Server 2012 R2 RODC unable to enlist in DomainDNS or ForestDNSPartitions

  • Question

  • I am attempting to configure one of our Windows Server 2012 R2 units as a RODC at a remote location. I am currently having an awful time getting DNS to replicate. 

    I was able to connect the server to the domain as a RODC, and I installed DNS Role to the server when I installed the Active Directory Role.

    When the server was restarted all of the Active Directory and Group Policy features were in place on the server, but I could not get the DNS Role to work. If you look in the Forward Lookup Zones in the DNS Server Manager it is completely blank.

    I verified that the server is set to point to the Writable Directory Server for DNS, and I am currently receiving the following errors in the log. 


    The DNS server detected that it is not enlisted in the replication scope of the  directory partition DomainDnsZones.SERVER.ELVFD. This prevents the zones that should be replicated to all DNS servers in the SERVER.ELVFD domain from replicating to this DNS server. For information on how to add a DNS server to the replication scope of an application directory partition, please see Help and Support. 

    To create or repair the domain-wide DNS directory partition, open the DNS  console. Right-click the applicable DNS server, and then click 'Create Default Application Directory Partitions'. Follow the instructions to create the default DNS application directory partitions. For more information, see 'To create the default DNS application directory partitions' in Help and Support. 
     The error was 5.

    And this


    The DNS server detected that it is not enlisted in the replication scope of the directory partition ForestDnsZones.SERVER.ELVFD. This prevents the zones that should be replicated to all DNS servers in the SERVER.ELVFD forest from replicating to this DNS server. 

    To create or repair the forest-wide DNS directory partition, open the DNS  console. Right-click the applicable DNS server, and then click 'Create Default Application Directory Partitions'. Follow the instructions to create the default DNS application directory partitions. For more information, see 'To create the default DNS application directory partitions' in Help and Support. 

    The error was 5.

    I performed a search of these messages and found that you could use DNSCMD from an Elevated Command Prompt as an Enterprise Administrator to enlist the server in the forest and domain DNS zones partitions, using this guide.

    https://technet.microsoft.com/en-us/library/cc742490(v=ws.10).aspx

    After entering the commands meticulously using my domain information, the command prompt states that the commands were completed successfully.

    I then entered:

    C:\Users\administrator.SERVER>dnscmd /EnumDirectoryPartitions

    And received this

    Enumerated directory partition list:

            Directory partition count = 2
     DomainDnsZones.SERVER.ELVFD               Not-Enlisted Auto Domain
     ForestDnsZones.SERVER.ELVFD               Not-Enlisted Auto Forest


    Command completed successfully.

    I have found other articles that state to right click the domain controller and click "add default directories" or something to that effect. But this does not appear to be an option in Server 2012, nor does it seem like it would work as this is a RODC. I did find that there was an option with DNSCMD that appeared to perform the same task, but it generated an error, because it says it cannot be performed on an RODC.

    Sunday, March 13, 2016 4:20 AM

Answers

All replies

  • Hi Nic,

    1. Please do a DC test on the RODC server; from a command prompt, type: dcdiag

    2. Try to create or repair the partition in DNS Server Manager:

    Create the DNS directory partition

    Domain Name System (DNS) zones can be stored in the domain or application directory partitions of Active Directory Domain Services (AD DS). You can correct problems related to accessing directory partitions by creating a default application directory partition.

    To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

    To create a forest-wide and domain-wide DNS directory partition:

      1. On the DNS server, start Server Manager. To start Server Manager, click Start, click Administrative Tools, and then click Server Manager.
      2. In the console tree, expand Roles, expand DNS Server, and then expand DNS.
      3. Right-click the DNS server, and then click Create Default Application Directory Partitions.
      4. Follow the instructions to create the DNS application directory partitions.

    Best Regards,

    Cartman

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, March 14, 2016 7:00 AM
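    Added example (not part of this thread and not Microsoft's own tooling): a PowerShell helper that parses the same `dnscmd /EnumDirectoryPartitions` output the question shows, reports which DNS application directory partitions the server is not enlisted in, and wraps the writable-DC side of the repair. The question notes that `dnscmd /EnlistDirectoryPartition` fails when run on the RODC itself; the enlistment has to be written from a writable DC by an Enterprise Admin (here with `ntdsutil` "partition management" / "add nc replica"), after which it replicates to the RODC. Server names, the RODC FQDN and the partition DNs are placeholders, and the function names are my own.

```powershell
# Added example: check DNS partition enlistment from dnscmd output, and run the
# writable-DC enlistment for an RODC. Assumes an elevated prompt on a server with
# dnscmd.exe and ntdsutil.exe (DNS / AD DS roles or RSAT). All names are placeholders.

function ConvertFrom-DnsCmdPartitionList {
    # Parse the text output of 'dnscmd [<server>] /EnumDirectoryPartitions'
    # into objects: one per partition, with an Enlisted flag.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        # Matches lines such as
        # " DomainDnsZones.SERVER.ELVFD   Not-Enlisted Auto Domain"
        if ($line -match '^\s*(\S+)\s+(Enlisted|Not-Enlisted)\s+(.*)$') {
            [pscustomobject]@{
                Partition = $Matches[1]
                Enlisted  = ($Matches[2] -eq 'Enlisted')
                Flags     = $Matches[3].Trim()
            }
        }
    }
}

function Get-DnsPartitionEnlistment {
    # Query a live DNS server (default: the local one) and return its partition state.
    param([string]$DnsServer = '.')
    $raw = & dnscmd.exe $DnsServer /EnumDirectoryPartitions 2>&1
    ConvertFrom-DnsCmdPartitionList -Lines ($raw | ForEach-Object { "$_" })
}

function Add-RodcToDnsPartition {
    # On an RODC, 'dnscmd /EnlistDirectoryPartition' is refused (see the question).
    # Instead, an Enterprise Admin adds the RODC as a replica of the partition on a
    # WRITABLE DC; the change then replicates to the RODC.
    param(
        [Parameter(Mandatory)][string]$WritableDc,   # placeholder, e.g. 'ELVFDS2'
        [Parameter(Mandatory)][string]$RodcFqdn,     # placeholder, e.g. 'ELVFDS3.SERVER.ELVFD'
        [Parameter(Mandatory)][string]$PartitionDn   # e.g. 'DC=DomainDnsZones,DC=SERVER,DC=ELVFD'
    )
    & ntdsutil.exe 'partition management' 'connections' "connect to server $WritableDc" 'quit' `
        "add nc replica $PartitionDn $RodcFqdn" 'quit' 'quit'
}

# Worked check against a constructed copy of the output pasted in the question.
$sample = @(
    'Enumerated directory partition list:',
    '',
    '        Directory partition count = 2',
    ' DomainDnsZones.SERVER.ELVFD               Not-Enlisted Auto Domain',
    ' ForestDnsZones.SERVER.ELVFD               Not-Enlisted Auto Forest',
    '',
    'Command completed successfully.'
)
$state   = ConvertFrom-DnsCmdPartitionList -Lines $sample
$state | Format-Table -AutoSize
$missing = $state | Where-Object { -not $_.Enlisted }
if ($missing) {
    Write-Warning ('Not enlisted in: ' + ($missing.Partition -join ', '))
    # Repair, run on/against a writable DC (commented out; fill in your own names):
    # foreach ($p in $missing) {
    #     $dn = 'DC=' + ($p.Partition -split '\.' -join ',DC=')
    #     Add-RodcToDnsPartition -WritableDc 'ELVFDS2' -RodcFqdn 'ELVFDS3.SERVER.ELVFD' -PartitionDn $dn
    # }
}
```

On Server 2012 and later the DnsServer module gives the same view without parsing text: `Get-DnsServerDirectoryPartition` lists each partition with its State, and `Register-DnsServerDirectoryPartition -Name <partition FQDN>` is the cmdlet equivalent of `dnscmd /EnlistDirectoryPartition`. Whichever route you take, the RODC will only show "Enlisted" once the crossRef change on the writable DC has replicated, so re-run the check after a replication cycle rather than immediately.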
  • Cartman, 

    I appreciate your reply. After some work, I believe that I have figured out part of the issue. Part of the problem was based on my impatience. Our site to site link only has 512k upload speed (hence the need for an RODC controller at the secondary location), and I feel like the replication just took a really long time for it to complete.

    Second, I did notice that my RWDC that is running DNS was not configured correctly. It was not set to point to itself for DNS in the adapter settings. And the RODC also was still set to look for the RWDC for DNS in its adapter settings. I have fixed that.

    I have seen the information that you posted on how to create default application directory while searching for a solution to my problem. But either that option is missing from Server 2012, or I am not looking in the right place. I wound up doing the same thing using the DNSCMD application from the command prompt and it completed successfully after fixing the RWDC adapter settings and waiting a bit.

    That being said, my DNS trees appear to have replicated now, but I appear to have another problem with the client computers connecting back to the RWDC as a logon server rather than the RODC at the same site. But that should probably be a new post.

    I will post the results of DCDIAG as soon as I can get them from my RODC.

    Tuesday, March 22, 2016 12:53 AM
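    Added example (my own script, not from this thread): a check for the adapter DNS setting Nic found was wrong on both DCs. A domain controller that runs DNS should list its own address (or loopback) among its DNS servers, and should also list at least one other DC so that it can resolve names while its own zones are still loading or replicating. The script assumes it is run on the DC itself, on Windows Server 2012 R2 or later with the DnsClient, NetTCPIP and ActiveDirectory modules available; the `$OtherDcAddresses` list and the address in the usage call are placeholders for your own environment, and the function name is mine.

```powershell
# Added example: verify a DC's DNS client settings point at itself and at another DC.
# Assumes it runs locally on the DC (PowerShell 4+, RSAT AD module). Addresses are placeholders.

function Test-DcDnsClientConfig {
    param(
        # IPv4 addresses of the other DCs that run DNS (placeholder values supplied by the caller)
        [string[]]$OtherDcAddresses = @()
    )
    # Is this DC read-only? Reported for context; RODC DNS zones are read-only copies.
    $isRodc = (Get-ADDomainController -Identity $env:COMPUTERNAME).IsReadOnly

    # This machine's own IPv4 addresses, ignoring loopback and APIPA.
    $ownAddresses = (Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }).IPAddress

    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        $servers = $cfg.ServerAddresses
        if (-not $servers) { continue }   # adapter with no DNS servers configured (e.g. disabled NIC)

        $pointsToSelf  = [bool]($servers | Where-Object { $_ -in $ownAddresses -or $_ -eq '127.0.0.1' })
        $listsOtherDc  = [bool]($servers | Where-Object { $_ -in $OtherDcAddresses })

        [pscustomobject]@{
            Interface    = $cfg.InterfaceAlias
            IsRodc       = $isRodc
            DnsServers   = ($servers -join ', ')
            PointsToSelf = $pointsToSelf
            ListsOtherDc = $listsOtherDc
        }

        if (-not $pointsToSelf) {
            Write-Warning "$($cfg.InterfaceAlias): this DC does not list itself (or 127.0.0.1) as a DNS server"
        }
        if (-not $listsOtherDc) {
            Write-Warning "$($cfg.InterfaceAlias): no other DC is listed as a DNS server; resolution depends entirely on the local service"
        }
    }
}

# Usage (placeholder address of the writable DC at the main site):
Test-DcDnsClientConfig -OtherDcAddresses @('192.0.2.10') | Format-Table -AutoSize
```

Run it on both the RWDC and the RODC after changing the adapter settings. The RWDC case in the thread would have shown `PointsToSelf = False`; the RODC case would have shown `PointsToSelf = False` with `ListsOtherDc = True`. Both conditions are worth clearing before spending time on the partition enlistment itself, since the RODC's DNS service cannot find the writable DC's zone data if it cannot resolve names reliably.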
  • Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = ELVFDS2
       * Identified AD Forest.
       STATION3\ELVFDS3 is an unoccupied RODC account. All tests will be skipped.
       Done gathering initial info.

    Doing initial required tests

       Testing server: STATION2\ELVFDS2
          Starting test: Connectivity
             ......................... ELVFDS2 passed test Connectivity

    Doing primary tests

       Testing server: STATION2\ELVFDS2
          Starting test: Advertising
             ......................... ELVFDS2 passed test Advertising
          Starting test: FrsEvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... ELVFDS2 passed test FrsEvent
          Starting test: DFSREvent
             ......................... ELVFDS2 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... ELVFDS2 passed test SysVolCheck
          Starting test: KccEvent
             ......................... ELVFDS2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... ELVFDS2 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... ELVFDS2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... ELVFDS2 passed test NCSecDesc
          Starting test: NetLogons
             [ELVFDS2] User credentials does not have permission to perform this
             operation.
             The account used for this test must have network logon privileges
             for this machine's domain.
             ......................... ELVFDS2 failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... ELVFDS2 passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check,ELVFDS2] No replication recently attempted:
                From ELVFDS1 to ELVFDS2
                Naming Context: DC=ForestDnsZones,DC=SERVER,DC=ELVFD
                The last attempt occurred at 2016-03-21 16:06:19 (about 3 hours
                ago).
             [Replications Check,ELVFDS2] No replication recently attempted:
                From ELVFDS1 to ELVFDS2
                Naming Context: DC=DomainDnsZones,DC=SERVER,DC=ELVFD
                The last attempt occurred at 2016-03-21 16:06:19 (about 3 hours
                ago).
             [Replications Check,ELVFDS2] No replication recently attempted:
                From ELVFDS1 to ELVFDS2
                Naming Context: CN=Schema,CN=Configuration,DC=SERVER,DC=ELVFD
                The last attempt occurred at 2016-03-21 16:06:19 (about 3 hours
                ago).
             [Replications Check,ELVFDS2] No replication recently attempted:
                From ELVFDS1 to ELVFDS2
                Naming Context: CN=Configuration,DC=SERVER,DC=ELVFD
                The last attempt occurred at 2016-03-21 16:06:19 (about 3 hours
                ago).
             [Replications Check,ELVFDS2] No replication recently attempted:
                From ELVFDS1 to ELVFDS2
                Naming Context: DC=SERVER,DC=ELVFD
                The last attempt occurred at 2016-03-21 16:05:55 (about 3 hours
                ago).
             [Replications Check,ELVFDS2] DsReplicaGetInfo(PENDING_OPS, NULL)
             failed, error 0x2105 "Replication access was denied."
             ......................... ELVFDS2 failed test Replications
          Starting test: Services
                Could not open NTDS Service on ELVFDS2, error 0x5
                "Access is denied."
             ......................... ELVFDS2 failed test Services
          Starting test: SystemLog
             ......................... ELVFDS2 passed test SystemLog
          Starting test: VerifyReferences
             ......................... ELVFDS2 passed test VerifyReferences


       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : SERVER
          Starting test: CheckSDRefDom
             ......................... SERVER passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... SERVER passed test CrossRefValidation

       Running enterprise tests on : SERVER.ELVFD
          Starting test: LocatorCheck
             ......................... SERVER.ELVFD passed test LocatorCheck
          Starting test: Intersite
             ......................... SERVER.ELVFD passed test Intersite
    Tuesday, March 22, 2016 2:00 AM
  • Hi Nic,

    Sorry for the delay. This is for your reference:

    >>Starting test: NetLogons
             [ELVFDS2] User credentials does not have permission to perform this
             operation.
             The account used for this test must have network logon privileges
             for this machine's domain.
             ......................... ELVFDS2 failed test NetLogons

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/2486e6fd-3646-4934-a1b4-2991179e90e7/delegating-dcdiag-how-can-i-find-the-required-permissions?forum=winserverDS

    >>[Replications Check,ELVFDS2] DsReplicaGetInfo(PENDING_OPS, NULL)
             failed, error 0x2105 "Replication access was denied."
             ......................... ELVFDS2 failed test Replications

    https://social.technet.microsoft.com/forums/windowsserver/en-US/963c5b95-d646-43bd-9965-6abd1ec9b5cb/replication-issues

    >>Starting test: Services
                Could not open NTDS Service on ELVFDS2, error 0x5
                "Access is denied."
             ......................... ELVFDS2 failed test Services

    https://support.microsoft.com/en-us/kb/2002013

    Best Regards,

    Cartman

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by Nic Y Jones Saturday, March 23, 2019 10:22 PM
    Tuesday, April 5, 2016 8:50 AM