

What effect will having a read-only 2008 R2 DC powered off have in our environment?

Posted on 2015-02-13
Medium Priority
Last Modified: 2015-02-13
We run 2008 R2 and have 2 writable DCs in our site and 2 read-only DCs. I just found out that the two read-only DCs are still showing up in AD even though they were removed from the site a year ago.

We've been having a slow login issue, which is why I suspect it could be tied to this issue.

I have no way of knowing if the read-only DCs were demoted properly in AD. I don't think they were, or else why would they still be showing up in AD when I search for computers in our site, and they're showing up as "Read-only Domain Controller"s?

Our admin doesn't want to remove them yet and I'm not sure why not. Couldn't this be causing our slow login issue?

He assures me that new workstations booting up won't be trying to contact these permanently offline DCs. I'm not so sure, being as they weren't demoted properly. If they were demoted properly I shouldn't see them at all in AD.

What's your take on this?
Question by:NZermeno
Assisted Solution

by:Steve Whitcher
Steve Whitcher earned 664 total points
ID: 40608654
If the clients are in the same site where the RODC is located, I could see where they might first try to connect to the RODC before failing over to another site.  Whether that's actually happening or not, it's not terribly complicated to remove an RODC, and server 2008R2 should handle the metadata cleanup automatically once you remove the computer account.  If it were my network, I would remove them.

Expert Comment

by:Will Szymkowski
ID: 40608673
Clients use DNS to locate Active Directory services. If you have your clients pointing to the RODC for DNS as the primary DNS server in your network properties and a RWDC as secondary (because it is out of site), you will definitely have slow logon/query issues.

When a DNS server is not available in the Network Adapter Properties, it has a timeout period of 2-5 minutes (respectively) before it will make it to the secondary DNS server.

An RODC needs to be treated the same as a RWDC in regards to demoting. The RODC has a read-only copy of the AD DS database from a replication partner and read-only DNS as well. If your clients are pointing to this RODC for DNS, this could be the slow issue.

Accepted Solution

Rich Weissler earned 668 total points
ID: 40608676
Just to play devil's advocate - the clients should be sending messages to all the DCs at the same time, and only attempting to communicate with the one that responds first.  Since the RODCs can't respond, it would be an unusual circumstance that they'd be causing a problem.  (Not impossible, but unusual.)

That said, I can't remember offhand how the DCs handle the queued-up directory updates that can't be sent to offline servers.

I'd want to clean up the environment, but I'd want to make certain I had all my ducks in a row before removing them.  (Then again, I'm paranoid and like to have two backups in hand before moving forward.)
(Append:  AH!  If clients are using the retired systems for DNS -- that's a whole different can of worms.  Removing them from AD won't fix that problem though.  :-) )

Author Comment

ID: 40608755
So after checking DNS, our clients are getting from DHCP the IP addresses for DNS and WINS of our main two RWDCs, named STDC1 and STDC2.

The RODCs I'm concerned about, let's say, are called OLDSTDC1 and OLDSTDC2. They are listed in AD when I look in ADUC for computers; it says they are read-only domain controllers.

Our admin says they aren't involved in the replication process as they have been long powered off. I'm worried that this is still affecting our network performance somehow, and agree that if it were 100% my network I'd get two backups first and then demote them.

Maybe I shouldn't be worried after all if the clients are getting STDC1 or STDC2 when I do an echo %logonserver%.

Thanks again
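The checks discussed above (Will's point that clients find DCs through DNS, Rich's point that the DC locator only talks to DCs that answer, and the author's %logonserver% check) can be made more rigorous than eyeballing ADUC. The following PowerShell is an added example and is not code from the thread or from any of the participants. It assumes the RSAT ActiveDirectory module is available on the machine you run it from, and it reuses the placeholder names from the thread (OLDSTDC1/OLDSTDC2 as the stale RODCs); the site name in the ntdsutil line is an assumption. It only reads; the cleanup command is printed, not run, so you can take Rich's advice and have backups first.

```powershell
# Added example (not from the thread): audit stale RODC objects and confirm that
# clients on this machine cannot be steered to them.
# Assumptions: RSAT ActiveDirectory module installed; stale RODC hostnames below
# are the thread's placeholders; site name for the ntdsutil DN is hypothetical.
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).DNSRoot
$configNC = (Get-ADRootDSE).configurationNamingContext
$staleDCs = 'OLDSTDC1', 'OLDSTDC2'          # placeholder names from the thread

# 1. Computer accounts that AD still classifies as RODCs.
#    RODC computer objects carry primaryGroupID 521 (Read-only Domain Controllers).
Write-Host "== RODC computer accounts still in AD =="
Get-ADComputer -Filter 'primaryGroupID -eq 521' -Properties lastLogonTimestamp |
    Select-Object Name, DNSHostName,
        @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime([int64]$_.lastLogonTimestamp) } } |
    Format-Table -AutoSize

# 2. Replication metadata: does each stale DC still have a server object and an
#    NTDS Settings (nTDSDSA) object under CN=Sites? If yes, it was never demoted
#    and the other DCs still consider it a replication partner.
Write-Host "== Replication metadata under CN=Sites =="
$serverObjects = Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter '(objectClass=server)' -Properties dNSHostName
foreach ($dc in $staleDCs) {
    $srv = $serverObjects | Where-Object { $_.Name -ieq $dc }
    if (-not $srv) {
        "$dc : no server object in Sites - metadata cleanup already done"
        continue
    }
    $ntds = Get-ADObject -SearchBase $srv.DistinguishedName `
        -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue
    if ($ntds) {
        "$dc : NTDS Settings object still present - NOT demoted, metadata cleanup needed"
        # Cleanup on 2008 R2+ (run only after backups and admin sign-off; DN is assumed):
        "  ntdsutil `"metadata cleanup`" `"remove selected server $($srv.DistinguishedName)`" q q"
    } else {
        "$dc : server object present but no NTDS Settings - partially cleaned"
    }
}

# 3. DNS: are the stale DCs still advertised in the SRV records clients query
#    to find a DC? (nslookup is used because Resolve-DnsName is 2012+ only.)
Write-Host "== DC SRV records ( _ldap._tcp.dc._msdcs.$domain ) =="
$srvAnswer = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>$null
foreach ($dc in $staleDCs) {
    if ($srvAnswer -match $dc) { "$dc : STILL advertised in SRV records" }
    else                       { "$dc : not in SRV records" }
}

# 4. What this client actually uses: its DNS server list, the DC the locator
#    picks right now, and the DC that authenticated the current session.
Write-Host "== Client-side view =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    Select-Object Description, DNSServerSearchOrder | Format-List
& nltest /dsgetdc:$domain /force        # DC locator result, bypassing the cache
"LOGONSERVER = $env:LOGONSERVER"
```

Read the four sections together: section 2 answers the author's "were they demoted properly" question directly (an nTDSDSA object means no), section 3 tells you whether the locator can still be handed a dead DC, and section 4 confirms the DNS servers and logon DC the workstation really uses. If sections 3 and 4 are clean, a stale computer object alone is unlikely to explain slow logons, but the metadata still warrants cleanup because every other DC keeps trying to replicate with a partner that will never answer.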

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 668 total points
ID: 40608792
That being said, you should be cleaning up the RODCs that are in place, to avoid any issues in the future.


Author Comment

ID: 40608993
Agreed... I will continue to ask our admins to remove them. Thanks everyone for your help!
