
I have a two-site domain (call them Local and Remote). Site Local has our main IT infrastructure, including two Active Directory Domain Controllers (2008R2). We're trying to set up an RODC at site Remote, which for the most part works just fine. Everything is replicated, password replication follows the policy, the remote DC answers queries - so all good. Except that machines in site Local, when querying the AD, are referred to site Remote. If I do a tcpdump, I see the LDAP query hit both of the Local DCs, and then go on to the Remote RODC.

I've ensured that all of the subnets on both ends are configured in the Site and Services snap-in, and that the DCs are both in their respective sites. According to my research, that should be all that's required for the clients to query the closest DC. Have I missed a step?

bab
  • Is it possible that the RODC is the only global catalog server active? Or perhaps that the RODC has somehow gained control of any of the FSMO roles? – Peter Grace Dec 08 '11 at 15:34

1 Answer


From TechNet:
"When a client that is searching for a domain controller receives the list of domain controller IP addresses from DNS, the client begins querying the domain controllers in turn to find out which domain controller is available and appropriate. Active Directory intercepts the query, which contains the IP address of the client, and passes it to Net Logon on the domain controller. Net Logon looks up the client IP address in its subnet-to-site mapping table by finding the subnet object that most closely matches the client IP address and then returns the following information:

  1. The name of the site in which the client is located, or the site that most closely matches the client IP address.

  2. The name of the site in which the current domain controller is located.

  3. A bit that indicates whether the found domain controller is located (bit is set) or not located (bit is not set) in the site closest to the client.

The domain controller returns the information to the client. The response also contains various other pieces of information that describe the domain controller. The client inspects the information to determine whether to try to find a better domain controller. The decision is made as follows:

  1. If the returned domain controller is in the closest site (the returned bit is set), the client uses this domain controller.

  2. If the client has already tried to find a domain controller in the site in which the domain controller claims the client is located, the client uses this domain controller.

  3. If the domain controller is not in the closest site, the client updates its site information and sends a new DNS query to find a new domain controller in the site. If the second query is successful, the new domain controller is used. If the second query fails, the original domain controller is used."

"the LDAP query hit both local..." What are you using to query AD? What server shows up if you type print %logonserver% from a cmd prompt?

Paul Ackerman
  • Thanks guys. FSMO roles are correct and %logonserver% shows a local server. The testing was done by watching a Wireshark dump while initiating a logon. Also tested from a Mac OS X machine, and same behavior observed while initiating a connection to a DFS share. – bab Dec 15 '11 at 03:51
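The answer quotes the DC locator logic (subnet-to-site lookup by Net Logon, then the CLOSE_SITE decision on the client) and the comment asks about the RODC being the only global catalog or holding a FSMO role. The script below is an added example, not code from the question, the answer, or Microsoft; it is the check sequence a practitioner would run from a domain-joined client in site Local to see each of those inputs side by side. It assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module (which talks to Active Directory Web Services, present on 2008 R2 DCs), and that the client can reach a writable DC. All site and subnet values come from the directory; nothing in it is specific to this domain.

```powershell
# Added example (not from the original post). Assumes PowerShell 3.0+, the RSAT
# ActiveDirectory module, and a domain-joined client in the site that is being
# referred to the RODC.
Import-Module ActiveDirectory

# Convert a dotted IPv4 address to a UInt32 so prefix masks can be applied.
function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [array]::Reverse($b)                  # BitConverter wants little-endian
    [BitConverter]::ToUInt32($b, 0)
}

# Emulate the Net Logon subnet-to-site lookup the answer describes: return the
# IPv4 subnet object with the longest prefix that contains $Ip, or nothing if
# no subnet object covers the client (the classic cause of a wrong-site referral).
function Get-MatchingSubnet ([string]$Ip, [object[]]$Subnets) {
    $ipInt = ConvertTo-UInt32 $Ip
    $Subnets |
        Where-Object { $_.Subnet -match '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$' } |   # IPv4 only
        ForEach-Object {
            $net, $bits = $_.Subnet -split '/'
            $mask = if ([int]$bits -eq 0) { [uint32]0 }
                    else { [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF) }
            if (($ipInt -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)) {
                $_ | Add-Member -NotePropertyName Bits -NotePropertyValue ([int]$bits) -PassThru
            }
        } |
        Sort-Object Bits -Descending | Select-Object -First 1    # most specific match wins
}

# 1. Subnet objects and the site each one maps to (Sites and Services data).
$configNC = (Get-ADRootDSE).configurationNamingContext
$subnets = Get-ADObject -SearchBase "CN=Subnets,CN=Sites,$configNC" `
                        -Filter 'objectClass -eq "subnet"' -Properties siteObject |
    ForEach-Object {
        [pscustomobject]@{
            Subnet = $_.Name
            Site   = (($_.siteObject -split ',')[0] -replace '^CN=')
        }
    }
"Subnet-to-site table:"
$subnets | Format-Table -AutoSize | Out-String

# 2. Which subnet (and therefore site) does this client's IPv4 address fall into?
$clientIp = ([System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
             Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
             Select-Object -First 1).IPAddressToString
$match = Get-MatchingSubnet -Ip $clientIp -Subnets $subnets
if ($match) { "Client $clientIp matches subnet $($match.Subnet) -> site $($match.Site)" }
else        { Write-Warning "Client $clientIp matches NO subnet object; locator cannot place it in a site" }

# 3. What the client itself believes, and what the DC locator actually returned.
$clientSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$dc = Get-ADDomainController -Discover -ForceDiscover
"Client site (cached) : $clientSite"
"Located DC           : $($dc.HostName) in site $($dc.Site)"
if ("$($dc.Site)" -ne $clientSite) {
    Write-Warning "Locator returned a DC outside the client's site (CLOSE_SITE not set)"
}

# 4. The question raised in the comments: is the RODC the only global catalog,
#    or does it hold any operations master role?
"Domain controllers:"
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize | Out-String

# 5. Same checks from the locator's own tooling; the Flags line shows CLOSE_SITE.
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN /force
```

Read the output top down: if step 2 reports no matching subnet, or a subnet that maps to the remote site, the Sites and Services configuration is the problem regardless of what the DC placement looks like. If the subnet mapping is right but step 3 still returns a DC in the other site, compare the site reported by `nltest /dsgetsite` with the subnet result, and check step 4 for a GC-only or FSMO-holding RODC, since a client that needs a global catalog will follow the GC SRV records rather than the plain DC records.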