Mark Minasi's Tech Forum
wobble_wobble (Associate Troublemaker Apprentice, Posts: 832) #1
So I have a production and UAT environment with RODC in both.
Securing traffic with an IPsec GPO in both.

Production appears to be fine.
UAT has one 2008 RODC working and a new 2012 R2 that I had to join to the domain while connected to the LAN, then move to the DMZ. But the computer account has expired and we can no longer log into the RODC.

So how does someone check that the RODC is working other than an LDAP query?
Why or how do I check the GPO is configured correctly?
I'm not too keen on installing Netmon onto the RODC servers, but I'm getting close.

__________________
Have you tried turning it off and walking away? The next person can fix it!

jsclmedave (Administrator, Posts: 446) #2
Wow, we "tried that"... From what I have read it's better to have it all 2012 R2 across the board or you will have issues...

Same sort of issues with replication. We disabled the firewall, then it would start again.

Good Luck!

__________________
Tim Bolton @jsclmedave
wobble_wobble (Associate Troublemaker Apprentice, Posts: 832) #3
Trying to get to all 2012 in UAT.
But I would like to get one 2012 RODC working all the time before I expire the one working RODC.



wobble_wobble (Associate Troublemaker Apprentice, Posts: 832) #4
And why do I sometimes have to declare the full domain name (bongo.local) and on other occasions just the NetBIOS domain name (bongo)?


wkasdo (Administrator, Posts: 199) #5
So I get why you hate RODC. These are difficult animals to handle. Why are you using them in the first place? Insecure branch offices?

> UAT has 1 2008 RODC working and a new 2012R2 that I had to join to the domain while connected to the LAN then move to the DMZ. But the computer account has expired and we can no longer log into the RODC.

Computer accounts don't expire. If the computer cannot log on to the domain with the RODC, I can think of two obvious reasons:
- replication is not working. To check on the RODC, verify the event log and run repadmin /showrepl
- you forgot to add a password replication policy for both the user account and the computer account of your new 2012 R2 machine.

> And why do I sometimes have to declare the full domain name (bongo.local) and on other occasions just the NetBIOS domain name (bongo)?

Name resolution problem, perhaps. Did you configure the 2012 R2 client to use the RODC DNS, and is this DNS server forwarding properly? Don't forget that the 2012 R2 client needs access to an RWDC for DNS dynamic updates. The RODC cannot do those.

That, or

> Securing traffic with an IPsec GPO in both

fancy, but tricky... seen loads of problems with this. It's pretty hard to get this right.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
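The two checks Willem lists (inbound replication and the password replication policy), written out as one script. This is an added example, not code from the thread or from Microsoft; it needs the ActiveDirectory module (RSAT) on a machine that can reach a writable DC, and the RODC, RWDC and account names in it are placeholders.

```powershell
# Added example, not code from the thread or from Microsoft: checks the two
# causes Willem lists for a new RODC that refuses logons -- inbound replication
# failing, and the accounts you use not being allowed by the RODC's password
# replication policy (PRP). Needs the ActiveDirectory module (RSAT) on a machine
# that can reach a writable DC. RODC, RWDC and account names are placeholders.
Import-Module ActiveDirectory

$Rodc     = 'RODC-UAT-01'             # placeholder: the new 2012 R2 RODC
$Rwdc     = 'DC-UAT-01'               # placeholder: a writable DC it should pull from
$Accounts = @('joe', 'RODC-UAT-01$')  # placeholder sAMAccountNames to verify
$Apply    = $false                    # set $true to add missing accounts to the PRP

# --- 1. Replication ----------------------------------------------------------
# An RODC only has inbound partners (it replicates nothing out) and each should
# report LastReplicationResult 0. Same data as "repadmin /showrepl <rodc>".
Write-Output "Inbound replication partners of $Rodc"
Get-ADReplicationPartnerMetadata -Target $Rodc -PartnerType Inbound | ForEach-Object {
    $state = if ($_.LastReplicationResult -eq 0) { 'OK  ' } else { "ERR $($_.LastReplicationResult)" }
    '  {0} {1} (last success {2})' -f $state, $_.Partner, $_.LastReplicationSuccess
}
Get-ADReplicationFailure -Target $Rodc |
    Format-Table Partner, FailureCount, FirstFailureTime, LastError -AutoSize

# --- 2. Password replication policy -----------------------------------------
# The allowed/denied lists normally contain groups, so expand them to member
# accounts before deciding. Deny wins over allow. (Well-known identities such
# as Authenticated Users are not expanded here.)
function Expand-PrpList {
    param($Entries)
    foreach ($e in $Entries) {
        if ($e.ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $e.DistinguishedName -Recursive |
                Select-Object -ExpandProperty SamAccountName
        } else {
            $e.SamAccountName
        }
    }
}
$allowed = @(Expand-PrpList (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed))
$denied  = @(Expand-PrpList (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied))
$cached  = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
             Select-Object -ExpandProperty SamAccountName)

$missing = @()
foreach ($acct in $Accounts) {
    $verdict = if ($denied -contains $acct)       { 'DENIED by PRP' }
               elseif ($allowed -contains $acct)  { 'allowed by PRP' }
               else                               { 'not in PRP: will never be cached' }
    $state   = if ($cached -contains $acct) { 'password cached on RODC' } else { 'password NOT cached' }
    '  {0,-18} {1,-36} {2}' -f $acct, $verdict, $state
    if ($verdict -like 'not in PRP*') { $missing += $acct }
}

# --- 3. Fix ------------------------------------------------------------------
# Add the missing accounts to the allowed list, then push their passwords to the
# RODC now rather than waiting for a first logon to trigger caching.
if ($missing -and $Apply) {
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $missing
    foreach ($acct in $missing) {
        $obj = Get-ADObject -LDAPFilter ('(sAMAccountName=' + $acct + ')')
        Sync-ADObject -Object $obj -Source $Rwdc -Destination $Rodc -PasswordOnly
    }
} elseif ($missing) {
    Write-Warning "Missing from PRP: $($missing -join ', '). Set `$Apply = `$true to add them."
}
```

Section 2 is a resultant-policy approximation: it expands group membership but not well-known security principals, so treat "allowed by PRP" as a strong hint and confirm with the RevealedAccounts column, which is what the RODC itself has actually cached. Section 3 is gated behind $Apply so the script is read-only by default.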
wobble_wobble (Associate Troublemaker Apprentice, Posts: 832) #6
Thanks Willem.

The RODCs are in the DMZ offering services to authorised applications and services.
And yes, this would be considered insecure; they are in the open on a very fat pipe.

The reason I said the account had expired was that after I ran
dsquery computer -inactive 4
the DC computer account was listed.

I can't log into the RODC; it says no logon servers are available.
Tried with the NICs disconnected, tried with the RODC in the DMZ and also in a LAN open to the DCs.


wkasdo (Administrator, Posts: 199) #7
> The DC computer account was listed.

RODCs are different. They log on to themselves and replicate nothing out. That includes timestamps. So this means nothing.

> I can't log into the RODC, it say no logon servers available.

Start here. And just to be clear, this is the new 2012 R2 RODC?

- Did you verify it can talk to an RWDC? IPSEC in the way ...?
- are you sure DCPROMO succeeded and finished?
- if it doesn't come back to life, reboot it into safe mode and see what is wrong.

wobble_wobble (Associate Troublemaker Apprentice, Posts: 832) #8
> Originally Posted by wkasdo
> ....
> > Securing traffic with an IPsec GPO in both
>
> fancy, but tricky... seen loads of problems with this. It's pretty hard to get this right.


They had it, it worked in prod, but there were issues in UAT.
Could be what we are hitting.


For others reading this Willem is helping and advising me offline and I'll put my notes here when finished.

Joe



wobble_wobble (Associate Troublemaker Apprentice, Posts: 832) #9
So, with some help and direction from Willem I think I'm moving forward with the issue.

I did not want to install Netmon / Wireshark / Port Query onto an RODC in an internet-facing DMZ or on the internal DCs, but needed a solution that could help.

So this helped a lot, to assist in identifying what was and was not connecting:
the PowerShell command Test-NetConnection.
It can ping, but also query a port, so I ended up using commands similar to these to query from DC to RODC and vice versa.


Test-NetConnection 172.16.240.172
  This will ping an IP / FQDN / NetBIOS name

Test-NetConnection -port 3389 172.16.240.172
Test-NetConnection -port 3389 -ComputerName WIN-9Q80KMNVOMI.bongo.local
 These will ping and check the declared port, in this case 3389

Test-NetConnection -port 3389 -ComputerName WIN-9Q80KMNVOMI -InformationLevel Detailed
 This will give a detailed output.
 In the first output the firewall is on, so no ping, but the port is still tested.
 In the second output the firewall was disabled, so both the ping and the port test are true.

Code:

PS D:\scripts> Test-NetConnection -port 3389 -ComputerName WIN-9Q80KMNVOMI -InformationLevel Detailed
WARNING: Ping to WIN-9Q80KMNVOMI failed -- Status: TimedOut

ComputerName             : WIN-9Q80KMNVOMI
RemoteAddress            : fe80::d843:9d4d:e796:d7dc%13
RemotePort               : 3389
AllNameResolutionResults : 172.16.241.20
                           192.168.1.101
                           fe80::d843:9d4d:e796:d7dc
MatchingIPsecRules       : 
NetworkIsolationContext  : Private Network
InterfaceAlias           : LAN
SourceAddress            : fe80::989a:592c:4876:b69b%13
NetRoute (NextHop)       : ::
PingSucceeded            : False
PingReplyDetails (RTT)   : 0 ms
TcpTestSucceeded         : True


PS D:\Scrips> Test-NetConnection -port 3389 -ComputerName WIN-9Q80KMNVOMI -InformationLevel Detailed

ComputerName             : WIN-9Q80KMNVOMI
RemoteAddress            : fe80::d843:9d4d:e796:d7dc%13
RemotePort               : 3389
AllNameResolutionResults : 172.16.241.20
                           192.168.1.101
                           fe80::d843:9d4d:e796:d7dc
MatchingIPsecRules       : 
NetworkIsolationContext  : Private Network
InterfaceAlias           : LAN
SourceAddress            : fe80::989a:592c:4876:b69b%13
NetRoute (NextHop)       : ::
PingSucceeded            : True
PingReplyDetails (RTT)   : 1 ms
TcpTestSucceeded         : True


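The Test-NetConnection approach from the post above, extended into a sweep of the ports a DC and an RODC need between them, with name resolution checked for both the FQDN and the short name (the bongo.local versus bongo question earlier in the thread). This is an added example, not the poster's own command set; the target host name is the one from the thread, and the port list is an assumption to match to your own environment.

```powershell
# Added example, not code from the thread: wraps Test-NetConnection in a port
# sweep between a DC and an RODC so the whole dependency set is checked at once,
# judging each port by TcpTestSucceeded only. As the output above shows, the
# firewall can drop ICMP (PingSucceeded False) while the port is open, so ping
# is reported but never used as the verdict. Run it on one side against the
# other and then the reverse. $Target is the host name from the thread; the
# port list is an assumption you should match to your own environment.
# Test-NetConnection exists on Windows 8.1 / Server 2012 R2 and later only.
$Target = 'WIN-9Q80KMNVOMI.bongo.local'

# TCP ports an RODC and a writable DC use between them. Test-NetConnection is
# TCP-only, so UDP 53/88/123/389 and the dynamic RPC range (49152-65535) are
# not covered and still need IPsec/firewall review by hand.
$Ports = @(
    @{ Port = 53;   Service = 'DNS (TCP)' }
    @{ Port = 88;   Service = 'Kerberos' }
    @{ Port = 135;  Service = 'RPC endpoint mapper (replication)' }
    @{ Port = 389;  Service = 'LDAP' }
    @{ Port = 445;  Service = 'SMB (SYSVOL/netlogon)' }
    @{ Port = 464;  Service = 'Kerberos password change' }
    @{ Port = 636;  Service = 'LDAPS' }
    @{ Port = 3268; Service = 'Global catalog (if the target is a GC)' }
    @{ Port = 3389; Service = 'RDP (admin access)' }
)

# Name resolution first, for both the FQDN and the short name: the short name
# depends on the DNS suffix search list or NetBIOS, the FQDN on DNS alone,
# which is why one may work when the other does not.
$short = ($Target -split '\.')[0]
foreach ($name in @($Target, $short)) {
    try {
        $ips = Resolve-DnsName -Name $name -ErrorAction Stop |
               Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
        'RESOLVED   {0,-35} -> {1}' -f $name, ($ips -join ', ')
    } catch {
        'UNRESOLVED {0,-35} ({1})' -f $name, $_.Exception.Message
    }
}

# Port sweep. -WarningAction hides the "Ping ... failed" warning, which is
# expected when ICMP is blocked and says nothing about the port.
$results = foreach ($p in $Ports) {
    $t = Test-NetConnection -ComputerName $Target -Port $p.Port `
            -InformationLevel Detailed -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port       = $p.Port
        Service    = $p.Service
        TcpOpen    = $t.TcpTestSucceeded
        PingReply  = $t.PingSucceeded                  # informational only
        RemoteAddr = $t.RemoteAddress
        IPsecRules = ($t.MatchingIPsecRules | ForEach-Object { $_.DisplayName }) -join '; '
    }
}
$results | Format-Table -AutoSize

$closed = @($results | Where-Object { -not $_.TcpOpen })
if ($closed.Count -gt 0) {
    Write-Warning ('Not reachable: ' + (($closed | ForEach-Object { "$($_.Port)/$($_.Service)" }) -join ', '))
    Write-Warning 'A closed port with no matching IPsec rule on this side usually means the IPsec GPO has not applied here; a closed port that does list a rule means the peer is not negotiating (no matching rule or a different authentication method there).'
}
```

The IPsecRules column is the MatchingIPsecRules field from the detailed output in the post; an empty column on a host that should be covered by the GPO is the quickest sign that the policy never reached it.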
wobble_wobble (Associate Troublemaker Apprentice, Posts: 832) #10
OK, so my learnings.
You need to allow the account you manage the server with to replicate its password to the server.
IPSec is bad and good.
  Put the RODC in an OU inside the Domain Controllers OU. Apply the IPSec GPO to that OU.
  Move the RODC to the OU after you have it all working.
  Remember that the IPSec rules may allow some clear communication with some servers. Have that documented somewhere.
  The PowerShell command Test-NetConnection helps, but will not give you an answer, just like Netmon, when IPSec blocks the server talking to DNS.
  In this case, on the offending server you may not see a reply in Netmon to the DNS query; you will see the server query Root Hints.
RODCs are quite secure, if trying to set them up is anything to go by.



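The staging sequence from the post above (a child OU under Domain Controllers carrying the IPsec GPO, the RODC moved in only once it works, then a check that the rules applied and that security associations are really forming) as an added example. This is not the poster's script; Part A needs the ActiveDirectory and GroupPolicy modules on an admin workstation, Part B runs locally on the RODC, and the OU, GPO and host names are placeholders.

```powershell
# Added example, not code from the thread: the staging sequence from the post
# above written out. Part A needs the ActiveDirectory and GroupPolicy modules on
# an admin workstation; Part B runs locally on the RODC. OU, GPO and host names
# are placeholders.

# ---- Part A: staging OU and GPO link (run from an admin workstation) ---------
function Set-RodcIPsecStaging {
    param(
        [string]$Rodc    = 'RODC-UAT-01',        # placeholder RODC
        [string]$StageOu = 'RODC-IPsec',         # placeholder child OU name
        [string]$GpoName = 'IPsec - DMZ RODC',   # placeholder GPO (must already exist)
        [switch]$MoveRodc                        # only once it replicates and logs on fine
    )
    Import-Module ActiveDirectory, GroupPolicy
    $dcOu    = (Get-ADDomain).DomainControllersContainer   # OU=Domain Controllers,DC=...
    $stageDn = "OU=$StageOu,$dcOu"

    # Child OU, so the IPsec GPO is linked here and not to Domain Controllers as a whole.
    try   { Get-ADOrganizationalUnit -Identity $stageDn -ErrorAction Stop | Out-Null }
    catch { New-ADOrganizationalUnit -Name $StageOu -Path $dcOu | Out-Null }

    # Link the GPO once; New-GPLink fails if the link already exists.
    $links = (Get-GPInheritance -Target $stageDn).GpoLinks
    if (-not ($links.DisplayName -contains $GpoName)) {
        New-GPLink -Name $GpoName -Target $stageDn -LinkEnabled Yes | Out-Null
    }

    # Move the RODC in last. DC computer objects are normally protected from
    # accidental deletion, which also blocks moves, so lift and restore the flag.
    if ($MoveRodc) {
        $rodcDn = (Get-ADDomainController -Identity $Rodc).ComputerObjectDN
        Set-ADObject -Identity $rodcDn -ProtectedFromAccidentalDeletion $false
        Move-ADObject -Identity $rodcDn -TargetPath $stageDn
        $newDn = (Get-ADDomainController -Identity $Rodc).ComputerObjectDN
        Set-ADObject -Identity $newDn -ProtectedFromAccidentalDeletion $true
    }
    (Get-GPInheritance -Target $stageDn).GpoLinks
}

# ---- Part B: verify on the RODC after the move --------------------------------
function Test-RodcIPsecState {
    gpupdate /target:computer /force | Out-Null

    # Rules that actually reached the active store from the GPO.
    $rules = Get-NetIPsecRule -PolicyStore ActiveStore
    $rules | Format-Table DisplayName, Enabled, Mode, InboundSecurity, OutboundSecurity -AutoSize

    # The clear-traffic exemptions the post says to document: rules requiring no security.
    Write-Output 'Rules allowing clear traffic (document these):'
    $rules | Where-Object { $_.InboundSecurity -eq 'None' -or $_.OutboundSecurity -eq 'None' } |
        Select-Object DisplayName, InboundSecurity, OutboundSecurity

    # Security associations exist only if a peer actually negotiated. Rules present
    # but no SAs points at the other side (no matching rule there, or a different
    # authentication method), not at this RODC.
    Write-Output 'Main mode SAs:';  Get-NetIPsecMainModeSA  | Format-Table LocalEndpoint, RemoteEndpoint -AutoSize
    Write-Output 'Quick mode SAs:'; Get-NetIPsecQuickModeSA | Format-Table LocalEndpoint, RemoteEndpoint -AutoSize
}

# Usage: Set-RodcIPsecStaging            # OU + link only, RODC stays where it is
#        Set-RodcIPsecStaging -MoveRodc  # once the RODC is confirmed healthy
#        Test-RodcIPsecState             # on the RODC, after the move
```

Keeping the move behind -MoveRodc is the point of the post's ordering: the RODC proves itself without IPsec first, and Part B then separates "the GPO never applied" (no rules in the active store) from "the peer will not negotiate" (rules present, no SAs), which is the distinction Netmon cannot make when DNS itself is being blocked.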