
OK, I'm in a bit of a pickle. At one of our remote sites, we have a Windows Server 2012 R2 read-only domain controller that does not sync Domain Admin passwords. Anytime a domain admin tries to log in, it forwards the request to the primary domain controller back at the home office.

In a recent IP address update, the IP address of the machine was transposed. What was supposed to be entered as 192.168.135.2 was entered as 192.168.2.135. The netmask and gateway IP were set right, meaning that the gateway configured is not even on the same subnet as the IP configured. So the RODC is completely offline.

No big problem. I'll just take another machine, give it the IP address of 192.168.2.130, RDP into the RODC and fix the IP blunder. Except when I RDP into the RODC as an admin, I get authentication errors because 1) it does not store the admin passwords and 2) it has no way of forwarding the authentication onto the PDC because it has an invalid gateway configuration.

Anyone know of any way I can log into this RODC and get the IP address changed back to what it should be?

mikdav
  • I certainly hope not. That would mean the only purpose of using an RODC is completely useless. – Greg Askew Jul 26 '17 at 16:57
  • Yeah, I was hoping that I could do an RDP Kerberos SSO where the RODC would trust the ticket because it was signed by a trusted cert, but not actually require the password. However, it looks like the Kerberos SSO support in RDP is woefully behind the times and this is not possible. It also looks like I could use a Directory Services Restore Mode password, but this DC is years old and I have no idea what it is. Guess what we're doing today? Resetting all of our DSRM passwords on the other DCs to a known value. – mikdav Jul 27 '17 at 17:23
  • Actually DSRM can synchronize with a domain account, using a shutdown/startup script with an NTDSUTIL command. – Greg Askew Jul 27 '17 at 17:28
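
The two things this thread turns on, as an added example that is not code from the question or the comments: a pre-flight check that refuses an IPv4 change whose gateway is outside the new subnet (the transposition that took this RODC offline), and the ntdsutil DSRM password sync Greg Askew describes, wrapped so it can run as a startup script and fail loudly. The interface alias 'Ethernet', the gateway 192.168.135.1 and the domain user 'DsrmSyncAccount' are assumptions, not values from the page.

```powershell
# Added example, not from the question or comments. Assumed names: interface
# alias 'Ethernet', gateway 192.168.135.1, domain user 'DsrmSyncAccount'.

function Test-GatewayInSubnet {
    # True when the gateway shares the network prefix of IPAddress/PrefixLength.
    param(
        [Parameter(Mandatory)] [string] $IPAddress,
        [Parameter(Mandatory)] [ValidateRange(0, 32)] [int] $PrefixLength,
        [Parameter(Mandatory)] [string] $Gateway
    )
    $ip = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $gw = [System.Net.IPAddress]::Parse($Gateway).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        # Network bits that fall in this octet: 8, 0, or a partial count.
        $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - 8 * $i))
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($ip[$i] -band $mask) -ne ($gw[$i] -band $mask)) { return $false }
    }
    return $true
}

function Set-DcIPv4Configuration {
    # Replace the IPv4 address and default route on one interface, but only
    # after the gateway check passes. With the thread's mistake
    # (192.168.2.135/24 against a 192.168.135.x gateway) this throws instead
    # of leaving the DC with a gateway it can never ARP for.
    param(
        [Parameter(Mandatory)] [string] $InterfaceAlias,
        [Parameter(Mandatory)] [string] $IPAddress,
        [Parameter(Mandatory)] [int] $PrefixLength,
        [Parameter(Mandatory)] [string] $Gateway
    )
    if (-not (Test-GatewayInSubnet -IPAddress $IPAddress -PrefixLength $PrefixLength -Gateway $Gateway)) {
        throw "Refusing to apply: gateway $Gateway is not inside $IPAddress/$PrefixLength"
    }
    Remove-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
}

function Sync-DsrmPassword {
    # ntdsutil copies the domain account's current password into this DC's
    # local DSRM Administrator account. The account's password has to be
    # available to the DC when this runs, so schedule it while the DC is
    # healthy; it is not something to reach for after the lockout.
    param([Parameter(Mandatory)] [string] $DomainAccount)
    $output = & ntdsutil.exe 'set dsrm password' "sync from domain account $DomainAccount" q q 2>&1 | Out-String
    # Success is judged on ntdsutil's output text, which is all it gives us.
    if ($output -notmatch 'synchronized successfully') {
        throw "DSRM sync from $DomainAccount failed:`n$output"
    }
    return $true
}

# Startup script (Group Policy, Computer Configuration > Windows Settings > Scripts):
#   Sync-DsrmPassword -DomainAccount 'DsrmSyncAccount'
#
# Change window, run from the console of the DC being re-addressed:
#   Set-DcIPv4Configuration -InterfaceAlias 'Ethernet' -IPAddress '192.168.135.2' -PrefixLength 24 -Gateway '192.168.135.1'
```

Two caveats a practitioner would want. First, the DSRM account normally only logs on when the DC is booted into Directory Services Restore Mode, so a known DSRM password still means someone at the site (or an out-of-band console) gets you to the keyboard; the sync only guarantees you know the password once you are there. Second, whatever domain account you sync from is now equivalent to a local administrator on every DC that runs the script, so keep it dedicated, unprivileged in the domain, and rotated, and remember that the RODC in this thread would not have had that account's password cached unless it was allowed by the password replication policy.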

0 Answers