I've dug a little bit more on the RODC set up.
I've tried using BIND with DLZ and without as well as the internal DNS
server.
In both cases, I get an error when the RODC tries to register itself to gc._
msdcs.test.com.
Under DLZ, it fails for a non-secure transaction:
Jul 26 15:11:39 dc named[3341]: samba_dlz: disallowing update of
signer=RODC\$\@TEST.COM name=gc._msdcs.test.com type=A error=insufficient
access rights
When using the internal DNS server, it fails with the following output:
[2013/07/26 18:39:56, 0]
../source4/rpc_server/netlogon/dcerpc_netlogon.c:2574(netr_dnsupdate_RODC_callback)
../source4/rpc_server/netlogon/dcerpc_netlogon.c:2574: IRPC callback
failed NT_STATUS_IO_TIMEOUT
Also forced on the clients to use the Try Next Closes Site, but it gives an
error.
What is the behavior of an RODC?
It should have a copy of the AD without the passwords, and also it has a
copy of the DNS records?
Does it act like a proxy between one subnet and the main DC?
Should a new DNS entry be added to advertise the RODC as an available
KDC/AD?
Thanks
On Thu, Jul 25, 2013 at 4:33 PM, Andreas Calvo <flipy.bcn at gmail.com>
wrote:
> I'm preparing a lab to test the scenario in which a remote office uses
a
> RODC to cache all users/computers/GPOs from a DC.
> I've set up a environment with all requirements (two subnets, one with
a
> DC and the other with a RODC).
> I've joined the domain with a windows machine to the RODC subnet with
both
> DCs being up.
>
> Using the windows tools (DSA), I've placed a user account and the
machine
> account inside the Allowed password replication group.
>
> I've switched off the master DC, and tried to login with the cached
user
> in the cached computer, but it failed.
>
> I've preloaded (samba-tool rodc preload) both the user account and the
> machine account in the RODC, without luck.
>
> I've a couple of questions:
> - Does samba 4.0.7 supports caching passwords for users?
> - What is the preload command for? Caching of passwords?
>
> The following link (
> http://technet.microsoft.com/en-us/library/dd736918%28v=ws.10%29.aspx)
> talks about setting up the Next Closest DC in the network in the DC
> settings to allow RODCs to be trusted, should this be performed as well?
> Or is it enough to set it up as a GPO?
>
--
Atentamente,
Andreas Calvo