shankarvetrivel asked:
Windows 2008 R2 RODC and DHCP

Hello all,

We have a branch office with an RODC, DHCP and 200 clients. All the clients pull their IP addresses from the branch office DHCP.

In the main office we have writable DCs.

The main office and the branch office are connected over the WAN.

Problem
When the branch office loses communication to the writable DC in the main office, the DHCP server does not offer IP addresses to the client desktops in the branch office.

So does DHCP depend on a writable DC?

Jaya
Krzysztof Pytko

Looks like a problem with DHCP authorization when the writable DC is down. Do you have a Global Catalog set up on that RODC in the remote site? I think that should solve your problem.

Regards,
Krzysztof
shankarvetrivel

ASKER

The RODC in the branch office is already a Global Catalog.

Jaya
ASKER CERTIFIED SOLUTION
ComputerBeast

This solution is only available to members.
Just to confirm:

The DHCP service is running on a separate server.

Event ID is 1059: "The DHCP server failed to see a Directory server for authorization".

My question is why the RODC is not authorizing the DHCP service in the branch office.

Jaya
Can someone help me with this?
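The 1059 event above is raised by the DHCP Server service's periodic authorization check, which needs a directory server that the DC locator hands back. The PowerShell diagnostic below is an added example, not part of the original thread, for confirming what the branch DHCP server can actually reach: it asks the locator for a DC with and without the "writable DC required" flag, pulls recent 1059 events, and lists the servers currently authorized in the directory. Run it on the branch DHCP server once while the WAN link is up and once while it is down and compare the two outputs. The domain name is a placeholder assumption.

```powershell
# Added diagnostic for the DHCP event 1059 symptom discussed in this thread.
# Not from the original post. Run on the branch-office DHCP server.
# Assumption: replace the placeholder domain with your AD domain name.
$domain = 'corp.example.com'

# 1. DC locator results. nltest /dsgetdc asks the locator the same way services do;
#    /writable adds the "writable DC required" flag. If the first call returns the
#    branch RODC but the second fails (or returns a main-office DC that is unreachable
#    over the WAN), only the RODC is available from this site right now.
"== Any DC (read-only allowed) =="
nltest "/dsgetdc:$domain" /force
"== Writable DC required =="
nltest "/dsgetdc:$domain" /writable /force

# 2. Recent authorization failures. Event 1059 is written to the System log by the
#    DHCP Server service when the authorization check cannot reach a directory server.
"== Recent DHCP event 1059 entries =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1059 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*DHCP*' } |
    Select-Object TimeCreated, ProviderName, Message |
    Format-List

# 3. DHCP servers authorized in the directory (CN=NetServices in the Configuration
#    partition). Get-DhcpServerInDC only exists from Server 2012 onward, so on 2008 R2
#    fall back to netsh, which is present by default.
"== Authorized DHCP servers =="
if (Get-Command Get-DhcpServerInDC -ErrorAction SilentlyContinue) {
    Get-DhcpServerInDC
} else {
    netsh dhcp show server
}

# 4. Local service state, so a stopped service is not mistaken for an authorization problem.
Get-Service DHCPServer | Select-Object Name, Status
```

If step 1 shows the writable lookup failing only while the WAN is down, and the 1059 timestamps line up with those outages, the authorization check is what is taking the leases away, not the RODC itself; that is the evidence to bring to whoever decides between a writable DC in the branch and a more resilient WAN link.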
Silly question, but with a 200-user office why isn't it a full DC?

Listening here for info purposes...

Steve
SOLUTION
This solution is only available to members.
Kinda my thoughts.... RODCs CAN have their place, but only in a very limited number of situations IMO. With too many things relying on a writable DC and therefore failing without a comms link in place, I can't imagine leaving 200 users to rely solely on one?

As to the actual Q, I don't know, but I'm glad someone else thinks RODCs are less than useful!

Steve
pwindell

Our branch office is less secure. Is there any other way to make our DHCP server authorize against the RODC?

Jaya
Keep in mind that MS only recently "invented" RODCs, but we have had "less than secure" branch offices since before computers were invented. What would you do if, say, MS had never invented the RODC? I mean that seriously; I'm not being sarcastic or anything. Just because MS invents something doesn't mean we have to use it, or that it is the only way to do the job, or that it was ever a good idea to invent it in the first place.

Anyway, what I would do is:

1. As far as I am concerned the RODC is just off the table. They are a disaster (IMO) and should all be eliminated. I never use one, never will, and just refuse to deal with one. If anyone else wants to deal with that, that is perfectly fine, jump in, but I won't.

2. Put the server in a locked room. Simple enough: rooms have doors, doors have locks, so put the server in such a room. Just be careful of overheating if the ventilation isn't good enough. If there isn't a room for this, build one. If you can't build one then forget it; it isn't the end of the world. Just leave the server out in plain sight so that no one can mess with it without everyone else seeing them do it.

3. This one I already said. Don't give employees you can't trust the Administrator credentials, and do not add their regular user account to the Administrators group. By default regular user accounts cannot log on locally to a Domain Controller. Even if regular users could, they still are not allowed by the OS to use the administration tools. If you require someone at that location with such authority then only give it to someone you can trust with those duties. If you can't trust anyone then it is probably time to fire someone and hire someone you can trust.
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
Yes, at least when we had PDC / BDC, anything was only expected to write to the PDC...
Thanks.