Kerberos Constrained Delegation (KCD) and Read Only DCs (RODC)


G'day all,

We have configured a RODC in our DMZ as per the Microsoft Whitepaper.

http://technet.microsoft.com/en-us/library/dd728035(v=ws.10).aspx 

We have a TMG server in our DMZ that is joined to the domain and communicating to the RODC for authentication.

We have issues when attempting to request a Kerberos ticket via KCD.

There is a Cisco Firewall between the DMZ and our internal network, and the TMG server is configured in single nic mode.

Looking through the logs on the Cisco firewall, it seems the TMG server is attempting to perform LDAP and Kerberos to internal RWDCs.

Opening up traffic from the TMG server to one internal RWDC allows the Kerberos ticket to be issued.

This is not how we would like it to work, however; we want the TMG server to query the RODC in the DMZ for the Kerberos ticket, as per the authentication guide:

http://technet.microsoft.com/en-us/library/cc754218(WS.10).aspx#BKMK_AuthRODC

Checking on the RODC, the SPN is visible.

My initial thoughts are that the DMZ is still resolving our domain to the internal writable DCs.

I have configured the DNS server on the RODC as per this guide to support generic DNS queries:

http://blogs.technet.com/b/instan/archive/2009/03/24/troubleshooting-rodc-s-troubleshooting-rodc-location-in-the-dmz.aspx 

I'm not sure whether to set RegisterSiteSpecificDnsRecordsOnly to 1 or 0, and whether I need to create a DNS record for Kerberos lookups?

Any help would be greatly appreciated.

Cheers

Chris
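One way to check the suspicion in the post that the DMZ resolver still hands out the internal writable DCs is to query the DC locator SRV records the TMG server relies on and compare their targets against the RODC. This is an added diagnostic example, not code from the original post or from Microsoft; the domain name, site name and RODC host name are placeholders, and it assumes a Windows host with the DnsClient module (Resolve-DnsName) and the built-in nltest tool.

```powershell
# Added example (not from the original post). Replace the placeholders below
# with the AD DNS domain, the AD site that contains the DMZ RODC, and the
# RODC's fully qualified host name.
$Domain   = 'corp.example.com'             # placeholder
$DmzSite  = 'DMZ'                          # placeholder AD site name
$RodcName = 'rodc01.corp.example.com'      # placeholder RODC FQDN

# Domain-wide and site-specific DC locator records a domain member consults
# when it needs a KDC (_kerberos) or a DC for LDAP (_ldap). The site-specific
# ones are what RegisterSiteSpecificDnsRecordsOnly is meant to limit the RODC to.
$Queries = @(
    "_kerberos._tcp.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$DmzSite._sites.dc._msdcs.$Domain",
    "_ldap._tcp.$DmzSite._sites.dc._msdcs.$Domain"
)

function Test-DcLocatorRecords {
    param([string[]]$Names, [string]$ExpectedDc)
    foreach ($name in $Names) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        } catch {
            # No answer: the DMZ resolver does not know this record at all.
            [pscustomobject]@{ Record = $name; Target = '<no answer>'; IsRodc = $false }
            continue
        }
        foreach ($r in $srv) {
            [pscustomobject]@{
                Record = $name
                Target = $r.NameTarget
                IsRodc = ($r.NameTarget -ieq $ExpectedDc)
            }
        }
    }
}

$results = Test-DcLocatorRecords -Names $Queries -ExpectedDc $RodcName
$results | Format-Table -AutoSize

# Any target that is not the RODC is a writable DC the DMZ host may try to
# reach through the firewall, which matches the blocked traffic in the logs.
$leaks = $results | Where-Object { -not $_.IsRodc -and $_.Target -ne '<no answer>' }
if ($leaks) { Write-Warning "DMZ resolver returns internal DCs: $($leaks.Target -join ', ')" }

# Ask the DC locator directly which KDC it picks for this site.
nltest /dsgetdc:$Domain /site:$DmzSite /kdc
```

Run it on the TMG server itself, since the question is what that host's resolver and DC locator return, not what the RODC's DNS zone contains.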
