Hi all!
I have an AD site with its own RODC for a specific set of clients. For security requirements, the traffic to the writable DCs from this site/subnet is blocked on the firewall (except for the RODC), so all clients have to authenticate to this RODC.
Computers only authenticate in that site if their credentials are cached (their accounts are members of the password replication policy allowed group). The computers without allowed credential caching get a Netlogon 5721 event:
The session setup to the Windows Domain Controller \\RODC for the domain MyDomain failed because the Domain Controller did not have an account MyServer$ needed to set up the session by this computer MyServer
User accounts are not members of any PRP allowed group and still authenticate without problems.
According to the docs, the caching is useful to ensure users and computers can authenticate to the RODC when the RWDC is inaccessible and the RODC cannot forward requests to it.
So I think it is an option only and not a requirement in conditions where the RWDC is always accessible from the RODC.
As I can see, if passwords are not cached, the RODC works like an authentication proxy, forwarding client authentication requests to the RWDC and passing back the responses.
cc753459(v=ws.10): "When users or computers in a site that is serviced by an RODC attempt to authenticate to the domain, the RODC by default cannot validate their credentials. The RODC then forwards the authentication request to a writable domain controller"
The "main" article about RODC authentication describes only the case with password caching enabled, but request forwarding to the RWDC is present there too: cc754218(v=ws.10)
So it all should work.
On the other hand, in the RODC event log I've found Netlogon events 5723:
The session setup from computer 'MyServer' failed because the security database does not contain a trust account 'MyServer$' referenced by the specified computer.
...If this is a Read-Only Domain Controller and 'MyServer$' is a legitimate machine account for the computer 'MyServer' then 'MyServer' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller capable of servicing the request (for example a writable domain controller)...
(The account for 'MyServer$' is of course present on the RODC.)
I'm at a loss. Can computers without cached passwords be authenticated on the RODC or not?
Is something wrong with my setup? Or is the RODC not usable for this by design?
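Added diagnostic example (not part of the original post): a PowerShell check that, for one account and one RODC, reports the resultant PRP, whether the RODC has actually cached ("revealed") the account's secret, whether the RODC has authenticated that account at all, and the most recent Netlogon 5721/5723 failures logged on the RODC. It assumes the RSAT ActiveDirectory module and read access to the RODC's System log; 'MyServer$' and 'RODC' are the post's own placeholder names, and 'NETLOGON' as the System-log provider name is an assumption.

```powershell
# Added example: triage one account against one RODC's password replication policy
# and correlate it with Netlogon 5721/5723 session-setup failures on that RODC.
Import-Module ActiveDirectory

function Test-RodcAccountState {
    param(
        [Parameter(Mandatory)] [string] $AccountSamName,   # e.g. 'MyServer$' (placeholder from the post)
        [Parameter(Mandatory)] [string] $Rodc              # e.g. 'RODC'      (placeholder from the post)
    )

    # Resultant PRP for this account on this RODC: 'Allow' means the RODC may cache
    # the secret; anything else means it must forward the request to an RWDC.
    $rprp = Get-ADAccountResultantPasswordReplicationPolicy -Identity $AccountSamName -DomainController $Rodc

    # Accounts whose secrets this RODC currently holds (msDS-RevealedUsers).
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Where-Object { $_.SamAccountName -eq $AccountSamName }

    # Accounts this RODC has authenticated (locally or by forwarding) since promotion.
    $authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
        Where-Object { $_.SamAccountName -eq $AccountSamName }

    # Netlogon 5721/5723 on the RODC mentioning this account.
    # Assumption: the provider is named 'NETLOGON' in the System log.
    $events = Get-WinEvent -ComputerName $Rodc -MaxEvents 200 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5721, 5723
    } | Where-Object { $_.Message -like "*$AccountSamName*" } |
        Select-Object -Property TimeCreated, Id -First 5

    [pscustomobject]@{
        Account        = $AccountSamName
        RODC           = $Rodc
        ResultantPRP   = "$rprp"
        SecretCached   = [bool]$revealed
        SeenByRodc     = [bool]$authenticated
        RecentFailures = $events
    }
}

Test-RodcAccountState -AccountSamName 'MyServer$' -Rodc 'RODC' | Format-List
```

An account that shows ResultantPRP other than Allow, SecretCached False and repeated 5721/5723 entries is one the RODC could neither validate locally nor get answered for by an RWDC, which points at the forwarding path rather than at the PRP itself.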