RODC Servers DNS service stops and DHCP gets unauthorized

    Question

  • I am facing a problem on the RODC servers located at remote locations away from the main office, which affects both DNS and DHCP. When these services are down, the critical business services go down, including even file services. The background of this problem is a WAN network connection outage. We have come across different logs which have been discussed on various forums here: 4000, 4015, 4013... and many more on DNS, and also an error log on DHCP: "The DHCP service failed to see a directory server for authorization." What I am looking for is not how to restore the DNS service or authorize DHCP, because for sure when the WAN network is back, when I point to the main DC and reboot, then force replication, all these services are restored.

    What I need is, for example, what I found for DHCP: we can disable rogue detection:

    To disable rogue detection

    • Click Start, type regedit in Start Search, click Yes in User Account Control if prompted, and then press ENTER.
    • In the registry tree, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters.
    • Right-click DisableRogueDetection and then click Modify…
    • In Value Data type 1 and then click OK.

    and the DHCP service will not stop working. I have not found a solution for DNS, though some posts have pointed to setting the registry value Repl Perform Initial Synchronizations to 0 in order to bypass initial synchronization requirements in Active Directory as per http://support.microsoft.com/kb/2001093.

    Is there any solution or configuration, with evidence, which will make sure that these services can remain working when the connection is down? All your support will be helpful. I know there are good and quick minds here....

    Friday, November 23, 2012 10:34 AM
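The registry change described in the question, done with PowerShell instead of regedit, as an added example that is not part of the original thread. It records the previous value so the change can be reverted, creates the value if it is absent (it does not exist by default, so the "Right-click DisableRogueDetection" step assumes it was already created), restarts the DHCP Server service so the parameter is read, and then shows whether the server is still listed as authorized in AD. Assumptions: it is run elevated on the DHCP server itself, and the DhcpServer module (Windows Server 2012 or later) is available for the final check. Note what the setting does: rogue detection is the DHCP server's check that it is authorized in Active Directory, so with it disabled the AD authorization list no longer controls whether this host hands out leases.

```powershell
# Added example, not from the original thread. Assumes an elevated session on
# the DHCP server and the DhcpServer module for the authorization check.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'
$name = 'DisableRogueDetection'

# Record the current state so the change is reversible later.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Output "Previous $name value: <absent>"
    # The value is not present by default; create it as REG_DWORD = 1.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 | Out-Null
} else {
    Write-Output "Previous $name value: $current"
    Set-ItemProperty -Path $key -Name $name -Value 1
}

# The DHCP Server service reads the parameter at start-up, so restart it.
Restart-Service -Name DHCPServer

# Confirm the service is running.
Get-Service -Name DHCPServer | Select-Object Name, Status

# Show whether this host is in the AD authorization list. Get-DhcpServerInDC
# needs a reachable DC, so the catch branch is what you will see during an outage.
try {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $listed = Get-DhcpServerInDC -ErrorAction Stop | Where-Object { $_.DnsName -ieq $fqdn }
    Write-Output ("Authorized in AD ({0}): {1}" -f $fqdn, [bool]$listed)
} catch {
    Write-Output "Could not query AD for authorization (directory server unreachable?): $($_.Exception.Message)"
}
```

To revert, set the value back to 0 (or remove it with Remove-ItemProperty) and restart the DHCPServer service again.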

Answers

  • Thank you all for your contribution, I have found a solution:

    1. For DHCP I disabled rogue detection and DHCP no longer gets unauthorized.

    To disable rogue detection

    • Click Start, type regedit in Start Search, click Yes in User Account Control if prompted, and then press ENTER.
    • In the registry tree, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters.
    • Right-click DisableRogueDetection and then click Modify…
    • In Value Data type 1 and then click OK.

    2. The DNS service stopping when the WAN connection is down is related to the _msdcs.xx.xx records missing, since Active Directory (AD) uses DNS as its locator service to support the various types of services that AD offers, such as Global Catalog (GC), Kerberos, and Lightweight Directory Access Protocol (LDAP). Other non-Microsoft services can be advertised in DNS, including (but not restricted to) non-Microsoft implementations of LDAP and GC. However, sometimes clients might need to contact a Microsoft-hosted service. For that reason, each domain in DNS has an _msdcs subdomain that hosts only DNS SRV records that are registered by Microsoft-based services. The Netlogon process dynamically creates these records on each domain controller (DC). The _msdcs subdomain also includes the globally unique identifier (GUID) for all domains in the forest and a list of GC servers. http://www.windowsitpro.com/article/dns/q-what-s-the-dns-_msdcs-zone-for-the-forest-root-domain-used-for-I

    The solution I am testing now was suggested by Tim under the article here:

    As Tim stated, manually create _msdcs.ForestFQDN. I right-clicked Forward Lookup Zones / New Zone... / Next / selected the "Primary zone" radio button and the "Store the zone in Active Directory" check box (these are the defaults) / Next / for replication scope I selected "To all DNS servers running on domain controllers in this domain" (I have a simple single-forest, single-domain config) / Next / Zone Name: _msdcs.ForestFQDN

    Wait for replication and population of the zone. The population appears to happen automatically (DC, Domains, GC, PDC folders and NS, SOA, and Alias records); be patient and refresh your view on the other DNS servers where you expect this zone to replicate to.

    Hope this can help someone too. I am running tests, but I believe I have found my solution.

    • Marked as answer by Joel Rotich Friday, December 07, 2012 3:49 PM
    Friday, December 07, 2012 3:49 PM
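The zone creation from the accepted answer, done with the DnsServer PowerShell module instead of the DNS console, as an added example that is not part of the original thread. It creates the AD-integrated _msdcs.<forest> zone if it is missing, asks each writable DC's Netlogon to re-register its locator records rather than waiting for the periodic refresh, and then queries the forest-root DC locator SRV record to verify population. Assumptions: it is run elevated on a writable domain controller that runs DNS (an RODC holds read-only copies of AD-integrated zones and cannot create one), with the DnsServer and ActiveDirectory modules present (Windows Server 2012 or later). The replication scope is a parameter; in a single-domain forest like the poster's, "Domain" and "Forest" reach the same set of DNS servers, and "Forest" is the scope dcpromo uses when it creates this zone itself.

```powershell
# Added example, not from the original thread. Assumes an elevated session on a
# writable DC running DNS, with the DnsServer and ActiveDirectory modules.

Import-Module DnsServer
Import-Module ActiveDirectory

$forest   = (Get-ADForest).RootDomain      # the "ForestFQDN" from the answer
$zoneName = "_msdcs.$forest"
$scope    = 'Forest'                       # or 'Domain', as chosen in the answer

if (Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue) {
    Write-Output "Zone $zoneName already exists on this server; not creating it."
} else {
    # Primary, AD-integrated zone (the two defaults the answer mentions),
    # accepting only secure dynamic updates so that only DCs can register records.
    Add-DnsServerPrimaryZone -Name $zoneName -ReplicationScope $scope -DynamicUpdate Secure
    Write-Output "Created AD-integrated zone $zoneName (replication scope: $scope)."
}

# Netlogon on each writable DC owns the DC locator records; nltest /dsregdns
# makes it re-register them now instead of at the next periodic refresh.
Get-ADDomainController -Filter * |
    Where-Object { -not $_.IsReadOnly } |
    ForEach-Object {
        Write-Output "Re-registering DC locator records from $($_.HostName)"
        nltest.exe /server:$($_.HostName) /dsregdns | Out-Null
    }

# Verify: list what the zone holds (NS/SOA, dc/gc/pdc/domains subtrees and a
# CNAME per DC named after its DSA GUID), then resolve the forest-root locator
# record a client would ask for. Records appear after replication; re-run if empty.
Get-DnsServerResourceRecord -ZoneName $zoneName |
    Sort-Object RecordType, HostName |
    Format-Table HostName, RecordType -AutoSize

Resolve-DnsName -Name "_ldap._tcp.dc.$zoneName" -Type SRV -Server localhost |
    Format-Table Name, NameTarget, Port, Priority, Weight -AutoSize
```

Run the Resolve-DnsName line again on the RODC's own DNS server once replication has completed; that is the lookup the remote-site clients depend on while the WAN is down.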
  • Hi  Joel,

    Based on my knowledge, the WAN corruption won't cause the DNS service to stop working, such as being unable to resolve or other things.

    The only possible cause is that the AD database on this RODC server encounters an issue even when the WAN is working properly. In order to check the status of this problematic RODC, please show me your dcdiag result on the RODC.

    Please run the command below on it, and export the result to me:

    dcdiag /v

    You can refer to our article:

    http://technet.microsoft.com/en-us/library/cc776854(v=ws.10).aspx

    Thanks.

    Best Regards,

    Annie Gu

    • Marked as answer by Joel Rotich Friday, December 07, 2012 3:49 PM
    Wednesday, December 05, 2012 9:49 AM

All replies

  • Are the clients and the member servers (including the DHCP server) on those remote offices configured to use the RODC as a DNS server? Just want to confirm if you are running DHCP and DNS on the RODC itself?


    Enfo Zipper Christoffer Andersson – Principal Advisor

    Friday, November 23, 2012 10:46 AM
  • Yes the RODC serves as DNS and also DHCP at the same time and connected via WAN network.
    Friday, November 23, 2012 2:03 PM
  • It seems to be a DNS misconfiguration issue on the RODC server; ensure that DNS is set correctly as below and that the required ports are open for AD replication.
    Best practices for DNS client settings on DC and domain members.
    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

    Active Directory Firewall Ports requirement for RODC.
    http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

    It is not recommended to have the DHCP service role on a DC. If event ID 1059 is logged, which states that the DHCP service failed to see a directory server for authorization, and after restarting the DHCP Server service event ID 1044 is logged, which states that DHCP is authorized and servicing, this is a common error/alert event with DHCP if it is placed on a DC. Typically, DHCP won't authenticate properly with AD immediately after a reboot because DHCP starts faster than all the necessary AD services. Therefore, you get a temporary error that DHCP failed to authorize. This is a one-time error during system reboot and therefore can be ignored; after restarting the DHCP service you will get a successful event. Alternately you can delay-start the DHCP service: http://www.watchingthenet.com/speed-up-windows-xp-vista-boot-times-by-delaying-startup-of-services.html

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Sunday, November 25, 2012 11:42 PM
  • Yes the RODC serves as DNS and also DHCP at the same time and connected via WAN network.

    I haven't heard of any such issues, but that also depends on the configuration of the RODC. Is the RODC pointing to itself for DNS in its NIC as the preferred DNS server and to some other remote DNS server in its NIC as the alternate? Is the RODC placed in the local LAN or in a DMZ? Did you verify that the necessary ports are allowed on the firewall?

    Regarding clients, did you configure the member machines in the RODC site to cache their accounts too, along with the users, so that they establish a secure channel with the RODC instead of the RWDC?

    DNS recommendations from Microsoft   http://awinish.wordpress.com/2011/03/08/dns-recommendations-from-microsoft/

    All About (RODC)Read Only Domain Controllers   http://awinish.wordpress.com/2011/10/04/rodc-read-only-domain-controller/


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, November 26, 2012 8:04 AM
  • Thank you Sandesh, the replication goes on well when the WAN connection is on. What happens is that when the link is down, so is the Active Directory synchronization between the RODC and the DC. As per my observation, it seems DNS and DHCP on the RODC servers are dependent on AD synchronization from the main DC.

    As I mentioned at the start, I am looking for a solution like the one I used in the registry, one which ensures that the DNS service does not generate error log 4015 (related to missing NS records); in most cases this has led to the DNS service completely stopping, and when network connectivity is back and I point DNS to the main DNS server, reboot and test, it is restored.

    Is there any solution for DNS, like the one I have used on DHCP, to keep it working independently even if the connection between the main DC and the RODC is down?

    What I need is, for example, what I found for DHCP: we can disable rogue detection:

    To disable rogue detection

    • Click Start, type regedit in Start Search, click Yes in User Account Control if prompted, and then press ENTER.
    • In the registry tree, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters.
    • Right-click DisableRogueDetection and then click Modify…
    • In Value Data type 1 and then click OK.
    and the DHCP service will not stop working. I have not found a solution for DNS, though some posts have pointed to setting the registry value Repl Perform Initial Synchronizations to 0 in order to bypass initial synchronization requirements in Active Directory as per http://support.microsoft.com/kb/200109

    Monday, November 26, 2012 10:14 AM
  • We have more than 300 offices globally, connected to the corporate WAN network via VSAT and some via MPLS links. All the RODC servers are configured to point to themselves. It all works well when the connection is fine; once it is down, the DNS service sometimes stops and DHCP gets unauthorized. What I would like to put in place is settings, configuration or any patch to make sure that when the connection is down DNS will continue to function, as it now does for DHCP as I posted above.


    • Edited by Joel Rotich Monday, November 26, 2012 1:29 PM
    Monday, November 26, 2012 1:28 PM
  • As per the KB article below, the events will be generated if the writable DC is not reachable, and you cannot stop the alert from being logged.

    RODC logs DNS event 4015 every 3 minutes with error code 00002095
    http://support.microsoft.com/kb/969488

    DNS on a Read Only Domain Controller (RODC)
    http://msmvps.com/blogs/acefekay/archive/2011/12/07/dns-on-a-read-only-domain-controller-rodc.aspx

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Monday, November 26, 2012 11:47 PM
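An added example, not part of the original thread, that pulls the events discussed in Sandesh's two replies and in the question (DNS Server 4000, 4013 and 4015; DHCP Server 1044 and 1059) from an RODC's logs and lines them up in time, so the "DHCP unauthorized" and "DNS stopped" symptoms can be checked against when the writable DC became unreachable. It ends with the current state of both services, a writable-DC locator query (the 4015 events KB 969488 describes are expected while that query fails), and the connectivity and replication dcdiag tests that Annie's reply asks for. Assumptions: Windows PowerShell on, or with remote access to, the RODC; the log names, event IDs and provider names are the standard Windows ones (the DHCP Server service writes to the System log, as Microsoft-Windows-DHCP-Server on 2008 and later or DhcpServer on older releases); the -Hours window is a constructed default.

```powershell
# Added example, not from the original thread. Run elevated on the RODC, or pass
# -ComputerName for a remote one. Windows PowerShell (Get-Service -ComputerName).

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24                       # constructed default; widen for a longer outage
)

$since = (Get-Date).AddHours(-$Hours)

# Short meaning per event ID, paraphrased from the Windows event text, so the
# timeline reads without looking each one up.
$meaning = @{
    4000 = 'DNS: unable to open Active Directory'
    4013 = 'DNS: waiting for AD to finish initial synchronization'
    4015 = 'DNS: critical error from AD (extended error in message)'
    1044 = 'DHCP: authorized in the directory, servicing clients'
    1059 = 'DHCP: failed to see a directory server for authorization'
}

$filters = @(
    @{ LogName = 'DNS Server'; Id = 4000, 4013, 4015; StartTime = $since },
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DHCP-Server', 'DhcpServer'
       Id = 1044, 1059; StartTime = $since }
)

# Get-WinEvent errors when a filter matches nothing; that is fine here.
$events = foreach ($f in $filters) {
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue
}

Write-Output "DNS/DHCP directory-dependency events on $ComputerName since $since"
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ n = 'Meaning'; e = { $meaning[$_.Id] } },
        @{ n = 'Detail';  e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Current state of both services, to compare against the last event of each kind.
Get-Service -ComputerName $ComputerName -Name DNS, DHCPServer | Select-Object Name, Status

# Can a writable DC be located right now? Expect this to fail during the WAN outage.
$domain = (Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName).Domain
nltest.exe /dsgetdc:$domain /writable /force

# The checks from the dcdiag reply, restricted to the two tests that show whether
# the directory itself is the problem; /q prints only failures.
dcdiag.exe /s:$ComputerName /test:Connectivity /test:Replications /q
```

If 1059 and 4015 first appear minutes after the last successful writable-DC lookup and 1044 returns only once the link is restored, the services are reacting to the link, which is the pattern the question describes; 4000 or dcdiag failures while the WAN is up point at the local AD database instead, which is the case Annie's reply raises.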
  • Got it, I understand that logs need to be generated when there is an issue, but we have three alert levels in Event Viewer: Information, Warning and Error. After a specified threshold of warnings it starts logging error events, and at this level the DNS service stops and DHCP gets unauthorized.

    I have mentioned in my question that DHCP can be kept working normally when the connection is down by disabling rogue detection through a registry fix. What I am looking for is a way to make sure that even when synchronization is not working, the DNS service will not stop.

    I hope it is clear now that I am looking for neither a workaround to restore the service nor best practices; I need a fix to prevent the problem from happening when the link is down.

    Wednesday, November 28, 2012 8:45 AM