Hello everyone,
OK, maybe I really am just too dumb!!!!!
I've now tried it 1000 times in all sorts of ways, as explained here.
We have the following test setup:
1 PDC (writable DC) testdc02
1 RODC with QNAP firmware 4.2.0 (Samba 4) named srv883601
The RODC is in a site named biberbruggsite1
The following works:
- Password caching and login even when testdc02 is offline.
- Access to the shares
Access seems to fail intermittently; after a killall smbd it works again. The following error messages also relate to this:
Event-log error 1:
The following directory service made a replication request to replicate attributes in filtered set that has been denied by the local directory service. The requesting directory service does not have access to replicate attributes in the filtered set.
Requesting directory service:
9a88c129-915b-4036-afa2-320d26699b62 (SRV883601.caritas.lab)
Directory partition:
DC=caritas,DC=lab
User Action
If the requesting directory service should get attributes in filtered list, verify that the security descriptor on this directory partition has the correct configuration for the Replication Get Changes In Filtered Set access right. You may also get this message when the attributes in filtered set are different between source and destination DCs because of recent schema change. This message will cease when the schema is in sync between the destination and source DCs.
Event-log error 2:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 11.11.2015 13:44:22
Event ID: 1645
Task Category: DS RPC Client
Level: Error
Keywords: Classic
User: ANONYMOUS-ANMELDUNG
Computer: testdc02.caritas.lab
Description:
Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
Destination directory server:
9a88c129-915b-4036-afa2-320d26699b62._msdcs.caritas.lab
SPN:
E3514235-4B06-11D1-AB04-00C04FC2DCD2/9a88c129-915b-4036-afa2-320d26699b62/caritas.lab@caritas.lab
User Action
Verify that the names of the destination directory server and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination directory server has been recently promoted, it will be necessary for the local directory server’s account data to replicate to the KDC before this directory server can be authenticated.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="49152">1645</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>22</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2015-11-11T12:44:22.049568000Z" />
<EventRecordID>189</EventRecordID>
<Correlation />
<Execution ProcessID="476" ThreadID="624" />
<Channel>Directory Service</Channel>
<Computer>testdc02.caritas.lab</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
<Data>9a88c129-915b-4036-afa2-320d26699b62._msdcs.caritas.lab</Data>
<Data>E3514235-4B06-11D1-AB04-00C04FC2DCD2/9a88c129-915b-4036-afa2-320d26699b62/caritas.lab@caritas.lab</Data>
</EventData>
</Event>
The following does not work:
- Access to the GPO on the RODC
A few screenshots are attached.
I hope someone else has had more success!
Kind regards
Mike
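For triage of the Event 1645 record quoted in the post above, here is an added example (not part of the original post) that parses the event XML and splits the unresolved SPN into its parts. The function name `parse_event_1645` is hypothetical, and the SPN layout assumed is DRS RPC interface GUID / destination DSA GUID / domain, as seen in the record.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DRS_INTERFACE = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"  # DRSUAPI RPC interface UUID
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

# Constructed sample: the Event 1645 record from the post, trimmed to the fields used.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID Qualifiers="49152">1645</EventID>
<Computer>testdc02.caritas.lab</Computer></System>
<EventData>
<Data>9a88c129-915b-4036-afa2-320d26699b62._msdcs.caritas.lab</Data>
<Data>E3514235-4B06-11D1-AB04-00C04FC2DCD2/9a88c129-915b-4036-afa2-320d26699b62/caritas.lab@caritas.lab</Data>
</EventData></Event>"""

def parse_event_1645(xml_text):
    """Return the replication SPN components from an Event 1645 record."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "1645":
        raise ValueError(f"not an Event 1645 record: {event_id}")
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) != 2:
        raise ValueError("expected two Data elements (destination, SPN)")
    dest, spn = data
    m = re.fullmatch(rf"({GUID})/({GUID})/([^@/]+)@(.+)", spn)
    if not m:
        raise ValueError(f"unexpected SPN format: {spn}")
    iface, dsa_guid, domain, _realm = m.groups()
    # The destination is addressed as <DSA GUID>._msdcs.<forest root zone>.
    dest_guid, _, dest_zone = dest.partition("._msdcs.")
    return {
        "reporting_dc": root.findtext("e:System/e:Computer", namespaces=NS),
        "spn": spn.rsplit("@", 1)[0],  # SPN without the realm suffix
        "dsa_guid": dsa_guid.lower(),
        "domain": domain,
        "is_drs_spn": iface.upper() == DRS_INTERFACE,
        "guid_matches_destination": dest_guid.lower() == dsa_guid.lower(),
        "zone_matches_domain": dest_zone.lower() == domain.lower(),
    }

if __name__ == "__main__":
    for key, value in parse_event_1645(SAMPLE).items():
        print(f"{key}: {value}")
```

The `dsa_guid` it returns is the same GUID that event-log error 1 reports for SRV883601, so both errors point at the RODC's replication identity.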