn yet another idea here, I am close to assuming that this is a design flaw of the concept of RODC and that I ought to promote (rather: reinstall the role) that box to a RWDC ...

Hagen von Eitzen
  • Can you ping the default gateway? Does it answer when pinged? – Massimo Sep 15 '15 at 11:58
  • Look at: http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx and http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx – iPath Sep 15 '15 at 16:32
  • @Massimo Yes, fine (after all the working connection to the hub site runs over it) – Hagen von Eitzen Sep 15 '15 at 19:46
  • @HagenvonEitzen this is not so obvious; some routers will happily route traffic but will not respond to ping requests; if this happens on the default gateway, Windows will have *lots* of troubles identifying which network it's connected to. – Massimo Sep 15 '15 at 19:48
  • @Massimo Agreed. Not responding to ping might be considered a security feature. (Which casts some doubts on making pingability a requirement; if I were responsible, I'd replace a ping test with an arp test) – Hagen von Eitzen Sep 15 '15 at 19:54

1 Answer


Running dcdiag revealed that there were problems with the MachineAccount test (all SNA records failed). Running dcdiag /fix fixed this (at least enough to almost instantly trigger correct network discovery as "domain" instead of "public").

Hagen von Eitzen
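The diagnosis path from the answer and the comment thread (check the NLA profile, confirm the default gateway answers, run the dcdiag MachineAccount test, and only then apply dcdiag /fix and re-run network detection) as an added PowerShell script; this is example code, not from the question or answer, and the $DomainName value is a placeholder assumption.

```powershell
# Added example (not from the original post): troubleshoot a DC whose NLA profile
# stays "Public". Run from an elevated PowerShell prompt on the DC itself.
# Assumption: $DomainName is a placeholder; substitute the AD DNS domain name.
param([string]$DomainName = 'example.local')

function Get-NlaState {
    # DomainAuthenticated is the expected category on a healthy DC
    Get-NetConnectionProfile |
        Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity
}

Write-Host "NLA profiles before any change:"
Get-NlaState | Format-Table -AutoSize

# Gateway check (per the comment thread: a gateway that routes but drops ICMP
# confuses NLA; a failure here points at the router, not at AD)
$gw = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
       Select-Object -First 1).NextHop
if (Test-Connection -ComputerName $gw -Count 2 -Quiet) {
    Write-Host "Default gateway $gw answers ICMP"
} else {
    Write-Warning "Default gateway $gw does not answer ICMP; NLA may misclassify the network"
}

# NLA classifies a network as domain by reaching a DC over LDAP (TCP 389)
$ldap = Test-NetConnection -ComputerName $DomainName -Port 389 -InformationLevel Quiet
Write-Host "LDAP reachable for ${DomainName}: $ldap"

# dcdiag prints "<DC> passed test MachineAccount" or "<DC> failed test MachineAccount"
$dcdiagOut = & dcdiag.exe /test:MachineAccount 2>&1 | Out-String
if ($dcdiagOut -match 'failed test MachineAccount') {
    Write-Warning "MachineAccount test failed; applying dcdiag /fix"
    Write-Host $dcdiagOut
    & dcdiag.exe /fix | Out-Null
    # Restart Network Location Awareness so it re-detects the network
    Restart-Service -Name NlaSvc -Force
    Start-Sleep -Seconds 10
    Write-Host "NLA profiles after dcdiag /fix:"
    Get-NlaState | Format-Table -AutoSize
} else {
    Write-Host "MachineAccount test passed; the cause lies elsewhere (gateway, DNS, firewall)"
}
```

If the profile is still Public after the fix, review the Microsoft-Windows-NetworkProfile/Operational event log for the reason NLA gave when it classified the interface.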