RODCs and non-Windows machines

SmitaCarneiro posted this 2 weeks ago

We have a large number of RODCs that are located in separate sites across the state. Windows machines don't have a problem, since they are site aware and connect to the DCs in their site. But we've noticed a problem with Macs and Linux boxes. If they try to connect to a specific DC on campus everything is fine, but when they try to connect to the domain name they can time out, since they don't know the difference between DCs and RODCs.

Is there something that can be configured in DNS for this? We don't use AD-integrated DNS, we use BlueCat.

Any pointers would be most welcome.

Smita Carneiro, GCWN
Active Directory Systems Engineer
IT Security and Policy
www.itap.purdue.edu

ZJORZ posted this 2 weeks ago

Only RWDCs that register the domain-wide records will register the domain FQDN record. RODCs do not register that.

You are talking about time outs. Are there firewalls in place between the sites with RODCs and the (central) site with RWDCs?

Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
E-Mail: jorge@xxxxxxxxxxxxxxxx
Tel.: +31-(0)6-26.26.62.80
(+++Sent from my mobile device +++)
(Apologies for any typos)


SmitaCarneiro posted this 5 days ago

Jorge,

Yes, there are firewalls at the sites. I don't manage those, but know they are pretty locked down.

Thanks,

Smita Carneiro, GCWN


ZJORZ posted this 5 days ago

If your clients are only allowed to access RODCs and not RWDCs, you will have issues with clients that use the domain FQDN. The domain FQDN points to all the RWDCs that have registered that record. RODCs by default do not register the domain FQDN, and you do not want to change that behavior either!


SmitaCarneiro posted this 5 days ago

Jorge,

The clients at our off-campus sites are allowed to access the RWDCs.

The issue I am seeing is this: on campus, where we have our RWDCs located, when I do an nslookup for the domain name, I get back the IP addresses of all the RWDCs as well as the RODCs.

When I looked at the IP space for this domain on BlueCat, I see all the LDAP, Kerberos, ... records for the RWDCs, and only A records for the RODCs.

According to this link:

https://msdn.microsoft.com/en-us/library/cc223809.aspx

I should see more than just A records for the RODCs.

So here is what I do not understand:

1: Why do I not see any records other than A for the RODCs?

2: Why, when I do an nslookup for the domain name from my main site, which only has RWDCs, do I get back all the RODCs too? I should get back only the RWDCs, but I am getting back both.

Something is not quite right, and I'm not quite sure what.

Thanks,

Smita Carneiro, GCWN


ZJORZ posted this 4 days ago

I do not know your configuration, so I cannot say why stuff is wrong. I just know the default behavior and how to change specific behavior as needed.

RODCs do not register the domain FQDN A DNS record. Only RWDCs do that. You will have to look at the GPO/registry settings applied to those RODCs to see if those have impacted their behavior.

Also look at: https://jorgequestforknowledge.wordpress.com/2011/09/11/service-srv-locator-records-registered-by-windows-domain-controllers/

Met vriendelijke groeten / Kind regards,
Jorge de Almeida Pinto
MVP Enterprise Mobility And Security | MCP/MCSE/MCITP
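The check the thread circles around, as an added example that is not part of the original posts: take what a non-site-aware client sees when it resolves the domain name (the domain FQDN A record), compare it against the writable DCs, and list every address in that record that does not belong to an RWDC. Everything below is constructed sample data under assumed names: the domain `example.edu`, two RWDCs `dc01`/`dc02` on campus, two RODCs `rodc-site1`/`rodc-site2` at remote sites, and the addresses shown. The inputs are shaped like `dig +short` output so a real run can paste in the answers from a Linux or Mac client at the affected site; the RWDC list is assumed to come from AD itself (for instance the output of `Get-ADDomainController -Filter 'IsReadOnly -eq $false'`), not from DNS, so the audit does not trust the very records it is checking.

```python
# Added example for this thread (not code from the original posts): audit the
# domain FQDN A record against the set of writable DCs, the way a Linux/Mac
# client that only resolves the domain name would see it.
#
# All names and addresses are constructed sample data (assumed domain
# "example.edu", two RWDCs on campus, two RODCs at remote sites). In a real
# run, paste in the output of `dig +short example.edu A`,
# `dig +short _ldap._tcp.dc._msdcs.example.edu SRV`, the per-host A lookups,
# and the RWDC list as reported by AD.
import ipaddress

DOMAIN = "example.edu"  # assumed domain name

# Constructed: what `dig +short example.edu A` returned on campus. The two
# 10.20/10.30 addresses are the RODCs, which should not be in this record.
DOMAIN_A_OUTPUT = """\
10.1.0.11
10.1.0.12
10.20.0.5
10.30.0.5
"""

# Constructed: `dig +short _ldap._tcp.dc._msdcs.example.edu SRV`
DC_SRV_OUTPUT = """\
0 100 389 dc01.example.edu.
0 100 389 dc02.example.edu.
"""

# Constructed: per-host A records as published in the zone.
HOST_A = {
    "dc01.example.edu": {"10.1.0.11"},
    "dc02.example.edu": {"10.1.0.12"},
    "rodc-site1.example.edu": {"10.20.0.5"},
    "rodc-site2.example.edu": {"10.30.0.5"},
}

# Constructed: the writable DCs as AD itself reports them (assumed input).
WRITABLE_DCS = {"dc01.example.edu", "dc02.example.edu"}


def parse_short_a(text):
    """Parse `dig +short <name> A` output (one address per line) into a set."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            addrs.add(str(ipaddress.ip_address(line)))  # rejects garbage lines
    return addrs


def parse_short_srv(text):
    """Parse `dig +short <name> SRV` output ('prio weight port target.')
    into the set of target host names, lower-cased and without the root dot."""
    targets = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            targets.add(parts[3].rstrip(".").lower())
    return targets


def audit_domain_record(domain_a, dc_srv_targets, host_a, writable_dcs):
    """Compare the domain FQDN A record with the writable DC set.

    unexpected_in_domain_a: addresses in the domain A record that belong to
        no writable DC (an RODC that registered the LdapIpAddress record, or
        a stale entry); a client that is not site aware may pick one of these.
    rwdc_missing_from_domain_a: writable DCs with no address in the record
        (their registration failed or was scrubbed).
    srv_targets_not_writable: hosts advertised under _ldap._tcp.dc._msdcs
        that AD does not list as writable; worth a second look.
    """
    rwdc_addrs = {}
    for host in writable_dcs:
        for ip in host_a.get(host, ()):
            rwdc_addrs[ip] = host
    unexpected = sorted(ip for ip in domain_a if ip not in rwdc_addrs)
    missing = sorted(h for h in writable_dcs
                     if not host_a.get(h, set()) & domain_a)
    odd_srv = sorted(h for h in dc_srv_targets if h not in writable_dcs)
    return {
        "unexpected_in_domain_a": unexpected,
        "rwdc_missing_from_domain_a": missing,
        "srv_targets_not_writable": odd_srv,
    }


def run_sample():
    """Run the audit over the constructed data above."""
    return audit_domain_record(
        parse_short_a(DOMAIN_A_OUTPUT),
        parse_short_srv(DC_SRV_OUTPUT),
        HOST_A,
        WRITABLE_DCS,
    )


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{DOMAIN} {key}: {value}")
```

On the constructed data the audit flags 10.20.0.5 and 10.30.0.5 as addresses in the domain A record that belong to no writable DC, which is exactly the symptom in the thread: a client that resolves only the domain name can land on one of those and stall behind the site firewall. Run the same audit from the remote site as well as from campus; if the two answers differ, the DNS view or split-horizon configuration is part of the story, not just the RODC registrations.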