Why do DMZ machines contact writable dc instead of RODCs?

Samuele Contini 0 Reputation points
2025-02-05T11:33:57.8433333+00:00

Good morning,

I have a question regarding RODCs and DMZs.

I have a domain where I have several sites including a “DMZ” site. Within it there are multiple Client and Server machines and 2 RODCs. Through the firewall I have allowed traffic from the 2 RODCs to the DCs in production, inhibiting any other communication to the outside of the DMZ. The only possible connections are via RDP to Clients and Servers in the DMZ.

Now what I expect from the RODCs is that they have cached passwords of the users that are added to the “Allowed RODC Password Replication Group” while those that are not added to this group must authenticate via a Writable DC. However, whoever makes the authentication call should not be the “client” or “server” but should be the RODC.

Unfortunately, however, I see calls occurring from those machines to Writable DCs (obviously failing for the firewall).

I put the RODCs in the DMZ site and the Subnet in the same site. What am I doing wrong or not understanding?

From what I've read, this doesn't seem like correct behavior.

Thanks!


1 answer

  1. Marcin Policht 39,840 Reputation points MVP
    2025-02-05T12:42:32.0366667+00:00

    For starters, it's not recommended to have more than one RODC per site (to ensure consistent caching behavior). Regarding the behavior you're seeing, verify the following:

    • There is a separate site representing the DMZ location
    • The DNS records reflect the fact that the site coverage is provided by RODC
    • You have cached the passwords of the computer accounts in DMZ, in addition to user accounts

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

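The three checks in the answer above, as an added PowerShell script that is not part of the thread. It assumes placeholder names (domain contoso.com, site DMZ, RODC DMZ-RODC1, DMZ member DMZ-SRV01) and the ActiveDirectory RSAT module on a workstation that can reach a writable DC.

```powershell
# Added example, not from the original thread. All names below are placeholders.
Import-Module ActiveDirectory

$Domain = 'contoso.com'   # placeholder domain
$Site   = 'DMZ'           # placeholder AD site name
$Rodc   = 'DMZ-RODC1'     # placeholder RODC hostname
$Member = 'DMZ-SRV01'     # placeholder computer account in the DMZ

# 1. Site and subnet: the DMZ subnets must map to the DMZ site, otherwise the
#    members fall into the default site and locate a writable DC directly.
Get-ADReplicationSite -Identity $Site
Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -match "CN=$Site," } |
    Select-Object Name, Site

# 2. DNS site coverage: the site-specific SRV records should name the RODC only.
#    If a writable DC also registers here (automatic site coverage), DMZ members
#    will try to talk to it, which is the traffic the firewall is dropping.
foreach ($svc in '_ldap', '_kerberos') {
    Resolve-DnsName -Name "$svc._tcp.$Site._sites.dc._msdcs.$Domain" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Priority, Weight
}
# DC locator from a DMZ member's point of view (run on that member):
#   nltest /dsgetdc:$Domain /site:$Site /force

# 3. Password Replication Policy: the DMZ computer accounts, not only the users,
#    must be allowed AND already cached; an uncached secret is forwarded to a
#    writable DC at logon time.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass

$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$cached   = $revealed | Where-Object { $_.SamAccountName -eq "$Member`$" }
if ($cached) {
    "$Member secret is cached on $Rodc"
} else {
    $dn = (Get-ADComputer -Identity $Member).DistinguishedName
    "$Member is NOT cached on $Rodc; prepopulate it with:"
    "  repadmin /rodcpwdrepl $Rodc <writable-dc> `"$dn`""
}
```

Run the checks in order: a subnet that resolves to the wrong site or an SRV record pointing at a writable DC explains the direct calls before the PRP does.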
