We have an internal domain controller I've been authenticating against for development. Externally, we use a read-only copy with a slightly different name.
Since the username is the same, I thought simply changing it to the proper RODC would be all that's needed.
Unfortunately it's not working. I've tested this connection in ADSI Edit and it's connecting as it should on both my local box and the DMZ box. Any tips on diagnosing what's actually going wrong?
Did you find and read these URLs?
LDAP browsers that you test with will usually connect without having 445 open, which makes it even more difficult to solve problems.
Port 445 not being open was definitely one of the issues, thank you. I can get to the login screen now, but unfortunately it's still not authenticating. Going to see if it's possible to grab a log of the attempts from the RODC.
Looking at the packets themselves gives this error:
V80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 0, v2580.
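As an added example (mine, not posted by anyone in this thread), the following parses a diagnostic of the form quoted above into its fields and labels the parts that are documented: the SSPI status 80090308 and the standard AD "data" sub-codes. The second message is constructed to mirror the StackOverflow variant linked below (DSID 0C0903A9, data 52e), so the two can be compared field by field.

```python
import re

# Documented AD sub-codes reported in the "data NNN" field of an
# AcceptSecurityContext bind failure (hex, as the server prints them).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# SSPI status that prefixes the message; 80090308 is the value on this page.
SEC_E_STATUS = {
    "80090308": "SEC_E_INVALID_TOKEN (the security token supplied was invalid)",
}

_ERR_RE = re.compile(
    r"(?P<status>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*comment:\s*(?P<comment>[^,]+),\s*data\s*(?P<data>[0-9A-Fa-f]+),"
    r"\s*v(?P<ver>[0-9A-Fa-f]+)"
)

def parse_ldap_bind_error(msg):
    """Split an AD bind diagnostic into its fields; None if it is not that format."""
    m = _ERR_RE.search(msg)  # search, so a stray leading character is tolerated
    if not m:
        return None
    f = m.groupdict()
    f["data"] = f["data"].lower()
    f["status_meaning"] = SEC_E_STATUS.get(f["status"].upper(), "unknown status")
    f["data_meaning"] = AD_BIND_DATA_CODES.get(f["data"], "not a documented AD sub-code")
    return f

def differing_fields(msg_a, msg_b):
    """Field names that differ between two diagnostics, to check whether a
    write-up found online really describes the same failure."""
    a, b = parse_ldap_bind_error(msg_a), parse_ldap_bind_error(msg_b)
    if a is None or b is None:
        return None
    return sorted(k for k in ("status", "dsid", "comment", "data") if a[k].lower() != b[k].lower())

THREAD_ERROR = "V80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 0, v2580."
# Constructed variant with a documented sub-code, for comparison only.
SO_STYLE_ERROR = "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"
```

Note that "data 0" is not one of the documented sub-codes, which is why the usual code-49 lookup tables do not explain it.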
I'm assuming you already found this? http://stackoverflow.com/questions/31411665/ldap-error-code-49-80090308-ldaperr-dsid-0c0903a9-comment-acceptsecurityc
Yeah, that's a slightly different error though. I only found one unanswered question on StackOverflow that had this exact error/situation. Trying to get in contact with him now.
Some time has passed with this issue. We ended up opening a ticket with Epi and also looked at a contractor to resolve this, but it's essentially dead in the water. Looking at another contractor as an option and possibly into ADFS as an alternative.
Here are a couple of good articles about AD in a DMZ in which I hope you will find something interesting, please see
Please keep us posted about your findings.
You wrote that opening port 445 (related to trust relationships) slightly improved the situation and leads to the logon screen. Furthermore, I suspect the root of your issues is a broken trust relationship between domains (there are many cases that break it, i.e. DC reboots); could you try to re-establish the trusts?