Remote site lost connection, triggered Event ID 1059: what is timeout?

    Question

  • Hi,

    We have a main office in London, UK, and a remote site in Asia with a read-only domain controller. This RODC is an authorized DHCP server for a scope which is unique to the Asia office.

    This past weekend their internet connection went down for 72 hours, from Friday night until Monday night. Shortly after it went down, the RODC started logging Event 1059 "The DHCP service failed to see a directory server for authentication". Unsurprising. It also stopped responding to clients on the network.

    This caused havoc with the clients as when they booted up on Monday morning, DHCP was not running so they all received a 169.x.x.x address.

    My question is if a RODC could not reach another AD server, how long is it before the DHCP service on RODC stops? 

    And would having a RWDC in that office overcome this issue?

    Thanks in advance.

    Tuesday, November 22, 2016 5:05 PM

Answers

  • Hi Burak,

    I already have two DCs (both are DHCP servers) in my main office, so the groups were created when the domain was set up. Maybe I didn't make my original post clear enough.

    Meanwhile, I appear to have identified a solution to my question. This discussion includes an explanation from Wieger1983, which explains a lot of how DHCP is authorised. He explains...

    When a DHCP server is authorized, the DHCP server periodically tries to contact AD to check the authorization state (default is 60 minutes). The expected behavior when AD is unreachable is to maintain the last known state for 48 hours, and then it will unauthorize itself.

    This explains perfectly why DHCP at my remote site, which was offline for 72 hours, stopped serving clients. To fix this (to stop the RODC from de-authorizing itself) create/amend this registry key

    To disable rogue detection

    1. Click Start, type regedit in Start Search, click Yes in User Account Control if prompted, and then press ENTER.
    2. In the registry tree, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters.
    3. Create/Amend DisableRogueDetection (DWORD) and then click Modify…
    4. In Value Data type 1 and then click OK.

    Many thanks

    Wednesday, November 23, 2016 3:16 PM
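As an added example (not from this thread or from Microsoft's documentation), the PowerShell below audits the setting the accepted answer describes and the event it was reacting to: it reads DisableRogueDetection, counts recent Event ID 1059 entries against the 48-hour window, and applies the registry change only when asked. It assumes it runs elevated on the DHCP server with the DhcpServer module installed, and that the System-log provider name Microsoft-Windows-DHCP-Server is the right one for the server's OS.

```powershell
# Added example, not code from the thread. Audits the rogue-detection setting and
# recent Event ID 1059 entries, and optionally applies DisableRogueDetection=1.
# Assumptions: elevated session on the DHCP server; DhcpServer module present;
# the provider name used below is the one Windows Server 2008 R2 and later write.
param(
    [switch]$Apply,            # actually write DisableRogueDetection=1 and restart the service
    [int]$LookbackHours = 72   # how far back to search the System log for Event ID 1059
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'
$valueName = 'DisableRogueDetection'

# 1. Current state of the value (absent means the periodic AD authorization check is on).
$current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { $current = 0 }
Write-Host "DisableRogueDetection = $current (0 = periodic AD authorization check enabled)"

# 2. Count Event ID 1059 in the lookback window. A long run of these means the server
#    could not reach a DC and is heading toward the 48-hour self-unauthorization.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DHCP-Server'   # assumption: provider name on 2008 R2+
    Id           = 1059
    StartTime    = $since
} -ErrorAction SilentlyContinue
if ($events) {
    $first     = ($events | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
    $hoursDown = [math]::Round(((Get-Date) - $first).TotalHours, 1)
    Write-Host "Event 1059 seen $($events.Count) times; first at $first ($hoursDown h ago; server unauthorizes itself after 48 h)"
} else {
    Write-Host "No Event 1059 in the last $LookbackHours hours"
}

# 3. What AD currently lists as authorized DHCP servers. This fails when no DC is
#    reachable, which is itself the condition the thread is about.
try {
    Get-DhcpServerInDC | Format-Table DnsName, IPAddress -AutoSize
} catch {
    Write-Host "Could not query AD for authorized DHCP servers: $($_.Exception.Message)"
}

# 4. Apply the change only when asked. This turns the authorization check off entirely,
#    so the server keeps serving leases regardless of what AD says about it.
if ($Apply -and $current -ne 1) {
    Set-ItemProperty -Path $regPath -Name $valueName -Value 1 -Type DWord
    Restart-Service -Name DHCPServer
    Write-Host "DisableRogueDetection set to 1 and DHCPServer restarted"
}
```

Run it without -Apply first to see how long the server has been logging 1059 relative to the 48-hour grace period; the DHCPServer restart in step 4 is what makes the new value take effect.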

All replies

  • Hi

    So the catch was that, since an RODC can't write back to AD to create the needed DHCP security groups, i.e. DHCP Administrators and DHCP Users, the service would fail.

    Also check these:

    http://www.shariqsheikh.com/blog/index.php/200806/can-a-rodc-also-be-a-dhcp/

    https://technet.microsoft.com/en-us/library/cc774849%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    So the DHCP server (on the RODC) should always be connected to an RWDC.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Wednesday, November 23, 2016 6:52 AM
  • Hi Andrew,

    My question is if a RODC could not reach another AD server, how long is it before the DHCP service on RODC stops?

    >>> If you have enabled "obtain an IP address automatically", the RODC will not go back before DHCP is down.

    And would having a RWDC in that office overcome this issue?

    >>> The problem is caused by the RODC not having an IP address. So, it is not related to RWDC or RODC.

    For the problem, have you added an unauthorized DHCP server to your environment?

    Please check your AD environment to see if there are any unauthorized servers.

    Here are articles below for your reference.

    Controlling DHCP Active Directory Authorization

    https://technet.microsoft.com/en-us/library/dd145306(v=ws.10).aspx

    More about authorizing DHCP servers in AD DS

    https://technet.microsoft.com/en-us/library/cc754493%28v=ws.11%29.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 23, 2016 1:22 PM
    Moderator