RODC local authentication not working when domain controller was down

Anonymous
2024-09-29T03:33:54+00:00

Hi,

There was a planned power outage at a site which hosted the domain controller. The other site has a read only domain controller.

When the domain controller went down, the computers at the remote site were unable to authenticate and log in.

I've added the read only domain controller role to the other site and don't understand why the local users were unable to authenticate.

I didn't have the inter-site data transfer. Was this the cause?

Tags: Windows for business | Windows Server | Directory services | Active Directory


Accepted answer
    Anonymous
    2024-09-30T02:56:06+00:00

    Hi Sin Ngo,

    Thank you for posting in the Microsoft Community Forums.

    Enable credential caching: If possible, you can enable credential caching on the RODC so that the RODC can still authenticate users when a writable domain controller is unavailable. Note, however, that this may increase security risks.

    Ensure data synchronization: Even though there is no data transfer between sites, it should be ensured that changes made on the writable domain controller are synchronized to the RODC as soon as possible. This may need to be done by other means (e.g., manual synchronization or use of third-party tools).

    Check network connectivity: Ensure that the network connection between the remote site and the RODC is stable and reliable.

    Check RODC configuration: Ensure that the RODC is configured correctly, especially as it relates to authentication.

    Consider an alternate solution: If the RODC is unable to meet the authentication requirements, consider using an alternate solution, such as a VPN connection to the site where the writable domain controller is located or using another authentication mechanism.

    Best regards

    Neuvi


1 additional answer

    Anonymous
    2025-01-02T12:59:01+00:00

    Hi Neuvi,

    Thanks for your input. I've created a group policy filtering only on the RODC for the cache credentials.

    I've added the users to the "Allowed RODC Password Replication Group". When I went to test it by prepopulating the password to the RODC, I get the error "account must first be added to the Allowed list for this read only domain controller". Let me know if you have any ideas on the cause.

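The checks a practitioner would run for the situation in this thread (scoping the RODC Password Replication Policy to the site's users and computers, then pre-populating and verifying the cache), as an added example that is not part of any post above. The RODC name RODC01, the writable DC name DC01 and the OU path are placeholders; the group "Allowed RODC Password Replication Group" is the built-in one the follow-up post refers to.

```powershell
# Added example, not from the thread. RODC01, DC01 and the OU are placeholders.
Import-Module ActiveDirectory

$rodc       = 'RODC01'
$writableDc = 'DC01'
$siteOu     = 'OU=RemoteSite,DC=example,DC=com'   # placeholder OU of the remote site

# 1. Show what the RODC may and may not cache. The Denied list takes precedence:
#    an account that is in a denied group (Administrators, Account Operators, etc.
#    are denied by default) is never cached even if it is also in the Allowed group.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# 2. A logon with the WAN down needs the workstation's own secret on the RODC as
#    well as the user's, so the site's computer accounts must be cacheable too.
$computers = Get-ADComputer -SearchBase $siteOu -Filter *
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $computers

# 3. Resolved deny set as seen on the RODC. If pre-population fails with "account
#    must first be added to the Allowed list", check that the account is not in
#    this list and that the group membership change has replicated to the RODC.
repadmin /prp view $rodc deny

# 4. Pre-populate the cache from the writable DC while the link is up, then list
#    what is actually cached so the result can be verified before the next outage.
foreach ($c in $computers) {
    repadmin /rodcpwdrepl $rodc $writableDc $c.DistinguishedName
}
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
```

Run the same pre-population loop over the site's user accounts once their membership in the Allowed group has replicated; accounts listed under -RevealedAccounts are the only ones the RODC can authenticate on its own.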