Troubleshooting RODC's: Troubleshooting RODC location in the DMZ

  • Article

Consider the following scenario:

  • A NAP solution with a remediation zone (aka noncompliant network) for
    incoming clients
  • An RODC in the remediation zone subnet has been assigned to an AD site
    called 'RemediationSite'
  • The remediation subnet has been assigned to the RODC in the 'RemediationSite' site
  • Firewall rules prevent the incoming clients in the RemediationSite site from talking to any RWDC's

Typically, the NAP client is a laptop that was either shut down or hibernated while on the corporate LAN/WLAN and has then been brought up while on a home network and is attempting to establish a VPN connection into the corporate network.  At
some point, the NAP server may determine that the client needs to talk to a DC to apply Group Policy, authenticate, etc.

In this scenario, the incoming client may never be able to automatically discover the RODC.

The reason forthis is that the client doesn’t know in which site it is when it initially comes into the site RemediationSite, it must therefore eventually make a generic DNS query for the _msdcs.domain.com SRV record for a DC to talk to and the RODC by default doesn’t register any generic DNS information…it only registers site-specific DNS information.  DsGetDCName may therefore never return an RODC in the list of DC’s for the domain.

Note that the DCLocator function that DSGetDCName calls does however have a fallback to NetBIOS name resolution functionality (WINS and broadcasts) if no results are generated from DNS, if WINS is however not configured and broadcasts are blocked then that too will fail.

If the firewall rules however were to allow the client to talk to at least one RWDC, the client would get redirected to the RODC once the RWDC determines that the client is in the RODC’s site (both should at this point be in the non-compliant network).

 

But let's say you can’t/don’t want to change your firewall rules so we’re stuck in a Catch-22 scenario.  How can this be resolved?  Although an RODC in the non-compliant network may not be able to meet 100% of your DC needs, it is still possible to configure it to be discoverable by clients.

One possible method is to configure the RODC to register generic DNS records, but it does have some drawbacks that you need to be aware of.

  • The original reason for not registering generic DNS records is to ensure that only clients in the site the RODC is in talk to it.
    This is effectively the same principle as is described in the W2k3 Branch Office Guide where the W2k3 DC was configured to only register site-specific DNS records.
  • Not registering generic DNS records for RODC’s minimizes the risk of a users being manipulated into authenticating against a stolen RODC that has been brought online within the corporate network.

In short; IF the RODC needs to be discoverable from a generic DNS query, there is no alternative but to register generic DNS records for it.  It is however possible to minimize the security impact of registering the generic DNS records by modifying the
LDAPSrvPriority of the RODC in the remediation site to make sure other RO/RWDC’s will be preferred if available (See KB 306602 for details).

The DWORD registry entryRegisterSiteSpecificDnsRecordsOnly determines if the RODC will attempt to register generic DNS records.

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Value name: RegisterSiteSpecificDnsRecordsOnly

Value type: DWORD

RegisterSiteSpecificDnsRecordsOnly

This specifies to register site-specific and CName records only.
Default is TRUE (1) for RODC.

If it is set to FALSE (0), then RODC will try to register all types of DNS records including non-site specific records.

If this value is set, the RODC needs to be given the required permissions on the relevant DNS zones in order to be able to register all DNS records.

 

How to optimize the location of a domain controller or global catalog that resides outside of a client's sitehttp://support.microsoft.com/?id=306602

Windows Server 2003 Active Directory Branch Office Guide
http://www.microsoft.com/downloads/details.aspx?FamilyId=9353A4F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en

Planning the Placement of a NAP Remediation Serve
http://technet.microsoft.com/en-us/library/dd125378.aspx

Authentication fails when an external client tries to log on to a Windows Server 2008 server by using a read-only domain controller in a perimeter network
http://support.microsoft.com/kb/977510