NickGilbert-8326 asked DSPatrick commented

Directing workstations to Read Only DC

We have a guest VLAN that we're using to posture clients with Cisco ISE before allowing them on the production VLAN. We set up an RODC to allow the end user to authenticate on our domain and allow the posturing to begin. The RODC is in its own site in AD Sites and Services, with the guest VLAN subnets attached to that site. The issue we have is that the workstation is not using the RODC and I'm unable to authenticate (I get a password failure at login) when on the guest VLAN. DHCP for the guest VLAN is using the RODC as DNS server, which is working. Environment below:

4 RWDC VMs server 2019 - 2 in datacenter x, 2 in datacenter y
1 RODC VM server 2019 in datacenter x. DNS role installed. Read only GC
RODC and 2 RWDC on same subnet.

Diagnostics:
nslookup domain.local doesn't show RODC, only 4 RWDCs. Confirmed A and PTR record for RODC.
SRV records for RODC only found in _sites, not in _tcp for _msdcs dc and gc. Assuming that's normal based on this https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/c1987d42-1847-4cc9-acf7-aab2136...

This feels like a DNS issue, but I want to confirm that nslookup for the domain should show the RODC. Could the issue be the RWDC and RODC being on the same subnet? What am I missing?

Thanks for the help.

Tags: windows-server, windows-active-directory, windows-dhcp-dns
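A diagnostic script for the situation described in the question, added here and not part of the original post. It assumes placeholder names for the RODC and its site (the question gives only `domain.local`), that steps 1-3 run on the affected guest-VLAN workstation, and that steps 4-5 run where the RSAT ActiveDirectory module is installed with rights to read the RODC's password replication policy.

```powershell
# Placeholders: the RODC name and site name are assumed, not taken from the question.
$Domain    = 'domain.local'   # as written in the question
$RodcName  = 'RODC01'         # placeholder for the RODC hostname
$GuestSite = 'Guest-Site'     # placeholder for the RODC's site in AD Sites and Services

# 1. Which site does the DC Locator think this client is in? If this is not $GuestSite,
#    the client is steered to the RWDCs of whatever site its subnet maps to.
Write-Host "== Client site =="
nltest /dsgetsite

# 2. Force a fresh discovery (bypasses the DC cached while on the production VLAN)
#    and show which DC and site the locator selected.
Write-Host "== DC Locator result =="
nltest /dsgetdc:$Domain /force

# 3. By default an RODC registers only site-specific SRV records, so nslookup on the
#    bare domain name and the generic _ldap._tcp.dc._msdcs record will not list it.
#    The site-scoped record is the one a client in $GuestSite actually needs.
Write-Host "== Site-specific SRV records (RODC expected here) =="
Resolve-DnsName "_ldap._tcp.$GuestSite._sites.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight

Write-Host "== Generic SRV records (RODC expected to be absent) =="
Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.QueryType -eq 'SRV' } | Select-Object NameTarget

# 4. Confirm the guest VLAN subnets are bound to the RODC's site. A subnet bound to the
#    wrong site (or to none) sends the client to RWDCs even though DNS points at the RODC.
Import-Module ActiveDirectory
Write-Host "== Subnets bound to $GuestSite =="
Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -like "CN=$GuestSite,*" } | Select-Object Name, Site

# 5. A password failure at the RODC can mean it is not allowed to cache the user's or
#    computer's password and must chain the request to an RWDC, which the guest VLAN
#    may not be able to reach. Compare what the policy allows with what is cached.
Write-Host "== Password Replication Policy (allowed) =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed |
    Select-Object Name
Write-Host "== Accounts with passwords cached on the RODC =="
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
    Select-Object Name, ObjectClass
```

If step 2 returns an RWDC while step 1 reports the guest site, focus on steps 3 and 4; if the locator already returns the RODC, the password failure points at step 5.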

DSPatrick answered NickGilbert-8326 commented

Maybe something here.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/rodc-replicates-passwords-grant-incorrect-permissions

--please don't forget to upvote and Accept as answer if the reply is helpful--

Don't think that's the issue but thank you.

DSPatrick answered DSPatrick commented

Might check the security logs on both ends for clues.

Just checking if there's any progress or updates?