Forum Discussion

BrentStobbs's avatar
BrentStobbs
Brass Contributor
Apr 27, 2022
Solved

Authenticating to a RoDC is unsuccessful

I have the requirement to create a segregated network for a group of my users.  The network will contain 1 file server, an RoDC and a bunch of workstations.    The workstations have no connectivity...
Active Directory
networking
security
windows server
  • BrentStobbs's avatar
    BrentStobbs
    May 03, 2022
    Thank you again Lain for your quick and thorough response.

    I have now resolved the issue and I am feeling quite stupid about it. The workstations (both of them) I was testing with were configured for DirectAccess. As the NLS is not available on the network, it was trying to connect via Direct Access and hence using NRPT to resolve the domain name, additionally DirectAccess was not able to reach the Domain Controllers, and as it therefore failed to connect, it was causing the DNS issues.

    I have removed the DirectAccess configuration for the workstation and things started working as expected.

    I am going to mark this response as the best answer, but I do want you to know that it was in no small part due to your assistance. I would not have come to this conclusion without the hints you have provided and your guidance with troubleshooting. Sincerely, thank you very much, I was really struggling.
LainRobertson's avatar
LainRobertson
Silver Contributor
May 03, 2022

BrentStobbs 

 

No worries.

 

First, are the clients able to reach both UDP 53 and TCP 53 of the RODC as well as writable domain controller you just opened up access to?

 

If it's only UDP 53 and not TCP 53, you will run into issues with queries that have results sets larger than 512 bytes, as the Windows DNS client will cut over to TCP 53 and re-issue the query by default in such circumstances.

 

I only mention that as an aside though, as for the explicit host query for "pdc.domain.local", that shouldn't/wouldn't have been big enough.

 

Given your member server is passing all the tests, I'm more suspect on the workstation side of things, specifically, what questions they're asking.

 

Putting the quick check from above aside then, can you run the following for me from an impacted workstation within a PowerShell console? Administrator rights are not required.

 

Get-DnsClientGlobalSetting;

nslookup -type=ALL domain.local. <IP-of-pdc.domain.local>

nslookup pdc.domain.local. <IP-of-pdc.domain.local>

nslookup rodc.domain.local. <IP-of-pdc.domain.local>

 

I'm curious to know what resolves and what does not. I've also mentioned search suffixes before, and the command on line 1 will show any that are configured. Here's an example of the output from line 1.

 

 

Here's example output for line 5 (which asks for all matching record types, making the bottom part of the results a bit busy, but useful) using my own test environment:

 

 

You should see your "pdc.domain.local" in the results, all things being equal. PS: I don't need to see these results, it's just something for you to check given you said "pdc.domain.local" isn't resolving from the clients even when talking directly to "pdc.domain.local".

 

Be sure to include the trailing period after each hostname as show on lines 3, 5 and 7. This is important as it instructs the DNS client to not append any client search suffixes.

 

So, if we let the IPv4 address of your "pdc.domain.local" = 192.168.1.1, then an example using line 3 from above would look like:

 

nslookup domain.local. 192.168.1.1

 

You can also use the -debug switch on nslookup to see what impact devolution is having (though this requires leaving the trailing period out.) For example, slightly changing line 3 from above to the following will show if the initial question is actually for domain.local or something else based on any search suffixes.

 

nslookup -debug domain.local 192.168.1.1

 

Cheers,

Lain

BrentStobbs's avatar
BrentStobbs
Brass Contributor
May 03, 2022
Thank you again Lain for your quick and thorough response.

I have now resolved the issue and I am feeling quite stupid about it. The workstations (both of them) I was testing with were configured for DirectAccess. As the NLS is not available on the network, it was trying to connect via Direct Access and hence using NRPT to resolve the domain name, additionally DirectAccess was not able to reach the Domain Controllers, and as it therefore failed to connect, it was causing the DNS issues.

I have removed the DirectAccess configuration for the workstation and things started working as expected.

I am going to mark this response as the best answer, but I do want you to know that it was in no small part due to your assistance. I would not have come to this conclusion without the hints you have provided and your guidance with troubleshooting. Sincerely, thank you very much, I was really struggling.
  • LainRobertson's avatar
    LainRobertson
    Silver Contributor
    May 03, 2022

    No worries! It's always a relief when you find a solution, and there aren't any silly ones.

    You wont be the last person to be caught out by name resolution policies, and as of Server 2016, there's now also DNS Server policies to add into the mix of "things you can't see that are undermining you." Lots of fun to be had troubleshooting DNS in this day and age.

    Cheers,
    Lain

Resources