Cannot create RODC (option grayed out)

  • Question

  • Hi all,

    I'm having trouble creating an RODC. I'm pretty sure that I meet the minimum requirements: Windows 2003 functional level and at least 1 Windows 2008 DC.
    When I run DCPromo the option to create RODC is grayed out.

    I verified that my forest functional level is 2003 with ADSIedit msDS-Behavior-Version 2=(WIN2003)

    And I have 2 2008 DC in my forest.

    Here is the structure.

    myco.com (root of forest) 3X2003 DC - Functionality 2003
    location.mycorp.com (resource\users domain) 3X 2003 DC, 2X 2008 DC - Functionality 2003. This is the domain where I want to add the RODC.

    Has anyone experienced the same issue?

    Any help would be great.

    Thanks all
    Monday, November 24, 2008 4:12 PM

Answers

  • Hi Rudy,

    From the information in the DCPROMO wizard, I suspect that the forest function level of this forest is still Windows 2000. Please open the Active Directory Domains and Trusts console to verify the forest function level, since we can only check the domain function level in Active Directory Users and Computers (ADUC) console.

    If you would like to check the attribute msDS-Behavior-Version, please confirm if the attribute is on the CN=Partitions, CN=Configuration, DC=ForestRootDom.

    Note:

    The attribute msDS-Behavior-Version on the CN=Partitions, CN=Configuration, DC=ForestRootDom indicates the forest function level.

    The attribute msDS-Behavior-Version on the NC head root of each domain DC=Mydomain, DC=ForestRootDom indicates the domain function level.

    For more information:

    How to raise domain and forest functional levels in Windows Server 2003

    http://support.microsoft.com//kb/322692

    In addition, please verify if adprep /rodcprep has been run on the forest. You can check the following object in Active Directory: CN=ActiveDirectoryRODCUpdate,CN=ForestUpdates,CN=Configuration,DC=domain,DC=com

    • Edited by Joson Zhou Friday, November 28, 2008 7:46 AM spelling mistake
    • Marked as answer by Joson Zhou Tuesday, December 2, 2008 2:05 AM
    Friday, November 28, 2008 3:57 AM
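
The checks described in the answer above, as an added PowerShell example that is not part of the original thread: it reads msDS-Behavior-Version from CN=Partitions (forest level) and from each domain NC head (domain level), then looks for the adprep /rodcprep marker object. It assumes a domain-joined machine using serverless ADSI binding; the level-name table and the crossRef systemFlags filter are not from the thread.

```powershell
# Added example: read functional levels from the objects named in the answer.
# Assumption: run on a domain-joined machine; ADSI locates a DC by itself.
$levels = @{
    0 = 'Windows 2000'
    1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'
    4 = 'Windows Server 2008 R2'
}

function Get-LevelName($value) {
    # An absent attribute means the level was never raised.
    if ($null -eq $value) { return 'not set (treated as Windows 2000)' }
    $v = [int]$value
    if ($levels.ContainsKey($v)) { $levels[$v] } else { "unknown ($v)" }
}

$rootDse    = [ADSI]'LDAP://RootDSE'
$configNC   = [string]$rootDse.configurationNamingContext
$partitions = [ADSI]"LDAP://CN=Partitions,$configNC"

# Forest functional level: msDS-Behavior-Version on CN=Partitions.
$forest = $partitions.Properties['msDS-Behavior-Version'].Value
"Forest level : {0}" -f (Get-LevelName $forest)

# Domain functional level: the same attribute on each domain NC head.
# crossRef objects with systemFlags bit 2 set describe domain partitions.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions)
$searcher.Filter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
[void]$searcher.PropertiesToLoad.Add('nCName')
foreach ($ref in $searcher.FindAll()) {
    $nc     = [string]$ref.Properties['ncname'][0]
    $head   = [ADSI]"LDAP://$nc"
    $domain = $head.Properties['msDS-Behavior-Version'].Value
    "Domain level : {0,-30} {1}" -f (Get-LevelName $domain), $nc
}

# Marker object created by adprep /rodcprep.
$rodcDn = "CN=ActiveDirectoryRODCUpdate,CN=ForestUpdates,$configNC"
if ([ADSI]::Exists("LDAP://$rodcDn")) {
    "rodcprep marker present: $rodcDn"
} else {
    "rodcprep marker MISSING: $rodcDn"
}
```

A domain line reporting Windows Server 2003 next to a forest line reporting Windows 2000 matches the mismatch between ADSI Edit and DCPROMO discussed in this thread.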

All replies

  • I think the dcpromo wizard should have an explanation in the text box below regarding why the RODC check box is grayed out.

    Btw, did you run adprep /rodcprep?

    Please refer to RODC deployment guide for more info: http://technet.microsoft.com/en-us/library/cc731243.aspx


    Swami
    • Proposed as answer by jletennier Thursday, December 9, 2010 11:51 PM
    Monday, November 24, 2008 8:05 PM
  • Where's the 2008DC located? A site directly attached to the site the RODC is placed?
    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Wednesday, November 26, 2008 11:59 AM
  • Hi Swami

     Yes, all the forest\domain prep are done,

    I really should have included this with my original post. This is from DCPROMO:

    There are currently 19 DNS servers that are registered as authoritative name servers for this domain.

    The forest functional level is Windows 2000. To install a read-only domain controller, the forest functional level must be Windows Server 2003 or higher.


    But if I look at it with ADUC or ADSI edit it shows 2003 ADSIedit msDS-Behavior-Version 2=(WIN2003)

    And I did follow the deployment guide


    Thank you

    Rudy
    Wednesday, November 26, 2008 2:01 PM
  • Florian
     
    I tried in 2 of my sites where I already have a 2008 DC.  Is there an issue with having RODC and regular (writable) DC in the same site?

    Thank you

    Rudy
    Wednesday, November 26, 2008 2:03 PM
  • I have a similar issue (RODC option grayed out) and your suggestions are appreciated.

    In my environment I currently have

    1. Two Windows 2003 DC's

    2. Three Windows 2008 R2 DC's. ( One is running Server core).

    Note: I created my first 2008 R2 DC after running the forest prep, domain prep and RODC prep.

    3. I have transferred all the FSMO roles from Windows 2003 DC to one of the 2008 R2 DCs. This was required to make the Active directory application center work. Now all FSMO roles are running from a Windows 2008 R2 DC.

    4. Now I need to create a 2008 R2 RODC and the message I get is "A domain controller running Windows Server 2008 R2 could not be located in this domain". I have the RODC option grayed out. Why so?

    5. I have DNS running on two 2008 R2 DCs and I see that the replication is happening. Is there anything wrong with my DNS? What do I need to check here other than basic stuff?

    6. I have checked using ADSI edit that the schema has updates regarding the Rodc prep and the forest and domain functional level are set to Windows 2003.

     

    Why does the DCPROMO process say there is no 2008 R2 DC? Where does this process check to verify the existence of Win2k8 R2 DCs? Can someone list the items I can verify in the schema to make sure that I have all required updates/fields?

    Anything to check for the DNS server that is running on win2kr2 DCs?

    Thanks

    Deepu

    Windows Engineer
    Monday, April 26, 2010 2:58 PM
  • Howdie!
     
    On 26.04.2010 16:58, plakeezhu wrote:
    > 4. Now I need to create a 2008 R2 RODC and the message I get is " A
    > domain controller running Windows Server 2008 R2 could not be located in
    > this domain". I have the RODC option grayed out. Why so?
     
    Did you specify the correct domain? Is there any relevant output in
    dcpromoui.log? Anything helpful?
     
    Cheers,
    Florian
     

    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    Monday, April 26, 2010 3:10 PM
  • Looks like the DCPROMO is still looking at the 2003 DC. DsGetDCName is still returning old DC name which currently does not have any FSMO roles. I think, something went wrong while transferring the role.

    I will do more research and will provide the details.

     

     


    Windows Engineer
    Monday, April 26, 2010 5:07 PM
  • Howdie!
     
    On 26.04.2010 19:07, plakeezhu wrote:
    > Looks like the DCPROMO is still looking at the 2003 DC. DsGetDCName is
    > still returning old DC name which currently does not have any FSMO
    > roles. I think, something went wrong while transferring the role.
    >
    > I will do more research and will provide the details.
     
    Did you verify with nltest? What does netdom query fsmo come up with?
     

    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    Monday, April 26, 2010 8:00 PM
  • Anyone ever find a solution to this? I'm having the exact same problem. My forest level is 2008 yet dcpromo refuses to see it.
    Thursday, July 22, 2010 9:06 PM
  • I am running a full Windows 2008 R2 forest and now trying to install our first RODC, and it is failing to install due to "Cannot create RODC (option grayed out)"

    Any ideas? And yes, I have checked every domain controller for all the necessary attributes (using both Console and ADSIEDIT). When I run DCPROMO it indicates the forest level is at Windows 2000.

    any help much appreciated

    JM


    jletennier
    Thursday, December 9, 2010 11:14 PM
  • I am having the same or similar problem.

    My Domain Function level shows Windows 2003 in both Domains and Trusts and AD Users and Computers.  I also checked the setting in ADSI and found that Windows 2003 function level was correct.  However, when I run DCpromo from a Windows 2008 R2 machine I get that the Function level is only 2000.  Something seems very wrong with this.  Has anyone found an answer for this?

     

    Rob

    Monday, September 19, 2011 8:36 PM
  • have you done?
    ADPREP /FORESTPREP
    ADPREP /DOMAINPREP
    ADPREP /RODCPREP
     
    from the w2k8r2 install media?
     

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services




    Jorge de Almeida Pinto [MVP-DS] (http://jorgequestforknowledge.wordpress.com/)
    Wednesday, September 21, 2011 5:24 AM
  • In our case the order of DNS servers in the TCP/IP properties caused the search for the FSMO role holder to fail. We pushed the local IP to the bottom of the DNS list, then ran IPCONFIG /REGISTERDNS (probably not necessary) and ran NETDOM QUERY FSMO. This resolved the problem.
    Thursday, September 5, 2013 8:00 PM