DNS errors on Read Only Domain Controller

Posted on 2011-05-13
Last Modified: 2012-05-11

I have a problem with the two RODCs I have in our domain. I get the error below recorded every 3 minutes for DNS.

EventID 4015 DNS-Server-Service
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "00002095: SvcErr: DSID-03210A69, problem 5012 (DIR_ERROR), data 16". The event data contains the error.

I have done some research and it all points to the issue mentioned in the Kb below. It basically says (as I understand it) to make sure that the RODC has access to a writable DC with DNS and also that the writable DC has an NS record.

I run this command and it comes back with the correct DC which is writable and has DNS installed:

Then I run this command and it refers to the same DC and says all replication is successful:
repadmin /showrepl

The servers are both in remote sites that are connected through cisco ASAs on site-to-site vpn. But I can access the DNS server on port 53.

So all in all I'm lost. Any help would be appreciated. I don't seem to have a loss of functionality, just thousands of red crosses that are frustrating! Only option I can think of is to demote and promote them again as normal DCs.

Question by:piemckay

    Expert Comment

    Just make sure that in the TCP/IP Specs of the RODCs that they use the RWDC as their "DNS Server".  Do not have anything else listed there.
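The checks the question describes (RODC reaches a writable DC that hosts DNS, that DC has an NS record for the zone, port 53 is open across the VPN) and the expert's point about the RODC's TCP/IP DNS settings can be scripted. The following is an added example written for this page, not code from the thread or from Microsoft; it assumes it is run on the RODC by a domain admin on Windows Server 2012 or later with the RSAT ActiveDirectory module, since `Get-DnsClientServerAddress`, `Test-NetConnection` and `Resolve-DnsName` are not available on 2008.

```powershell
# Added example, not from the original thread. Run on the RODC as a domain admin.
# Assumes Windows Server 2012+ (DnsClient / NetTCPIP modules) and the RSAT
# ActiveDirectory module. Reports, per configured DNS server: is it a writable DC,
# is TCP 53 reachable, and does it hold an NS record for the domain zone.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$zoneName = $domain.DNSRoot

# Writable DCs only: an RODC that points at another RODC for DNS has nowhere to
# register or update its own records, which is what event 4015 complains about.
$rwdcs    = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $domain.PDCEmulator
$rwdcByIp = @{}
foreach ($dc in $rwdcs) { $rwdcByIp[$dc.IPv4Address] = $dc }

# 1. DNS servers set in this RODC's TCP/IP properties, across all adapters that have any
$configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $_.ServerAddresses } |
    Sort-Object -Unique

if (-not $configured) {
    Write-Warning "No DNS servers configured on any adapter."
    return
}

foreach ($ip in $configured) {
    $dc = $rwdcByIp[$ip]
    if (-not $dc) {
        Write-Warning "$ip is not a writable DC in $zoneName; remove it from the TCP/IP DNS list."
        continue
    }

    # 2. Is port 53 reachable through the site-to-site VPN / firewall?
    $tcp = Test-NetConnection -ComputerName $ip -Port 53 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "$($dc.HostName) ($ip): TCP 53 not reachable."
        continue
    }

    # 3. Does this RWDC appear as a name server for the AD-integrated domain zone?
    $ns = Resolve-DnsName -Name $zoneName -Type NS -Server $ip -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'NS' } |
          ForEach-Object { $_.NameHost.TrimEnd('.') }

    if ($ns -contains $dc.HostName) {
        Write-Output "OK  $($dc.HostName) ($ip): writable DC, port 53 open, NS record present in $zoneName"
    } else {
        Write-Warning "$($dc.HostName) ($ip): no NS record in $zoneName (NS found: $($ns -join ', '))"
    }
}
```

Every configured DNS server should print an OK line; any warning points at one of the three conditions the referenced KB asks you to verify. A warning on step 1 is the case the expert comment above addresses (a non-RWDC address in the TCP/IP DNS list), and a failure on step 2 indicates the ASA site-to-site rules rather than DNS itself.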

    Accepted Solution

    Personally I like the idea of demoting them and bringing them back as regular DCs.   I think the whole concept of the RODC has been a "flop".    But that's just me.....

    Author Comment

    They have a primary and a secondary DNS server defined. However both of those DNS servers are RWDCs so I presume that's ok. I think I will go for the demote/promote option...

    Expert Comment

    As long as the people who have physical access to the box (but aren't supposed to mess with the thing) don't have credentials that can log on locally to the DC I think a RWDC is fine.  

    Author Comment

    I agree, I'll get to it. Thanks for your input.

    Author Closing Comment

    Didn't directly fix the problem on the RODC, but overall is a better solution.
