Channel: Forum Remote Desktop Services (Terminal Services)

RDS / RODC

My apologies for this in advance. We are exclusively using 2012 R2. I have a DMZ network with a firewall between the internal and DMZ resources. I have set up the subnets for each in AD S&S.

I have an RODC sitting in the DMZ with the appropriate ports open per https://technet.microsoft.com/en-us/library/Dd728028%28v=WS.10%29.aspx?f=255&MSPPError=-2147217396

The RODC has been set up as a GC server in AD S&S, and the RODC has RegisterSiteSpecificDnsRecordsOnly set to false per https://support.microsoft.com/en-us/kb/977510 and I have confirmed that the new DNS records exist for the RODC (I did allow writes to the DNS system for the RODC). The RODC is also acting as the central NPS server.

There is a member server sitting out in the DMZ that is acting as an RDG and an RD Web server. This server has been allowed communication on 3389 (to all internal resources) and 5504 (to the RDS CB). We also have a temporary rule in place that allows ALL network connections through the firewall for that member server (for AD join and configuration). I will call this the "temp rule" later on. All internal to DMZ traffic and DMZ to DMZ traffic is unblocked.

Here are my 2 issues:

1) When I disable the temp rule, I watch the firewall and find that there are still a lot of attempts to reach the RWDCs via 135 and the WMI port as well as several other strange ports, even though there is an RODC server available. This also appears to intermittently cause problems with users not being able to connect to internal resources.

2) When I disable the temp rule, I go to the RDG and look at the CAPs and RAPs and all of the AD groups are missing. The rules exist but they no longer have an AD group attached. I try to re-add the AD groups to the RAPs and CAPs and this is where it gets weird. I can search for the groups and see the results of the search correctly. All AD groups are found just fine, but when I hit OK to actually apply the groups, the CAP/RAP does not apply the group (the fields stay blank). I have to re-enable the temp rule and reboot twice to be able to reapply the groups to the CAPs/RAPs.

I'm going out of my mind here. I have been searching for 5+ days on how to get this up and running. Am I missing something obvious? Did something go wrong with the deployment and should I just redeploy the web/rdg server? ANY help would be greatly appreciated.
