
Windows Server AD RODC, Windows DNS

The customer is not hosting their DNS in AD as an AD-integrated zone. They use one of their member servers to host the DNS service.
They have a remote office that they intend to deploy with an RODC.

During the AD promotion wizard, at the RODC, GC and DNS options page, there is a message saying that it can't locate the DNS server because it is using external DNS.
If I click Next, the AD promotion finishes successfully.

However, when I launch the DNS MMC, I get access denied. The account I logged in with has domain admin rights.
I tested the same scenario in my lab, and it works with no issue (my lab is using AD-integrated DNS).

I tried to follow this https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742490(v=ws.10) to enlist the DNS; the command returned access denied as well.

Please advise.
Asked: hell_angel
3 Solutions
 
ferrarista commented:
Any issues if you launch dcdiag /q on the RODC?
1
 
arnold commented:
Make sure the RODC does not reference any external (public) DNS servers:
ipconfig /all on the RODC
The RODC should also have a read-only DNS that receives updates but cannot perform them. Update requests should be forwarded upstream, and the RW DC/DNS will either allow or deny the requested update.

You should try the DNS MMC and connect to the writable DC/DNS that is upstream from the RODC.
0
 
ferrarista commented:
Yes, obviously the RODC must refer to a writable domain controller.
0
 
hell_angel (Engineer, Author) commented:
I tried connecting to the DNS server from the RODC MMC; it said not available.
Telnet to the writable DNS gets through.

Just to emphasize again, the DNS service is hosted on another member server. It is not hosted on the AD DC server itself,
and it is not AD integrated either.

Thanks
0
 
ferrarista commented:
The DNS server you're trying to connect to is the same one used by the operating system of the RODC, right? But you can telnet to port 53?
0
 
ferrarista commented:
Is it possible you are using local admin credentials of the RODC without rights to the DNS server?
0
 
hell_angel (Engineer, Author) commented:
Hi ferrarista,

Yes, the DNS that I'm trying to connect to is on the same host as the RODC. The RODC still has a local account???
0
 
ferrarista commented:
Yes, it's one of the peculiarities of RODCs, so that administrators can manage it without having full domain admin rights.
0
 
Mahesh (Architect) commented:
If your DNS is hosted on a non-DC server, it is not AD integrated, and in that case you cannot install an R/W DNS zone on the RODC server.

If you logged on to the RODC with domain admin credentials, you would be able to use the MMC console and connect to the DNS server on the member server.
0
 
hell_angel (Engineer, Author) commented:
I know that. But I installed a DNS service on the RODC server as secondary DNS before deploying it as an RODC.
After it rebooted, I can't access the DNS MMC anymore.

And from Event Viewer, I have an error saying that DNS can't build the zone or partition, something like that.
0
 
arnold commented:
Providing the errors related to DNS, please look at and post the output from ipconfig /all.
Make sure 127.0.0.1 is not one of the configured name servers.
0
 
Mahesh (Architect) commented:
Uninstalling and reinstalling the DNS role on the RODC should fix the issue.
0
 
hell_angel (Engineer, Author) commented:
Hi Mahesh,

I tried. It doesn't help.

After I uninstalled the DNS role, it doesn't allow me to add it back again, as it's not allowed when there is a DC role installed.
0
 
Mahesh (Architect) commented:
You should be able to install the DNS role, though, because it's a normal role and would not care about DC / RODC etc.
After you add the role, it won't allow you to configure DNS, as you don't have an AD-integrated domain DNS zone from which it can populate.

My idea is: just install the DNS role as a standard server role on the RODC and configure a secondary zone of your standalone primary DNS server's zone. You need to enable zone transfer on the primary DNS zone on the primary DNS server.

I hope you are using a *domain admins* account to log on to the RODC; can you confirm?
0
 
hell_angel (Engineer, Author) commented:
Hi Mahesh,

Yes, the account has domain admin rights. I can install the DNS role.
But the main problem I face is, when I launch the DNS MMC, I get an access denied error.

So I wonder if this is related to the RODC or some other settings that I should look for.
0
 
Mahesh (Architect) commented:
I believe when you launch the DNS console, the system is referring to some RW DC and hence you are getting the error.
From a custom MMC console, load the DNS snap-in and then connect to the local server; that should work.
0
 
hell_angel (Engineer, Author) commented:
Hi Mahesh,

I selected local DNS.
0
 
arnold commented:
The RODC does not have a writable local DNS; connect to an upstream writable DNS.
If you can change DNS on the local RODC, you effectively can circumvent/alter/pollute ......
0
 
Mahesh (Architect) commented:
What I am saying is to connect to the local DNS server console; it should be blank.
Now right-click and add a secondary zone pointing to the primary DNS server.
0
 
hell_angel (Engineer, Author) commented:
Hi Mahesh,

I don't think you get me.

When I launch the DNS MMC, I get an access denied error. In fact, I had configured the RODC DNS as a secondary zone before I promoted the AD services.
0
 
arnold commented:
Please try the following:
Start+R
mmc.exe
File > Add/Remove Snap-in
Select DNS; when prompted, specify a remote system where there is a writable DNS. See what error, if any, you get.
Using the Administrative Tools DNS console, it defaults to accessing the local DNS server...
0
 
hell_angel (Engineer, Author) commented:
Hi Mahesh,

That's what I did.

It returned the error access denied.
0
 
Mahesh (Architect) commented:
Have you enabled zone transfer on the primary DNS zone?
And have you added the RODC account as an allowed computer account for zone transfer in the primary DNS properties?
0
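The zone-transfer setup Mahesh describes above (enable transfers on the standalone primary, then pull a secondary copy on the RODC) can be scripted with the DnsServer PowerShell module. The block below is an added example for this thread, not code posted by any participant; the server names, addresses and zone name are assumptions, and it assumes the account running it has DNS admin rights on the primary.

```powershell
# Added example, not from the thread. Assumed values: standard (non-AD-integrated)
# primary zone corp.example.com on member server PRIMARYDNS (10.10.0.5),
# RODC named RODC01 at 10.20.0.10. Run the "primary" part remotely via -ComputerName
# and the "RODC" part locally on the RODC, in an elevated session.
$ZoneName  = 'corp.example.com'
$Primary   = 'PRIMARYDNS'
$PrimaryIp = '10.10.0.5'
$RodcIp    = '10.20.0.10'

# --- On the primary DNS server ---
# Allow AXFR/IXFR only to the RODC's address. On a file-backed primary zone the
# transfer restriction is by IP address; do not leave it at TransferAnyServer,
# which hands the whole zone (DC locator records included) to anything on port 53.
Set-DnsServerPrimaryZone -ComputerName $Primary -Name $ZoneName `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $RodcIp

# Send NOTIFY to the RODC so it pulls changes promptly instead of waiting for
# the SOA refresh interval.
Set-DnsServerPrimaryZone -ComputerName $Primary -Name $ZoneName `
    -Notify NotifyServers -NotifyServers $RodcIp

# --- On the RODC ---
# A file-backed secondary copy: an RODC cannot hold a writable copy of the zone,
# and with a standard primary on a member server there is no AD-integrated copy
# for it to load anyway.
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerSecondaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" `
        -MasterServers $PrimaryIp
}

# Verification: the transfer is only healthy if the RODC's SOA serial matches
# the primary's. A stale or missing serial means the transfer is failing.
function Test-SecondaryZoneInSync {
    param([string]$Zone, [string]$PrimaryServer)
    $local  = (Get-DnsServerResourceRecord -ZoneName $Zone -RRType Soa).RecordData.SerialNumber
    $master = (Get-DnsServerResourceRecord -ComputerName $PrimaryServer -ZoneName $Zone -RRType Soa).RecordData.SerialNumber
    [pscustomobject]@{
        Zone         = $Zone
        LocalSerial  = $local
        MasterSerial = $master
        InSync       = ($local -eq $master)
    }
}

Test-SecondaryZoneInSync -Zone $ZoneName -PrimaryServer $Primary
```

If `InSync` is false right after creation, check that TCP 53 from the RODC to the primary is open (zone transfers run over TCP, unlike the UDP lookups the thread already confirmed with telnet) and that the RODC's address is exactly the one listed in `-SecondaryServers`.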
 
arnold commented:
Your issue is the injection of your setup of the DNS and the AD domain as a secondary zone.
The link you followed installs the DNS server after the RODC setup.
You cannot enlist the DNS and the AD zone when it is secondary versus AD integrated.
0
 
hell_angel (Engineer, Author) commented:
Hi Mahesh,

Yes, zone transfer is configured, and it worked before promoting to RODC.

Arnold,

I had the DNS zone configured before promoting the RODC. After DC promotion, I can't access the DNS MMC anymore.
I doubt it is GPO.
0
 
arnold commented:
Why did you configure the DNS AD domain as a secondary zone?
Were you able to access the DNS prior to DC promotion?

Are you able to access a writable DC and use the DNS console on that system to access the DNS on the RODC?

The DNS AD-integrated settings limit access to the AD domain zone to DCs; changing it to allow DNS on member servers access is one of the selections.

This is potentially why you had to add the AD domain as a secondary zone........ as it lacked rights to load the AD-integrated zone.

The point of following the write-up you reference is that it follows the MS guidelines, .....

Are you in a position to start again?
0
 
Mahesh (Architect) commented:
Open the DNS zone properties on the master server, add the RODC account with read permission on the Security tab, and check if it is able to populate the secondary zone.
0
 
hell_angel (Engineer, Author) commented:
Hi Arnold,

The customer environment is not using AD-integrated DNS. Their DNS is hosted on one of the member servers.
Yes, from the RODC network, I can query the writable DNS and AD.
0
 
hell_angel (Engineer, Author) commented:
Since my DNS is not AD integrated and my DC is an RODC,
should I manually add the relevant records to the writable DNS server?

http://www.dell.com/support/article/my/en/mybsd1/sln156678/windows-server-dns-records-registered-by-an-active-directory-domain-controller?lang=en

Thanks
0
 
Mahesh (Architect) commented:
Yes, you can add an NS record for the RODC on the writable DC server.
0
 
hell_angel (Engineer, Author) commented:
I have added the necessary records to the folders, including manually creating the ForestDnsZones and DomainDnsZones folders. All necessary records are created, except that I can't manually create an A record for the "(same as parent folder)" record under DomainDnsZones and ForestDnsZones.

From Event Viewer, I am seeing "The DNS server was unable to create the built-in directory partition ForestDnsZones.domain.com. The error was 9906."
0
 
hell_angel (Engineer, Author) commented:
Issue resolved.

The RODC does not require DNS.
After investigating, it turned out there were a few DNS records that weren't updated for the newly promoted RODC. That makes sense, as the customer is not using AD-integrated DNS.

After creating those necessary records and fixing some firewall policy, replication succeeded.
0
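The resolution above (DC locator records for the new RODC were never registered, because a standard primary zone on a member server does not take secure dynamic updates from the DC) is something you can check rather than discover by hand. The block below is an added example for this thread, not code posted by any participant. It also covers arnold's earlier ipconfig /all point about loopback or public resolvers on the RODC. It reads the standard file in which Netlogon writes every record the DC wants registered (`%SystemRoot%\System32\config\netlogon.dns`) and queries the writable DNS server for each one; the server name `PRIMARYDNS` is an assumption, and the script is meant to run on the RODC itself.

```powershell
# Added example, not from the thread. Assumed: the writable, non-AD-integrated
# DNS server is PRIMARYDNS and this runs on the newly promoted RODC.
$DnsServer   = 'PRIMARYDNS'
$NetlogonDns = Join-Path $env:SystemRoot 'System32\config\netlogon.dns'

# 1. Resolver sanity check: the RODC must not point at loopback or at a public
#    resolver, otherwise it cannot locate a writable DC at all. Returns the
#    offending entries; an empty result means every resolver is a private address.
function Test-RodcResolvers {
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($ip in $cfg.ServerAddresses) {
            $o1 = [int]$ip.Split('.')[0]
            $o2 = [int]$ip.Split('.')[1]
            $private = ($o1 -eq 10) -or
                       ($o1 -eq 192 -and $o2 -eq 168) -or
                       ($o1 -eq 172 -and $o2 -ge 16 -and $o2 -le 31)
            if ($ip -like '127.*' -or -not $private) {
                [pscustomobject]@{ Interface = $cfg.InterfaceAlias; Server = $ip }
            }
        }
    }
}

# 2. Compare netlogon.dns with what the primary actually answers. Each line has
#    the form: <name> <ttl> IN <type> <rdata...>, e.g.
#    _ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 rodc01.corp.example.com.
#    With no dynamic update, a record exists only if someone created it by hand.
function Get-MissingDcRecords {
    param([string]$File, [string]$Server)
    foreach ($line in Get-Content $File) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5) { continue }
        $name = $f[0].TrimEnd('.')
        $type = $f[3].ToUpper()
        $expected = switch ($type) {
            'A'     { $f[4] }
            'CNAME' { $f[4].TrimEnd('.') }
            'SRV'   { $f[7].TrimEnd('.') }   # rdata: priority weight port target
            default { $null }
        }
        if (-not $expected) { continue }
        $answers = Resolve-DnsName -Name $name -Type $type -Server $Server `
            -DnsOnly -ErrorAction SilentlyContinue
        $found = switch ($type) {
            'A'     { $answers | Where-Object { $_.IPAddress  -eq  $expected } }
            'CNAME' { $answers | Where-Object { $_.NameHost   -ieq $expected } }
            'SRV'   { $answers | Where-Object { $_.NameTarget -ieq $expected } }
        }
        if (-not $found) {
            [pscustomobject]@{ Name = $name; Type = $type; Expected = $expected; Line = $line }
        }
    }
}

Test-RodcResolvers | Format-Table -AutoSize
$missing = Get-MissingDcRecords -File $NetlogonDns -Server $DnsServer
$missing | Format-Table Name, Type, Expected -AutoSize
```

Each row in `$missing` is one record to create on the primary, for instance with `Add-DnsServerResourceRecord -Srv` for the `_ldap`, `_kerberos` and `_gc` entries, using the name, port and target exactly as they appear in the `Line` column; re-run the script afterwards until it returns nothing, then confirm with `dcdiag /test:DNS` on the RODC. Because the zone is not AD integrated, this check has to be repeated whenever the RODC's name, address or site changes, since nothing will re-register the records for you.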
 
Mahesh (Architect) commented:
Your customer not using AD-INTEGRATED DNS is the key point here.
0