RODCs and non-Windows machines

  • Last Post 24 July 2017
SmitaCarneiro posted this 13 July 2017

We have a large number of RODCs that are located in separate sites across the state. Windows machines don't have a problem, since they are site aware and connect to the DCs in their site. But we've noticed a problem with Macs and Linux boxes. If they try to connect to a specific DC on campus everything is fine, but when they try to connect to the domain name they can time out since they don't know the difference between DCs and RODCs.

Is there something that can be configured in DNS for this? We don't use AD integrated DNS, we use BlueCat.

Any pointers would be most welcome.

Smita Carneiro, GCWN
Active Directory Systems Engineer
IT Security and Policy
www.itap.purdue.edu

ZJORZ posted this 15 July 2017

Only RWDCs that register the domain wide records will register the domain fqdn record. RODCs do not register that.

You are talking about timeouts. Are there firewalls in place between sites with rodcs and the (central) site with rwdcs?

Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
E-Mail: jorge@xxxxxxxxxxxxxxxx
Tel.: +31-(0)6-26.26.62.80
(+++Sent from my mobile device +++)
(Apologies for any typos)


SmitaCarneiro posted this 18 July 2017

Jorge,

Yes there are firewalls at the sites. I don't manage those, but know they are pretty locked down.

Thanks,

Smita Carneiro, GCWN
Active Directory Systems Engineer
IT Security and Policy
www.itap.purdue.edu


ZJORZ posted this 18 July 2017

If your clients are only allowed to access rodcs and not rwdcs, you will have issues with clients that use the domain fqdn. The domain fqdn points to all the rwdcs that have registered that record. Rodcs by default do not register the domain fqdn and you do not want to change that behavior either!

Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
E-Mail: jorge@xxxxxxxxxxxxxxxx
Tel.: +31-(0)6-26.26.62.80
(+++Sent from my mobile device +++)
(Apologies for any typos)


SmitaCarneiro posted this 18 July 2017

Jorge,

The clients at our off campus sites are allowed to access the rwdcs.

The issue I am seeing is this: on campus where we have our rwdcs located, when I do an nslookup for the domain name, I get back the IP addresses of all the rwdcs as well as rodcs.

When I looked at the IP space for this domain on BlueCat, I see all the ldap, Kerberos, ... records for the rwdcs, and only A records for the rodcs.

According to this link:

https://msdn.microsoft.com/en-us/library/cc223809.aspx

I should see more than just A records for the rodcs.

So here is what I do not understand:

1: Why do I not see any records other than A for the rodcs?

2: Why, when I do an nslookup for the domain name from my main site which only has rwdcs, do I get back all the rodcs too? I should get back only the rwdcs, but I am getting back both.

Something is not quite right, and I'm not quite sure what.

Thanks,

Smita Carneiro, GCWN
Active Directory Systems Engineer
IT Security and Policy
www.itap.purdue.edu

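The check being done by hand above (resolve the domain FQDN, then compare the returned addresses against the list of RODCs) is easy to script so it can be repeated after a DNS change. The following is an added example and not part of the thread or of any product mentioned in it: it parses a `dig +noall +answer` style answer section for the domain apex and flags any address that belongs to an RODC, since by default only RWDCs register the domain FQDN A record. The domain name, addresses and host names are constructed for the example; the RODC inventory is assumed to come from somewhere authoritative such as `Get-ADDomainController -Filter {IsReadOnly -eq $true}`.

```python
"""Flag RODC addresses that appear in a domain's apex A record set.

Added example (not from the thread). Default behaviour: RWDCs register the
domain FQDN A record, RODCs do not, so any RODC address found at the apex is
a record to investigate (stale, manually added, or a changed registration
policy on that RODC).
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `dig +noall +answer ad.example.edu A` output.
# Domain name and addresses are made up for this example.
APEX_ANSWER = """\
ad.example.edu.\t600\tIN\tA\t10.10.1.11
ad.example.edu.\t600\tIN\tA\t10.10.1.12
ad.example.edu.\t600\tIN\tA\t10.50.3.21
"""

# Constructed RODC inventory (host name -> IPv4 address), e.g. exported from
# Get-ADDomainController -Filter {IsReadOnly -eq $true} (assumed source).
RODC_INVENTORY = {
    "rodc-north.ad.example.edu": "10.50.3.21",
    "rodc-west.ad.example.edu": "10.60.4.21",
}

# One dig answer line: <owner> <ttl> IN A <ipv4>
A_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_a_records(answer_section: str) -> Dict[str, Set[str]]:
    """Map each owner name (lower-cased, no trailing dot) to its A addresses."""
    records: Dict[str, Set[str]] = {}
    for line in answer_section.splitlines():
        match = A_LINE.match(line.strip())
        if not match:  # skip blank lines, comments, non-A records
            continue
        owner = match.group(1).rstrip(".").lower()
        records.setdefault(owner, set()).add(match.group(2))
    return records


def rodc_addresses_at_apex(domain: str, answer_section: str,
                           rodc_inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rodc host name, address) pairs found in the apex A record set."""
    apex_addresses = parse_a_records(answer_section).get(domain.lower(), set())
    rodc_by_ip = {ip: name for name, ip in rodc_inventory.items()}
    return sorted((rodc_by_ip[ip], ip) for ip in apex_addresses if ip in rodc_by_ip)


if __name__ == "__main__":
    for name, ip in rodc_addresses_at_apex("ad.example.edu", APEX_ANSWER, RODC_INVENTORY):
        print(f"RODC {name} ({ip}) is registered at the domain apex; investigate")
```

Run against live data, the answer section comes from `dig +noall +answer <domain> A` on a non-Windows client, which is where the timeouts were observed; an empty result is the expected state, and a non-empty one points at the RODC's registration settings or a manually added record, which is what the thread ends up finding.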

ZJORZ posted this 19 July 2017

I do not know your configuration to be able to say why stuff is wrong. I just know the default behavior and how to change specific behavior as needed.

RODCs do not register the domain FQDN A DNS record. Only RWDCs do that.

You will have to look at GPO/reg settings applied to those RODCs to see if those have impacted their behavior.

Also look at: https://jorgequestforknowledge.wordpress.com/2011/09/11/service-srv-locator-records-registered-by-windows-domain-controllers/

Met vriendelijke groeten / Kind regards,
Jorge de Almeida Pinto
MVP Enterprise Mobility And Security | MCP/MCSE/MCITP


SmitaCarneiro posted this 24 July 2017

Jorge,

Thank you for the link you sent, that was very informative.

We met with the team that manages BlueCat and discovered that the correct records for the RODCs do exist. They do not show up in the UI however; some bug in the interface.

They also cleaned up the corrupt FQDN DNS A record. We don't know yet why that happened. There were security updates that happened recently to BlueCat and that may have been what caused it. We don't know for sure yet.

Thanks again,

Smita Carneiro, GCWN
Active Directory Systems Engineer
IT Security and Policy
www.itap.purdue.edu
