Tuesday, 22 January 2013

Active Directory - Problems with users at sites that have a Read Only Domain Controller

If you have problems with users at a Branch Office site that has a Read Only Domain Controller (RODC), such as no network drives, failed logons or no access to resources, then you may have a problem with replicating computer account passwords to the RODC.

Branch Office DC


I had been having issues with a Branch Site where users were stating that they could not access resources on the network, logins failed and generally it was hit and miss for them whether they could access resources. I started by looking at the Domain Controller at the site, which was a Windows 2008 R2 RODC. In the event logs I found Event ID 5805 (NETLOGON): the computer account was failing to authenticate in the domain. The most likely cause was that the computer account password had not been replicated to the RODC, so the authentication attempt failed.

Client PC


Back on the Client PC I was getting Event ID 5721 (NETLOGON): the computer account failed to set up a session to the domain controller because no computer account could be found in the domain. I knew there was a computer account in the domain, so this made me think: is it the Read Only aspect that is the issue here?

Client PC


On the Client PC again I had further event log errors that suggested authentication problems with the Domain Controller so I started to look at fixing these errors.

Read Only Domain Controllers and Replication of Passwords


Well, it turns out that if you have an RODC then you need to allow replication of the computer account passwords from the writable Domain Controller to the Read Only Domain Controller, and this is explained in this TechNet article here.

What you need to do is create a Domain Local Security Group on your writable Domain Controller and then add the computer accounts for the RODC site to this group.

Security Group


Here you can see I have created a Domain Local Security Group called RODC and I have added to it the Computer Accounts for the workstations in my RODC Site. What I will do now is nest this group into a built-in Domain Group that allows replication of account passwords to an RODC.

Allowed RODC Password Replication Group


In Active Directory there is a Security Group called Allowed RODC Password Replication Group. Members of this group are specifically permitted to have their account passwords replicated to an RODC and cached on that DC. In reality this makes the RODC not Read Only for those account passwords, but it makes sure that when you join a computer to the domain the password assigned to the computer account is replicated to the RODC. Membership is evaluated through nesting, so be deliberate about what ends up in this group; the Denied RODC Password Replication Group takes precedence and keeps privileged accounts from being cached on the RODC.

Nest Groups


Now that we have all our RODC Site computers in the Security Group RODC, we nest this group in the Allowed RODC Password Replication Group; this allows the permissions of that group to be inherited by all the computer accounts in our RODC group.


Once this is done you can use the command prompt to force replication of the Computer Account Passwords to the RODC Site. This is explained in the TechNet article but consists of the following (the distinguished name is a single argument, so it must not contain spaces after the commas).

repadmin /rodcpwdrepl RODCName RWDCNAME CN=ComputerAccount,CN=Computers,DC=Domain,DC=com

When this completes, the Computer Account password for the workstation in the RODC Site has been replicated, and when you start the computer you no longer have authentication issues with the RODC.
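The whole procedure above, scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original post. The RODC name BRANCH-RODC01, the writable DC HQ-DC01 and the OU holding the branch workstations are assumed placeholders; the group name RODC is the one used in the post.

```powershell
# Added example (not from the original post): script the RODC password replication setup.
# Assumed names: RODC 'BRANCH-RODC01', writable DC 'HQ-DC01', branch PCs in the OU below.
Import-Module ActiveDirectory

$rodc      = 'BRANCH-RODC01'                              # assumed RODC name
$rwdc      = 'HQ-DC01'                                    # assumed writable DC (replication source)
$branchOU  = 'OU=Branch Workstations,DC=Domain,DC=com'   # assumed OU holding the branch PCs
$groupName = 'RODC'                                       # the Domain Local group from the post

# 1. Create the Domain Local security group (skipped if it already exists).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
        -Description 'Branch workstations whose account passwords may be cached on the RODC'
}

# 2. Add the branch workstation computer accounts to the group.
$branchPCs = Get-ADComputer -Filter * -SearchBase $branchOU
Add-ADGroupMember -Identity $groupName -Members $branchPCs

# 3. Nest the group in the built-in Allowed RODC Password Replication Group.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $groupName

# 4. Pre-populate each workstation's password on the RODC (same command as in the post).
#    The DN is passed as one argument, with no spaces after the commas.
foreach ($pc in $branchPCs) {
    repadmin /rodcpwdrepl $rodc $rwdc $pc.DistinguishedName
}

# 5. Verify: list which branch PCs now have their secrets cached on the RODC, and flag
#    any that are also (through nesting) in the Denied group, since Denied takes precedence.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$denied   = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive |
            Select-Object -ExpandProperty DistinguishedName
foreach ($pc in $branchPCs) {
    $cached  = $revealed.DistinguishedName -contains $pc.DistinguishedName
    $blocked = $denied -contains $pc.DistinguishedName
    '{0,-20} cached={1,-5} denied={2}' -f $pc.Name, $cached, $blocked
}
```

Run it from a writable DC (or a management host with RSAT) as an account that can manage both groups; any PC that reports denied=True will never be cached no matter what the Allowed group says.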