We're having issues with clients authenticating to the client VPN if the domain controller it's pointing to is a read-only domain controller.
Is this a known issue/restriction in place? As soon as I point it to a full DC, it works fine.
We use RODCs in small branch sites for security reasons, so if it's a restriction and we need to point the auth activities to another site, it slightly defeats the purpose of giving staff the ability to come in through another site (if one site is down, for example).
Thanks!
Can any clients authenticate through a RODC?
Also, do any clients have authentication issues when signing into the site with the primary DC?
No, no one can VPN through the MX65W when it's pointing to a RODC for AD authentication.
Once I changed the AD controller it's pointing at to a full DC, authentication is fine.
I don't know the answer.
You also don't say whether you are using RADIUS (via NPS) or Active Directory authentication.
I see NPS has quite a few restrictions when used with an RODC. Search this article for NPS:
https://support.microsoft.com/en-nz/help/4053480/rodc-application-compatibility
Have you enabled the Password Replication Policy on your RODC? Password caching needs to be enabled on them to be able to use LDAPS against them.
Also, have you enabled LDAPS on those RODCs? The RODC needs a certificate installed to enable this.
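The two preconditions raised in the reply above (the user falling under the RODC's Password Replication Policy and actually being cached, and the RODC answering LDAPS on 636) can be checked from a domain-joined admin workstation. The following PowerShell is an added example, not code from the original thread or from Meraki; it assumes the ActiveDirectory RSAT module is installed, that you run it with domain-admin-level rights, and the `$RodcName` and `$UserName` placeholders are hypothetical values you replace with your own.

```powershell
# Added example (not from the original thread): verify RODC password caching
# and LDAPS reachability for one user before pointing the MX at the RODC.
# Assumes the ActiveDirectory RSAT module and domain-admin-level rights.
param(
    [string]$RodcName = 'RODC01',    # assumption: hostname of the branch RODC
    [string]$UserName = 'vpnuser'    # assumption: sAMAccountName of a VPN user
)

Import-Module ActiveDirectory

# 1. Confirm the target really is a read-only DC and which site it serves.
$rodc = Get-ADDomainController -Identity $RodcName
"{0}: IsReadOnly={1}, Site={2}" -f $rodc.HostName, $rodc.IsReadOnly, $rodc.Site

# 2. Show the RODC's Password Replication Policy. The user must be covered by
#    the Allowed list (directly or via a group such as
#    'Allowed RODC Password Replication Group') and not by the Denied list.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied
"Allowed PRP entries: " + (($allowed | ForEach-Object Name) -join ', ')
"Denied  PRP entries: " + (($denied  | ForEach-Object Name) -join ', ')

# 3. Being allowed is not the same as being cached: the secret is only stored
#    on the RODC after a first successful logon through it (or a pre-population).
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
          Where-Object SamAccountName -eq $UserName
if ($cached) { "$UserName is cached on $RodcName" }
else         { "$UserName is NOT cached on $RodcName (first logon will depend on a writable DC)" }

# Optional: pre-populate the cache from a writable DC so the branch keeps
# working if the WAN to the hub drops. <WritableDC> is a placeholder.
# Sync-ADObject -Object $UserName -Source <WritableDC> -Destination $RodcName -PasswordOnly

# 4. Attempt a TLS-protected LDAP bind on 636. Without a Server Authentication
#    certificate on the RODC the bind fails with a TLS/certificate error.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($rodc.HostName, 636, $false, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try {
    $conn.Bind()   # binds as the current user; throws if TLS or the bind fails
    "LDAPS bind to $($rodc.HostName):636 succeeded"
} catch {
    "LDAPS bind to $($rodc.HostName):636 failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

Step 3 is the one that usually surprises people: a user can be listed as allowed and still not be cached, so the RODC forwards that user's first authentication to a writable DC. If that path is down at the time, the logon fails even though the policy looks correct.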
Using AD auth.
Password replication policy is in place, but I don't believe LDAPS is in place. Would we need to have a CA server running in the environment in order to use LDAPS?
Just to close the loop on this one - it was a fairly simple fix in the end.