Solved

Enlist RODC 2012 R2

Posted on 2015-02-04
9
216 Views
Last Modified: 2015-02-16
Hi experts,

Need a bit of help with Enlisting a RODC on a 2012 R2 server.
Here's the details.

Created two RODC's and trying to enlist them in DNS
From a writable DC:
I run from elevated cmd:
 DnsCmd RODCServername /EnlistDirectoryPartition ForestDNSZones.domainname.com

I get the following:
Enlist directory partition failed: forestdnszones.nice.com
    status = 8367 (0x000020AF)
Command failed:  ERROR_DS_COULDNT_CONTACT_FSMO     8367    0x20AF

I then try to use NTDSUTIL

C:\Windows\system32>ntdsutil
ntdsutil: partition management
partition management: connections
server connections: connect to server Servername
Binding to Servername ...
Connected to Servername using credentials of locally logged on user.
server connections: quit
partition management: add NC Replica DC=DomainDNSZones,DC=child, DC=domain,DC=com servername.child.domain.com
Error parsing Input - Invalid Syntax.

Not sure where I'm going wrong.
0
Comment
Question by:damejen
  • 5
  • 2
  • 2
9 Comments
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
Comment Utility
Ensure your Active directory DNS zones are configured as Active directory integrated and replicate all domain controllers on domain. Then, wait until replication ends.
0
 

Author Comment

by:damejen
Comment Utility
All AD DNS Zones are AD integrated.
0
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
Comment Utility
Could you try remove space between DC=Child,  and DC=Contoso
0
 

Author Comment

by:damejen
Comment Utility
I've done that, no spaces. I've also removed the Replica in the string as a link I found said this command was buggy
DNS RODC Enlist

I've tried it add NC DC=DomainDNSZones,DC=child,DC=domain,DC=com Servername.child.domain.com
though I still get :
Error parsing Input - Invalid Syntax
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 25

Expert Comment

by:DrDave242
Comment Utility
Are there any errors in the Directory Service event log on the RODC? I'm asking mainly because of this:
Command failed:  ERROR_DS_COULDNT_CONTACT_FSMO     8367    0x20AF
Also, I've just promoted a 2012 R2 RODC in my test environment. I specified that it should be a DNS server during the promotion, and as soon as it rebooted, it was already enlisted in the DomainDnsZones and ForestDnsZones directory partitions with no extra effort needed on my part.
0
 

Author Comment

by:damejen
Comment Utility
I can see one repeating error and one repeating warning in the Directory Service log.

Error:
Active Directory Domain Services was unable to establish a connection with the Global Catalog.

Additional Data
Error value:
8430 The directory service encountered an internal failure
Internal ID:
3200db0

User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful.
\\Servername.domain.com

The operation in progress might be unable to continue. Active Directory Domain Services will use the domain controller locator to try to find an available global catalog server.

Additional Data
Error value:
1722 The RPC server is unavailable.

It repeats the two above error and warnings, though in the warning trying to communicate with the global catalog its trying every GC in the Forest.
0
 
LVL 25

Expert Comment

by:DrDave242
Comment Utility
Since this is an RODC, I'm assuming it's at a remote site. Is there anything interfering with connectivity between that site and others? Could there be a firewall whose rules are too restrictive? (Firewalls are a common cause of "RPC server unavailable" errors, though certainly not the only cause.)
0
 

Accepted Solution

by:
damejen earned 0 total points
Comment Utility
I've asked my network guys if there is any traffic being blocked and they have confirmed that nothing DNS or AD related is blocked.

I ran the commands again but this time I noticed that I had entered in quit after connecting to a Writeable DC which took me back to partition management in NTDSUTIL I ran the rest of the commands and it worked.

After that I checked with List NC Replicas DC=ForestDnsZones,DC=domain,DC=com and List NC Replicas DC=DomainDnsZones,DC=child,DC=domain,DC=com and can confirm that the directory partitions for those RODC's are now available in DNS.

Also checked in DNS after an hour or so post replication and confirmed that RODC's can see the Zones.

Thanks for all the help guys.
0
 

Author Closing Comment

by:damejen
Comment Utility
Attempted the suggested fixes, though after further troubleshooting/analysis noticed the syntax was incomplete.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Every now and then, Microsoft does something that totally impresses me. It doesn't happen often, but in this case I must say I am thoroughly impressed with Windows Server Backup. One of the long time issues with Windows Backup has been the ability t…
This article will review the basic installation and configuration for Windows Software Update Services (WSUS) in a Windows 2012 R2 environment.  WSUS is a Microsoft tool that allows administrators to manage and control updates to be approved and ins…
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now