Windows XP machines slow to start up in Windows 2008 RODC sites
I'm having an issue at all my sites that now have Windows 2008 RODCs, where the machine takes upwards of 20 minutes to apply settings before allowing the user to log on. When the user logs on, it is authenticated to a DC at another site, and also runs the startup files from another site (not the local RODC). Any insight? It's driving me crazy.
Yes, I do have password caching on the RODCs and in the group. I've verified and re-verified that the DNS entries for an RODC are present and correct. I've installed the compatibility pack, but no change.
September 3rd, 2010 4:24pm
Read carefully this:
Read-only domain controller and Kerberos authentication
Windows Vista includes new Kerberos authentication protocol features to further protect a Windows Server 2008 domain controller that is physically located in a branch office. With the read-only domain controller (RODC), the KDC issues TGTs to branch users only and forwards other requests to the hub domain controller.
In the Windows implementation, the keys used to create TGTs are derived from the password of the krbtgt account. This account and its password are typically replicated to every domain controller in the domain. In the branch office scenario, the risk of theft or unauthorized access to the local domain controller, and therefore the security of the krbtgt account, is typically greater. To mitigate this risk, the RODC has a unique krbtgt account that does not have all of the capabilities of a standard krbtgt account on a standard domain controller. If the RODC is compromised, the scope of the breach in regards to the krbtgt account information is limited to that RODC, not the other KDCs.
ref:
http://technet.microsoft.com/en-us/library/cc749438(WS.10).aspx
and
http://blogs.technet.com/b/askds/archive/2008/01/18/understanding-read-only-domain-controller-authentication.aspx
Edoardo Benussi - Microsoft MVP
Management Infrastructure - Systems Administration
https://mvp.support.microsoft.com/Profile/Benussi
Windows Server Italian Forum Moderator
edo[at]mvps[dot]org
September 3rd, 2010 5:14pm
Eduardo,
I understand how the authentication works with the RODCs and all the associated groups, but this does not explain why it takes 20+ minutes to load computer settings, and why the user logon does not use the local NETLOGON share for policies and scripts.
It's acting like the DC at the site does not exist. I've confirmed the NETLOGON share is there on the RODC.
September 3rd, 2010 5:52pm
Can you post here the ipconfig /all result from the RODC, from a client in this site, and from the domain controller on which the client authenticates itself?
Edoardo Benussi - Microsoft MVP
Management Infrastructure - Systems Administration
https://mvp.support.microsoft.com/Profile/Benussi
Windows Server Italian Forum Moderator
edo[at]mvps[dot]org
September 3rd, 2010 6:34pm
RODC
-----
Windows IP Configuration
Host Name . . . . . . . . . . . . : ARE1DC00002DC
Primary Dns Suffix . . . . . . . : inergyautomotive.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : inergyautomotive.com
Ethernet adapter Network Bridge:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : MAC Bridge Miniport
Physical Address. . . . . . . . . : 1E-C1-DE-03-A9-BC
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.251.145.75(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . : 10.251.145.67
DNS Servers . . . . . . . . . . . : 10.248.122.68
10.248.122.69
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Client
------
Configuración IP de Windows
Nombre del host . . . . . . . . . : are1ws00051
Sufijo DNS principal . . . . . . : inergyautomotive.com
Tipo de nodo . . . . . . . . . . : desconocido
Enrutamiento habilitado. . . . . .: No
Proxy WINS habilitado. . . . . : No
Lista de búsqueda de sufijo DNS: inergyautomotive.com
inapps.inergyautomotive.com
Adaptador Ethernet Local Area Connection :
Sufijo de conexión específica DNS : inergyautomotive.com
Descripción. . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Dirección física. . . . . . . . . : 00-19-BB-E3-A6-35
DHCP habilitado. . . . . . . . . : No
Autoconfiguración habilitada. . . : Sí
Dirección IP. . . . . . . . . . . : 10.251.145.114
Máscara de subred . . . . . . . . : 255.255.255.192
Puerta de enlace predeterminada : 10.251.145.67
Servidor DHCP . . . . . . . . . . : 10.251.145.75
Servidores DNS . . . . . . . . . .: 10.251.145.75
Concesión obtenida . . . . . . . : viernes, 03 de septiembre de 2010 17:49:29
Concesión expira . . . . . . . . .: sábado, 04 de septiembre de 2010 17:49:29
Also, here is the NLTest from the Client PC.
DC:
\\PIR1VM00001DC.inergyautomotive.com
Address: \\10.251.32.59
Dom Guid: ed43f0a8-b14e-4d7e-9ad9-97b09fafa46d
Dom Name: inergyautomotive.com
Forest Name: empty.root
Dc Site Name: Piraquara
Our Site Name: Arevalo
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
The command completed successfully
This is when I log on.
September 3rd, 2010 6:54pm
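The NLTest output above is the key symptom: the client reports "Our Site Name: Arevalo" but the DC it was handed is in site Piraquara and is WRITABLE, i.e. not the local RODC. The following script is an added example, not code from the thread or from Microsoft: it parses `nltest /dsgetdc:<domain>` output of the form posted here and reports the two things a troubleshooter would check first, a site mismatch between the client and the chosen DC, and the chosen DC not being the RODC expected for that site. The sample text is constructed to mirror the posted output, and the expected RODC name (`ARE1DC00002DC`) is taken from the ipconfig output in the same post.

```python
"""Parse `nltest /dsgetdc:<domain>` output and flag when a client in an
RODC site is being served by a domain controller from a different site.

Added example for this thread; not part of nltest or any Microsoft tool.
"""
import re

# Constructed sample that mirrors the NLTest output posted in the thread.
SAMPLE_NLTEST = """\
DC: \\\\PIR1VM00001DC.inergyautomotive.com
Address: \\\\10.251.32.59
Dom Guid: ed43f0a8-b14e-4d7e-9ad9-97b09fafa46d
Dom Name: inergyautomotive.com
Forest Name: empty.root
Dc Site Name: Piraquara
Our Site Name: Arevalo
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
The command completed successfully
"""

# Matches "Key: value" lines; the key is the text before the first colon.
_LINE_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_nltest(text):
    """Return the nltest fields as a dict; the Flags line becomes a set."""
    info = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # e.g. "The command completed successfully"
        key, value = m.group(1), m.group(2)
        info[key] = set(value.split()) if key == "Flags" else value
    return info


def dc_hostname(info):
    """Short host name of the DC the locator returned (strip \\\\ and domain)."""
    return info.get("DC", "").lstrip("\\").split(".")[0].upper()


def locator_findings(info, expected_local_dc=None):
    """Return human-readable findings about the DC the locator chose.

    expected_local_dc: short name of the RODC that should serve this site
    (an assumption supplied by the caller, e.g. from ipconfig on the RODC).
    """
    findings = []
    dc_site = info.get("Dc Site Name")
    our_site = info.get("Our Site Name")
    if dc_site and our_site and dc_site != our_site:
        findings.append(
            f"site mismatch: client is in site {our_site} but was given "
            f"{info.get('DC')} in site {dc_site}"
        )
    if expected_local_dc and dc_hostname(info) != expected_local_dc.upper():
        kind = "writable DC" if "WRITABLE" in info.get("Flags", set()) else "DC"
        findings.append(
            f"unexpected DC: got {kind} {dc_hostname(info)}, expected the "
            f"local RODC {expected_local_dc.upper()}"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_nltest(SAMPLE_NLTEST)
    for finding in locator_findings(parsed, expected_local_dc="ARE1DC00002DC"):
        print(finding)
```

To use it on a real client, capture `nltest /dsgetdc:inergyautomotive.com` into a file and pass its contents to `parse_nltest`; an empty findings list means the locator handed the client a DC in its own site and the expected RODC. On the posted output both findings fire, which narrows the investigation to site and subnet assignment in AD Sites and Services and to the RODC's own DC locator records, rather than to Kerberos or password caching.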