
I've got an RODC in our local site and a PDC in our co-location facility. I run SET on any of the computers in our local site and they all say LOGONSERVER='PDC'. They should all be authenticating to the local RODC but they don't seem to want to.

I looked at the logs of the RODC and I get a few spaced out errors coming from NETLOGON:

The session setup from the computer COMPUTERNAME failed to authenticate. The following error occurred: Access is denied.

A search for that error led me here but none of the solutions seem to be of any help (or maybe I'm not using the solutions correctly?)

Has anyone remedied this error before? Can someone point me in the correct direction?

blsub6
  • 1,101
  • 6
  • 25
  • 44
  • Have you modified the password replication policy on the RODC in AD Users & Computers? – Clint Nov 29 '10 at 23:53
  • See https://technet.microsoft.com/en-us/library/cc754956(v=ws.10).aspx under "Why does %logonserver% have the name of a domain controller in my hub site rather than the RODC in my site?" – iPath Aug 04 '15 at 00:08

1 Answer

3

Just like users, you have to add computer objects to the policy allowing the RODC to authenticate them (link). The easiest way is to create a group of those computer objects and add them to the policy with Allow. Also keep in mind that Site configuration can affect which DC a station will contact.

sysadmin1138
  • 131,083
  • 18
  • 173
  • 296
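The answer above describes the fix in words; here is an added PowerShell example (not part of the original answer, and not from any Microsoft documentation page) that carries it out with the ActiveDirectory module: build a group of the local site's computer accounts, add that group to the RODC's Password Replication Policy with Allow, and then verify what the RODC is allowed to cache and what it has actually cached. The RODC name `RODC01`, the OU `OU=Workstations,OU=LocalSite,DC=example,DC=com`, the group name `LocalSite-RODC-Allowed` and the domain `example.com` are assumed placeholders; substitute your own.

```powershell
# Added example, not code from the original answer.
# Assumed names: RODC 'RODC01', site OU, group 'LocalSite-RODC-Allowed', domain 'example.com'.
# Requires RSAT / the ActiveDirectory module and rights to edit the RODC's PRP.
Import-Module ActiveDirectory

$rodc      = 'RODC01'
$ou        = 'OU=Workstations,OU=LocalSite,DC=example,DC=com'
$groupName = 'LocalSite-RODC-Allowed'

# 1. Create a security group to hold the accounts the local RODC may cache.
#    A dedicated group keeps the PRP readable and makes later changes a group-membership edit.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $ou -Description 'Accounts the local RODC is allowed to cache'
}

# 2. Add the site's computer accounts to the group. Computer accounts are not
#    cached by default, which is why the RODC logs "Access is denied" for them.
$computers = Get-ADComputer -Filter * -SearchBase $ou
Add-ADGroupMember -Identity $groupName -Members $computers

# 3. Put the group on the RODC's Allowed list (the "Allow" setting in the PRP tab).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $groupName

# 4. Verify the policy: the group should now be listed under Allowed.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, DistinguishedName

# 5. Verify effect: after the next logon/secure-channel setup, the computers should
#    appear among the accounts whose secrets the RODC has cached.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# 6. Site check for the answer's last point: confirm which DC the site resolves to.
nltest /dsgetdc:example.com /site:LocalSite
```

Two things worth knowing when reading the output: an account that is also on the RODC's Denied list (Domain Admins and the other built-in Denied RODC Password Replication Group members, for example) is never cached, because Deny takes precedence over Allow; and step 5 stays empty until the computers have actually authenticated against the RODC once, so run it after a reboot or secure-channel reset of a test workstation rather than immediately after step 3. If step 6 still names the co-location DC, the subnet-to-site mapping in Sites and Services is the next thing to check.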