Old DC back on the network

Posted on 2014-03-25
Last Modified: 2014-03-25
We have two sites, a main site and a branch office.  In the main site we have a mixture of 2008 R2 and 2012 R2 DCs.  Recently the FSMO roles were transferred to the 2012 R2 DC (recently brought online), and the domain and forest functional level was increased from 2003 to 2008.  It now turns out that during this time the 2008 R2 RODC at the branch office was offline.  This RODC has now been brought back online, however it is unable to replicate due to the fact that it is still pointing to the previous 2008 R2 DC for the FSMO roles.

I'm wondering what the best way to resolve this is.  If it is possible to transfer the FSMO roles back to the original 2008 R2 DC (which the RODC is looking to for its FSMO role holder), would this then cause the RODC to replicate again?  Would there be any problems with doing this now that the domain and forest functional level has changed?  I don't want to corrupt my AD in any way.  The RODC has been offline for approximately 2 weeks.
Question by: Riana
LVL 25

Assisted Solution

by: Mohammed Khawaja
Mohammed Khawaja earned 100 total points
ID: 39952837
Demote the RODC and then promote it again, as this would be your best solution.   Ensure you remove it while it is not on the network, and then clean up the metadata using Ntdsutil.  Refer to the link below for guidance:

Author Comment

ID: 39952878
Thanks for replying.  Since I posted the question I see that the RODC has replicated in some way with the other DCs: I see schema changes in the logs, and it looks like it has picked up that the domain and forest level has changed.  Nevertheless, it still is not detecting the correct FSMO role holders, so I think you are probably right that the RODC should be demoted and then rebuilt.  When I run repadmin /showrepl on the RODC I can see the schema container is the only thing to have successfully replicated recently.

Can I ask you to clarify something: when demoting the RODC you advise for it to be disconnected from the network; is this absolutely necessary?  The reason I ask is that the RODC is in South Africa and I am in London, so I was hoping to do the demotion remotely.
LVL 37

Assisted Solution

Mahesh earned 400 total points
ID: 39952882
Have you tried rebooting the RODC and then forcing AD replication from the R/W DC to the RODC?
Also ensure that you are able to see the new domain controllers from ADUC on the RODC.

LVL 37

Expert Comment

ID: 39952891
Please do not demote right away; two weeks offline is not a very long time.
Try running the command below on the PDC, if you have not already run it:
adprep /rodcprep
Note that you must be logged on to the PDC with an ID that has Domain Admins and Enterprise Admins membership.
Then force AD replication, reboot the RODC and check if it is showing the FSMO roles correctly.

Author Comment

ID: 39952911
At the moment the RODC is unable to contact the new PDC.  In DNS on the RODC there is no host record for the new 2012 R2 PDC.  I am unable to add a DNS record for it as it is an RODC.  I could add an entry for the new PDC in the hosts file of the RODC, so that it can at least communicate with it, but I'm wondering if this would do more harm than good.  What do you both think?

Author Comment

ID: 39953014
OK, I manually forced replication to the faulty RODC via AD Sites & Services, and now when I run repadmin /showrepl I can see the following containers have successfully replicated:


However Domain and Forest DNS zones are not replicated.  If I now run dcdiag on the RODC I get the following error:

     Starting test: KnowsOfRoleHolders
         [DC4] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         Warning: DC4 is the Schema Owner, but is not responding to DS RPC
         Ldap search capabality attribute search failed on server DC4, return value = 81
         Warning: DC4 is the Schema Owner, but is not responding to LDAP Bind.
         Warning: DC4 is the Domain Owner, but is not responding to DS RPC
         Warning: DC4 is the Domain Owner, but is not responding to LDAP Bind.
         Warning: DC4 is the PDC Owner, but is not responding to DS RPC Bind.
         Warning: DC4 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: DC4 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: DC4 is the Rid Owner, but is not responding to LDAP Bind.
         Warning: DC4 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
         Warning: DC4 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
         ......................... DC3 failed test KnowsOfRoleHolders

DC4 is the new holder of all the FSMO roles, DC3 is the RODC.
LVL 37

Accepted Solution

Mahesh earned 400 total points
ID: 39953046
Actually, nothing will be harmed.
The RODC does not replicate anything to the R/W DC.
Have you already run adprep /rodcprep earlier on the PDC?
Have you checked the NS record for the RODC on the R/W DC?
Can you please point the RODC to the R/W DC in the network card DNS settings for the time being, then restart the Netlogon and DNS services on the RODC and check if it works?

Author Comment

ID: 39953117
I think I may be a bit stuck now...  The command adprep /rodcprep was run a few weeks ago on the domain when the RODC was first set up, so the schema has already been modified to allow for the RODC to be on the network.

On the PDC the NS record and host record for the RODC (DC3) are correct.  Also, I previously had added the new PDC as the primary DNS entry on the RODC's NIC.  Still, when I reboot the RODC the DNS is out of sync, and unfortunately, as it is read-only, I am unable to manually amend or add the necessary SRV locator records for the new PDC in the RODC's DNS.  I really need to force a resync of the _msdcs.domain.local zone to the RODC so that it has all the SRV records correct.  I'm not sure if it is possible to do this.

Author Comment

ID: 39953163
OK, on the RODC now when I check the operations masters it knows that DC4 is holding all the FSMO roles, whereas before it was just saying 'Error'.  Also, when I run netdom query fsmo it is now showing the correct DC for the FSMO roles.

Author Comment

ID: 39953217
Well, just checked the RODC again and it has now successfully replicated DNS, so all looks good again.  I was just about to run the following commands to force replication from the new PDC:

repadmin /replicate DC3 DC4 DC=DomainDNSZones,DC=domain,DC=local
repadmin /replicate DC3 DC4 DC=ForestDNSZones,DC=domain,DC=local

But the clever old RODC appears to have worked things out for itself and now looks to be back in sync with its pals back in London.  Mahesh, thanks for your assistance in helping to get this resolved.  I'm guessing the demotion/promotion of the RODC would have worked as well, so I will award some points to mnkhawaja too.
LVL 37

Expert Comment

ID: 39953248
Ya, anyhow, demotion/promotion will work for sure.
But in reality I didn't think the time had come to take such extreme steps.

Sometimes it may take some more time for changes to be reflected due to network latency too.
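The checks the thread walks through by hand (does the RODC know the FSMO owners, does its DNS return the PDC locator record, which naming contexts are replicating, and the two repadmin /replicate pushes the author was about to run) can be gathered into one diagnostic. The script below is an added example, not code from the thread or from Experts Exchange: it assumes the RSAT ActiveDirectory module, repadmin.exe and nslookup.exe are available on the machine running it, that AD Web Services is reachable on both DCs, and it takes DC3, DC4 and domain.local from the thread as placeholder defaults.

```powershell
# Added check, not the thread's own script. Assumes the RSAT ActiveDirectory module,
# repadmin.exe and nslookup.exe are available where it runs (a RWDC or admin box).
param(
    [string]$Rodc   = 'DC3',          # RODC from the thread
    [string]$Rwdc   = 'DC4',          # writable DC now holding all FSMO roles
    [string]$Domain = 'domain.local',
    [switch]$ForceDnsPartitions       # also push DomainDNSZones/ForestDNSZones to the RODC
)
Import-Module ActiveDirectory

function Get-FsmoView([string]$Server) {
    # Role owners as seen through one DC; the RODC's replicated copy is what
    # dcdiag's KnowsOfRoleHolders test and "netdom query fsmo" read.
    $d = Get-ADDomain -Server $Server
    $f = Get-ADForest -Server $Server
    [ordered]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}
# 1. FSMO owners: authoritative view from the RWDC versus the RODC's copy.
$truth    = Get-FsmoView $Rwdc
$rodcView = Get-FsmoView $Rodc
foreach ($role in $truth.Keys) {
    $state = if ($truth[$role] -eq $rodcView[$role]) { 'OK' } else { 'STALE' }
    '{0,-20} RWDC: {1,-24} RODC: {2,-24} {3}' -f $role, $truth[$role], $rodcView[$role], $state
}
# 2. DC locator: the RODC's DNS must answer the PDC SRV query, or the RODC and
#    the clients behind it cannot find the new PDC.
$pdcSrv = nslookup -type=SRV "_ldap._tcp.pdc._msdcs.$Domain" $Rodc 2>$null |
    ForEach-Object { if ($_ -match 'svr hostname\s*=\s*(\S+)') { $Matches[1] } }
if ($pdcSrv) { "PDC SRV record on $Rodc -> $pdcSrv" } else { "MISSING: PDC SRV record on $Rodc" }
# 3. Inbound replication per naming context, from repadmin's CSV output.
repadmin /showrepl $Rodc /csv | ConvertFrom-Csv |
    Select-Object 'Naming Context', 'Source DSA', 'Number of Failures',
                  'Last Success Time', 'Last Failure Status' |
    Format-Table -AutoSize
# 4. Optional: the same one-way pushes the author was about to run.
if ($ForceDnsPartitions) {
    $domainDn = (Get-ADDomain -Server $Rwdc).DistinguishedName
    foreach ($partition in 'DomainDNSZones', 'ForestDNSZones') {
        repadmin /replicate $Rodc $Rwdc "DC=$partition,$domainDn"
    }
}
```

A STALE row in step 1 together with a MISSING locator record in step 2 is the state the author describes before the RODC caught up; once step 3 shows the two DNS application partitions with a recent Last Success Time, the optional push in step 4 is no longer needed.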
