error: 5 (Access is denied) RODC (win srv 2012) with DC (win srv 2016)

  • Question

  • Good Day Dears,

    I'm trying to add an RODC (Windows Server 2012 R2) to a DC (Windows Server 2016) and I get error: 5 (Access is denied).

    Note that my user is a member of: Administrators, Domain Admins, Allowed RODC Password and Enterprise Admin.

    Also, I tried to add it from the DC, from Pre-create Read-only Domain Controller account.

    Br,

    Ahmed Maxsood

    Wednesday, July 22, 2020 8:57 AM

All replies

  • Hello Ahmed Maxsood ,

    Thank you for posting here.

    Q: I'm trying to add an RODC (Windows Server 2012 R2) to a DC (Windows Server 2016) and I get error: 5 (Access is denied).
    A: As I understand, we want to add one RODC to the existing domain.

    Before we make any change to the existing AD domain environment, we had better:
    1. Check if the AD environment is healthy. Check that all DCs in this domain are working fine by running Dcdiag /v on every DC.
    Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum on every DC.

    2. Back up all domain controllers.

    Before we begin to troubleshoot, please let me know more information to clarify our issue. Would you mind collecting the following information at your convenience? I appreciate your time and effort.
    1. What is our domain functional level and forest functional level?
    2. How many domains do you have?
    3. How many DCs are in each domain?
    4. What specific operations are you doing when we receive this error (add RODC to domain or promote RODC)? It would be perfect if you could provide a screenshot with the error message.
    5. Would you please do the same operations with the built-in domain Administrator account and check if it helps?

    Note: If we want to add a 2012 R2 DC to the existing domain, the domain functional level must be equal to or lower than 2012 R2.

    If anything is unclear, please feel free to let us know. 



    This "Directory Services" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details. 


    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, July 23, 2020 7:09 AM
  • Hi Dear,

    Please check the info below:

    1. What is our domain functional level and forest functional level? Functional as AD DS and DNS

    2. How many domains do you have? 1 domain
    3. How many DCs are in each domain? 1 DC
    4. What specific operations are you doing when we receive this error (add RODC to domain or promote RODC)? It would be perfect if you could provide a screenshot with the error message. add RODC
    5. Would you please do the same operations with the built-in domain Administrator account and check if it helps? I will check

    Also, please check the info below:

    C:\Users\a.maxsood>Dcdiag /v

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       * Verifying that the local machine APS-DC, is a Directory Server.
       Home Server = APS-DC
       * Connecting to directory service on server APS-DC.
       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=aps,DC=iq,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=aps,DC=iq,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
       * Found 1 DC(s). Testing 1 of them.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\APS-DC
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             Determining IP4 connectivity
             * Active Directory RPC Services Check
             ......................... APS-DC passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\APS-DC
          Starting test: Advertising
             The DC APS-DC is advertising itself as a DC and having a DS.
             The DC APS-DC is advertising as an LDAP server
             The DC APS-DC is advertising as having a writeable directory
             The DC APS-DC is advertising as a Key Distribution Center
             Warning: APS-DC is not advertising as a time server.
             The DS APS-DC is advertising as a GC.
             ......................... APS-DC failed test Advertising
          Test omitted by user request: CheckSecurityError
          Test omitted by user request: CutoffServers
          Starting test: FrsEvent
             * The File Replication Service Event log test
             Skip the test because the server is running DFSR.
             ......................... APS-DC passed test FrsEvent
          Starting test: DFSREvent
             The DFS Replication Event Log.
             ......................... APS-DC passed test DFSREvent
          Starting test: SysVolCheck
             * The File Replication Service SYSVOL ready test
             File Replication Service's SYSVOL is ready
             ......................... APS-DC passed test SysVolCheck
          Starting test: KccEvent
             * The KCC Event log test
             Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
             ......................... APS-DC passed test KccEvent
          Starting test: KnowsOfRoleHolders
             Role Schema Owner = CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq
             Role Domain Owner = CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq
             Role PDC Owner = CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq
             Role Rid Owner = CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq
             Role Infrastructure Update Owner = CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq
             ......................... APS-DC passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             Checking machine account for DC APS-DC on DC APS-DC.
             * SPN found :LDAP/APS-DC.aps.iq/aps.iq
             * SPN found :LDAP/APS-DC.aps.iq
             * SPN found :LDAP/APS-DC
             * SPN found :LDAP/APS-DC.aps.iq/APS
             * SPN found :LDAP/720c98fa-dd7c-48f5-9483-f6d7067f72f4._msdcs.aps.iq
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/720c98fa-dd7c-48f5-9483-f6d7067f72f4/aps.iq
             * SPN found :HOST/APS-DC.aps.iq/aps.iq
             * SPN found :HOST/APS-DC.aps.iq
             * SPN found :HOST/APS-DC
             * SPN found :HOST/APS-DC.aps.iq/APS
             * SPN found :GC/APS-DC.aps.iq/aps.iq
             ......................... APS-DC passed test MachineAccount
          Starting test: NCSecDesc
             * Security Permissions check for all NC's on DC APS-DC.
             * Security Permissions Check for
               DC=ForestDnsZones,DC=aps,DC=iq
                (NDNC,Version 3)
             * Security Permissions Check for
               DC=DomainDnsZones,DC=aps,DC=iq
                (NDNC,Version 3)
             * Security Permissions Check for
               CN=Schema,CN=Configuration,DC=aps,DC=iq
                (Schema,Version 3)
             * Security Permissions Check for
               CN=Configuration,DC=aps,DC=iq
                (Configuration,Version 3)
             * Security Permissions Check for
               DC=aps,DC=iq
                (Domain,Version 3)
             ......................... APS-DC passed test NCSecDesc
          Starting test: NetLogons
             * Network Logons Privileges Check
             Verified share \\APS-DC\netlogon
             Verified share \\APS-DC\sysvol
             [APS-DC] User credentials does not have permission to perform this operation.
             The account used for this test must have network logon privileges
             for this machine's domain.
             ......................... APS-DC failed test NetLogons
          Starting test: ObjectsReplicated
             APS-DC is in domain DC=aps,DC=iq
             Checking for CN=APS-DC,OU=Domain Controllers,DC=aps,DC=iq in domain DC=aps,DC=iq on 1 servers
                Object is up-to-date on all servers.
             Checking for CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq in domain CN=Configuration,DC=aps,DC=iq on 1 servers
                Object is up-to-date on all servers.
             ......................... APS-DC passed test ObjectsReplicated
          Test omitted by user request: OutboundSecureChannels
          Starting test: Replications
             * Replications Check
             [Replications Check,APS-DC] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
             "Replication access was denied."
             ......................... APS-DC failed test Replications
          Starting test: RidManager
             * Available RID Pool for the Domain is 2604 to 1073741823
             * APS-DC.aps.iq is the RID Master
             * DsBind with RID Master was successful
             * rIDAllocationPool is 2104 to 2603
             * rIDPreviousAllocationPool is 2104 to 2603
             * rIDNextRID: 2200
             ......................... APS-DC passed test RidManager
          Starting test: Services
             * Checking Service: EventSystem
             * Checking Service: RpcSs
             * Checking Service: NTDS
                Could not open NTDS Service on APS-DC, error 0x5 "Access is denied."
             * Checking Service: DnsCache
             * Checking Service: DFSR
             * Checking Service: IsmServ
             * Checking Service: kdc
             * Checking Service: SamSs
             * Checking Service: LanmanServer
             * Checking Service: LanmanWorkstation
             * Checking Service: w32time
             * Checking Service: NETLOGON
             ......................... APS-DC failed test Services
          Starting test: SystemLog
             * The System Event log test
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:34:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             A warning event occurred.  EventID: 0x00004249
                Time Generated: 07/26/2020   11:35:31
                Event String:
                6 remote calls to the SAM database have been denied in the past 900 seconds throttling window.
                For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:36:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:38:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:40:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:42:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:44:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:46:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0xC0000010
                Time Generated: 07/26/2020   11:47:03
                Event String:
                While processing a TGS request for the target server m.qassim, the account m.qassim@APS.IQ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18  17. The accounts available etypes were 23  -133  -128  18  17. Changing or resetting the password of m.qassim will generate a proper key.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:47:15
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:47:22
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:47:23
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:48:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:50:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:52:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             A warning event occurred.  EventID: 0x00004249
                Time Generated: 07/26/2020   11:53:33
                Event String:
                4 remote calls to the SAM database have been denied in the past 900 seconds throttling window.
                For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:54:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0xC0000010
                Time Generated: 07/26/2020   11:54:30
                Event String:
                While processing a TGS request for the target server a.abbas, the account a.abbas@APS.IQ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18  17. The accounts available etypes were 23  -133  -128  18  17. Changing or resetting the password of a.abbas will generate a proper key.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:56:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   11:58:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:00:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:02:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:04:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:06:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:08:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:10:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:12:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             A warning event occurred.  EventID: 0x00004249
                Time Generated: 07/26/2020   12:13:38
                Event String:
                5 remote calls to the SAM database have been denied in the past 900 seconds throttling window.
                For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:14:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:16:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:18:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:20:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:22:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:24:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:26:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:28:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:30:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             An error event occurred.  EventID: 0x00009005
                Time Generated: 07/26/2020   12:32:05
                Event String:
                The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
             ......................... APS-DC failed test SystemLog
          Test omitted by user request: Topology
          Test omitted by user request: VerifyEnterpriseReferences
          Starting test: VerifyReferences
             The system object reference (serverReference) CN=APS-DC,OU=Domain Controllers,DC=aps,DC=iq and backlink on
             CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq are correct.
             The system object reference (serverReferenceBL)
             CN=APS-DC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=aps,DC=iq and backlink on
             CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq are
             correct.
             The system object reference (msDFSR-ComputerReferenceBL)
             CN=APS-DC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=aps,DC=iq and backlink on
             CN=APS-DC,OU=Domain Controllers,DC=aps,DC=iq are correct.
             ......................... APS-DC passed test VerifyReferences
          Test omitted by user request: VerifyReplicas

          Test omitted by user request: DNS
          Test omitted by user request: DNS

       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : aps
          Starting test: CheckSDRefDom
             ......................... aps passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... aps passed test CrossRefValidation

       Running enterprise tests on : aps.iq
          Test omitted by user request: DNS
          Test omitted by user request: DNS
          Starting test: LocatorCheck
             GC Name: \\APS-DC.aps.iq
             Locator Flags: 0xe001f1bd
             PDC Name: \\APS-DC.aps.iq
             Locator Flags: 0xe001f1bd
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
             A Good Time Server could not be located.
             KDC Name: \\APS-DC.aps.iq
             Locator Flags: 0xe001f1bd
             ......................... aps.iq failed test LocatorCheck
          Starting test: Intersite
             Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments
             provided.
             ......................... aps.iq passed test Intersite

    C:\Users\a.maxsood>repadmin /showrepl

    Repadmin: running command /showrepl against full DC localhost
    Default-First-Site-Name\APS-DC
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: 720c98fa-dd7c-48f5-9483-f6d7067f72f4
    DSA invocationID: ea5521a1-5e95-4bcd-a92c-566052c72ca7



    C:\Users\a.maxsood>repadmin /replsum
    Replication Summary Start Time: 2020-07-26 12:33:17

    Beginning data collection for replication summary, this may take awhile:
      ....


    Source DSA          largest delta    fails/total %%   error


    Destination DSA     largest delta    fails/total %%   error



    C:\Users\a.maxsood>

    Sunday, July 26, 2020 11:50 AM
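
Added example, not part of the original thread: the Dcdiag /v output above is long and dominated by repeated event-log entries, so this Python script reduces such output to its failed tests, marks the failures whose own output shows the diagnostic was denied access, and counts events per EventID. The sample text is constructed (abridged from the output posted above), and the function and field names are this example's own.

```python
import re
import sys
from collections import Counter

# Constructed sample, abridged from the Dcdiag /v output posted in this thread.
SAMPLE = r"""
   Testing server: Default-First-Site-Name\APS-DC
      Starting test: Advertising
         Warning: APS-DC is not advertising as a time server.
         ......................... APS-DC failed test Advertising
      Starting test: NetLogons
         [APS-DC] User credentials does not have permission to perform this operation.
         ......................... APS-DC failed test NetLogons
      Starting test: Replications
         [Replications Check,APS-DC] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
         "Replication access was denied."
         ......................... APS-DC failed test Replications
      Starting test: RidManager
         ......................... APS-DC passed test RidManager
      Starting test: Services
            Could not open NTDS Service on APS-DC, error 0x5 "Access is denied."
         ......................... APS-DC failed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00009005
            Time Generated: 07/26/2020   11:34:05
         A warning event occurred.  EventID: 0x00004249
            Time Generated: 07/26/2020   11:35:31
         An error event occurred.  EventID: 0x00009005
            Time Generated: 07/26/2020   11:36:05
         An error event occurred.  EventID: 0xC0000010
            Time Generated: 07/26/2020   11:47:03
         ......................... APS-DC failed test SystemLog
"""

START = re.compile(r"Starting test:\s+(\S+)")
RESULT = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
EVENT = re.compile(r"(error|warning) event occurred\.\s+EventID:\s+(0x[0-9A-Fa-f]+)")
# Messages that say the caller of the diagnostic was refused.
DENIED = re.compile(r"access (is|was) denied|does not have permission", re.I)


def summarize(text):
    """Return (results, events) parsed from Dcdiag /v text output."""
    results = []        # one dict per "passed/failed test" line
    events = Counter()  # (level, EventID) -> number of occurrences
    denied = []         # access messages seen inside the current test
    for raw in text.splitlines():
        line = raw.strip()
        if START.search(line):
            denied = []
            continue
        m = EVENT.search(line)
        if m:
            events[(m.group(1), m.group(2))] += 1
            continue
        if DENIED.search(line):
            denied.append(line)
            continue
        m = RESULT.search(line)
        if m:
            target, outcome, test = m.groups()
            results.append({"target": target, "test": test,
                            "outcome": outcome, "denied": denied})
            denied = []
    return results, events


def failed_tests(results):
    return [r["test"] for r in results if r["outcome"] == "failed"]


def refused_tests(results):
    """Failed tests whose own output shows the caller was denied access."""
    return [r["test"] for r in results
            if r["outcome"] == "failed" and r["denied"]]


def report(text):
    results, events = summarize(text)
    lines = []
    for r in results:
        if r["outcome"] != "failed":
            continue
        tag = ("access denied to the diagnostic" if r["denied"]
               else "no access-denied message in its output")
        lines.append(f"{r['target']}: {r['test']} failed ({tag})")
        lines.extend(f"    {d}" for d in r["denied"])
    for (level, event_id), count in events.most_common():
        lines.append(f"{count} x {level} event {event_id}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a saved dcdiag output file as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            print(report(fh.read()))
    else:
        print(report(SAMPLE))
```
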
  • Hello,
    Thank you for your update.

    From the result of DCdiag /v, it seems there are some problems with this DC.

    1. We can check the domain functional level and forest functional level as below:

    2. Is this DC a GC? We can check as below:

    3. Are the netlogon folder and sysvol folder shared? We can run net share on this DC to check.

    4. We can run Netdom query FSMO on this DC to check the result for the FSMO role holders.




    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    "Directory Services" forum will be migrating to a new home on Microsoft Q&A!

    We invite you to post new questions in the "Directory Services"  forum's new home on Microsoft Q&A!

    For more information, please refer to the sticky post.
    Monday, July 27, 2020 5:09 AM
  • Thanks, dear, for the reply. Please check the info below:
    - current forest functional level: Windows Server 2016 (not 2012)
    - this DC is GC
    - net share

    Share name   Resource                        Remark

    -------------------------------------------------------------------------------
    IPC$                                         Remote IPC
    C$           C:\                             Default share
    print$       C:\Windows\system32\spool\drivers
                                                 Printer Drivers
    ADMIN$       C:\Windows                      Remote Admin
    aps          C:\aps
    DAG.aps.iq   C:\witness                      File share witness created for ...
    NETLOGON     C:\Windows\SYSVOL\sysvol\aps.iq\SCRIPTS
                                                 Logon server share
    p            C:\p
    share        C:\share
    SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
    witness      C:\witness
    The command completed successfully.

    - netdom query fsmo

    Schema master               APS-DC.aps.iq
    Domain naming master        APS-DC.aps.iq
    PDC                         APS-DC.aps.iq
    RID pool manager            APS-DC.aps.iq
    Infrastructure master       APS-DC.aps.iq
    The command completed successfully.
    Monday, July 27, 2020 8:10 AM
  • Any update please ?
    Wednesday, July 29, 2020 6:42 AM
  • Hi,
    I am sorry for the late reply.

    Ensure that all domain functional levels are equal to or higher than the forest functional level;
    Ensure that the operating system level of all domain controllers is equal to or higher than the domain functional level;

    Windows Server 2016
    Supported Domain Controller Operating System:

    Windows Server 2019
    Windows Server 2016


    So we can add a 2016 RODC or 2019 RODC to your AD domain.

    Reference
    Forest and Domain Functional Levels
    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels


    Best Regards,
    Daisy Zhou

    Wednesday, July 29, 2020 8:48 AM
  • You can't add DC with installed WS2012R2 to forest level WS2016 - it's unsupportable configuration. Use at least WS2016 for deploying RODC.
    Wednesday, July 29, 2020 8:52 AM
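
The rule given in the two replies above (a domain controller's operating system must be at or above the functional level) can be checked on the server before promotion, together with the GC and FSMO items asked for earlier in the thread. This is an added example, not part of any reply; it assumes the ActiveDirectory PowerShell module is installed on a domain-joined server, and `Test-DcOsAgainstLevel` and `$MinOsForLevel` are names made up here.

```powershell
# Added example: run on the member server that is about to be promoted.
# Needs the ActiveDirectory module (RSAT-AD-PowerShell) and domain connectivity.
Import-Module ActiveDirectory

# msDS-Behavior-Version value -> lowest DC operating system version allowed.
$MinOsForLevel = @{
    3 = [version]'6.0'    # Windows Server 2008
    4 = [version]'6.1'    # Windows Server 2008 R2
    5 = [version]'6.2'    # Windows Server 2012
    6 = [version]'6.3'    # Windows Server 2012 R2
    7 = [version]'10.0'   # Windows Server 2016
}

# Hypothetical helper: $true when the OS may host a DC at the given level.
function Test-DcOsAgainstLevel {
    param([int]$Level, [version]$OsVersion)
    if (-not $MinOsForLevel.ContainsKey($Level)) {
        throw "Functional level $Level is not in the table; check it manually."
    }
    return $OsVersion -ge $MinOsForLevel[$Level]
}

# Read both levels as raw integers rather than relying on the module's enum names.
$rootDse = Get-ADRootDSE
$attr = 'msDS-Behavior-Version'
$domainLevel = (Get-ADObject $rootDse.defaultNamingContext -Properties $attr).$attr
$forestLevel = (Get-ADObject "CN=Partitions,$($rootDse.configurationNamingContext)" -Properties $attr).$attr

# Local OS version, e.g. 6.3.9600 on 2012 R2 or 10.0.14393 on 2016.
$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version

# Health items requested in the thread: GC flag and FSMO role holders.
$domain = Get-ADDomain
$forest = Get-ADForest
$pdc = Get-ADDomainController -Identity $domain.PDCEmulator

[pscustomobject]@{
    LocalOsVersion = $osVersion
    DomainLevel    = $domainLevel
    ForestLevel    = $forestLevel
    OsAllowedAsDc  = (Test-DcOsAgainstLevel $domainLevel $osVersion) -and
                     (Test-DcOsAgainstLevel $forestLevel $osVersion)
    PdcIsGlobalCat = $pdc.IsGlobalCatalog
    PdcEmulator    = $domain.PDCEmulator
    RidMaster      = $domain.RIDMaster
    InfraMaster    = $domain.InfrastructureMaster
    SchemaMaster   = $forest.SchemaMaster
    DomainNaming   = $forest.DomainNamingMaster
}
```

With the forest functional level the poster reports (Windows Server 2016, value 7), a Windows Server 2012 R2 machine (version 6.3) gives `OsAllowedAsDc = False`.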
  • Hi
    How are things going on your end? Please keep me posted on this issue. 
    If you have any further questions or concerns about this question, please let us know.
    I appreciate your time and efforts.

    Best Regards,
    Daisy Zhou

    Friday, July 31, 2020 4:10 AM
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou

    Monday, August 3, 2020 7:41 AM
  • Thanks, dear, for your reply.
    Wednesday, August 5, 2020 7:04 AM
  • You can't add DC with installed WS2012R2 to forest level WS2016 - it's unsupportable configuration. Use at least WS2016 for deploying RODC.
    OK dear, thanks.
    Wednesday, August 5, 2020 7:08 AM
  • Hi,
    Thank you for your update.

    If we add Windows Server 2019 RODC or Windows Server 2016 RODC in the domain, is it successful?

    If so, as always, if there is any question in future, we warmly welcome you to post in Q&A forum again. We are happy to assist you!


    Best Regards,
    Daisy Zhou


    Thursday, August 6, 2020 6:27 AM
  • Hello,

    Greetings!

    Because this TechNet forum will become read-only since 8/10, in order to provide support for you conveniently, we have posted the same post as this case on the Q&A forum for you.

    If you need further help with this case, you are welcome to go to the Q&A forum to continue consulting.

    I am sorry for the inconvenience, thank you so much for your understanding and support.

    New case link:
    https://docs.microsoft.com/en-us/answers/questions/61377/error-5-access-s-denied-rodc-win-srv-2012-with-dc.html


    Best Regards,
    Daisy Zhou

    Friday, August 7, 2020 7:44 AM