Windows 2008 R2 RODC and DHCP

Hello all,

We have a branch office with an RODC, DHCP and 200 clients. All the clients pull their IP addresses from the branch office DHCP server.

In the main office we have writable DCs.

The main office and branch office are connected over a WAN.

When the branch office loses communication with the writable DC in the main office, the DHCP server does not offer IP addresses to the client desktops in the branch office.

So does DHCP depend on a writable DC?


Krzysztof Pytko, Senior Active Directory Engineer, commented:
Looks like a problem with DHCP authorization when the writable DC is down. Have you set up a Global Catalog on that RODC in the remote site? I think that should solve your problem.

shankarvetrivel (Author) commented:
The RODC in the branch office is already a Global Catalog.

Hi all,

If you want to install DHCP directly on an RODC, you have to create the appropriate users and groups and have to ensure that they are replicated to the RODC before the installation.
For DHCP Users Group configuration, refer to the article:
When the RODC is disconnected from the domain controller in the main office and the DHCP service stops working, what events or error messages are recorded in the event log? The event log ID and description might be helpful for troubleshooting.
And please check whether the RODC DHCP server has been authorized in Active Directory; you might like to perform the action below on a writable domain controller:
Authorize a DHCP server in Active Directory
Here is an old thread for you to refer to:

Thank you


shankarvetrivel (Author) commented:
Just to confirm:

The DHCP service is running on a separate server.

The Event ID is 1059: 'The DHCP server is failed to see a Directory server for authorization'

My question is why the RODC is not authorizing the DHCP service in the branch office.

shankarvetrivel (Author) commented:
Can someone help me with this?
Steve Knight, IT Consultancy, commented:
Silly question, but with a 200-user office why isn't it a full DC?

Listening here for info purposes...

On more than one occasion I have heard an MS employee admit that the whole RODC was simply a bad idea, and I agree. Get rid of the RODC and make it a regular DC; it isn't really protecting you from much of anything anyway. If you don't want people messing with it then don't give them the administrator account's password and don't add any of their accounts to the administrators group.
Steve Knight, IT Consultancy, commented:
Kinda my thoughts... they CAN have their place but only in a very limited number of situations IMO. With too many things relying on a writable DC and therefore failing without a comms link in place, I can't imagine leaving 200 users to rely solely on one?

As to the actual Q I don't know, but glad someone else thinks RODCs are less than useful!

shankarvetrivel (Author) commented:

Our branch office is less secure. Is there any other way to make our DHCP server authorize against the RODC?

Keep in mind that MS only recently "invented" RODCs, but we have had "less than secure" branch offices since before computers were invented. What would you do if, say, MS had never invented the RODC? I mean that seriously, I'm not being sarcastic or anything. Just because MS invents something doesn't mean we have to use it, or that it is the only way to do the job, or that it was ever a good idea to invent it in the first place.

Anyway, what I would do is:

1. As far as I am concerned the RODC is just off the table. They are a disaster (IMO) and should all be eliminated. I never use one, never will, and just refuse to deal with one. If anyone else wants to deal with that then that is perfectly fine, jump in, but I won't.

2. Put the server in a locked room. Simple enough: rooms have doors, doors have locks, put the server in such a room. Just be careful of overheating if the ventilation isn't good enough. If there isn't a room for this, build one. If you can't build one then forget it, it isn't the end of the world; just leave the server out in plain sight so that no one can mess with it without everyone else seeing them do it.

3. This one I already said. Don't give employees you can't trust the Administrator credentials and do not add their regular user account to the Administrators group. By default regular user accounts cannot log on locally to a Domain Controller. Even if regular users could, they still are not allowed by the OS to use the administration tools. If you require someone at that location with such authority then only give it to someone you can trust with those duties. If you can't trust anyone then it is probably time to fire someone and hire someone you can trust.
Steve Knight, IT Consultancy, commented:
Well said there pwindell!

Still don't know why the DHCP server won't authorize, mind. I guess we'd have to do a trace of what exactly it does when it DOES work vs when it doesn't, and probably find it is requesting in such a way that an RODC by itself can't help.

I suspect that the DHCP Service expects to write to DNS (or request that the DNS Service make the write on its behalf), and then I suspect that it is only going to make the request to the RODC because that would be the DC it is trying to use, and of course that DC cannot fulfill that role. The DHCP Service would have no idea what an RODC is since there was never any such thing when the DHCP Service was designed, and historically any DC would have been able to fulfill the request until someone came up with the idea of an RODC.

Those are my suspicions anyway; I doubt I could prove any of it. But as a test, if you pull the network cable on the RODC so that it appears to not exist, then the DHCP server (may require a reboot) would fail over to another DC listed in its TCP/IP specs, and if that DNS was a writable DC then it would work.
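An added diagnostic script, not from this thread or any of its posters, that gathers the evidence the posts above ask for in one pass: the Event ID 1059 entries shankarvetrivel quoted, which DCs are read-only, whether a writable DC can currently be located from the DHCP server, and the DHCP authorization list stored in AD (the check pwindell suggests doing by pulling the RODC's cable). It assumes it is run on the branch DHCP server (Windows Server 2008 R2 or later) with the ActiveDirectory PowerShell module installed; the variable names are mine.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008 R2 or later
# with the ActiveDirectory module available and an account that can read AD.

# 1. Recent DHCP authorization failures (Event ID 1059, as quoted in the thread).
$dhcpAuthFailures = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1059 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'DHCP' } |
    Select-Object TimeCreated, Id, Message
if ($dhcpAuthFailures) {
    $dhcpAuthFailures | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No Event ID 1059 entries found in the System log.'
}

# 2. Inventory of DCs: which are read-only, which are GCs, and which site they sit in.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog, IPv4Address |
    Sort-Object Site | Format-Table -AutoSize

# 3. Can this server locate a writable DC right now? With the WAN down and only
#    the RODC reachable, this is where the branch office would come up empty.
$locator = nltest /dsgetdc:$domain /writable 2>&1
if ($LASTEXITCODE -eq 0) {
    Write-Host "Writable DC located:`n$($locator | Out-String)"
} else {
    Write-Warning "No writable DC reachable from this host: $($locator | Out-String)"
}

# 4. DHCP servers currently authorized in AD (netsh is available on 2008 R2;
#    the Get-DhcpServerInDC cmdlet only exists in the 2012+ DHCP module).
netsh dhcp show server
```

Run it once while the WAN link is up and once while it is down; the difference between the two step-3 results, next to the step-1 timestamps, is the correlation the thread is asking for.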
Steve Knight, IT Consultancy, commented:
Yes, at least when we had PDC / BDC anything only expected to write to the PDC...
shankarvetrivel (Author) commented: