Setting up two servers in our DMZ for ADFS proxy roles. I did a DJOIN to add them to the domain and they seem to be authenticating all right against our RODC, as admins can RDP using domain credentials; however, I'm getting a NETLOGON 5721 constantly. I've verified that the computer account does in fact exist on the RODC as well as our PDC/all other RWDCs. Also seeing a GroupPolicy 1109 warning fairly consistently. Any help is appreciated, even if the answer is that this is normal. :)
Log Name: System
Source: NETLOGON
Date: 10/22/2012 3:56:52 PM
Event ID: 5721
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: sjc04-adfs-fsp1.domain.com
Description:
The session setup to the Windows NT or Windows 2000 Domain Controller \\SJC04-EPD-RODC3.domain.com for the domain domain failed because the Domain Controller did not have an account SJC04-ADFS-FSP1$ needed to set up the session by this computer SJC04-ADFS-FSP1.
ADDITIONAL DATA
If this computer is a member of or a Domain Controller in the specified domain, the aforementioned account is a computer account for this computer in the specified domain. Otherwise, the account is an interdomain trust account with the specified domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NETLOGON" />
<EventID Qualifiers="0">5721</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-10-22T22:56:52.000000000Z" />
<EventRecordID>5127</EventRecordID>
<Channel>System</Channel>
<Computer>sjc04-adfs-fsp1.domain.com</Computer>
<Security />
</System>
<EventData>
<Data>\\SJC04-EPD-RODC3.domain.com</Data>
<Data>domain</Data>
<Data>SJC04-ADFS-FSP1</Data>
<Data>SJC04-ADFS-FSP1$</Data>
<Binary>8B0100C0</Binary>
</EventData>
</Event>
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 10/22/2012 3:58:16 PM
Event ID: 1109
Task Category: None
Level: Warning
Keywords:
User: DOMAIN\alex
Computer: sjc04-adfs-fsp1.domain.com
Description:
The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be aquired from the User Configuration of these policies.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
<EventID>1109</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-10-22T22:58:16.846220200Z" />
<EventRecordID>5140</EventRecordID>
<Correlation ActivityID="{1500BBC7-D089-4C89-B134-E100614E492C}" />
<Execution ProcessID="836" ThreadID="2388" />
<Channel>System</Channel>
<Computer>sjc04-adfs-fsp1.domain.com</Computer>
<Security UserID="S-1-5-21-359538278-52765162-2211038576-31747" />
</System>
<EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">1779</Data>
<Data Name="ProcessingMode">1</Data>
<Data Name="ProcessingTimeInMilliseconds">530</Data>
<Data Name="DCName">
</Data>
</EventData>
</Event>
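A diagnostic for the 5721 above, added here and not from the original post: it decodes the event's Binary field to an NTSTATUS, checks the RODC's password replication policy for the ADFS proxy's computer account, and exercises the secure channel against that RODC. The RSAT ActiveDirectory module being present, a domain-admin context on the member server, and the host/domain names copied from the event's Data fields are assumptions.

```powershell
# Added diagnostic for the NETLOGON 5721 above; not part of the original post.
# Assumes: run on the member server as a domain admin, the RSAT ActiveDirectory
# module is available there, and the names below match the event's Data fields.
$Rodc    = 'SJC04-EPD-RODC3.domain.com'   # DC named in the event (Data[0])
$Account = 'SJC04-ADFS-FSP1$'             # computer account named in the event (Data[3])

# 1. Read the newest 5721 and decode its Binary field. The four bytes are a
#    little-endian NTSTATUS: 8B0100C0 -> 0xC000018B, STATUS_NO_TRUST_SAM_ACCOUNT,
#    i.e. the DC that answered had no usable account/secret for this host.
function Get-NetlogonStatus {
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5721 } -MaxEvents 1
    $xml = [xml]$evt.ToXml()
    $hex = $xml.Event.EventData.Binary
    $bytes = [byte[]](0..($hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })
    [pscustomobject]@{
        DC       = $xml.Event.EventData.Data[0]
        Account  = $xml.Event.EventData.Data[3]
        NTSTATUS = ('0x{0:X8}' -f [BitConverter]::ToUInt32($bytes, 0))
    }
}
Get-NetlogonStatus

# 2. If the RODC does not hold this computer's secret it has to forward the
#    secure-channel setup to a writable DC, so check whether caching is allowed
#    for the account and whether the RODC has actually revealed (cached) it.
Import-Module ActiveDirectory
$rodcName = ($Rodc -split '\.')[0]
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -RevealedAccounts |
    Where-Object { $_.SamAccountName -eq $Account } |
    Select-Object SamAccountName, DistinguishedName

# 3. Confirm the RODC's own copy of the object is current (the post already
#    verified it exists) and query/test the secure channel against that DC.
Get-ADComputer -Identity $Account -Server $Rodc -Properties pwdLastSet, userAccountControl |
    Select-Object Name, userAccountControl,
        @{ n = 'pwdLastSet'; e = { [datetime]::FromFileTime($_.pwdLastSet) } }
Test-ComputerSecureChannel -Server $Rodc -Verbose   # read-only without -Repair
nltest /sc_query:domain.com                          # shows which DC the channel currently uses
```

If step 2 shows the account is not allowed or not yet revealed, that is the first thing to reconcile with the PRP before treating the 5721 as noise.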