Read only domain controller option greyed out

  • Question

  • Hi, 

    Recently tried to implement a read-only domain controller but the option is greyed out. The additional information states the forest functional level is Windows 2000. 

    Server 2008 R2 OS Domain joined member server with all updates.  

    Adprep /rodcprep has been run and the correct entry in ADSI Edit forest updates is shown and replication has taken place. 

    All domain controllers are 2008 R2

    Domain functional level and forest functional level show as 2003 (Functional level shows as 2003 interim) in both ADUC and Domains and trusts. 

    ADSI Edit shows 

    Partitions msDS-Behavior-Version 1 = (win2003_with_mixed_domains) (Read somewhere that I should change this to 3 to cure the fault but do not know what impact that will have.)

    PowerShell command returns correct domain and forest levels as 2003. 

    DCDIAG runs without errors, repadmin runs without errors, DNS is working fine. 

    OS is activated and Active Directory tools etc. are installed and working. 

    Pretty stuck at the moment, any help would be much appreciated. 

    Thanks

    Wednesday, May 11, 2016 10:08 AM

Answers

  • Hi, 

    Recently tried to implement a read only domain controller but the option is greyed out. The additional information states the forest functional level is windows 2000. 

    Server 2008 R2 OS Domain joined member server with all updates.  

    Adprep /rodcprep has been run and the correct entry in adsi edit forest updates is shown and replication has taken place. 

    All domain controllers are 2008 R2

    Domain functional level and forest functional level show as 2003 (Functional level shows as 2003 interim) in both ADUC and Domains and trusts. 

    "2003 Interim" is a rather special DFL/FFL and this article explains why you have that and what you need to do.

    https://support.microsoft.com/en-us/kb/322692

    [interestingly, the article says that when at this DFL/FFL, WS2008 DC's aren't supported, but you said your DC's are WS2008R2 ??]

    Also, you may find further assistance in the dedicated DS forum:
    https://social.technet.microsoft.com/Forums/en-US/winserverDS/threads


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Saturday, May 21, 2016 12:29 AM
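
Added example, not part of the thread or any poster's code: a read-only PowerShell check that reads the raw `msDS-Behavior-Version` values discussed above (the forest value on the Partitions container, the domain value on the domain head) and compares the forest value with the Windows Server 2003 minimum for an RODC. It assumes the ActiveDirectory module is installed; the function names are hypothetical.

```powershell
# Added example: queries the directory only, changes nothing.
# Requires the ActiveDirectory module (RSAT). Function names are illustrative.
Import-Module ActiveDirectory

# Meaning of msDS-Behavior-Version for forest and domain functional levels
$LevelNames = @{
    0 = 'Windows 2000'
    1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'
    4 = 'Windows Server 2008 R2'
    5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'
    7 = 'Windows Server 2016'
}

function Get-RawFunctionalLevel {
    $root = Get-ADRootDSE
    # Forest level lives on the Partitions container in the configuration NC
    $partitions = Get-ADObject -Identity "CN=Partitions,$($root.configurationNamingContext)" `
        -Properties 'msDS-Behavior-Version'
    # Domain level lives on the domain head, next to nTMixedDomain (1 = mixed mode)
    $domain = Get-ADObject -Identity $root.defaultNamingContext `
        -Properties 'msDS-Behavior-Version', 'nTMixedDomain'
    [pscustomobject]@{
        ForestRaw     = [int]$partitions.'msDS-Behavior-Version'  # unset reads as 0
        DomainRaw     = [int]$domain.'msDS-Behavior-Version'
        NtMixedDomain = [int]$domain.nTMixedDomain
    }
}

function Test-RodcForestLevel {
    param([Parameter(Mandatory)][int]$ForestRaw)
    $name = $LevelNames[$ForestRaw]
    if (-not $name) { $name = "unknown ($ForestRaw)" }
    [pscustomobject]@{
        ForestLevel      = $name
        # An RODC needs forest functional level Windows Server 2003 (2) or higher
        MeetsRodcMinimum = ($ForestRaw -ge 2)
    }
}

# Offline check with the value the question reports from ADSI Edit (1)
Test-RodcForestLevel -ForestRaw 1

# Live check against the current forest
$raw = Get-RawFunctionalLevel
$raw
Test-RodcForestLevel -ForestRaw $raw.ForestRaw
```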

All replies

  • Hi,

    If all domain controllers in your forest are Windows Server 2008 R2, I suggest you set the domain functional level and the forest functional level to Windows Server 2008.

    To install and configure an RODC in a domain, we need to check the prerequisites below:

    1. PDC emulator operation master should be on Windows server 2008

    2. Domain Functional Level\Forest Functional Level should be set as Windows Server 2008 or Windows Server 2003.

    3. If there is a Windows Server 2003 environment, we need to prepare the domain for RODC installation by “ADPREP\RODCPREP”

    4. There should be only one RODC per site

    5. If the user outlook is the RODC site, make RODC a global catalog

    For more information, you could refer to the article below.

    Read Only Domain Controller (RODC): Installation and Configuration - Part1

    http://social.technet.microsoft.com/wiki/contents/articles/16102.read-only-domain-controller-rodc-installation-and-configuration-part1.aspx

    In addition, here is an article about preparing a forest for a read-only domain controller, for your reference.

    Prepare a Forest for a Read-Only Domain Controller

    https://technet.microsoft.com/en-us/library/cc771055(v=ws.10).aspx

    The article below about RODC post-installation configuration may also be helpful to you.

    RODC Post-Installation Configuration

    https://technet.microsoft.com/en-us/library/cc742490(v=ws.10).aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 12, 2016 5:58 AM
    Moderator
  • Hi Jay, 

    Thanks for the response. I was speaking to a colleague regarding setting the functional level to 2008. Are there any major issues with doing this? 

    The domain functional level and forest functional level are both 2003 so I do not know why the wizard is reporting it as 2000.

    The ADPREP\RODCPREP command ran successfully and the correct entry under forest update for RODC has been created.

    I will start investigating raising the functional level to 2008. 

    Thursday, May 12, 2016 6:33 AM
  • Hi Nick,

    What is the situation of your problem after raising the functional level to 2008?

    In addition, please make sure your environment meets the prerequisites described above.

    Best Regards,

    Jay



    Tuesday, May 17, 2016 6:59 AM
    Moderator
  • Hi, 

    We have not raised the level yet, this is being done soon. I will report back when it has been done.  

    Thanks

    Friday, May 20, 2016 2:28 PM