RODC in DMZ DNS Critical Errors

    Question

  • Hello,

    I have a 2012 R2 RODC in a DMZ. 

    -Firewall ports specifically open to 2 R/W DCs on the interior network and replication set up from both of those.

    -It points to itself as the primary DNS server via its IP address (not loopback address)

    The RODC seems to be functioning correctly and passes all DCDIAG tests, however in the DNS Event Log every 5 min is logged:

    The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

    I have searched on this error but haven't found anything that seems to relate.

    Any ideas?

    Thursday, March 30, 2017 4:17 PM

Answers

  • Working with our network engineer we noticed the RODC wanting to talk on ports 445 and 389 to the R/W DC holding the FSMO roles for the domain. When we opened these ports to that DC in addition to the ports already opened to the R/W DC it's using for replication, the error messages went away.
    • Proposed as answer by Wendy JiangModerator Monday, April 10, 2017 1:34 AM
    • Marked as answer by cleik Wednesday, April 12, 2017 12:03 PM
    Friday, April 7, 2017 8:06 PM
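A way to check the condition the accepted answer describes before and after the firewall change: the following PowerShell is an added example, not code posted in this thread or supplied by Microsoft. Run on the RODC, it lists the FSMO role holders and the RODC's own replication partners, tests TCP 389 and 445 (the two ports named above) to each of them, and counts how many of the critical DNS events quoted in the question were logged in the last hour. It assumes the ActiveDirectory RSAT module is installed on the RODC; the `$Ports` list and the one-hour window are assumptions you can adjust.

```powershell
# Added example (not from the thread): confirm which writable DCs this RODC
# needs to reach on TCP 389 (LDAP) and 445 (SMB) and whether the DMZ firewall
# lets it through. Assumes the ActiveDirectory module (RSAT) is present.
Import-Module ActiveDirectory

# Ports named in the accepted answer; extend for your environment if needed.
$Ports = @(389, 445)

# FSMO role holders (FQDNs) - the DC the RODC was trying to talk to.
$domain = Get-ADDomain
$forest = Get-ADForest
$fsmoHolders = @(
    $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
    $forest.SchemaMaster, $forest.DomainNamingMaster
) | Sort-Object -Unique

# Inbound replication partners of this RODC. The Partner property is the
# NTDS Settings DN (CN=NTDS Settings,CN=<server>,CN=Servers,...), so the
# server name is the second RDN; rebuild the FQDN from the domain DNS root.
$partners = Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Partition Domain |
    ForEach-Object {
        $server = (($_.Partner -split ',')[1]) -replace '^CN=', ''
        "$server.$($domain.DNSRoot)"
    } | Sort-Object -Unique

# Test every required port against every DC the RODC depends on.
$targets = @($fsmoHolders + $partners) | Sort-Object -Unique
$results = foreach ($dc in $targets) {
    foreach ($port in $Ports) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC   = $dc
            Role = if ($fsmoHolders -contains $dc) { 'FSMO holder' } else { 'replication partner' }
            Port = $port
            Open = $t.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize

# Any closed port to a FSMO holder matches the symptom described in the thread.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ("Blocked: " + (($blocked | ForEach-Object { "$($_.DC):$($_.Port)" }) -join ', '))
}

# Count the critical DNS events quoted in the question over the last hour
# (matched on message text rather than event ID). After the firewall change
# this should drop to zero instead of one entry every 5 minutes.
$since = (Get-Date).AddHours(-1)
$dnsErrors = Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Level = 1, 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like 'The DNS server has encountered a critical error from the Active Directory*' }
"Critical DNS/AD events in the last hour: $(@($dnsErrors).Count)"
```

Run it once before the firewall change to see the closed ports alongside the non-zero event count, and again afterwards; both the table and the count should reflect the fix. Because the script only reads AD metadata and probes TCP ports the RODC is already expected to use, it is safe to run from a regular elevated session on the DMZ host.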

All replies

  • This error usually means the Active Directory part is not initialized. Only once Active Directory is functioning does DNS start up.

    What do you see in the Directory Service event logs?

    Can you also disable IPv6 and have a try. 

    Might need more diagnostics to understand what is happening. Because you said dcdiag tests are all fine, I'm suspecting something else with DNS though.

    Thursday, March 30, 2017 4:43 PM
  • Active Directory is started and there are no replication issues or other issues in the AD event logs other than this critical DNS entry. I had previously had IPv6 disabled and thought maybe that was causing the errors so I reenabled it - doesn't seem to matter.

    Basically everything seems to be working fine except for this error every 5 minutes.

    Thursday, March 30, 2017 8:03 PM
  • Hi,
    Is the DNS Server role installed on the RWDC and the RODC? If yes, please point the RODC to itself as the primary DNS server and to another available DNS server (RWDC) as the secondary one.
    In addition, do you have any old DC (or DNS server) which was removed before, such as Windows Server 2003? If yes, the RODC seems to still attempt to perform an RSO (ReplicateSingleObject) operation with the old DNS server. In this case, please deploy the DNS Server role on a writable domain controller which is accessible from the RODC and ensure that it registers an NS record, then restart the Netlogon and DNS Server services and run ipconfig /flushdns and ipconfig /registerdns.
    Please see details from: 
    DNS on a Read Only Domain Controller (RODC)
    https://blogs.msmvps.com/acefekay/2011/12/06/dns-on-a-read-only-domain-controller-rodc/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Proposed as answer by Wendy JiangModerator Friday, April 7, 2017 9:05 AM
    • Unproposed as answer by cleik Friday, April 7, 2017 8:03 PM
    Friday, March 31, 2017 8:42 AM
    Moderator
  • Hi,
    Thank you for the test and feedback, according to your description, can I think that the problem is fixed by opening ports? If yes, please help to mark the reply as answer, it will be greatly helpful to others who have the same question.
    Best regards, 
    Wendy

    Monday, April 10, 2017 1:37 AM
    Moderator