RESET Forums (homeservershow.com)

RODC Failure



Hi all,




I am going absolutely crazy trying to configure an RODC that will authenticate the clients after credential caching has been done, so that the authentication is done on the RODC.


This is what I am doing; can someone please tell me what I'm doing wrong.


1. I configure the clients to get an IP from the DC DHCP and join the clients to the DC. (TESTED AND WORKING)

2. Then I configure the RODC on the DC for Password Retention Policy and set up the RODC Server as a new Server VM. (TESTED AND WORKING, IMAGES ATTACHED)

3. Then I change the RODC primary DNS IP to itself and the alternate DNS to the DC IP (AS MENTIONED ON MICROSOFT WEBSITE).

4. Then I point the clients to use the RODC as the primary DNS IP and the DC as the alternate DNS IP (this only works until the clients are rebooted; once the clients are rebooted they lose the IP assigned by the DC DHCP, and after that, even if I reconnect the clients to the domain from the start, they are not issued an IP by the DHCP until the DHCP is restarted).

5. Then I turn off the DC and test the clients authenticating against the RODC: the clients log in, but then the network is shown as Unknown and not Domain Network. At this point I have checked that the clients' IP is something other than what the DHCP has given them; it is probably because of changing the primary DNS of the clients to the RODC IP.


As you can see in the attachments, the W10, W8 and W7 computers and the MAdmin, M1 and M2 clients are allowed in the Password Retention Policy, yet the authentication happens only at the DC. Am I missing some step?


Could someone kindly let me know where I am going wrong.


Thank You Very Much





Edited by TryllZ

Did you promote RODC to the primary DC or global catalog?


Also, what are you trying to do, exactly?



Thanks for the reply.


Yes, I have promoted the RODC as a Primary DC, and it is also the Global Catalog by default when promoting; I never unchecked that option.


This is what I'm trying to do: I'm trying to get the clients to authenticate at the RODC after having the Password Replication Policy and password caching set. Everything works fine as long as the clients' primary DNS IP points to the PDC and NOT the RODC. Even when I have the PDC and RODC both working, the clients authenticate only through the PDC and never through the RODC. I found this through the Event Viewer on both the PDC and the RODC: when the clients are able to authenticate through the PDC there is a logon event, but when the PDC is off there is no event on the RODC (to test that the clients authenticate at the RODC I disable the network of the PDC). The clients can log in to their PCs, but the network shows as Unknown Private Network.


I'm not able to understand what is wrong here. I have done the replication through Sites on both the PDC and the RODC as well, and there is no error there either.



Edited by TryllZ

I have managed to find that Zone Transfers were incorrect, and after fixing that I can see Logon events on both the DC and the RODC; however, with the DC down, the authentication still does not happen at the RODC.

Edited by TryllZ

  • 3 weeks later...

From what I recall, you need at least one writeable domain controller online along with the RODC. The reason is that a write may be needed should a logging-in user's password have expired and they need to change it. Without a writeable DC that is not possible, so the user will never get logged in. The RODC is used purely as a cache for the main AD; yes, it can authenticate users as well, but it also needs access to a writeable DC somewhere.

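The checks below are an added example and are not code from the original post or from any reply in the thread. They gather in one place the things the thread turns on: whether the accounts on the RODC's Password Replication Policy are actually cached on the RODC (being on the Allowed list only permits caching; the secret is stored there on the first logon that goes through the RODC, or when it is pre-populated), which domain controller the client locator actually returns to the workstation, and whether the RODC's DNS SRV records and site/subnet mapping let clients find it. The names corp.example, RODC1, DC1, M1 and W10 are placeholders assumed for the example; replace them with your own.

```powershell
# Added example (not from the original post). Assumed placeholder names:
#   domain corp.example, RODC "RODC1", writable hub DC "DC1", user "M1", workstation "W10".
# The first part runs on a writable DC (or a machine with RSAT) with the
# ActiveDirectory module; the last part runs on a client workstation.

Import-Module ActiveDirectory

$Domain = 'corp.example'
$Rodc   = 'RODC1'
$HubDc  = 'DC1'
$User   = 'M1'
$Pc     = 'W10'

# --- On the writable DC: verify the RODC, its PRP, and what is really cached ---

# 1. Confirm the target really is an RODC, whether it is a GC, and which site it is in.
$RodcObj = Get-ADDomainController -Identity $Rodc
$RodcObj | Select-Object Name, IsReadOnly, IsGlobalCatalog, Site, IPv4Address

# 2. Allowed and Denied lists of the Password Replication Policy.
#    A user or computer must be Allowed and not Denied for its secret to be cached.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name, ObjectClass

# 3. Allowed is not the same as cached. RevealedAccounts lists the accounts whose
#    secrets are actually stored on the RODC; AuthenticatedAccounts lists accounts
#    that have ever authenticated through it (forwarded or cached).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass

# 4. Pre-populate the user's and the workstation's secrets on the RODC from the hub DC,
#    so the RODC holds them before the hub is taken offline. Both the user and the
#    computer account must be cached, or the machine itself cannot be authenticated.
$UserDn = (Get-ADUser     -Identity $User).DistinguishedName
$PcDn   = (Get-ADComputer -Identity $Pc).DistinguishedName
repadmin /rodcpwdrepl $Rodc $HubDc $UserDn $PcDn

# 5. Clients locate a DC through DNS SRV records, preferring DCs in their own AD site.
#    The RODC must have registered its records, and the clients' subnet must map to
#    the RODC's site, otherwise the locator keeps returning the writable DC.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Select-Object NameTarget, Priority, Weight
Resolve-DnsName -Name "_ldap._tcp.$($RodcObj.Site)._sites.dc._msdcs.$Domain" -Type SRV |
    Select-Object NameTarget, Priority, Weight
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site

# --- On a client workstation: which DC actually handled this logon? ---

# LOGONSERVER is set at interactive logon to the DC that processed it.
Write-Host "Logon server for this session: $env:LOGONSERVER"

nltest /dsgetdc:$Domain /force          # locator answer right now (/force bypasses the cache)
nltest /dsgetsite                       # the site the client believes it belongs to
Test-ComputerSecureChannel -Verbose     # machine-account secure channel to a DC still valid?

# DomainAuthenticated here is what shows as "Domain Network"; Private/Public means the
# NLA service could not reach a DC to confirm the domain.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
```

Run the server-side part while the writable DC is still online, then check RevealedAccounts again after one logon from the client through the RODC; only then disconnect the writable DC and compare $env:LOGONSERVER and the nltest output on the client.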
