Windows XP machines slow to start up in Windows 2008 RODC sites
I'm having an issue at all my sites that now have Windows 2008 RODCs, where the machine takes upwards of 20 minutes to apply settings before allowing the user to log on. When the user logs on, it is authenticated to a DC at another site, and also runs the startup files from another site (not the local RODC). Any insight? It's driving me crazy. Yes, I do have password caching on the RODCs and in the group. I've verified and re-verified that the DNS entries for an RODC are present and correct. I've installed the compatibility pack, but no change.
September 3rd, 2010 4:24pm

Read this carefully:

Read-only domain controller and Kerberos authentication

Windows Vista includes new Kerberos authentication protocol features to further protect a Windows Server 2008 domain controller that is physically located in a branch office. With the read-only domain controller (RODC), the KDC issues TGTs to branch users only and forwards other requests to the hub domain controller.

In the Windows implementation, the keys used to create TGTs are derived from the password of the krbtgt account. This account and its password are typically replicated to every domain controller in the domain. In the branch office scenario, the risk of theft or unauthorized access to the local domain controller—and therefore the security of the krbtgt account—is typically greater. To mitigate this risk, the RODC has a unique krbtgt account that does not have all of the capabilities of a standard krbtgt account on a standard domain controller. If the RODC is compromised, the scope of the breach in regards to the krbtgt account information is limited to that RODC, not the other KDCs.

ref: http://technet.microsoft.com/en-us/library/cc749438(WS.10).aspx and http://blogs.technet.com/b/askds/archive/2008/01/18/understanding-read-only-domain-controller-authentication.aspx

Edoardo Benussi - Microsoft MVP Management Infrastructure - Systems Administration
https://mvp.support.microsoft.com/Profile/Benussi
Windows Server Italian Forum Moderator
edo[at]mvps[dot]org
September 3rd, 2010 5:14pm

Edoardo, I understand how the authentication works with the RODCs, and all the associated groups, but this does not explain why it takes 20+ minutes to load computer settings, and why does the user login not use the local NETLOGON share for policies and scripts? It's acting like the DC at the site does not exist. I've confirmed the NETLOGON share is there on the RODC.
September 3rd, 2010 5:52pm

Can you post here the ipconfig /all result from the RODC, from a client in this site, and from the domain controller on which the client authenticates itself?

Edoardo Benussi - Microsoft MVP Management Infrastructure - Systems Administration
https://mvp.support.microsoft.com/Profile/Benussi
Windows Server Italian Forum Moderator
edo[at]mvps[dot]org
September 3rd, 2010 6:34pm

RODC
-----
Windows IP Configuration

   Host Name . . . . . . . . . . . . : ARE1DC00002DC
   Primary Dns Suffix . . . . . . . : inergyautomotive.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : inergyautomotive.com

Ethernet adapter Network Bridge:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : MAC Bridge Miniport
   Physical Address. . . . . . . . . : 1E-C1-DE-03-A9-BC
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.251.145.75(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.192
   Default Gateway . . . . . . . . . : 10.251.145.67
   DNS Servers . . . . . . . . . . . : 10.248.122.68
                                       10.248.122.69
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Client
------
Configuración IP de Windows

   Nombre del host . . . . . . . . . : are1ws00051
   Sufijo DNS principal . . . . . . : inergyautomotive.com
   Tipo de nodo . . . . . . . . . . : desconocido
   Enrutamiento habilitado. . . . . .: No
   Proxy WINS habilitado. . . . . : No
   Lista de búsqueda de sufijo DNS: inergyautomotive.com
                                    inapps.inergyautomotive.com

Adaptador Ethernet Local Area Connection :

   Sufijo de conexión específica DNS : inergyautomotive.com
   Descripción. . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Dirección física. . . . . . . . . : 00-19-BB-E3-A6-35
   DHCP habilitado. . . . . . . . . : No
   Autoconfiguración habilitada. . . : Sí
   Dirección IP. . . . . . . . . . . : 10.251.145.114
   Máscara de subred . . . . . . . . : 255.255.255.192
   Puerta de enlace predeterminada : 10.251.145.67
   Servidor DHCP . . . . . . . . . . : 10.251.145.75
   Servidores DNS . . . . . . . . . .: 10.251.145.75
   Concesión obtenida . . . . . . . : viernes, 03 de septiembre de 2010 17:49:29
   Concesión expira . . . . . . . . .: sábado, 04 de septiembre de 2010 17:49:29

Also, here is the NLTest from the Client PC.

           DC: \\PIR1VM00001DC.inergyautomotive.com
      Address: \\10.251.32.59
     Dom Guid: ed43f0a8-b14e-4d7e-9ad9-97b09fafa46d
     Dom Name: inergyautomotive.com
  Forest Name: empty.root
 Dc Site Name: Piraquara
Our Site Name: Arevalo
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
The command completed successfully

This is when I log on.
September 3rd, 2010 6:54pm
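
Added example, not part of the original thread: a small Python parser for the NLTest DC-locator output posted above, which reports when the located DC sits in a different site than the client and is advertised as writable (so it cannot be the local RODC). The finding codes and function names are hypothetical; the sample text is constructed from the output quoted in the post.

```python
import re

# Constructed sample: the nltest output quoted in the thread, one field per line.
SAMPLE = r"""
           DC: \\PIR1VM00001DC.inergyautomotive.com
      Address: \\10.251.32.59
     Dom Guid: ed43f0a8-b14e-4d7e-9ad9-97b09fafa46d
     Dom Name: inergyautomotive.com
  Forest Name: empty.root
 Dc Site Name: Piraquara
Our Site Name: Arevalo
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
The command completed successfully
"""

# "Name: value" lines; field names consist of letters and spaces only.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def parse_dsgetdc(text):
    """Parse DC-locator output into a dict; 'Flags' becomes a set of tokens."""
    info = {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            info[match.group(1).strip()] = match.group(2).strip()
    info["Flags"] = set(info.get("Flags", "").split())
    return info


def locator_findings(info):
    """Return finding codes (hypothetical names) for the located DC."""
    findings = []
    dc_site, our_site = info.get("Dc Site Name"), info.get("Our Site Name")
    if not dc_site or not our_site:
        # One of the site names is missing from the output.
        findings.append("SITE_UNKNOWN")
    elif dc_site.lower() != our_site.lower():
        findings.append("CROSS_SITE_DC")
    if "WRITABLE" in info["Flags"]:
        # An RODC is not advertised as writable, so this is a full DC.
        findings.append("WRITABLE_DC")
    return findings


if __name__ == "__main__":
    parsed = parse_dsgetdc(SAMPLE)
    print(parsed["DC"], locator_findings(parsed))
```
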

This topic is archived. No further replies will be accepted.
