LDAP requests getting addressed to RWDC, instead of RODC

emikroDE 21 Reputation points
2023-12-06T15:23:35.3333333+00:00

Hi.

Environment:

  • I got 2 RWDCs and 1 RODC
  • The RODC is on its own site and subnet
  • Specific subnets are associated with the RODC
    • Clients are in different subnets
  • Clients correctly address port 53 DNS to the RODC

Problem:

  • Network identification on clients doesn't work as expected -> Private instead of Domain
  • The clients should address their requests to the RODC
    • 'Netsh trace' while booting shows: Clients spamming UDP 389 CLDAP to RWDCs
      • not one single request to RODC
  • Our gateway (hardware-firewall) blocks UDP 389 from the site / subnet to the RWDCs - As intended

I tried several things now to fix that problem, among other things:

  • Editing SRV records (increased weight for the RODC on its site)
    • btw. the default is automatically added again to the changed ones
  • Added SRV record "_ldap _udp" for _dc _msdcs on the RODC site
  • Checked the site-configuration
  • more

Should the clients not address their authentication requests over the RODC to the RWDC?
I thought the SRV records may cause the problem, because all have default values (prio+weight). Either I made the settings wrong or there is another reason.

Could there be another DNS problem?

Thanks for help, MS Learn Community!


2 answers

  1. Thameur-BOURBITA 35,096 Reputation points
    2023-12-06T16:23:22.4566667+00:00

    Hi @emikroDE

    Please check if the user password is cached on the RODC. If it's not the case, the RODC will forward the user authentication request to the RWDC.

    You can get more details about authentication through RODC in this article: Understanding “Read Only Domain Controller” authentication


    Please don't forget to accept helpful answer


  2. Ian Xue 38,936 Reputation points Microsoft Vendor
    2023-12-07T09:09:16.7233333+00:00

    Hello,

    Regarding the authentication for RODC, you can refer to the discussion here: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/understanding-8220-read-only-domain-controller-8221/ba-p/395031. Whether the RODC can authenticate a user is decided by whether the user's password has been cached. You can check the password replication status in your environment following the document.

    To understand the traffic you captured during boot, UDP 389 to RWDC, you should understand the DC locator in AD first: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/how-domain-controllers-are-located. I think you should have an idea on this as you mentioned you have updated the SRV record in AD. The basic point is that the DC locator should always take site information in the first place. The locator process can be told clearly by the netsh trace you captured, filtering with the DNS protocol. You can tell which SRV is queried and responded to from the trace. And, please note that when you do the capture, try to clear the DNS cache first to ensure an entire flow of the locator.

    Best Regards,

    Ian Xue


    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

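To make the locator walk-through in the answer above concrete, the following diagnostic script is an added example (not posted in this thread and not Microsoft's own tooling). Run it on an affected client as an administrator; it assumes the DNS Client cmdlets are available, discovers the domain and site at run time, and uses `RODC01` as a placeholder for the RODC's host name.

```powershell
# Added diagnostic script; RODC01 is a placeholder for your RODC's host name.
param(
    [string]$Domain   = $env:USERDNSDOMAIN,
    [string]$RodcName = 'RODC01'
)

# 1. Which site does the client think it is in? An empty or wrong answer means
#    the subnet -> site mapping in AD Sites and Services does not match the client.
$site = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
Write-Host "Client site: $site"

# 2. The locator queries the site-specific SRV record first; the generic record
#    (no _sites) is only a fallback, so re-weighting it does not steer clients.
$siteRecord    = "_ldap._tcp.$site._sites.dc._msdcs.$Domain"
$genericRecord = "_ldap._tcp.dc._msdcs.$Domain"
foreach ($name in $siteRecord, $genericRecord) {
    Write-Host "`nSRV: $name"
    Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight, Port |
        Format-Table -AutoSize
}

# 3. Flush the resolver cache (as the answer advises) and force a fresh locator
#    run; the locator then CLDAP-pings (UDP 389) the DCs returned by DNS.
ipconfig /flushdns | Out-Null
$dc = nltest /dsgetdc:$Domain /force 2>&1
Write-Host "`nLocator result:"
$dc

# 4. Flag the two mismatches the question describes.
$siteTargets = Resolve-DnsName -Name $siteRecord -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }
if (-not ($siteTargets -match $RodcName)) {
    Write-Warning "No SRV record for site '$site' points at $RodcName; check the RODC's DNS registrations (nltest /dsregdns on the RODC)."
}
if (($dc -join ' ') -notmatch $RodcName) {
    Write-Warning "Locator chose a DC other than $RodcName; check that the client's subnet is mapped to site '$site'."
}
```

Correlate the script's output with the netsh trace: the SRV name the client actually queried shows whether it ever used the site-specific record, and the locator result shows which DC it settled on after the CLDAP pings.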
