2008 RODC

  • Question

  • We have a domain with 2 DCs active on it, the main DC on 2008 server, and the secondary DC also on 2008.

    We have raised the domain level and forest level to 2008, adprep'd the domain for RODC which all passes.

    When trying to make an RODC, it has an error during DCpromo which says

    "While promoting Read-only Domain Controller, the expected state objects could not be found".

    The machine can be converted successfully into a full DC and then demoted again but cannot be made into an RODC.

    How can I fix this error?

    The following information came from the end of the dcpromo.log file

    05/26/2010 14:03:10 [INFO] Replicated the configuration container.
    05/26/2010 14:03:10 [INFO] Checking state objects for Read-only Domain Controller.
    05/26/2010 14:03:11 [INFO] Error - While promoting Read-only Domain Controller, the expected state objects could not be found. (234)
    05/26/2010 14:03:11 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
    Internal error: An Active Directory Domain Services error has occurred.



    Additional Data

    Error value (decimal):
    -1073741823

    Error value (hex):
    c0000001

    Internal ID:
    30014c7

    05/26/2010 14:03:13 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1004
    Active Directory Domain Services was shut down successfully.

    05/26/2010 14:03:13 [INFO] NtdsInstall for S3K.local returned 234
    05/26/2010 14:03:13 [INFO] DsRolepInstallDs returned 234
    05/26/2010 14:03:13 [ERROR] Failed to install to Directory Service (234)
    05/26/2010 14:03:28 [INFO] Starting service NETLOGON
    05/26/2010 14:03:28 [INFO] Configuring service NETLOGON to 2 returned 0
    05/26/2010 14:03:28 [INFO] The attempted domain controller operation has completed
    05/26/2010 14:03:28 [INFO] DsRolepSetOperationDone returned 0
    Thursday, May 27, 2010 2:08 PM

Answers

  • You may also try pre-creating the Read-only Domain Controller account in Active Directory by right-clicking on Domain Controllers, and then try running the command

    dcpromo /UseExistingAccount:Attach

    http://technet.microsoft.com/en-us/library/cc754629(WS.10).aspx

     

    Thanks


    http://www.virmansec.com/blogs/skhairuddin
    • Marked as answer by Bruce-Liu Friday, June 4, 2010 7:57 AM
    Sunday, May 30, 2010 2:03 PM
  • Hi All,

    This issue may occur if you have the following Application Partition in your Active Directory

    DC=TAPI3Directory,DC=Domain,DC=local

    I just fixed this issue after removing this application partition. Hope it can help you!

    Best Regards,

    Peter

    • Marked as answer by Bruce-Liu Thursday, June 24, 2010 10:06 AM
    Wednesday, June 23, 2010 2:08 AM
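
A read-only way to check for the application partition named in the answer above before promoting an RODC. This is an added example, not code from the thread or from Microsoft; the function name Get-ApplicationPartition and its -Highlight parameter are hypothetical, and it assumes PowerShell 2.0 or later on a domain-joined machine with read access to the Configuration partition. It uses ADSI rather than the ActiveDirectory module, which is not present on Windows Server 2008 (non-R2) by default.

```powershell
# Added example: lists application partitions by reading crossRef objects under
# CN=Partitions in the Configuration naming context. It changes nothing in AD.
function Get-ApplicationPartition {
    param(
        # Hypothetical parameter: name fragment to flag in the output, defaulting
        # to the TAPI3Directory partition reported in this thread.
        [string]$Highlight = 'TAPI3Directory'
    )

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=Partitions,$configNc"
    $searcher.SearchScope = 'OneLevel'
    # systemFlags bits on a crossRef: 1 = naming context held in AD,
    # 2 = domain NC, 4 = not replicated to the global catalog.
    # Application partitions carry 1 + 4 = 5; the bitwise-AND matching rule
    # (1.2.840.113556.1.4.803) selects entries with both bits set.
    $searcher.Filter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5))'
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('nCName', 'dnsRoot', 'msDS-NC-Replica-Locations'))

    foreach ($result in $searcher.FindAll()) {
        $nc       = [string]$result.Properties['ncname'][0]
        $replicas = $result.Properties['msds-nc-replica-locations']
        New-Object PSObject -Property @{
            NamingContext = $nc
            DnsRoot       = [string]$result.Properties['dnsroot'][0]
            # The attribute is absent when no DC currently hosts a replica.
            ReplicaCount  = if ($replicas) { $replicas.Count } else { 0 }
            Highlighted   = ($nc -like "*$Highlight*")
        }
    }
}

# DomainDnsZones and ForestDnsZones are the default DNS application partitions
# and are expected in the output; anything else deserves a closer look.
Get-ApplicationPartition |
    Sort-Object NamingContext |
    Format-Table NamingContext, DnsRoot, ReplicaCount, Highlighted -AutoSize
```

A partition that appears with a ReplicaCount of 0 is not hosted on any current DC, which is worth recording before deciding what to do with it.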

All replies

  • Hello,

    The functional schema extensions need to be run from your Windows Server 2008 DVD on (preferably) your PDC emulator FSMO role DC in this order:

    1. adprep /forestprep 
    2. adprep /domainprep /gpprep  
    3. adprep /rodcprep 

    Are your DCs 2k8 or 2k8 R2? Is the RODC R2?

    Regards,

    Peter Rajcinov

    Thursday, May 27, 2010 2:25 PM
  • hello

    Are your 2 active w2k8 domain controllers also GC and DNS servers?


    Isaac Oben MCITP:EA, MCSE
    Thursday, May 27, 2010 2:44 PM
  • Hi,

     

    You may try to perform a metadata cleanup to remove data from AD DS that identifies a domain controller to the replication system:

     

    Clean Up Server Metadata

    http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx

     

    Then, please try to promo RODC again.

     

    http://technet.microsoft.com/en-us/library/cc742451(WS.10).aspx

     

    Regards,

    Bruce

    Friday, May 28, 2010 7:38 AM
  • Have done all the adprep stuff already, and both the DCs are just 2008, not R2; the RODC I am trying to make is also 2008 and not R2.

    I had already been through the metadata cleanup as there was a failed DC a few years ago, and there was nothing left in the metadata cleanup bit, although I found some records in DNS which have since been removed.

    Tried DCpromo again but still the same error.

     

    Friday, May 28, 2010 8:34 AM
  • Hello,

    As all of the above doesn't help, I suggest enabling advanced logging in the domain according to the following article; it still applies to Windows Server 2008, as no new logging options were set:

    http://support.microsoft.com/kb/314980/en-us


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Sunday, May 30, 2010 12:21 PM
  • Did you add the RODC in your DC?

    First you have to add your RODC name in your DC.

    Then try to install the RODC.

    Sunday, May 30, 2010 6:15 PM
  • Hi

    Please check this link under videos section to learn how to add a RODC.

    http://srvcore.wordpress.com/2010/02/06/active-directory-windows-2008-and-2008-r2-useful-documentation/

     


    I hope that the information above helps you. This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
    Monday, May 31, 2010 8:39 PM
  • Hi Sigma3,

     

    Have you tried the suggestions? If there is any update about this issue, please let us know.

     

    Regards,

    Bruce

    Wednesday, June 2, 2010 6:26 AM
  • Hi All,

    We met the same problem when promoting an RODC. I also checked "Steps for Deploying an RODC" http://technet.microsoft.com/en-us/library/cc754629(WS.10).aspx , which mentioned Delegate RODC installation. However, it seems this is an optional step. Any other suggestions are appreciated.

    Thanks,

    Peter

    Thursday, June 10, 2010 7:35 AM
  • Hello Peter,

    Please describe more details about your environment: the number of DCs, OS versions in use, etc. Did you also follow all the steps mentioned here in detail?

    Also, as this thread is marked as solved and the OP hasn't added additional information, it will be better to create your own posting instead.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Thursday, June 10, 2010 8:21 AM
  • Hi Peter,

     

    Thanks for letting us know how you fixed the issue. This information will be useful for other people who encounter the same problem. If you have more questions in the future, you’re welcome to this forum.

     

    Regards,

    Bruce

     

    Thursday, June 24, 2010 10:08 AM
  • I had a similar issue on a RODC deployment scenario. This was the error message in PS:

    Install-ADDSDomainController : The operation failed because:
    While promoting Read-only Domain Controller, failed to replicate the secrets from the helper AD DC.
    "The replication operation failed because the target object referred by a link value is recycled."
    At line:1 char:1
    + Install-ADDSDomainController `
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Install-ADDSDomainController], DCPromoExecutionException
        + FullyQualifiedErrorId : DCPromo.General.54,Microsoft.DirectoryServices.Deployment.PowerShell.Commands.InstallADD
       SDomainControllerCommand
    

    In my case, Microsoft KB 2737935 solved the issue

    • Proposed as answer by GradyG Friday, November 15, 2013 4:34 AM
    Thursday, October 24, 2013 8:56 PM