
I have a really strange scenario... We have a server within a DMZ, which uses an RODC (Read-Only Domain Controller) for user authentication. The users are in a trusted third domain, something like this:

DMZserver -> RODC -> InternalDC -> TrustedDC -> User

This is all to allow us to RDP/login to the DMZserver. It works currently for an older Windows 2008 R2 server, but when we attempt to use these new servers (set up basically identically: same network subnet, same firewall rules, validated communication with the RODC, etc.) it WILL NOT authenticate or communicate with the InternalDCs through the RODC.

I've looked at the replication and joined/rejoined the DMZServer to the internal domain several different times and ways. However, I continue to get a Netlogon issue; it won't connect to the RODC for DNS, time settings, login authentication, etc.

It's maddening, and I'm at a loss, so I'm hoping someone can give me some guidance or pointers on how I can gather some more information on this.

I have reviewed the question at "Windows Server 2012 R2 Standard located in our DMZ has problems with connection to RoDC".

However the solution presented there with the sitename does not solve my issue and has been tested multiple times.

Any help would be appreciated!

Falcones
  • In all the cases I've seen, it's because something wants a regular DC and something blocks the referral passed from the RODC. – Jim B Jan 22 '16 at 02:08
  • Also, for a test, add a brand new 2008 dc to your dmz, and see if the second 2k8 server will auth. – Jim B Jan 22 '16 at 02:10
  • A new piece of the puzzle was discovered late yesterday. I've validated that the DMZServer allows users from the InternalDC (internal domain) to login (provided they have rights when the DMZserver has the group or user added to local admin). So these users can login, but the DMZserver acts as though it's not connected to the domain at all through the RODC. – Falcones Jan 22 '16 at 16:29
  • I should point out this is a Windows 2012R2 DMZServer, with a Windows 2008 R2 RODC and domain environment. With the existing servers that are functional, they are all 2008 servers, that work fine with the RODC model. – Falcones Jan 22 '16 at 16:35
  • Is it solely for RDP authentication to have an RODC? – Jim B Jan 22 '16 at 17:26
  • No, the DMZserver is an application server that will function with web services. However we access it from a specialized/secured management RDP server. The weird part is that this exact setup works with 2008... we have a duplicate of the 2012 server working right along side it. – Falcones Jan 22 '16 at 22:34
  • Mostly out of curiosity, is that app supported with RODCs (I have yet to do one)? If another 2012 in the same subnet works, check the firewall rules and see if it has access to the site behind. – Jim B Jan 25 '16 at 07:29
  • So at this point we don't have another 2012 server joined in the same way as this server is. We have a functional 2008, but this was part of an overall application upgrade. The application is quite honestly irrelevant to the discussion; this seems to be entirely a Windows-based issue with domain communication through an RODC with Windows 2012 R2. – Falcones Jan 25 '16 at 16:59
  • "we have a duplicate of the 2012 server working right along side it." What did this mean then? If you do a network trace, are you seeing the referral to a RWDC? Is the computer added to the PWRP? – Jim B Jan 25 '16 at 21:13
  • I should have been more clear. We have a duplicate 2008 server (same application, same network, same firewall rules, same config) running alongside this same 2012 server. The 2012 server attempts to contact the RODC, then immediately moves on to the TrustedDCs (picks a series of them and reaches out to internal production networks). – Falcones Jan 26 '16 at 20:28
  • So it sounds like you are getting the referral to the site behind, failing, then getting the full DC list. Is the computer in the PWRP? – Jim B Jan 26 '16 at 22:29

1 Answer


So we seem to have discovered a workaround for the issue at hand. We pre-populated and replicated the account details and passwords from the internal read/write domain controller to our Read-Only Domain Controller (RODC) within the DMZ sites. Once we had replicated/cached the computer details over to the RODC, this allowed the computer accounts (Windows 2012 R2 servers) to communicate properly.

We are still investigating with Microsoft, but hopefully this will help others that may be having similar odd behaviours with RODC systems in DMZ designs.

Please let me know if you have further questions around this issue, and I'll be happy to provide additional information.

Falcones
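The workaround in the answer above, as an added PowerShell example that is not from the original post: it checks whether the DMZ server's computer account is covered by the RODC's Password Replication Policy (the "PWRP" asked about in the comments) and whether its secret is already cached on the RODC, and only then allows the account and pre-populates the password from a read/write DC. The names RODC01, RWDC01 and DMZSERVER01 are placeholders, and the script assumes the ActiveDirectory module on a host with rights over the internal domain.

```powershell
# Added example; placeholders: RODC01 (DMZ RODC), RWDC01 (internal RWDC),
# DMZSERVER01 (the Windows 2012 R2 computer account in the DMZ).
Import-Module ActiveDirectory

$rodc     = 'RODC01'
$rwdc     = 'RWDC01'
$computer = Get-ADComputer -Identity 'DMZSERVER01'

# Returns $true when the account is a direct entry of the PRP list or a
# (nested) member of a group listed there. PRP lists normally hold groups.
function Test-PrpMembership {
    param($Account, $Entries)
    foreach ($entry in $Entries) {
        if ($entry.objectClass -eq 'group') {
            $members = Get-ADGroupMember -Identity $entry.distinguishedName -Recursive
            if ($members | Where-Object { $_.SID -eq $Account.SID }) { return $true }
        } elseif ($entry.SID -eq $Account.SID) {
            return $true
        }
    }
    return $false
}

# 1. Allowed and denied lists of the RODC; a deny entry always wins.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
$isAllowed = Test-PrpMembership -Account $computer -Entries $allowed
$isDenied  = Test-PrpMembership -Account $computer -Entries $denied

# 2. Has the RODC actually cached this account's secret yet?
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$isCached = [bool]($revealed | Where-Object { $_.SID -eq $computer.SID })

"{0}: allowed={1} denied={2} cached={3}" -f $computer.Name, $isAllowed, $isDenied, $isCached

# 3. Apply the workaround only where it is safe to do so.
if ($isDenied) {
    Write-Warning "Account is on the RODC denied list; it will never be cached. Review the PRP first."
} else {
    if (-not $isAllowed) {
        # Add the single computer account rather than a broad group to keep the
        # set of secrets exposed on the DMZ RODC as small as possible.
        Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $computer
    }
    if (-not $isCached) {
        # Push only the secret from the RWDC to the RODC (same effect as
        # repadmin /rodcpwdrepl), so the RODC can service the account locally.
        Sync-ADObject -Object $computer -Source $rwdc -Destination $rodc -PasswordOnly
    }
}
```

Re-run the script afterwards: `cached=True` confirms the RODC now holds the secret, which is the state the answer reports as fixing the 2012 R2 servers.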