Solved

Windows 2008 R2 RODC and DHCP.

Posted on 2011-09-21
16
2,765 Views
Last Modified: 2012-06-21
Hello all,

We have a branch office with an RODC, DHCP and 200 clients. All the clients pull their IP addresses from the branch office DHCP.

In the main office we have writable DCs.

Main office and branch office are connected over WAN.

Problem
When the branch office loses communication to the writable DC in the main office,

the DHCP server does not offer IP addresses to client desktops in the branch office.

So does DHCP depend on a writable DC?

Jaya
0
Comment
Question by:shankarvetrivel
16 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36578726
Looks like a problem with DHCP authorization when the writable DC is down. Have you set up Global Catalog on that RODC in the remote site? I think that should solve your problem.

Regards,
Krzysztof
0
 

Author Comment

by:shankarvetrivel
ID: 36579599
The RODC in the branch office is already a Global Catalog.

Jaya
0
 
LVL 7

Accepted Solution

by:ComputerBeast
ComputerBeast earned 125 total points
ID: 36580144
Hi all,

If you want to install DHCP directly on an RODC, you have to create the appropriate users and groups and have to ensure that they are replicated to the RODC before the installation.
 
For DHCP Users Group Configuration, refer to the article:

http://technet.microsoft.com/en-us/library/cc726854(WS.10).aspx
 
When the RODC disconnects from the domain controller in the main office and the DHCP service stops working, what events or error messages were recorded in the event log? The event log ID and description might be helpful for troubleshooting.
And please check if the RODC DHCP server has been authorized in Active Directory; you might like to perform the action below on a writeable domain controller:
 
Authorize a DHCP server in Active Directory
http://technet.microsoft.com/en-us/library/cc759688(WS.10).aspx
 
Here is an old thread for you to refer to:
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/5abf9237-5df0-4873-a54f-955ff3cdbd6a

Thank you
Anil
0
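As an added example (not part of the thread or of the Microsoft articles linked above), here is a PowerShell check that does the two things this answer asks for on the branch DHCP server itself: list the DHCP servers authorized in Active Directory and confirm this host is one of them, then pull the recent authorization events from the System log. It uses only built-in tools (`netsh dhcp`, `Get-WinEvent`) that ship with Windows Server 2008 R2; the 7-day window and the event ID filter are assumptions for this illustration.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the branch DHCP server (Windows Server 2008 R2 or later).

# 1. Which DHCP servers are authorized in Active Directory?
#    'netsh dhcp show server' lists the servers recorded under the
#    NetServices container of the Configuration partition.
$authorized = netsh dhcp show server
$authorized

# 2. Is this host among them? Compare on the fully qualified name, since
#    that is what the authorization record carries.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($authorized -match [regex]::Escape($fqdn)) {
    "OK: $fqdn is listed as an authorized DHCP server"
} else {
    "WARNING: $fqdn is NOT listed as an authorized DHCP server"
}

# 3. Authorization failures in the System log for the last 7 days (window
#    chosen for this example), newest first. Event ID 1059 is the
#    "failed to see a directory server for authorization" event; the
#    message text tells you which domain/DC the service was looking for.
Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 1059
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Message |
    Format-List
```

If step 2 reports the server as authorized but step 3 still shows 1059 events clustered around the WAN outage, the authorization record is fine and the problem is reaching a directory server that can answer the authorization query, which is the direction the rest of this thread takes.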
 

Author Comment

by:shankarvetrivel
ID: 36584036
Just to confirm

The DHCP service is running on a separate server.

Event ID is 1059 ' The DHCP server is failed to see a Directory server for authorization'

My question is why the RODC is not authorizing the DHCP service in the branch office.

Jaya
0
 

Author Comment

by:shankarvetrivel
ID: 36588307
Can someone help me on this?
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36592809
Silly question, but with a 200-user office why isn't it a full DC?

Listening here for info purposes.

Steve
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 250 total points
ID: 36594221
On more than one occasion I have heard an MS employee admit that the whole RODC was just simply a bad idea,...and I agree.  Get rid of the RODC and make it a regular DC,...it isn't really protecting you from much of anything anyway.  If you don't want people messing with it then don't give them the administrator account's password and don't add any of their accounts to the administrator's group.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36594457
Kinda my thoughts....  They CAN have their place but only in a very limited no. of situations IMO - with too many things relying on a writable DC and therefore failing without a comms link in place I can't imagine leaving 200 users to rely solely on one?

As to the actual Q don't know but glad someone else thinks RODC's are less than useful!

Steve
0
 

Author Comment

by:shankarvetrivel
ID: 36707876
pwindell

Our branch office is less secure. Is there any other way to make our DHCP server authorize against the RODC?

Jaya
0
 
LVL 29

Expert Comment

by:pwindell
ID: 36716746
Keep in mind that MS only recently "invented" RODCs,...but we have had "less than secure" branch offices since before computers were invented.  What would you do if, say,..MS never invented the RODC?  I mean that seriously, I'm not being sarcastic or anything.  Just because MS invents something doesn't mean we have to use it, or it is the only way to do the job, or that it was ever a good idea to invent it in the first place.

Anyway, what I would do is:

1. As far as I am concerned the RODC is just off the table.  They are a disaster (IMO) and should all be eliminated. I never use one, never will, and just refuse to deal with one.  If anyone else wants to deal with that then that is perfectly fine, jump in, but I won't.

2. Put the server in a locked room.  Simple enough, rooms have doors, doors have locks,..put the server in such a room. Just be careful of overheating if the ventilation isn't good enough.   If there isn't a room for this,...build one.  If you can't build one then forget it,..it isn't the end of the world,...just leave the server out in plain sight so that no one can mess with it without everyone else seeing them do it.

3. This one I already said.  Don't give employees you can't trust the Administrator credentials and do not add their regular user account to the Administrator's group.  By default regular user accounts cannot log on locally to a Domain Controller.  Even if regular users could they still are not allowed by the OS to use the Administration tools. If you require someone at that location with such authority then only give it to someone you can trust with those duties.  If you can't trust anyone then it is probably time to fire someone and hire someone you can trust.
0
 
LVL 43

Assisted Solution

by:Steve Knight
Steve Knight earned 125 total points
ID: 36716996
Well said there pwindell!

Still don't know why the DHCP server won't authorize mind.  I guess we'd have to do a trace of what exactly it does when it DOES work vs when it doesn't and probably find it is requesting in such a way that a RODC by itself can't help.

Steve
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 250 total points
ID: 36717104
I suspect that the DHCP Service expects to write to DNS (or request that the DNS Service make the write on its behalf),...and then I suspect that it is only going to make the request to the RODC because that would be the DC it is trying to use,...and of course that DC cannot fulfill that role.  The DHCP Service would have no idea what an RODC is since there was never any such thing when the DHCP Service was designed, and historically any DC would have been able to fulfill the request until someone came up with the idea of an RODC.

Those are my suspicions anyway,...I doubt I could prove any of it.   But as a test, if you pull the network cable on the RODC so that it appears not to exist,...then the DHCP server (may require a reboot) would fail over to another DC listed in its TCP/IP specs, and if that DNS was a writable DC then it would work.
0
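The cable-pull test above can be approximated without touching the RODC. As an added example (not from the thread, and not a Microsoft procedure), this PowerShell script run on the branch DHCP server shows which DNS servers the host is configured with, what DC records each of them returns, and whether the DC locator can find a writable DC at all; `corp.example.com` is a placeholder for the real AD domain. If the `/writable` lookup fails while the WAN is down, that is the same condition the DHCP service hits when it asks for a directory server for authorization.

```powershell
# Added example, not from the thread. Run on the branch DHCP server.
# 'corp.example.com' is a placeholder; substitute your AD domain name.
$domain = 'corp.example.com'

# 1. DNS servers configured on the active adapters (the "TCP/IP specs"
#    referred to above). If only the RODC appears here, every directory
#    lookup from this host starts at the RODC.
$dnsServers = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.DNSServerSearchOrder } |
    Where-Object { $_ }
"Configured DNS servers: $($dnsServers -join ', ')"

# 2. Ask each configured DNS server for the DC SRV records of the domain.
#    RODCs register here as well, so the list alone does not tell you
#    which entries are writable; step 3 does.
foreach ($dns in $dnsServers) {
    "--- _ldap._tcp.dc._msdcs.$domain as seen by $dns ---"
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" $dns 2>&1
}

# 3. Which DC does the locator hand out by default, and which when a
#    writable DC is demanded? /force bypasses the locator cache so the
#    answer reflects the current network state, not a stale entry.
"--- any DC ---"
nltest /dsgetdc:$domain /force
"--- writable DC only ---"
nltest /dsgetdc:$domain /writable /force

# 4. Once the writable lookup succeeds again (WAN restored, or a writable
#    DC reachable by another path), restart the DHCP service so it
#    re-attempts authorization, then re-check the System log for 1059.
# Restart-Service DHCPServer
```

Running steps 1 to 3 both with the WAN up and with it down gives the "when it DOES work vs when it doesn't" comparison Steve asks for, without a reboot or a pulled cable.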
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36717386
Yes, at least when we had PDC / BDC anything only expected to write to the PDC...
0
 

Author Closing Comment

by:shankarvetrivel
ID: 37486743
Thanks.
0
