Need Help URGENT !!!!

    Question

  • Hello

    I need help regarding the DHCP service installed on a Windows Server 2008 RODC.

    We have a datacenter that contains around 8 Windows Server 2008 writable domain controllers, and all of them are working fine without any problems. We also have around 160 remote branch offices connected to the datacenter over WAN connections,

    and every remote branch office contains one server running a Windows Server 2008 read-only domain controller and DHCP on the same server, to distribute IP addresses to all client computers in its own branch office.

    The problem is that once the WAN connection between the remote branch office and the datacenter (i.e. between the RODC and the writable DC) fails, the DHCP server that is on the same RODC becomes "Unauthorized" and stops serving, i.e. providing the clients with IP addresses. Once the connection comes back I just manually authorize the DHCP server and everything works perfectly again.

    I need to know why this is happening, and what the solution is to fix this problem.

    Because I don't think this is normal; the main idea of the RODC concept is that once the connection between the RODC and the WDC fails, users will still be able to log in and all the functions that the DC does will not be affected.

    Waiting for replies ASAP and urgently.

    Thanks


    Ahmad Ramadan AbaYazeed
    Sunday, October 03, 2010 6:36 AM

All replies

  • Please check that the DHCP users groups have been created and replicated to the RODC.

    Also, I would like to check whether the replication from the WDC to the RODC had started after you authorized DHCP.

    What is the result if you force AD replication manually? Is the problem the same?

    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Sunday, October 03, 2010 3:54 PM
  • Mr X, thank you for the reply, really appreciated.

    1. As far as I know, DHCP creates 2 groups, Admins and Users. Do you mean these 2 groups? And if yes, like I said, I have around 160 RODCs, i.e. 160 DHCP servers, so do I have to have these 2 groups for every DHCP server, or what?

    Please advise on that.

    2. The replication between the RODC and the DC will be fine immediately after the WAN link comes back, and if I force the replication using Repadmin /Syncall or using the Replication Monitor everything is totally okay.

    Waiting for your reply.

    Kind regards


    Ahmad Ramadan AbaYazeed
    Sunday, October 03, 2010 8:56 PM
  • I mean the two groups you mentioned.

    It is just that when you were planning to install DHCP directly on an RODC, you should have made sure that you had created the appropriate users and groups and made sure that they were correctly replicated to the RODC before the installation.
    Sunday, October 03, 2010 9:34 PM
  • The 2 groups I can see on all the WDCs:

    DHCP Admins and DHCP Users, but they have no members at all.

    Do you want me to make sure that these 2 groups are replicated to all the RODCs?

    That's it?

    Do you think that these 2 groups should have anything in their memberships, or should they be empty?

    Waiting for your reply.


    Ahmad Ramadan AbaYazeed
    Sunday, October 03, 2010 10:25 PM
  • As I said, that should be done before the installation of the DHCP service.

    I think the best way to proceed is to uninstall the DHCP service, make sure that all is okay with the replication, install it again, and then check whether the problem is solved or not.

    Sunday, October 03, 2010 10:27 PM
  • Okay, I will check them and get back to you.

    But you didn't answer me: should these 2 groups have nothing in their membership, or should they be empty?


    Ahmad Ramadan AbaYazeed
    Sunday, October 03, 2010 10:42 PM
  • No, you can add the users you want. There is no problem. Just try what I mentioned.
    Sunday, October 03, 2010 10:50 PM
  • Add the users?

    My friend, you are talking about thousands of users.

    Please explain in detail what I should do.

    Bear in mind that uninstalling and installing DHCP is a very big overhead because, like I said, it's over 160 DHCP servers and it's not practical to do it one by one.

    So what do you want me to double-check with these groups?!


    Ahmad Ramadan AbaYazeed
    Sunday, October 03, 2010 11:04 PM
  • I just told you that you can make the users you want members of these groups. I did not tell you to add new ones.

    I just want you to check whether uninstalling DHCP, re-installing it and doing what I mentioned solves the problem.

    Do that on only one RODC with the DHCP service and tell me the result.

    That is all.

    Sunday, October 03, 2010 11:11 PM
  • Hi Ahmad,

    Thanks for posting here.

    If you plan to install DHCP directly on an RODC, you have to create the appropriate users and groups and ensure that they are replicated to the RODC before the installation.

    DHCP Users Group Configuration

    http://technet.microsoft.com/en-us/library/cc726854(WS.10).aspx

    What events or error messages were recorded in the event log when the RODC disconnected from the domain controller in the main office and the DHCP service stopped working?

    The event log ID and description might be helpful for troubleshooting.

    And please check whether the RODC DHCP server has been authorized in Active Directory; you might like to perform the action below on a writeable domain controller:

    Authorize a DHCP server in Active Directory

    http://technet.microsoft.com/en-us/library/cc759688(WS.10).aspx

    Here is an old thread for you to refer to:

    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/5abf9237-5df0-4873-a54f-955ff3cdbd6a

    Thanks.

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Tiger Li Tuesday, October 12, 2010 7:41 AM
    Monday, October 04, 2010 8:08 AM
  • Hi Ahmad,

    I'm happy that I'm not the only one who has this problem. You described exactly the situation I have in our environment.

    If the site-to-site connection from the site with an RODC to the main office with the RWDC goes down, the DHCP stops servicing clients and appears in the DHCP console with the red mark as unauthorized, and the following error appears in the event log: "Event ID 1059 The DHCP service failed to see a directory server for authorization".
    When the connection to a full domain controller is back, the DHCP works normally again and appears as authorized.

    I followed the discussion, but until now I can't see a solution for this problem. Do you still have this problem? If not, what did you do to solve it?

    Hope anyone can help me with this issue.

    Tuesday, December 20, 2011 9:55 AM
  • Dear Fog_Sigi,

    I am the one that is really happy that someone faced the same problem that I faced, and looked into my post and found the solution, and it was helpful for him.

    Actually, I am so sorry that when I found out and reached the solution I didn't post it so anyone else could see and learn from it.

    Here is the thing.

    First of all I would like to provide some information regarding the issue. As we discussed, the RODC only works as a proxy when it comes to authentication requests (apart from the passwords configured in the PRP [Password Replication Policy]) and any request that involves a change in the AD environment. What I have found is that when a DHCP server is authorized, the DHCP server periodically tries to contact AD to check the authorization state (the default is 60 minutes). The expected behavior in the AD-unreachable scenario is to maintain the last known state for 48 hours and then unauthorize the server. That is the reason that the DHCP gets unauthorized when the WAN link goes down and cannot communicate with a writable DC for more than 48 hours (this is by design).

    As you can see from the information above, unfortunately this is expected behavior, and when the connection is cut for more than 48 hours the DHCP will become unauthorized and stop servicing clients. Unfortunately, adding an account to the PRP policy doesn't actually have any effect, because in order to authorize it needs an RWDC.

    When configured correctly and authorized for use on a network, Dynamic Host Configuration Protocol (DHCP) servers provide a useful administrative service. However, a misconfigured or unauthorized DHCP server can cause problems. For example, if an unauthorized DHCP server starts, it might begin either leasing incorrect IP addresses to clients or negatively acknowledging DHCP clients that attempt to renew current address leases. To resolve these issues, DHCP servers are verified as authorized in Active Directory Domain Services before they can service clients, and unauthorized, or rogue, servers are detected. This prevents most of the accidental damage caused by either misconfigured DHCP servers or correctly configured DHCP servers running on the wrong network. However, there is a registry key to avoid this behavior:

    When the registry key below is configured, the DHCP server will always stay authorized and will not be authorizing itself to the RWDC.

    The registry key is normally not present, so as you suggested you need to create it according to the steps below:

    To disable rogue detection

    1. Click Start, type regedit in Start Search, click Yes in User Account Control if prompted, and then press ENTER.
    2. In the registry tree, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters.
    3. Right-click DisableRogueDetection and then click Modify…
    4. In Value Data type 1 and then click OK.

    I hope this answers your questions; please do not hesitate to contact me if you have further questions and queries.

     


    Ahmad Ramadan AbaYazeed
    Thursday, December 22, 2011 5:54 AM
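    As an added example (not from the thread or from Microsoft), the registry change from the steps above applied with PowerShell across several branch RODCs at once, together with a count of the Event ID 1059 entries Fog_Sigi mentioned, so the change and its effect can be tracked from the datacenter instead of server by server. The server names are placeholders, and PowerShell remoting (WinRM) on the targets with local administrator rights is assumed.

    ```powershell
    # Added example, not code from the thread. Applies DisableRogueDetection=1 from
    # Ahmad's answer to a list of branch RODC/DHCP servers and reports Event ID 1059
    # ("failed to see a directory server for authorization") entries per server.
    # Assumptions: WinRM is enabled on the targets, the caller is a local admin there,
    # and the server names below are constructed placeholders.

    $Servers = @('BRANCH01-RODC', 'BRANCH02-RODC')   # placeholder names
    $KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

    $Report = Invoke-Command -ComputerName $Servers -ArgumentList $KeyPath -ScriptBlock {
        param($KeyPath)

        # The value is normally absent, so read it tolerantly first.
        $before = (Get-ItemProperty -Path $KeyPath -Name DisableRogueDetection `
                   -ErrorAction SilentlyContinue).DisableRogueDetection

        if ($before -ne 1) {
            # -Force creates the DWORD if missing or overwrites it if present.
            New-ItemProperty -Path $KeyPath -Name DisableRogueDetection `
                -PropertyType DWord -Value 1 -Force | Out-Null
            # The DHCP Server service reads the value when it starts.
            Restart-Service -Name DHCPServer
        }

        $after = (Get-ItemProperty -Path $KeyPath -Name DisableRogueDetection).DisableRogueDetection

        # Authorization failures logged in the last 7 days (Event ID 1059, System log).
        $since  = (Get-Date).AddDays(-7)
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1059; StartTime = $since } `
                        -ErrorAction SilentlyContinue)
        $last = $null
        if ($events.Count -gt 0) { $last = $events[0].TimeCreated }

        # New-Object rather than [pscustomobject] so it also runs on PowerShell 2.0 (Server 2008).
        New-Object PSObject -Property @{
            Server         = $env:COMPUTERNAME
            ValueBefore    = $before
            ValueAfter     = $after
            Event1059Count = $events.Count
            LastEvent1059  = $last
        }
    }

    $Report | Sort-Object Server |
        Format-Table Server, ValueBefore, ValueAfter, Event1059Count, LastEvent1059 -AutoSize
    ```

    As the answer itself explains, this value removes the Active Directory authorization check rather than making it survive a WAN outage, so the Event ID 1059 count is the only remaining signal that the link to an RWDC has been lost.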
  • Dear Ahmad

    sorry for the late reply.

    Thank you very much for the explanation, because now I understand the correlation of this issue. After I disabled rogue detection on the RODC, the DHCP service worked as expected. :-) I'm very happy with this solution.

    I have a second issue where you can maybe help me. You wrote that you have quite a lot of sites with RODCs. Did you ever have a similar problem with the DNS service? Like the DHCP service before I disabled Rogue Detection, the DNS service doesn't start after a reboot of the server when there is no connection to an RWDC. Event logs told me that the DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. And I think that's not possible without a connection to an RWDC.

    I found the following registry key which should change this behavior, but it doesn't affect my DNS problem!

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    Value name: Repl Perform Initial Synchronizations
    Value type: REG_DWORD
    Value data: 0

    Do you have similar problems on your RODCs? Or do you know how to solve this?

    Looking forward to hearing from you!

    Kind regards

    Sebastian

    Monday, February 06, 2012 2:40 PM
  • Dear Sebastian

    Really, it's my pleasure that my solution solved your problem; actually it feels so GREAT when you help other IT colleagues around the world.

    Regarding your problem:

    Would you please give me the event log ID for this error: "DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed"

    I need to look into something about it.

    If the event ID was 4013,

    then you might have a problem in AD DNS replication. The DNS Server service relies on Active Directory Domain Services (AD DS) to store and retrieve information for AD DS-integrated zones. This error indicates that AD DS is not responding to requests from the DNS Server service. Ensure that AD DS is functioning properly, troubleshoot any problems, and then restart the DNS Server service.

    Please check the following links:

    http://technet.microsoft.com/en-us/library/cc735824(WS.10).aspx

    http://technet.microsoft.com/en-us/library/cc735842(WS.10).aspx

    Regards


    Ahmad Ramadan AbaYazeed

    Tuesday, February 07, 2012 9:40 AM