RODC promotion fails with While promoting Read-only Domain Controller, failed to replicate the secrets from the helper AD DC

Question

  • Trying to fix the issue with one RODC failing with the below error.

    While promoting Read-only Domain Controller, failed to replicate the secrets from the helper AD DC.

    01/06/2017 09:45:14 [INFO] EVENTLOG (Warning): NTDS General / Replication : 1115
    Outbound replication has been disabled by the user.

    01/06/2017 09:45:14 [INFO] Replicating secrets for Read-only Domain Controller.
    01/06/2017 09:45:16 [INFO] Error - While promoting Read-only Domain Controller, failed to replicate the secrets from the helper AD DC. (8639)
    01/06/2017 09:45:16 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
    Internal error: An Active Directory Domain Services error has occurred.
    Additional Data

    Error value (decimal):
    -1073741823

    Error value (hex):
    c0000001

    Internal ID:
    3001806

    Tried rejoining the computer to the domain and retrying, with no luck. Tried changing the source DC for replication during promotion, with no luck. Tried removing all PRP accounts while promoting, with no luck. On another computer in the same domain, promotion worked perfectly fine. There are no firewalls configured. Any help appreciated.

    Friday, January 6, 2017 8:55 PM

Answers

  • This problem turned out to be much more complicated. Basically, we need to enable NTDS diagnostic logging on the server before promotion, so we can capture all the logs in C:\windows\debug\dcpromo*.log

    Diagnostic logging with Replication events at 3.

    When the promotion fails, we can see that the krbtgt_XXXX account designated for the RODC is failing to get cached on the server.

    During this moment, looking at the writable DC, we can see that the krbtgt_<Servername> is created and is being renamed to krbtgt_XXXX (with numbers). This is where it fails.

    I am trying to get the source code for the promotion to check and work this out. But at last we know where the issue is.

    I prefer not to open a case with Microsoft as this is not a show stopper for us now, and is only occurring randomly. But the troubleshooting has given us a great deal of in-depth knowledge on how the promotion works for an RODC.

    Monday, March 6, 2017 2:34 PM
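An added example, not code from the thread: it raises the NTDS "Replication Events" diagnostic level to 3 before promotion as the answer suggests, pulls the secrets-replication lines out of the dcpromo log after a failed attempt, and looks up on the helper DC which krbtgt account (msDS-KrbTgtLink) the pre-staged RODC object points at. Server names are placeholders; it assumes a domain admin session with the RSAT ActiveDirectory module.

```powershell
# Added example (not from the thread). $Rodc and $HelperDc are placeholders.
$Rodc     = 'RODC01'               # placeholder: the RODC being promoted
$HelperDc = 'DC01.corp.example'    # placeholder: writable helper DC

# 1. Before promotion: set NTDS diagnostic logging "5 Replication Events" to 3.
#    On a member server the key may not exist yet, so create it; NTDS reads it
#    once the directory service starts during promotion.
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
New-Item -Path $diagKey -Force | Out-Null
Set-ItemProperty -Path $diagKey -Name '5 Replication Events' -Value 3 -Type DWord

# 2. After a failed attempt: extract the secrets step and the 8639 / 1168 lines
#    from C:\Windows\debug\dcpromo*.log so the failing window is obvious.
$pattern = 'Replicating secrets|\(8639\)|Internal Processing : 1168'
Select-String -Path 'C:\Windows\debug\dcpromo*.log' -Pattern $pattern |
    ForEach-Object {
        '{0}:{1} {2}' -f (Split-Path $_.Path -Leaf), $_.LineNumber, $_.Line.Trim()
    }

# 3. On the helper DC: the answer describes krbtgt_<ServerName> being created and
#    renamed to krbtgt_<n>. Show what the RODC object is linked to, if anything,
#    and list every krbtgt_* account with its backlink so a leftover from an
#    earlier attempt stands out (report only; nothing is deleted here).
Import-Module ActiveDirectory
$rodcObj = Get-ADComputer -Identity $Rodc -Server $HelperDc -Properties 'msDS-KrbTgtLink'
if ($rodcObj.'msDS-KrbTgtLink') {
    Get-ADObject -Identity $rodcObj.'msDS-KrbTgtLink' -Server $HelperDc `
        -Properties sAMAccountName, whenCreated, whenChanged |
        Format-List sAMAccountName, whenCreated, whenChanged
} else {
    "No msDS-KrbTgtLink on $Rodc yet: the secrets step never completed."
}
Get-ADUser -Filter "sAMAccountName -like 'krbtgt_*'" -Server $HelperDc `
    -Properties whenCreated, 'msDS-KrbTgtLinkBL' |
    Select-Object sAMAccountName, whenCreated,
        @{ n = 'LinkedRodc'; e = { $_.'msDS-KrbTgtLinkBL' -join ';' } } |
    Sort-Object whenCreated
```

Compare the timestamps of the krbtgt_* accounts against the "Replicating secrets" line in the log; on a healthy promotion that step completes in a few seconds, as the thread notes.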

All replies

  • Hi,

    Did you check if the KCC is already enabled on RODC site?

    You can refer to the link below to enable it :

    AD DS: The KCC should be enabled in this site in this forest to generate an optimal replication topology

    Friday, January 6, 2017 11:19 PM
  • Hi,
    According to the error message, it seems that outbound replication is disabled. You could try to re-enable outbound replication from the server: please type the following text, and then press ENTER to see if it helps:
    repadmin /options <DC NAME> -DISABLE_OUTBOUND_REPL
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 9, 2017 8:20 AM
    Moderator
  • This is an RODC, how can outbound replication be enabled on an RODC????? It should not be....
    Monday, January 9, 2017 3:02 PM
  • Checked and confirmed KCC is enabled. Please note that I also tried connecting to another writable DC manually, with no luck.
    Monday, January 9, 2017 3:04 PM
  • Hi,

    What do you get when you launch the following commands on the RODC and the writable DC:

    repadmin /showrepl

    Dcdiag

    Monday, January 9, 2017 3:08 PM
  • If the RODC promotion is failing, I don't think I can run repadmin /showrepl....

    I've run DCDIAG on multiple writable DCs and everything is successful. Please note that I promoted 30 other RODCs this way. This is just one server behaving this way.

    Apparently I cannot find the error code documented anywhere: replication event 8639.

    Let me share the dcpromoui logs which show this behavior:

    01/09/2017 06:55:42 [INFO] Replicating data DC=XXXX,DC=XXXX,DC=com: Received 320 out of approximately 320 objects and 1130296 out of approximately 7947985 distinguished name (DN) values...
    01/09/2017 06:55:48 [INFO] Replicating data DC=XXXX,DC=XXXX,DC=com: Received 323 out of approximately 323 objects and 1147797 out of approximately 7947985 distinguished name (DN) values...
    01/09/2017 06:55:54 [INFO] Replicating data DC=XXXX,DC=XXXX,DC=com: Received 324 out of approximately 324 objects and 1165221 out of approximately 7947985 distinguished name (DN) values...
    01/09/2017 06:55:57 [INFO] Replicating data DC=XXXX,DC=XXXX,DC=com: Received 328 out of approximately 328 objects and 1176650 out of approximately 7947985 distinguished name (DN) values...
    01/09/2017 06:55:57 [INFO] Replicated the critical objects in the domain container.
    01/09/2017 06:55:57 [INFO] Replicating critical domain information...
    01/09/2017 06:55:57 [INFO] EVENTLOG (Warning): NTDS General / Internal Processing : 2143
    An optional feature is enabled on this DC. However, the functional level of the forest is incompatible with the complete behavior of this optional feature.
    This condition could be due to a delay in replication to this Active Directory Domain Controller of a change to the functional level of the forest, and may correct itself automatically. If this condition persists, manual intervention may be necessary.
    User Action

    Raise the functional level of the forest to at least the minimum required functional level.
    Optional feature: Recycle Bin Feature

    Minimum required functional level: 4

    Current functional level: 4294967295
    01/09/2017 06:55:57 [INFO] EVENTLOG (Warning): NTDS General / Replication : 1115
    Outbound replication has been disabled by the user.

    01/09/2017 06:55:57 [INFO] Replicating secrets for Read-only Domain Controller.
    01/09/2017 06:55:58 [INFO] Error - While promoting Read-only Domain Controller, failed to replicate the secrets from the helper AD DC. (8639)
    01/09/2017 06:55:58 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
    Internal error: An Active Directory Domain Services error has occurred.
    Additional Data

    Error value (decimal):
    -1073741823

    Error value (hex):
    c0000001

    Internal ID:
    3001806

    Also, checking the successful dcpromo logs of a similar server promoted to RODC, this step of replicating secrets takes only 5 to 6 seconds.

    Tuesday, January 10, 2017 2:11 AM
  • Hi,
    If the problem only happened on this server, have you checked if there is any difference between it and the other working machines? Maybe, that is the cause of this problem.
    In addition, as you said, no further information can be found on event 8639; in my opinion, you could open a case with Microsoft Technical Support to see if they can get more information regarding this problem: https://support.microsoft.com/en-us/contactus/?ws=support
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, January 12, 2017 2:36 AM
    Moderator
  • Had the same issues - found that the following helped to solve them:

    1) Create static DNS entries for the pre-staged RODC on the writable DC

    (tends to cause "Replicating schema" unresponsive system and "Access denied" errors - inbound connections)

    2) Set IPv4 to enable NetBIOS over TCP/IP on all NICs

    (tends to cause "Replicating schema" unresponsive system and "Access denied" errors - inbound connections)

    3) Double check your site-link subnets and assignments

    (tends to cause "Replicating RODC secrets" unresponsive system errors - outbound connections)

    Hope this helps

    RudiK

    Monday, September 4, 2017 6:32 AM
  • - Rename to a temporary name
    - Remove from the domain
    - Delete the AD computer object
    - Force a sync of the domain
    - Rename back to the original name and add to the domain at the same time
    - Add the domain services role
    - Promote to RODC

    This worked for me. But the root cause is still unknown; something wrong with the computer object, maybe.
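An added example, not Dmitry's own script: it performs the AD-side part of the procedure above from a writable DC (delete the computer object, force a sync, verify every writable DC agrees it is gone before the rejoin) and shows the rejoin and promotion commands that run on the server itself after its reboots. Names are placeholders; it assumes a domain admin session with the ActiveDirectory module.

```powershell
# Added example (not from the thread). $Rodc, $Domain and $Site are placeholders.
$Rodc   = 'RODC01'          # placeholder: original RODC name
$Domain = 'corp.example'    # placeholder: AD domain
$Site   = 'Branch-Site'     # placeholder: AD site for the RODC
Import-Module ActiveDirectory

# Step 3: delete the AD computer object. Record the krbtgt_<n> it was linked to
# first, so a leftover account can be looked at separately. A failed promotion
# can leave child objects under the computer object, which makes plain
# Remove-ADComputer fail on a non-leaf object, hence Remove-ADObject -Recursive.
$obj = Get-ADComputer -Identity $Rodc -Properties 'msDS-KrbTgtLink' -ErrorAction SilentlyContinue
if ($obj) {
    if ($obj.'msDS-KrbTgtLink') { "Was linked to krbtgt account: $($obj.'msDS-KrbTgtLink')" }
    Remove-ADObject -Identity $obj.DistinguishedName -Recursive -Confirm:$false
} else {
    "No computer object named $Rodc found."
}

# Step 4: force a push sync of all partitions enterprise-wide, then confirm the
# object is gone on every writable DC before the server rejoins with its name.
repadmin /syncall /AdeP | Out-Null
$writableDcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
$stillPresent = foreach ($dc in $writableDcs) {
    if (Get-ADComputer -Filter "Name -eq '$Rodc'" -Server $dc.HostName) { $dc.HostName }
}
if ($stillPresent) {
    throw "Computer object still present on: $($stillPresent -join ', '); wait and re-check."
}
"Object $Rodc is gone from all writable DCs; safe to rejoin."

# Steps 5-7 run on the server itself (each rejoin/rename needs a reboot):
#   Add-Computer -DomainName $Domain -NewName $Rodc -Credential (Get-Credential) -Restart
#   Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
#   Install-ADDSDomainController -DomainName $Domain -ReadOnlyReplica -SiteName $Site `
#       -Credential (Get-Credential)
```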

    Wednesday, September 20, 2017 3:59 PM
  • Thank you, Dmitry.  This set of steps solved it for me.  One should always remember the remove from domain/add to domain as a possible solution.  As useful as reboot!
    Wednesday, November 21, 2018 12:33 AM
  • Thanks for this Dmitry. It solved the issue as my last option. Also used the ps script to delete the object but not sure if that helps. Thanks again!
    Monday, November 26, 2018 7:21 PM