Authentication fails when an external client tries to log on to a Windows Server 2008 server by using a read-only domain controller in a perimeter network
Note: If the server is permitted to authenticate the external client by using an internal domain controller (DC), the authentication is successful.
Note: If no results are generated from the DNS query, the DCLocator function that is called by the DSGetDCName function falls back to NetBIOS name resolution (WINS and broadcasts). However, if WINS is not configured and broadcasts are blocked, this fallback mechanism also fails.
If the firewall rules let the external client connect to at least one read/write domain controller (RWDC), the external client is redirected to the RODC. This behavior occurs as soon as the RWDC determines that the external client is in the RODC's site.
Note: When this occurs, both computers should be in the perimeter network.
Note: You can minimize the security effect of registering the generic DNS records by changing the LDAPSrvPriority value of the RODC in the remediation site to make sure that other available read-only domain controllers or read/write domain controllers are preferred. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
RegisterSiteSpecificDnsRecordsOnly: This DWORD value specifies that the RODC registers site-specific and alias (CName) records only. The default value for an RODC is 1 (TRUE). If you set this value to 0 (FALSE), the RODC tries to register all DNS records, including non-site-specific records.
Note: If you set this DWORD value to 0, you must grant the RODC the required write permission on the relevant DNS zones so that it can register all DNS records.
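The following PowerShell script is an added diagnostic, not code from this article. It reproduces the DCLocator lookups described above from the external client's point of view: it resolves the generic and the site-specific `_ldap._tcp` SRV records through the DNS server the external client uses, tests which of the returned domain controllers answer on the LDAP port through the firewall, and, when run on the RODC itself, reads the RegisterSiteSpecificDnsRecordsOnly and LDAPSrvPriority values. The domain name, site name and DNS server address are placeholders, and the Netlogon registry path is an assumption that the article does not state; confirm it for your build before relying on it.

```powershell
# Added diagnostic example (not from the KB article). Run from the external client's
# network position, or from a host that uses the same DNS server and firewall path.
# All values below are placeholders, not values taken from the article.

$DomainName = 'corp.example'      # placeholder: AD DNS domain name
$SiteName   = 'Perimeter'         # placeholder: AD site that contains the RODC
$DnsServer  = '192.0.2.53'        # placeholder: DNS server the external client queries
$LdapPort   = 389

# The two SRV names DCLocator queries: generic (domain-wide) and site-specific.
$GenericSrv      = "_ldap._tcp.dc._msdcs.$DomainName"
$SiteSpecificSrv = "_ldap._tcp.$SiteName._sites.dc._msdcs.$DomainName"

function Get-DcSrvTargets {
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type SRV -Server $DnsServer -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object {
                [pscustomobject]@{
                    Record   = $Name
                    Target   = $_.NameTarget
                    Priority = $_.Priority
                    Weight   = $_.Weight
                }
            }
    } catch {
        # No records at all: this is where DCLocator would fall back to WINS and
        # broadcasts, which a perimeter firewall normally blocks.
        Write-Warning "No SRV records for $Name ($($_.Exception.Message))"
    }
}

function Test-DcReachable {
    param([string]$Target)
    (Test-NetConnection -ComputerName $Target -Port $LdapPort `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}

$generic = @(Get-DcSrvTargets -Name $GenericSrv)
$site    = @(Get-DcSrvTargets -Name $SiteSpecificSrv)

"Generic record targets (what a client with no site mapping finds):"
($generic | Format-Table -AutoSize | Out-String)
"Site-specific record targets for site '$SiteName':"
($site | Format-Table -AutoSize | Out-String)

# An RODC left at the default RegisterSiteSpecificDnsRecordsOnly = 1 appears only in
# the site-specific list. If no generic target is reachable through the firewall
# either, the external client has no DC it can authenticate against.
$reachableGeneric = @($generic | Where-Object { Test-DcReachable -Target $_.Target })
if ($reachableGeneric.Count -eq 0) {
    Write-Warning "No DC from the generic SRV record answers on TCP $LdapPort from here."
} else {
    "Reachable generic targets: $($reachableGeneric.Target -join ', ')"
}

# On the RODC itself: confirm how it registers DNS records. The registry path is an
# assumption (the article does not give it); verify it for your build.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$props = Get-ItemProperty -Path $NetlogonParams `
    -Name 'RegisterSiteSpecificDnsRecordsOnly', 'LdapSrvPriority' -ErrorAction SilentlyContinue
"RegisterSiteSpecificDnsRecordsOnly = $($props.RegisterSiteSpecificDnsRecordsOnly) (1 = site-specific and CName records only, the RODC default)"
"LdapSrvPriority = $($props.LdapSrvPriority) (raise it so other DCs are preferred if you register generic records)"
```

An empty generic list together with no reachable generic target is the failure state the article describes; a generic list that contains the RODC after setting the DWORD to 0 is what the LDAPSrvPriority note asks you to weigh against other DCs.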
Article ID: 977510 - Last Review: 11/24/2009 04:40:32 - Revision: 1.1