Directing workstations to Read Only DC

Nick Gilbert 1 Reputation point
2021-11-04T15:17:32.353+00:00

We have a guest VLAN that we're using to posture clients with Cisco ISE before allowing them on the production VLAN. We set up an RODC to allow the end user to authenticate on our domain and allow the posturing to begin. The RODC is in its own site in AD Sites and Services, with the guest VLAN subnets attached to that site. The issue we have is that the workstation is not using the RODC and I'm unable to authenticate (I get a password failure at login) when on the guest VLAN. DHCP for the guest VLAN is using the RODC as DNS server, which is working. Environment below:

4 RWDC VMs, Server 2019: 2 in datacenter x, 2 in datacenter y
1 RODC VM, Server 2019, in datacenter x. DNS role installed. Read-only GC.
RODC and 2 RWDCs on the same subnet.

Diagnostics:
nslookup domain.local doesn't show the RODC, only the 4 RWDCs. Confirmed A and PTR records for the RODC.
SRV records for the RODC are only found in _sites, not in _tcp for _msdcs dc and gc. Assuming that's normal based on this: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/c1987d42-1847-4cc9-acf7-aab2136...

This feels like a DNS issue, but I want to confirm whether an nslookup for the domain should show the RODC. Could the issue be the RWDCs and RODC being on the same subnet? What am I missing?

Thanks for the help.

Tags: Windows Server, Active Directory, Windows DHCP
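Editor's added example (not part of the original question, and not code the poster ran). The post is really asking two things: which DC the guest-VLAN client's DC locator picks, and why the RODC is absent from the generic records. The second part is expected behaviour: an RODC registers only the site-specific SRV records under `_sites.<site>` and does not register the domain-wide A record or the generic `_tcp.dc._msdcs` records, so `nslookup domain.local` returning only the RWDCs is normal. The script below walks the locator, the site-specific DNS records and the RODC's Password Replication Policy from both ends. `domain.local` comes from the post; the site name `Guest-Site`, the RODC name `RODC01` and the `$ClientIp` default are assumptions and must be replaced. Client checks run from a workstation on the guest VLAN; the `Get-AD*` checks need the ActiveDirectory RSAT module and a domain account that can read the PRP.

```powershell
# Added diagnostic script for the RODC / DC-locator problem described above.
# Save as Test-RodcLocator.ps1 and run with -Domain/-GuestSite/-Rodc for your environment.
param(
    [string]$Domain    = 'domain.local',   # from the post
    [string]$GuestSite = 'Guest-Site',     # ASSUMPTION: AD site that holds the guest subnets
    [string]$Rodc      = 'RODC01',         # ASSUMPTION: RODC hostname
    [string]$ClientIp  = ''                # blank = use this host's first non-APIPA IPv4 address
)

if (-not $ClientIp) {
    $ClientIp = (Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |
        Select-Object -First 1).IPAddress
}

# 1. DC locator view from the client: which site Netlogon puts this host in, which DC it
#    chose, and which DCs it knows for the guest site. /force bypasses the cached DC.
"== Locator (client side) =="
nltest /dsgetsite
nltest "/dsgetdc:$Domain" /force
nltest "/dsgetdc:$Domain" "/site:$GuestSite" /force
nltest "/dsaddresstosite:$ClientIp"       # subnet -> site mapping as Netlogon resolves it

# 2. DNS: generic versus site-specific records. The RODC is expected ONLY under _sites.<site>;
#    if it is missing there, the client can never locate it, whatever the site mapping says.
$generic  = "_ldap._tcp.dc._msdcs.$Domain"
$siteLdap = "_ldap._tcp.$GuestSite._sites.dc._msdcs.$Domain"
$siteKrb  = "_kerberos._tcp.$GuestSite._sites.$Domain"
foreach ($name in $generic, $siteLdap, $siteKrb) {
    "`n== $name (queried against $Rodc) =="
    Resolve-DnsName -Name $name -Type SRV -Server $Rodc -ErrorAction SilentlyContinue |
        Select-Object Name, NameTarget, Port, Priority, Weight
}

# 3. Topology and PRP from AD. A password failure at logon through an RODC usually means one of:
#    - the account is not cacheable and the RODC cannot chain the request to an RWDC, or
#    - the client never reached the RODC and is hitting an RWDC it cannot route to.
Import-Module ActiveDirectory
"`n== Domain controllers =="
Get-ADDomainController -Filter * |
    Select-Object Name, IsReadOnly, IsGlobalCatalog, Site, IPv4Address | Format-Table -AutoSize
"`n== Subnet -> site =="
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Format-Table -AutoSize
"`n== PRP allowed / denied on $Rodc =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name
"`n== Accounts the RODC has cached, and accounts that have authenticated through it =="
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts      | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts | Select-Object Name
```

Reading the output: `nltest /dsgetsite` and `/dsaddresstosite` should both name the guest site; if they name the datacenter site, the guest subnets are not attached to the site the RODC lives in. If the site-specific SRV queries return the RWDCs but not the RODC, check the RODC's Netlogon registration rather than the client. If the RODC is found but the logon still fails and the account appears in neither the allowed list nor the revealed list, the RODC is chaining the request to an RWDC; run `nltest /sc_query:domain.local` on the RODC to confirm its secure channel partner is reachable from the guest VLAN's routing.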

2 answers

  1. Dave Patrick 426.1K Reputation points MVP
    2021-11-04T15:28:31.61+00:00

    Maybe something here.
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/rodc-replicates-passwords-grant-incorrect-permissions

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Dave Patrick 426.1K Reputation points MVP
    2021-11-04T17:15:31.677+00:00

    Might check the security logs on both ends for clues.

    --please don't forget to upvote and Accept as answer if the reply is helpful--
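Editor's added example of the check this answer suggests (not the answerer's own code). It pulls the authentication events relevant to an RODC logon failure from both the RODC and the RWDC it forwards to, filtered to one user and a recent window, and then lists Netlogon events from the RODC's System log, which show whether the RODC could reach a writable DC at all. The names `RODC01`, `DC01` and `jdoe` are assumptions; it needs remote event log access (Event Log Readers or equivalent) on both DCs.

```powershell
# Added script: compare logon-failure evidence on the RODC and on the RWDC it chains to.
param(
    [string]$Rodc  = 'RODC01',   # ASSUMPTION: RODC hostname
    [string]$Rwdc  = 'DC01',     # ASSUMPTION: one of the RWDCs in the same datacenter
    [string]$User  = 'jdoe',     # ASSUMPTION: account that fails to log on from the guest VLAN
    [int]   $Hours = 2
)
$since = (Get-Date).AddHours(-$Hours)

# Security log IDs worth correlating:
#   4625 logon failure, 4771 Kerberos pre-auth failure (0x18 = wrong password),
#   4776 NTLM credential validation, 4768/4769 TGT/TGS issued (i.e. success).
# Seeing 4771/4768 for the user only on the RWDC means the RODC was never used.
$ids = 4625, 4768, 4769, 4771, 4776
function Get-AuthEvents {
    param([string]$Computer)
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = $ids
        StartTime = $since
    } | Where-Object { $_.Message -match [regex]::Escape($User) } |
        Select-Object @{n='DC';e={ $Computer }}, TimeCreated, Id,
                      @{n='Summary';e={ ($_.Message -split "`n")[0].Trim() }}
}

"== Security events for $User since $since =="
(Get-AuthEvents $Rodc) + (Get-AuthEvents $Rwdc) |
    Sort-Object TimeCreated | Format-Table -AutoSize -Wrap

# System log on the RODC: Netlogon events (e.g. 5719 'not able to set up a secure session')
# indicate the RODC could not reach an RWDC to forward a request for a non-cached account.
"`n== Netlogon events on $Rodc =="
Get-WinEvent -ComputerName $Rodc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    StartTime    = $since
} | Select-Object TimeCreated, Id, @{n='Summary';e={ ($_.Message -split "`n")[0].Trim() }} |
    Format-Table -AutoSize -Wrap
```

If the failing logon shows up as 4771 with result code 0x18 on the RODC, the password really was rejected there (cached secret out of date, or the chained RWDC rejected it); if nothing for the user appears on the RODC at all, the client never authenticated against it and the problem is DC location, not the RODC.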