piemckay

asked on

DNS errors on Read Only Domain Controller

Hello,

I have a problem with the two RODCs I have in our domain. I get the error below recorded every 3 minutes for DNS.

EventID 4015 DNS-Server-Service
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "00002095: SvcErr: DSID-03210A69, problem 5012 (DIR_ERROR), data 16". The event data contains the error.

I have done some research and it all points to the issue mentioned in the Kb below. It basically says (as I understand it) to make sure that the RODC has access to a writable DC with DNS and also that the writable DC has an NS record.

http://support.microsoft.com/kb/969488

I run this command and it comes back with the correct DC which is writable and has DNS installed:
nltest /dsgetdc:DOMAIN.COM /WRITABLE /AVOIDSELF /TRY_NEXT_CLOSEST_SITE /DS_6

Then I run this command and it refers to the same DC and says all replication is successful:
repadmin /showrepl

The servers are both in remote sites that are connected through Cisco ASAs on site-to-site VPN. But I can access the DNS server on port 53.

So all in all I'm lost. Any help would be appreciated. I don't seem to have a loss of functionality, just thousands of red crosses that are frustrating! Only option I can think of is to demote and promote them again as normal DCs.

Thanks
Gavin
pwindell

Just make sure that in the TCP/IP Specs of the RODCs that they use the RWDC as their "DNS Server". Do not have anything else listed there.
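One way to check what pwindell describes from the RODC itself, as an added example that is not part of this thread: it compares the resolver addresses configured on the box against the domain's writable DCs, repeats the locator test the asker ran with nltest, and counts recent 4015 events. It assumes Windows Server 2012 or later (for Get-DnsClientServerAddress) and the RSAT ActiveDirectory module.

```powershell
# Added example, not from the thread. Run on the RODC as a domain admin.
# Assumes Windows Server 2012+ and the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Every DC in the domain, with IPv4 address and RODC flag
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, IsReadOnly, Site

# This RODC's own address, so we can spot a resolver that points at itself
$selfIp = (Get-ADDomainController -Identity $env:COMPUTERNAME).IPv4Address

# IPv4 DNS servers configured on every interface of this host, deduplicated
$configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $_.ServerAddresses } |
    Sort-Object -Unique

foreach ($ip in $configured) {
    if ($ip -eq '127.0.0.1' -or $ip -eq $selfIp) {
        Write-Warning "$ip is this RODC itself; remove it and list only the RWDC"
        continue
    }
    $dc = $dcs | Where-Object { $_.IPv4Address -eq $ip }
    if (-not $dc) {
        Write-Warning "$ip is configured as a DNS server but is not a domain controller"
    } elseif ($dc.IsReadOnly) {
        Write-Warning "$ip ($($dc.HostName)) is an RODC; point the resolver at a writable DC instead"
    } else {
        Write-Output "$ip ($($dc.HostName), site $($dc.Site)) is a writable DC - OK"
    }
}

# Same check the asker did with nltest: does the locator hand back a writable DC?
$found = Get-ADDomainController -Discover -Writable -AvoidSelf -NextClosestSite
Write-Output "Locator returned writable DC: $($found.HostName) ($($found.IPv4Address))"

# Count of DNS-Server event 4015 in the last 24 hours; should fall to zero once fixed
$since = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4015; StartTime = $since } `
    -ErrorAction SilentlyContinue
Write-Output "DNS-Server event 4015 count since ${since}: $(@($events).Count)"
```

Re-run the last part after changing the resolver settings; the error recurs every few minutes in the asker's case, so a clean 24-hour window is a reasonable sign the fix held.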
ASKER CERTIFIED SOLUTION
pwindell
piemckay (ASKER)

They have a primary and a secondary DNS server defined. However both of those DNS servers are RWDCs so I presume that's ok. I think I will go for the demote/promote option...

As long as the people who have physical access to the box (but aren't supposed to mess with the thing) don't have credentials that can log on locally to the DC I think a RWDC is fine.

I agree, I'll get to it. Thanks for your input.

Didn't directly fix the problem on the RODC, but overall is a better solution.