I have 2 networks:
I have a DC in the internal network for my domain, and a RODC in the DMZ for the same domain. A firewall exists between these two networks, allowing only the ports/traffic I specify.
When I add a computer in the DMZ, and try to add it to the domain, it still tries to access my DC on the internal network, rather than the RODC in the DMZ. I've done the change as specified here (http://support.microsoft.com/kb/977510, i.e. allowing the RODC to be discoverable).
I am allowing the following ports between my RODC and DC:

Service            Source         Destination
Ephemeral ports    49152:65535    49152:65535
FRsRPC             1:65535        53248
Kerberos           1:65535        88
LDAP               1:65535        389
SMB                1:65535        445
NTP                1:65535        123
RPC Endpoint       1:65535        135
I have two Sites set up: DMZ and Internal. The RODC is part of the DMZ Site, and the DC is part of the Internal site. Subnets are also set up and assigned to the correct sites.
If I run an nltest /dsgetdc:mydomain.local on a computer in the DMZ, the RODC is returned.
A few things:
A netmon packet capture would almost certainly point you in the right direction.
Netlogon debugging on the client provides useful information.
The logs are saved at: C:\Windows\debug\netlogon.log.
When you configure the sites, what really matters is what DNS records are returned to the client. That is how it knows which DC to connect to. The netlogon.log will actually show you the zone:
I would inspect that zone in DNS.
Then later:
So either the DNS record for RODC is not in the expected zone, or is not being returned by your DNS server, or the client is getting the correct DNS record, but some other problem is occurring and it is connecting to the other DC. Which, by the way, is the expected behavior.
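An added example, not part of the question or the answer above: once Netlogon debug logging is on, the DsGetDcName result lines in C:\Windows\debug\netlogon.log show both the site the client was placed in and the site of the DC it was handed, so a small parser can flag every lookup that crossed from the DMZ site to the Internal site. The log lines below are constructed to resemble the real format, and the host names, addresses and site names are assumed.

```python
import re

# Constructed sample of netlogon.log lines (layout modelled on the real
# "DsGetDcName function called" / "results as follows" pairs; the hosts,
# addresses, sites and flags here are assumed, not taken from a real log).
SAMPLE_LOG = r"""
03/04 10:02:11 [MISC] [1184] DsGetDcName function called: client PID=1184, Dom:mydomain.local Acct:(null) Flags: DS
03/04 10:02:11 [MISC] [1184] DsGetDcName: results as follows: DCName:\\RODC01.mydomain.local DCAddress:\\10.20.0.5 DCAddrType:0x1 DomainName:mydomain.local DnsForestName:mydomain.local Flags:0xe00031fc DcSiteName:DMZ ClientSiteName:DMZ
03/04 10:02:12 [MISC] [1184] DsGetDcName function called: client PID=1184, Dom:mydomain.local Acct:(null) Flags: WRITABLE DS
03/04 10:02:12 [MISC] [1184] DsGetDcName: results as follows: DCName:\\DC01.mydomain.local DCAddress:\\10.10.0.5 DCAddrType:0x1 DomainName:mydomain.local DnsForestName:mydomain.local Flags:0xe000f1fc DcSiteName:Internal ClientSiteName:DMZ
"""

CALL_RE = re.compile(r"DsGetDcName function called: .*?Flags: (?P<flags>.*)$")
RESULT_RE = re.compile(
    r"DsGetDcName: results as follows: DCName:\\\\(?P<dc>\S+) DCAddress:\\\\(?P<addr>\S+) "
    r".*?DcSiteName:(?P<dc_site>\S+) ClientSiteName:(?P<client_site>\S+)"
)


def parse_locator_results(log_text):
    """Pair each DsGetDcName call (and the flags it asked for) with the
    result line that follows it, returning one dict per completed lookup."""
    results = []
    pending_flags = None
    for line in log_text.splitlines():
        call = CALL_RE.search(line)
        if call:
            pending_flags = call.group("flags").strip()
            continue
        res = RESULT_RE.search(line)
        if res:
            results.append({
                "dc": res.group("dc"),
                "addr": res.group("addr"),
                "dc_site": res.group("dc_site"),
                "client_site": res.group("client_site"),
                "flags": pending_flags,
            })
            pending_flags = None
    return results


def cross_site_lookups(results):
    """Lookups where the DC handed back sits outside the client's own site;
    the recorded flags show what the caller asked the locator for."""
    return [r for r in results if r["dc_site"] != r["client_site"]]


if __name__ == "__main__":
    for r in cross_site_lookups(parse_locator_results(SAMPLE_LOG)):
        print(f"{r['client_site']} client sent to {r['dc']} ({r['addr']}) "
              f"in site {r['dc_site']}; request flags: {r['flags']}")
```

Run it against the real file to see which DsGetDcName calls left the DMZ site and which flags those calls carried, then check the corresponding SRV records in the DNS zone for that site.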