January 10, 2015 - David Sokolik
There are currently no logon servers available to service the logon request
Error message when you try to log on to a Windows Server-based RODC: “There are currently no logon servers available to service the logon request”
So you are at a remote branch site, trying to log on to your local server, and suddenly you get “There are currently no logon servers available to service the logon request”.
Many system administrators do not fully understand how an RODC (Read Only Domain Controller) works and therefore run into this issue.
RODCs are a great way to provide some Active Directory services to a remote site while preserving security: if one of those sites is breached, the compromise cannot affect your entire organization.
But what happens if connectivity to the main site is lost, or the local RODC is down and requires maintenance?
The one thing almost every system administrator I have met is unaware of is that an RODC cannot provide local Active Directory authentication by default, due to the nature of its design. We must therefore first configure the Password Replication Policy (PRP) before the local RODC can provide any form of authentication for our end users.
What is the Password Replication Policy (PRP)?
The PRP is what many refer to as credential caching. It allows the system administrator to define a set of users or security groups whose credentials are to be cached on an RODC.
For example, assume we have a main office (HQ) in New York City with two branch sites, one in California and one in London.
How many of the users in New York will ever need to authenticate in California or London? And how many of the users in California or London will ever need to authenticate somewhere else?
If you have set up your Active Directory properly, you either have security groups for the users in those offices or have organizational units (OUs) containing those users.
With the PRP we can define which groups or users will be cached on each RODC.
Consider creating a new security group for each RODC (you can use the general ‘Allowed RODC Password Replication Group’ instead if you want to grant the same users the ability to log on through all RODCs).
How to configure the Password Replication Policy (PRP):
The PRP is configured on a writeable domain controller (meaning NOT on the RODC itself).
Open the ‘Active Directory Users and Computers’ MMC snap-in.
Inside the snap-in, navigate to the OU where the RODC's computer object is located, right-click it and select ‘Properties’. You will notice a new tab labeled ‘Password Replication Policy’; go to that tab.
Inside you will notice several pre-populated security groups; the two you need to look at more closely are ‘Allowed RODC Password Replication Group’ and ‘Denied RODC Password Replication Group’.
If you double-click each group you will notice its pre-populated entries: the Allowed group is empty by default, while the Denied group has a few entries, the three most important of which are:
- Domain Admins
- Enterprise Admins
- Schema Admins
The users in these three groups are usually your IT administrators and service accounts that require access to network-wide resources such as Exchange, Active Directory, or files and data.
So note that the users in those groups will not be cached by default, and will be denied caching even if we add them to the ‘Allowed RODC Password Replication Group’, because a Denied entry takes precedence over an Allowed one.
I recommend creating a dedicated administrative account for each local RODC and granting it local administrator privileges on that RODC only.
If you have created a dedicated security group for each branch, simply add it with the ‘Allow passwords for the account to replicate to this RODC’ setting.
Now wait for the Active Directory replication to finish
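The same per-branch PRP setup can be scripted and, more importantly, verified from a writeable domain controller with the ActiveDirectory PowerShell module. The following is an added example, not code from the original post; the RODC name, group name, OU path and user names are assumptions chosen for illustration, while the cmdlets (Add-ADDomainControllerPasswordReplicationPolicy, Get-ADDomainControllerPasswordReplicationPolicy, Get-ADDomainControllerPasswordReplicationPolicyUsage) are the real ones shipped with RSAT.

```powershell
# Added example (not from the original post): create a per-RODC group, screen its
# members against the default Denied list, attach it to the RODC's Allowed list,
# and verify what is actually cached. Run on a writeable DC or an RSAT workstation.
Import-Module ActiveDirectory

$Rodc        = 'LON-RODC01'                               # assumed: London branch RODC
$GroupName   = 'RODC-LON-AllowedUsers'                    # assumed: dedicated group for this RODC
$GroupPath   = 'OU=Groups,OU=London,DC=corp,DC=example'   # assumed: OU for the group
$BranchUsers = @('jsmith', 'akhan')                       # assumed: sample London users

# 1. One security group per RODC, as the post recommends.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupPath -Description "Accounts whose passwords may be cached on $Rodc"
}

# 2. A Denied entry always wins over an Allowed one, so anyone who is (directly or
#    via nesting) in the Denied group, e.g. Domain/Enterprise/Schema Admins, will
#    never be cached no matter what we add. Warn instead of silently adding them.
$denied = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive |
    Select-Object -ExpandProperty SamAccountName
foreach ($user in $BranchUsers) {
    if ($denied -contains $user) {
        Write-Warning "$user is in a denied group and cannot be cached on $Rodc; use a separate branch account"
    } else {
        Add-ADGroupMember -Identity $GroupName -Members $user
    }
}

# 3. Equivalent of ticking 'Allow passwords for the account to replicate to this RODC'.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $GroupName

# 4. Verify the effective policy on the RODC object (what the PRP tab shows).
Write-Host "Allowed on ${Rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name
Write-Host "Denied on ${Rodc}:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name

# 5. After replication, list the accounts whose passwords the RODC really holds.
#    A password is cached on the first logon through the RODC, or it can be prefetched:
#    repadmin /rodcpwdrepl $Rodc <writeable-DC> <user DN>
Write-Host "Passwords currently cached on ${Rodc}:"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass
```

Step 5 is the check to run when the "no logon servers" error appears during a WAN outage: if the user is in the Allowed list but does not show up under RevealedAccounts, the password was simply never cached (nobody logged on through the RODC while the link to HQ was up). Note also that the branch workstations' computer accounts must be cached on the RODC for the same reason, so include the branch computers (or their OU's group) in the per-RODC group as well.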