piemckay
DNS errors on Read Only Domain Controller
Hello,
I have a problem with the two RODCs I have in our domain. I get the error below recorded every 3 minutes for DNS.
EventID 4015 DNS-Server-Service
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "00002095: SvcErr: DSID-03210A69, problem 5012 (DIR_ERROR), data 16". The event data contains the error.
I have done some research and it all points to the issue mentioned in the KB below. It basically says (as I understand it) to make sure that the RODC has access to a writable DC with DNS and also that the writable DC has an NS record.
http://support.microsoft.com/kb/969488
I run this command and it comes back with the correct DC which is writable and has DNS installed:
nltest /dsgetdc:DOMAIN.COM /WRITABLE /AVOIDSELF /TRY_NEXT_CLOSEST_SITE /DS_6
Then I run this command and it refers to the same DC and says all replication is successful:
repadmin /showrepl
The servers are both in remote sites that are connected through Cisco ASAs on a site-to-site VPN. But I can access the DNS server on port 53.
So all in all I'm lost. Any help would be appreciated. I don't seem to have a loss of functionality, just thousands of red crosses that are frustrating! Only option I can think of is to demote and promote them again as normal DCs.
Thanks
Gavin
Just make sure that in the TCP/IP Specs of the RODCs that they use the RWDC as their "DNS Server". Do not have anything else listed there.
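The reply above and KB 969488 in the question both come down to two checks: the RODC's DNS client must point only at writable DCs, and those writable DCs must appear as NS records for the zone. The script below is an added example, not part of the original thread or of Microsoft's KB; it is written to be run in an elevated PowerShell session on the RODC with the ActiveDirectory and DnsClient modules available (RSAT, Windows Server 2012 or later), and DOMAIN.COM is a placeholder taken from the question.

```powershell
# Added example (not from the original thread). Run on the RODC as an admin.
# Assumes the ActiveDirectory and DnsClient modules are present. DOMAIN.COM is
# the placeholder domain name used in the question; replace it with your own.
Import-Module ActiveDirectory

$domain = 'DOMAIN.COM'   # placeholder, as in the original post

# 1. The writable DCs in the domain: the set the RODC must be able to reach
#    for DNS, per KB 969488 and the reply above.
$rwdcs = Get-ADDomainController -Filter { IsReadOnly -eq $false } |
         Select-Object -ExpandProperty HostName

# Resolve each writable DC to its IPv4 addresses so we can compare them with
# the addresses configured on this RODC's network interfaces.
$rwdcIps = foreach ($dc in $rwdcs) {
    (Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue).IPAddress
}

# 2. DNS servers configured on this RODC's interfaces. Anything listed here
#    that is not a writable DC (including the RODC itself) is the misconfiguration
#    the reply above warns about.
$dnsClient = Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses.Count -gt 0 }

foreach ($nic in $dnsClient) {
    foreach ($ip in $nic.ServerAddresses) {
        $isWritable = $rwdcIps -contains $ip
        '{0,-25} DNS server {1,-16} writable DC: {2}' -f $nic.InterfaceAlias, $ip, $isWritable
    }
}

# 3. NS records of the domain zone: KB 969488 expects a writable DNS server here.
$nsHosts = (Resolve-DnsName -Name $domain -Type NS -ErrorAction Stop |
            Where-Object { $_.Type -eq 'NS' }).NameHost
$missing = $rwdcs | Where-Object { $nsHosts -notcontains $_ }
if ($missing) {
    "Writable DCs without an NS record in ${domain}: $($missing -join ', ')"
} else {
    "All writable DCs have NS records in $domain"
}

# 4. Is Event 4015 still being logged? The question reports one every 3 minutes,
#    so roughly 20 per hour means nothing has changed yet.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4015; StartTime = $since } `
                       -ErrorAction SilentlyContinue
"Event 4015 occurrences in the last hour: $(@($events).Count)"
```

Step 2 is the part that matches the reply: every address printed should show `writable DC: True`. If the RODC lists itself, or a DNS server that is not a DC, that entry is what to remove. Step 4 gives a quick before/after count once the DNS client settings have been corrected, without waiting to watch the event log by hand.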
ASKER
They have a primary and a secondary DNS server defined. However both of those DNS servers are RWDCs so I presume that's ok. I think I will go for the demote/promote option...
As long as the people who have physical access to the box (but aren't supposed to mess with the thing) don't have credentials that can log on locally to the DC I think a RWDC is fine.
ASKER
I agree, I'll get to it. Thanks for your input.
ASKER
Didn't directly fix the problem on the RODC, but overall it is a better solution.