Missing one of the "default Password Replication Policy groups"

  • Question

  • So, I'm trying to install a Read Only Domain Controller, but one of the "Password Replication Policy groups" is missing from my AD. I can't find any sign of it ever existing and have no idea how to manually create it.

    • 2 Windows Server 2008 DCs
        ◦ forest at Windows 2008 level
        ◦ single domain at Windows 2008 level
        ◦ SP2 and all updates installed
    • AD was previously hosted on a single Windows Server 2003 DC
        ◦ Upgrade was roughly 45 days ago
        ◦ This DC has now been gracefully retired
            ▪ (have full system backups of the old DC before the upgrade all the way through to its retirement)
    • Wish to add Windows Server 2008 R2 as a RODC
        ◦ Following steps here http://technet.microsoft.com/en-us/library/cc754629(WS.10).aspx
        ◦ ADPREP ran first time without errors, schema level now 47
            ▪ (Have full system backups before and after ADPREP)

    So when I hit next on “Additional Domain Controller Options” (step 7 of “To install an RODC on a full installation of Windows Server 2008”) I get “The default Password Replication Policy groups are not present on the PDC [My PDC].  The parameter is incorrect”.

    Sure enough the “Allowed RODC Password Replication Group” is missing.  I’m guessing this should have been created during DCPROMO of the first Windows Server 2008 to the 2003 domain. 

    The “Denied RODC Password Replication Group” is present, so what’s happened to the Allowed group?

    I’ve used LDP and checked for a Deleted Object, no joy on a group of that name.  I’m going to try and search AD (including deleted items) by SID to see if I can find it by another name but I’m not holding my breath.  I even spun up a clone of my PDC DC on an isolated network and added a Windows 2008 R2 machine as a full writable DC without problems but I still couldn’t create a RODC, the Allow group was still missing.

    Can anybody give me a new avenue of exploration? 

    This is a cross post from the Directory Services forum, where so far I've had no response:
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/56c72e7e-d367-4c13-85a1-64f1df62e328

    • Edited by JCBrown79 Friday, January 29, 2010 12:23 PM Formatting
    Friday, January 29, 2010 12:14 PM
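
The search by SID that the post describes, including deleted objects, can be scripted as below. This is an added example, not part of the original post: it assumes a domain-joined machine, an account allowed to read the Deleted Objects container, and the well-known RIDs 571 (Allowed) and 572 (Denied) that Microsoft documents for these two groups.

```powershell
# Added example: look up the two RODC Password Replication Policy groups by
# well-known SID, including tombstoned (deleted) objects, so a renamed or
# deleted group is still found.

$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDN  = [string]$rootDse.defaultNamingContext
$domain    = [ADSI]"LDAP://$domainDN"
$domainSid = New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$domain.objectSid.Value), 0)

# Well-known RIDs relative to the domain SID (documented by Microsoft)
$wellKnown = @{
    571 = 'Allowed RODC Password Replication Group'
    572 = 'Denied RODC Password Replication Group'
}

foreach ($rid in ($wellKnown.Keys | Sort-Object)) {
    $sid   = New-Object System.Security.Principal.SecurityIdentifier("$($domainSid.Value)-$rid")
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)

    # LDAP filters take a binary SID as escaped bytes: \01\05\00...
    $escaped = ($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''

    $searcher             = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter      = "(objectSid=$escaped)"
    $searcher.SearchScope = 'Subtree'
    $searcher.Tombstone   = $true   # also return deleted objects
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'isDeleted'))

    $hit = $searcher.FindOne()

    $row = New-Object PSObject -Property @{
        ExpectedGroup = $wellKnown[$rid]
        Sid           = $sid.Value
        Found         = [bool]$hit
        Deleted       = $false
        CurrentName   = $null
        DN            = $null
    }
    if ($hit) {
        $row.Deleted     = $hit.Properties.Contains('isdeleted')
        $row.CurrentName = [string]$hit.Properties['samaccountname'][0]
        $row.DN          = [string]$hit.Properties['distinguishedname'][0]
    }
    $row | Format-List ExpectedGroup, Sid, Found, Deleted, CurrentName, DN
}
```

A row with `Found : False` means no live or tombstoned object holds that SID in the domain; `Deleted : True` means the group exists only as a tombstone.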
