Forum.Brain-Cluster.com: Brain Cluster Technical Forum
RODC Chaining [message #161912] Fri, 09 October 2009 01:44
Cuper (Australia)
Messages: 2
Registered: October 2009
Junior Member
What happens when a client whose creds are not cached and its entry is not
found in the chaining table? Will the RODC provide the time from the response it
gets from the RWDC, or will the client's time sync request fail?
Re: RODC Chaining [message #161915 is a reply to message #161912] Fri, 09 October 2009 01:52
meiweb (Germany)
Messages: 2225
Registered: September 2009
Senior Member
Hello Cuper,

I cannot really follow your posting. Do you mean user logons where
the password is not cached on the RODC, or workstations
in the site with the RODC and time synchronization of the workstation to the
domain time?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Re: RODC Chaining [message #161918 is a reply to message #161915] Fri, 09 October 2009 02:07
Cuper (Australia)
Messages: 2
Registered: October 2009
Junior Member
I believe that the way branch office clients (workstations) sync time
depends on whether their creds are cached on the RODC. If they are cached,
the RODC provides the time; otherwise the RODC forwards the client's time
sync request to the upstream RWDC and forwards the response from the
RWDC back to the client. Is my understanding correct?

To keep track of time requests that have been forwarded to the RWDC, the
RODC maintains a chaining table with all the details. See the link below:
http://technet.microsoft.com/en-us/library/cc754218(WS.10).aspx

In this link it says:
The RODC receives the response from the writable domain controller. An RODC
always attempts to match a response to an entry in the chaining table. The
response from the writable domain controller contains both the RID and the
OriginateTimestamp value, which the RODC matches to an entry in the chaining
table.
If an entry is found, the RODC forwards the request to the IP address in the
chaining table.
***If an entry is not found, the RODC assumes that the RODC itself sent a
request to the writable domain controller, and the RODC processes the
response accordingly.***

RODC processes the response accordingly?? What does it do?
Re: RODC Chaining [message #161924 is a reply to message #161918] Fri, 09 October 2009 03:08
meiweb (Germany)
Messages: 2225
Registered: September 2009
Senior Member
Hello Cuper,

If I understand this correctly, it means the RODC is the originator of the time
request and will not forward any authentication response to a client.

"In the Windows Server 2008 and Windows Server 2008 R2, in the case of the
read-only domain controller (RODC) as the server, if the RODC does not store
the cryptographic key locally, the server validates the RID. If the RID identifies
a valid object, the server forwards the original Client NTP Request message
to its own time source, which must be a writable domain controller. The writable
domain controller that has the cryptographic key authenticates the client's
request instead. On receiving the response from the writable domain controller,
the RODC forwards the response to the client. This process is known as "chaining".
If the RID is not identified as a valid object, the server fails the authentication
and ignores the request without responding."

From: http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-SNTP%5D.pdf

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
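A small simulation of the RODC-side decision logic that the TechNet passage (chaining table keyed by RID and OriginateTimestamp) and the MS-SNTP passage (sign locally, chain to the writable DC, or drop on an invalid RID) describe. This is an added example, not code from the thread or from Microsoft; the class and field names, the outcome strings and the sample RIDs and addresses are assumptions, and it also covers the "no matching entry" case the original question asks about.

```python
from dataclasses import dataclass, field


@dataclass
class NtpRequest:
    rid: int            # RID carried in the request's key identifier
    originate_ts: int   # OriginateTimestamp set by the client
    client_ip: str      # where the answer must eventually be sent


@dataclass
class NtpResponse:
    rid: int            # RID and OriginateTimestamp are echoed back by the RWDC
    originate_ts: int


@dataclass
class Rodc:
    """Constructed model of an RODC handling MS-SNTP authenticated requests."""
    cached_rids: set    # accounts whose secrets the PRP allowed the RODC to cache
    known_rids: set     # RIDs that exist in the RODC's read-only directory copy
    upstream: str = "RWDC1"
    # (rid, originate_ts) -> client IP, exactly the key the TechNet text describes
    chaining_table: dict = field(default_factory=dict)
    forwarded: list = field(default_factory=list)   # constructed audit log

    def handle_request(self, req: NtpRequest) -> str:
        if req.rid in self.cached_rids:
            return "signed-locally"          # RODC holds the key: answers itself
        if req.rid not in self.known_rids:
            return "dropped"                 # invalid RID: auth fails, no response sent
        # Valid RID but key not cached: record the client and chain to the RWDC
        self.chaining_table[(req.rid, req.originate_ts)] = req.client_ip
        self.forwarded.append((self.upstream, req.rid, req.originate_ts))
        return "chained"

    def handle_response(self, resp: NtpResponse) -> str:
        client_ip = self.chaining_table.pop((resp.rid, resp.originate_ts), None)
        if client_ip is None:
            # No entry: the RODC assumes it originated the request (its own sync)
            return "consumed-by-rodc"
        return f"forwarded-to:{client_ip}"   # matched: relay the RWDC's answer
```

Each response is matched and its entry removed, so a second copy of the same response is treated as the RODC's own time sync rather than relayed again.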
Re: RODC Chaining [message #161929 is a reply to message #161912] Fri, 09 October 2009 06:37
pbbergs (United States)
Messages: 1024
Registered: July 2009
Senior Member
The time request from the client is sent to an RODC. If the RODC doesn't
have a PRP entry for the client computer, it forwards the request to the RODC's
time source; this time source answers the request and sends it back to
the RODC, which in turn sends it back to the client requesting the time.


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
Re: RODC Chaining [message #162058 is a reply to message #161912] Wed, 14 October 2009 13:38
SubstituteThisWithMyF (Netherlands)
Messages: 85
Registered: October 2009
Member
Authentication is forwarded to an RWDC when an RODC does not cache the
password of a certain account (user or computer).

NTP requests are signed. Because the RODC does not have the password of the
client cached, it will need to forward the request to an RWDC to sign the NTP response.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!