Joining a computer to the domain that uses an RODC
flames1000
Member Posts: 49
Hi,
Ok. We are sending out a W2K8 RODC to a branch office. There will be 2 laptops that need to be joined to the domain there. The others are staged from corp. No problems. I do realize that I cannot join a PC from the branch office as it's only read-only.
I did some testing and set the laptop with a static IP of its range and subnet:
ip - 192.168.16.100
sm - 255.255.255.0
dg - 192.168.16.254
I set the primary and secondary DNS to point to our main DNS at corp through a VPN connection. It worked, the laptop joined the domain. A few hours later today I started getting netlogon errors, event IDs 5805 and 5723. It seems to be working fine, no trust popups, but WSUS is not happy with it.
What is the easiest way to bring up a computer in a branch office with an RODC? Scouring the internet did not give me many answers and I have to get this out in 3 days.
Any assistance would be appreciated.
Thanks
Flames
Comments
RobertKaucher Member Posts: 4,299
Flames,
One question for you...
How is the branch office connected to the main office? You say it's a VPN connection but can ONLY the RODC talk to the RWDCs?
Unless the connection is firewalled you will be able to join PCs to the domain at the branch office as normal. The RODC should simply forward the request to a RWDC. So you CAN join a client to the domain, it just needs to be able to talk to the RWDC.
Edit: Remember the RODC at a Branch Office scenario was created to increase security by ensuring that a copy of your AD was not accessible to theft/sabotage at BOs that tend to lack physical security and to improve login performance. It wasn't created to prevent objects from being added to the AD.
flames1000 Member Posts: 49
Hi Robert,
The RODC is connected via a SonicWall VPN back to corporate. It can talk to the other RWDC here. I installed the RODC compatibility pack on the XP client also and I got an error trying to promote it (can't remember what it was).
I do understand the security of the RODC in branch offices, but as it turns out, there are a couple of PCs/laptops that need to be joined to the domain. I thought that promoting it from the site would work and the request would come back to a RW, but that's not the case.
I have not been able to find very much info as to what to do in this case; all I did was hard code an IP at the branch office and set the DNS servers to point to the corp RWDC and it joined. Is there something else I should do instead that I can try at work?
Any pointers would be appreciated.
Thanks
Flames
RobertKaucher Member Posts: 4,299
Are these imaged machines? You keep using alternating pronouns like it and they and I'm not sure if the device or devices generating the event IDs is the RODC or the laptops. "It seems to be working fine." Is it the situation, the RODC, or one of the clients?
If the event IDs are being generated by the clients then it sounds like your steps were correct but there was an issue that probably had nothing to do with the RODC. Remove the clients in question from the domain and ensure they are deleted from AD. Then rejoin them to the domain. I personally would rename them for good measure, but that is probably not required. If the RODC is generating them, demote it, unjoin it and take a do-over.
You should be able to join clients to the AD at a BO w/o any issues. I have encountered these event IDs in Server 2003 environments and a rejoin always fixed it.
Also, VPN connection is still not clear to me... Is this PTP VPN where all the machines at the BO can talk to the home office? I assume so since you said there was DNS traffic going between the two. I assume it is two SonicWalls as the endpoints?
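An added diagnostic script (not from any poster in this thread) that walks through the checks Robert's two replies point at: whether the branch client can locate a writable DC over the VPN, which host is logging NETLOGON 5805/5723, and whether the secure channel is intact before a rejoin. It assumes a client with PowerShell available and uses placeholder names `corp.example` / `DC01` for the domain and writable DC.

```powershell
# Added example, not from the thread. Run on the branch-office client in an elevated prompt.
# 'corp.example' and 'DC01' are placeholders for the AD DNS domain and a writable DC at corp.
$Domain = 'corp.example'
$Rwdc   = 'DC01'   # NetBIOS name of a writable DC (placeholder)

# 1. DNS: the join only works if the client can resolve the domain's DC SRV records
#    through whichever DNS servers are configured on the NIC (corp DNS over the VPN here).
Write-Host "== DC SRV records for $Domain =="
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Select-Object Name, NameTarget, Port | Format-Table -AutoSize

# 2. DC locator: ask specifically for a WRITABLE DC. If this fails while a plain
#    /dsgetdc succeeds, the branch can reach the RODC but not the RWDCs (firewalled VPN).
Write-Host "== Writable DC located by the client =="
nltest /dsgetdc:$Domain /writable

# 3. Which machine is logging the NETLOGON events from the thread? Check the client's
#    System log; run the same query on the RODC to compare, as Robert asks.
Write-Host "== Recent NETLOGON 5805/5723 events on this host =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5805, 5723 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName, Message | Format-Table -Wrap

# 4. Secure channel: a broken trust relationship shows up here well before the logon
#    popups the original poster is watching for. Add -Repair to reset it against the DC.
Write-Host "== Secure channel test against $Rwdc =="
Test-ComputerSecureChannel -Server $Rwdc -Verbose

# 5. Rejoin explicitly against the writable DC (after deleting the stale computer object
#    in AD, per Robert's advice). -Server takes the form DomainName\DCName.
# Add-Computer -DomainName $Domain -Server "$Domain\$Rwdc" `
#     -Credential (Get-Credential "$Domain\Administrator") -Restart
```

Step 2 is the one that separates "the RODC is the only thing reachable" from "the client simply has a stale account": the former needs the VPN rules fixed, the latter is solved by the delete-and-rejoin in step 5.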