Hi there,
We are experiencing some interesting behaviour when deploying a member server into a firewalled zone. Below is the scenario:
We have 2 AD sites configured, internal and B2B. The internal AD site contains all of our RWDCs (mix of 2003 R2 and 2008) while the B2B AD site is firewalled and contains two RODCs only. The RODCs (Win 2008) in the B2B network zone are able to replicate and communicate to the internal RWDCs successfully but member servers in the B2B zone cannot connect to the RWDCs in the internal zone due to the firewall.
When we build a new server (2008 R2), we install the SOE when it is on the internal zone and with an IP that is within the internal AD sites ranges. After joining the domain, we are able to login with domain credentials as you would expect. After the server is built, we move it into B2B zone and then modify its IP address.
After this we are unable to login with domain credentials. When executing "nltest /sc_query:domain" it reports that no logon servers are available. "nltest /dsgetsite" reports that it is still in the internal site, even though its current IP is within a range that falls under the B2B AD site. DNS is working fine (directed to the RODCs in the B2B site) and the server is able to ping and telnet on 389, 636, etc to the B2B RODCs.
After inserting a SiteName registry value under \\HKLM\System\CurrentControlSet\Services\Netlogon\Parameters forcing the member server to acknowledge it is in the B2B zone, we were able to successfully login with domain credentials.
What I'm specifically trying to understand is the process that the server takes in order to determine that it has changed IPs and therefore AD sites and what it is that could be preventing the server from dynamically discovering its new site and seeking out the RODCs for authentication?
Thanks in advance for any input!