Solved

Windows 2008 R2 RODC and DHCP.

Posted on 2011-09-21
Last Modified: 2012-06-21
Hello all,

We have a branch office with an RODC, a DHCP server and 200 clients. All the clients pull their IP addresses from the branch office DHCP server.

In the main office we have writable DCs.

The main office and the branch office are connected over the WAN.

Problem
When the branch office loses communication with the writable DC in the main office,

the DHCP server stops offering IP addresses to client desktops in the branch office.

So does DHCP depend on a writable DC?

Jaya
Question by:shankarvetrivel
16 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36578726
Looks like a problem with DHCP authorization when the writable DC is down. Have you set up a Global Catalog on that RODC in the remote site? I think that should solve your problem.

Regards,
Krzysztof
 

Author Comment

by:shankarvetrivel
ID: 36579599
The RODC in the branch office is already a Global Catalog.

Jaya
 
LVL 7

Accepted Solution

by:ComputerBeast
ComputerBeast earned 125 total points
ID: 36580144
Hi all,

If you want to install DHCP directly on an RODC, you have to create the appropriate users and groups and have to ensure that they are replicated to the RODC before the installation.
 
For DHCP Users Group Configuration, refer to the article:

http://technet.microsoft.com/en-us/library/cc726854(WS.10).aspx
 
When the RODC is disconnected from the domain controller in the main office and the DHCP service stops working, what events or error messages are recorded in the event log? The event ID and description might be helpful for troubleshooting.
Also, please check whether the RODC DHCP server has been authorized in Active Directory; you may want to perform the action below on a writable domain controller:
 
Authorize a DHCP server in Active Directory
http://technet.microsoft.com/en-us/library/cc759688(WS.10).aspx
 
Here is an old thread for you to refer to:
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/5abf9237-5df0-4873-a54f-955ff3cdbd6a

Thank you
Anil
 

Author Comment

by:shankarvetrivel
ID: 36584036
Just to confirm:

The DHCP service is running on a separate server.

The event is ID 1059: 'The DHCP server failed to see a Directory server for authorization'.

My question is why the RODC is not authorizing the DHCP service in the branch office.

Jaya
 

Author Comment

by:shankarvetrivel
ID: 36588307
Can someone help me with this?
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36592809
Silly question, but with a 200-user office why isn't it a full DC?

Listening here for info purposes.

Steve
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 250 total points
ID: 36594221
On more than one occasion I have heard an MS employee admit that the whole RODC was just simply a bad idea,...and I agree.  Get rid of the RODC and make it a regular DC,...it isn't really protecting you from much of anything anyway.  If you don't want people messing with it then don't give them the administrator account's password and don't add any of their accounts to the administrators group.
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36594457
Kinda my thoughts.... They CAN have their place, but only in a very limited number of situations IMO. With too many things relying on a writable DC and therefore failing without a comms link in place, I can't imagine leaving 200 users to rely solely on one.

As to the actual Q, I don't know, but glad someone else thinks RODCs are less than useful!

Steve
 

Author Comment

by:shankarvetrivel
ID: 36707876
pwindell

Our branch office is less secure. Is there any other way to make our DHCP server authorize against the RODC?

Jaya
 
LVL 29

Expert Comment

by:pwindell
ID: 36716746
Keep in mind that MS only recently "invented" RODCs,...but we have had "less than secure" branch offices since before computers were invented.  What would you do if, say,...MS had never invented the RODC?  I mean that seriously, I'm not being sarcastic or anything.  Just because MS invents something doesn't mean we have to use it, or that it is the only way to do the job, or that it was ever a good idea to invent it in the first place.

Anyway, what I would do is:

1. As far as I am concerned the RODC is just off the table.  They are a disaster (IMO) and should all be eliminated. I never use one, never will, and just refuse to deal with one.  If anyone else wants to deal with that then that is perfectly fine, jump in, but I won't.

2. Put the server in a locked room.  Simple enough, rooms have doors, doors have locks,..put the server in such a room. Just be careful of overheating if the ventilation isn't good enough.   If there isn't a room for this,...build one.  If you can't build one then forget it,..it isn't the end of the world,...just leave the server out in plain sight so that no one can mess with it without everyone else seeing them do it.

3. This one I already said.  Don't give employees you can't trust the Administrator credentials and do not add their regular user account to the Administrators group.  By default regular user accounts cannot log on locally to a Domain Controller.  Even if regular users could, they still are not allowed by the OS to use the administration tools. If you require someone at that location with such authority then only give it to someone you can trust with those duties.  If you can't trust anyone then it is probably time to fire someone and hire someone you can trust.
 
LVL 43

Assisted Solution

by:Steve Knight
Steve Knight earned 125 total points
ID: 36716996
Well said there pwindell!

Still don't know why the DHCP server won't authorize, mind.  I guess we'd have to do a trace of what exactly it does when it DOES work vs. when it doesn't, and probably find it is requesting in such a way that an RODC by itself can't help.

Steve
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 250 total points
ID: 36717104
I suspect that the DHCP Service expects to write to DNS (or request that the DNS Service make the write on its behalf),...and then I suspect that it is only going to make the request to the RODC because that would be the DC it is trying to use,...and of course that DC cannot fulfill that role.  The DHCP Service would have no idea what an RODC is since there was never any such thing when the DHCP Service was designed, and historically any DC would have been able to fulfill the request until someone came up with the idea of an RODC.

Those are my suspicions anyway,...I doubt I could prove any of it.   But as a test, if you pull the network cable on the RODC so that it appears not to exist,...then the DHCP server (may require a reboot) would fail over to another DC listed in its TCP/IP settings, and if that DNS server was a writable DC then it would work.
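To put data behind Anil's suggestion above (ID 36580144) to check the authorization state and the event log, and behind pwindell's failover test (ID 36717104) of which DC the DHCP server is actually reaching, here is an added PowerShell diagnostic that is not part of the original thread. It assumes PowerShell 2.0 on Windows Server 2008 R2, the built-in nltest and netsh tools, Domain Admin rights, and a placeholder domain name (corp.example.com) that you must replace with your own. It only reports; it changes nothing.

```powershell
# Added diagnostic for the branch-office DHCP authorization failure discussed in
# this thread (not from the thread itself). Run it on the branch DHCP server, as a
# Domain Admin, while the WAN link to the main office is down and again when it
# is up, and compare the two outputs.
param(
    [string]$Domain        = 'corp.example.com',   # placeholder domain (assumption)
    [int]   $LookbackHours = 24                      # how far back to look for event 1059
)

function Show-Section($title) { Write-Host ""; Write-Host "== $title ==" }

# 1. Which DC does the locator hand this server, and is a writable DC reachable at all?
#    nltest's /writable flag makes the locator fail when only an RODC answers.
Show-Section 'DC locator (any DC in the site)'
nltest /dsgetdc:$Domain

Show-Section 'DC locator (writable DC required)'
nltest /dsgetdc:$Domain /writable
$writableReachable = ($LASTEXITCODE -eq 0)
if (-not $writableReachable) {
    Write-Warning "No writable DC is reachable from this server; only the RODC is answering."
}

# 2. Is this server's IPv4 address in the list of authorized DHCP servers stored in AD?
#    'netsh dhcp show server' reads that list from the directory, so an error here
#    (rather than an empty list) is itself a symptom worth recording.
Show-Section 'Authorized DHCP servers according to AD'
$authList = netsh dhcp show server 2>&1
$authList
$myIPv4 = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
$isAuthorized = $false
foreach ($ip in $myIPv4) {
    if (($authList | Out-String) -match [regex]::Escape($ip)) { $isAuthorized = $true }
}
Write-Host ("This server ({0}) listed as authorized: {1}" -f ($myIPv4 -join ', '), $isAuthorized)

# 3. Pull the authorization failures (Event ID 1059, the event quoted in the thread)
#    from the System log for the look-back window.
Show-Section "DHCP Server event 1059 in the last $LookbackHours hours"
$since = (Get-Date).AddHours(-$LookbackHours)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1059; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'DHCP' } |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-List

# 4. The site this server believes it is in, to compare with the locator result above.
Show-Section 'AD site of this server'
nltest /dsgetsite
```

Reading the output: if step 1 finds a DC but the /writable query fails, step 2 errors out or does not list this server, and step 3 shows fresh 1059 events, then the DHCP service's authorization check is not being satisfied by the RODC alone during the outage. Repeating the run after the WAN link (or pwindell's cable test) changes which DC the locator returns tells you whether the writable DC being reachable is the variable that matters. Restarting the DHCP Server service re-runs the authorization check once a writable DC is reachable again.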
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36717386
Yes at least when we had PDC / BDC anything only expected to write to the PDC...
 

Author Closing Comment

by:shankarvetrivel
ID: 37486743
Thanks.