?
Solved

DNS errors on Read Onlt Domain Controller

Posted on 2011-05-13
6
Medium Priority
?
1,521 Views
Last Modified: 2012-05-11
Hello,

I have a problem with the two RODCs I have in our domain. I get the error below recorded every 3 minutes for DNS.

EventID 4015 DNS-Server-Service
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "00002095: SvcErr: DSID-03210A69, problem 5012 (DIR_ERROR), data 16". The event data contains the error.

I have done some research and it all points to the issue mentioned in the Kb below. It basically says (as I understand it) to make sure that the RODC has access to a writable DC with DNS and also that the writable DC has an NS record.

http://support.microsoft.com/kb/969488

I run this command and it comes back with the correct DC which is writable and has DNS installed:
nltest /dsgetdc:DOMAIN.COM /WRITABLE /AVOIDSELF /TRY_NEXT_CLOSEST_SITE /DS_6

Then I run this command and refers to the same DC and says all replication is successful:
repadmin /showrepl

The servers are both in remote sites that are connected through cisco ASAs on site-to-site vpn. But I can access the DNS server on port 53.

So all in all I'm lost. Any help would be appreciated. I don't seem to have a loss of functionality, just thousands of red crosses that are frustrating! Only option I can think of is to demote and promote them again as normal DCs.

Thanks
Gavin
0
Comment
Question by:piemckay
  • 3
  • 3
6 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 35754847
Just make sure that in the TCP/IP Specs of the RODCs that they use the RWDC as their "DNS Server".  Do not have anything else listed there.
0
 
LVL 29

Accepted Solution

by:
pwindell earned 1500 total points
ID: 35754886
Personally I like the idea of demoting them and bring them back as regular DC.   I think the whole concept of the RODC has been a "flop".    But that's just me.....
0
 

Author Comment

by:piemckay
ID: 35759791
They have a primary and a secondary DNS server defined. However both of those DNS servers are RWDCs so I presume that's ok. I think I will go for the demote/promote option...
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
LVL 29

Expert Comment

by:pwindell
ID: 35770461
As long as the people who have physical access to the box (but aren't supposed to mess with the thing) don't have credentials that can log on locally to the DC I think a RWDC is fine.  
0
 

Author Comment

by:piemckay
ID: 35770484
I agree, I'll get to it. Thanks for your input.
0
 

Author Closing Comment

by:piemckay
ID: 35770490
Didn't directly fix the problem on the RODC, but overall is a better solution.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question