RODC and DC less AD sites

  • Last Post 18 August 2016
ahobbs posted this 17 August 2016

Hey all

I have a few AD sites created without a DC.

I would like these AD sites to use a 2012 R2 RODC from another site however the SRV records registered for these DC less AD sites are a 2012 RWDC.

How can I force configure these sites to use the 2012 R2 RODC for authentication?

Thanks
A

bdesmond posted this 17 August 2016

It's based on site link costs and so forth in terms of the automation for the records being registered. There is a registry value called SiteCoverage that you can tweak to force a DC to cover some specific sites: https://technet.microsoft.com/en-us/library/cc937924.aspx.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

ZJORZ posted this 17 August 2016

Hi,

By default, RODCs do not perform site coverage, while RWDCs do.

For RODCs to perform site coverage you would need to turn that on at the RODC. Remember that RODCs do not register SRV records. RODCs always request an RWDC to register any SRV on behalf of the RODC. Why? RODCs are untrusted and RWDCs are trusted.

If your empty site is linked to the RWDC site and the RODC site, you would most likely also need to make sure the site link cost between the empty site and the RODC is cheaper (lower) than the site link cost between the empty site and the RWDC site.

Another question. Why can't you extend the RODC site to also have the subnets of the empty site included? That would also achieve the same goal.

Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
E-Mail: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx
Tel.: +31-(0)6-26.26.62.80
(+++Sent from my mobile device +++)
(Apologies for any typos)

ahobbs posted this 18 August 2016

Thanks for taking the time to respond! 
My scenario is covered in this blog entry
https://blogs.technet.microsoft.com/askpfeplat/2013/05/05/how-domain-controllers-are-located-across-trusts/
I need to create AD sites in the trusting forest that have the same name as the site in the trusted forest.
But I deployed a RODC instead of a RWDC. 
From what you're saying I need to enable autosite coverage on the RODC. Do you know how you do this as I googled and I couldn't find the article 🙁🙈
Thanks
A



ZJORZ posted this 18 August 2016

Remember that when working with trusts, RODCs cannot process the requests individually. The reason for this is that RODCs do not have the trust secret, and because of that they will always need to pass the request to a RWDC, which does have the trust secret (password).

To enable site coverage on an RODC, see if the default value is set to disabled.

Do not forget that all this does depend on your site link cost structure.

Met vriendelijke groet / Kind regards,


Jorge de Almeida Pinto




ahobbs posted this 18 August 2016

Thank you!
Regarding site links, do you mean I need to create site links between each empty site to RODC site and then assign a low cost value to it after enabling auto site coverage?



ZJORZ posted this 18 August 2016

This is how site coverage works, in the order listed:

• nearest site with RWDCs to the empty site

• when multiple sites exist with the same lowest site link cost, the site containing the most RWDCs is the one covering the empty site

• when multiple sites exist with the same lowest site link cost and also have the exact same number of RWDCs, then the alphabetical order of the objectGUID determines the leading site

Do you now understand the importance of the site link costs with regard to site coverage?

It is impossible for me to determine the impact of changing site links and/or their associated costs.

Met vriendelijke groet / Kind regards,


Jorge de Almeida Pinto
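
The three-step ordering listed in the post above, modelled as an added example (not code from the thread or from Microsoft) so a planned site-link change can be checked before it is made. It assumes site links are transitive, so costs add along a path, and that "alphabetical order of the objectGUID" means the lowest string sorts first; all site names, GUIDs and costs are constructed.

```python
import heapq

def link_costs(site_links, source):
    """Cheapest cumulative site-link cost from source to each reachable site."""
    graph = {}
    for a, b, cost in site_links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    best, queue = {source: 0}, [(0, source)]
    while queue:  # Dijkstra: costs add up along a chain of site links
        cost, site = heapq.heappop(queue)
        if cost > best[site]:
            continue
        for neighbour, link_cost in graph.get(site, []):
            total = cost + link_cost
            if total < best.get(neighbour, float("inf")):
                best[neighbour] = total
                heapq.heappush(queue, (total, neighbour))
    return best

def covering_site(empty_site, sites, site_links):
    """Site expected to cover empty_site, or None if no RWDC site is reachable."""
    costs = link_costs(site_links, empty_site)
    candidates = [
        # 1) lowest cost, 2) most RWDCs, 3) objectGUID string order (assumed ascending)
        (costs[name], -info["rwdcs"], info["guid"].lower(), name)
        for name, info in sites.items()
        if name != empty_site and info["rwdcs"] > 0 and name in costs
    ]
    return min(candidates)[3] if candidates else None

# Constructed topology: the RODC-only site is the cheapest neighbour, but it
# holds no RWDC, so under the default behaviour it is never a candidate.
SITES = {
    "Branch-Empty": {"rwdcs": 0, "guid": "7a10e5d2-0000-4000-8000-000000000000"},
    "Edge-RODC":    {"rwdcs": 0, "guid": "9b44c0aa-0000-4000-8000-000000000003"},
    "HQ":           {"rwdcs": 2, "guid": "3f2b8c1e-0000-4000-8000-000000000001"},
    "DR":           {"rwdcs": 2, "guid": "1c9d4a7b-0000-4000-8000-000000000002"},
}
LINKS = [
    ("Branch-Empty", "HQ", 100),
    ("Branch-Empty", "DR", 100),
    ("Branch-Empty", "Edge-RODC", 50),
]

if __name__ == "__main__":
    print(covering_site("Branch-Empty", SITES, LINKS))
```

With the sample data, HQ and DR tie on cost and RWDC count, so the GUID ordering decides, and the cheaper Edge-RODC link has no effect on the result.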


