We have a guest VLAN that we're using to posture clients with Cisco ISE before allowing them on the production VLAN. We set up an RODC to allow the end user to authenticate on our domain and allow the posturing to begin. The RODC is in its own site in AD Sites and Services, with the guest VLAN subnets attached to that site. The issue we have is that the workstation is not using the RODC, and I'm unable to authenticate (I get a password failure at login) when on the guest VLAN. DHCP for the guest VLAN is handing out the RODC as the DNS server, which is working. Environment below:
4 RWDC VMs server 2019 - 2 in datacenter x, 2 in datacenter y
1 RODC VM server 2019 in datacenter x. DNS role installed. Read only GC
RODC and 2 RWDC on same subnet.
Diagnostics:
nslookup domain.local doesn't show the RODC, only the 4 RWDCs. Confirmed A and PTR records for the RODC.
SRV records for RODC only found in _sites, not in _tcp for _msdcs dc and gc. Assuming that's normal based on this https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/c1987d42-1847-4cc9-acf7-aab2136...
This feels like a DNS issue, but I want to confirm whether nslookup for the domain should show the RODC. Could the issue be the RWDC and RODC being on the same subnet? What am I missing?
Thanks for the help.
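The following diagnostic script is an added example, not code from the original thread or from Microsoft. It is meant to be run from a workstation on the guest VLAN and walks the same DC locator path the question describes: which AD site the client resolves to, which DC the locator actually returns, which SRV records exist in the site-specific (_sites) branch versus the domain-wide _tcp.dc._msdcs branch, and finally the RODC's Password Replication Policy, because an RODC only completes a logon locally for accounts whose secrets it is allowed to cache and forwards everything else to a writable DC. The domain name domain.local is taken from the question; the RODC name RODC01 and the site name Guest-Site are placeholders. The last step requires the ActiveDirectory RSAT module.

```powershell
# Added diagnostic example (not from the original post). Assumes the domain
# domain.local from the question; RODC01 and Guest-Site are placeholder names
# and must be replaced with the real RODC hostname and AD site name.
$Domain   = 'domain.local'
$RodcName = 'RODC01'
$Site     = 'Guest-Site'

# 1. Which site does the DC locator think this client is in? If the guest VLAN
#    subnet is not mapped to the RODC's site, the client will not prefer the RODC
#    regardless of which DNS server DHCP hands out.
Write-Host '== Client site (nltest /dsgetsite)'
nltest /dsgetsite

# 2. Which DC does the locator return for the domain, and which for the RODC's
#    site? /force bypasses the result cached from the last discovery.
Write-Host "== Locator result for $Domain"
nltest "/dsgetdc:$Domain" /force
Write-Host "== Locator result for $Domain restricted to site $Site"
nltest "/dsgetdc:$Domain" "/site:$Site" /force

# 3. SRV records. An RODC registers site-specific records under the _sites
#    branch and does not register the domain-wide _tcp.dc._msdcs records, so
#    the RODC appearing only under _sites is consistent with RODC registration.
#    The fourth name is the domain-wide record, included for comparison.
$records = @(
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
    "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain",
    "_ldap._tcp.$Site._sites.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain"
)
foreach ($name in $records) {
    Write-Host "== SRV $name"
    Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority, Weight |
        Format-Table -AutoSize
}

# 4. Which DC the workstation's secure channel is currently bound to.
Write-Host "== Secure channel for $Domain"
nltest "/sc_query:$Domain"

# 5. Password Replication Policy on the RODC. Accounts not in the Allowed list
#    (or denied) are never cached; for them the RODC forwards the authentication
#    to a writable DC, so the guest VLAN must also be able to reach an RWDC or
#    the logon fails. -RevealedAccounts lists what the RODC has actually cached.
Import-Module ActiveDirectory
Write-Host "== PRP Allowed list on $RodcName"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed |
    Select-Object Name, ObjectClass | Format-Table -AutoSize
Write-Host "== Accounts whose secrets $RodcName currently holds"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
    Select-Object Name, ObjectClass | Format-Table -AutoSize
```

Read the output in order: if step 1 does not print the RODC's site, the subnet-to-site mapping is the first thing to fix; if step 2 returns the RODC only when /site is forced, the client is being placed in another site; if step 5 shows the user or the workstation account missing from the Allowed list and from the revealed accounts, the RODC is forwarding that logon to an RWDC and the password failure depends on whether the guest VLAN can reach one.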
Maybe something here.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/rodc-replicates-passwords-grant-incorrect-permissions
--please don't forget to upvote and Accept as answer if the reply is helpful--
Might check the security logs on both ends for clues.
--please don't forget to upvote and Accept as answer if the reply is helpful--