error: 5 (Access is denied) RODC (win srv 2012) with DC (win srv 2016)

Question
-
Good Day Dears,
I'm trying to add an RODC (Windows Server 2012 R2) to a DC (Windows Server 2016) and I get error: 5 (Access is denied).
Note that my user is a member of: Administrators, Domain Admins, Allowed RODC Password and Enterprise Admin.
Also I tried to add it from the DC, from Pre-create Read-only Domain Controller account.
Br,
Ahmed Maxsood
Wednesday, July 22, 2020 8:57 AM
All replies
-
Hello Ahmed Maxsood ,
Thank you for posting here.
Q: I'm trying to add RODC (windows server 2012 R2) to DC (windows server 2016) and I have error: 5 (Access is denied)
A: As I understand, we want to add one RODC to an existing domain.
Before we make any change in an existing AD domain environment, we had better do the following:
1. Check if the AD environment is healthy. Check that all DCs in this domain are working fine by running Dcdiag /v on every DC.
Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum on every DC.
2. Back up all domain controllers.
Before we begin to troubleshoot, please let me know more information to clarify our issue, would you mind collecting the following information at your convenience? I appreciate your time and effort.
1. What is our domain functional level and forest functional level?
2. How many domains do you have?
3. How many DCs are in each domain?
4. What specific operations are you doing when we receive this error (add RODC to domain or promote RODC)? It would be perfect if you could provide a screenshot of the error message.
5. Would you please do the same operations with the built-in domain Administrator account and check if it helps?
Note: If we want to add 2012 R2 DC to the existing domain, the domain functional level must be equal to or lower than 2012 R2.
If anything is unclear, please feel free to let us know.
This "Directory Services" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details.
Best Regards,
Daisy Zhou
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
"Directory Services" forum will be migrating to a new home on Microsoft Q&A!
We invite you to post new questions in the "Directory Services" forum's new home on Microsoft Q&A!
For more information, please refer to the sticky post.
- Edited by Daisy Zhou (Microsoft contingent staff) Thursday, July 23, 2020 7:10 AM
Thursday, July 23, 2020 7:09 AM -
Hi Dear,
Please check the below info:
1. What is our domain functional level and forest functional level? Functional as AD DS and DNS
2. How many domains do you have? 1 domain
3. How many DCs are in each domain? 1 DC
4. What specific operations are you doing when we receive this error (add RODC to domain or promote RODC)? It would be perfect if you could provide a screenshot of the error message. add RODC
5. Would you please do the same operations with the built-in domain Administrator account and check if it helps? I will check.
Also please check the below info:
C:\Users\a.maxsood>Dcdiag /v
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine APS-DC, is a Directory Server.
Home Server = APS-DC
* Connecting to directory service on server APS-DC.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=aps,DC=iq,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=aps,DC=iq,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\APS-DC
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... APS-DC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\APS-DC
Starting test: Advertising
The DC APS-DC is advertising itself as a DC and having a DS.
The DC APS-DC is advertising as an LDAP server
The DC APS-DC is advertising as having a writeable directory
The DC APS-DC is advertising as a Key Distribution Center
Warning: APS-DC is not advertising as a time server.
The DS APS-DC is advertising as a GC.
......................... APS-DC failed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... APS-DC passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... APS-DC passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... APS-DC passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... APS-DC passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq
Role Domain Owner = CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq
Role PDC Owner = CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq
Role Rid Owner = CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq
Role Infrastructure Update Owner = CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq
......................... APS-DC passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC APS-DC on DC APS-DC.
* SPN found :LDAP/APS-DC.aps.iq/aps.iq
* SPN found :LDAP/APS-DC.aps.iq
* SPN found :LDAP/APS-DC
* SPN found :LDAP/APS-DC.aps.iq/APS
* SPN found :LDAP/720c98fa-dd7c-48f5-9483-f6d7067f72f4._msdcs.aps.iq
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/720c98fa-dd7c-48f5-9483-f6d7067f72f4/aps.iq
* SPN found :HOST/APS-DC.aps.iq/aps.iq
* SPN found :HOST/APS-DC.aps.iq
* SPN found :HOST/APS-DC
* SPN found :HOST/APS-DC.aps.iq/APS
* SPN found :GC/APS-DC.aps.iq/aps.iq
......................... APS-DC passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC APS-DC.
* Security Permissions Check for
DC=ForestDnsZones,DC=aps,DC=iq
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=aps,DC=iq
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=aps,DC=iq
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=aps,DC=iq
(Configuration,Version 3)
* Security Permissions Check for
DC=aps,DC=iq
(Domain,Version 3)
......................... APS-DC passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\APS-DC\netlogon
Verified share \\APS-DC\sysvol
[APS-DC] User credentials does not have permission to perform this operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... APS-DC failed test NetLogons
Starting test: ObjectsReplicated
APS-DC is in domain DC=aps,DC=iq
Checking for CN=APS-DC,OU=Domain Controllers,DC=aps,DC=iq in domain DC=aps,DC=iq on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq in domain CN=Configuration,DC=aps,DC=iq on 1 servers
Object is up-to-date on all servers.
......................... APS-DC passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
[Replications Check,APS-DC] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
"Replication access was denied."
......................... APS-DC failed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 2604 to 1073741823
* APS-DC.aps.iq is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 2104 to 2603
* rIDPreviousAllocationPool is 2104 to 2603
* rIDNextRID: 2200
......................... APS-DC passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
Could not open NTDS Service on APS-DC, error 0x5 "Access is denied."
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... APS-DC failed test Services
Starting test: SystemLog
* The System Event log test
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:34:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
A warning event occurred. EventID: 0x00004249
Time Generated: 07/26/2020 11:35:31
Event String:
6 remote calls to the SAM database have been denied in the past 900 seconds throttling window.
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:36:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:38:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:40:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:42:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:44:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:46:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0xC0000010
Time Generated: 07/26/2020 11:47:03
Event String:
While processing a TGS request for the target server m.qassim, the account m.qassim@APS.IQ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18 17. The accounts available etypes were 23 -133 -128 18 17. Changing or resetting the password of m.qassim will generate a proper key.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:47:15
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:47:22
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:47:23
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:48:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:50:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:52:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
A warning event occurred. EventID: 0x00004249
Time Generated: 07/26/2020 11:53:33
Event String:
4 remote calls to the SAM database have been denied in the past 900 seconds throttling window.
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:54:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0xC0000010
Time Generated: 07/26/2020 11:54:30
Event String:
While processing a TGS request for the target server a.abbas, the account a.abbas@APS.IQ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18 17. The accounts available etypes were 23 -133 -128 18 17. Changing or resetting the password of a.abbas will generate a proper key.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:56:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:58:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:00:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:02:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:04:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:06:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:08:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:10:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:12:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
A warning event occurred. EventID: 0x00004249
Time Generated: 07/26/2020 12:13:38
Event String:
5 remote calls to the SAM database have been denied in the past 900 seconds throttling window.
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:14:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:16:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:18:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:20:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:22:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:24:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:26:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:28:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:30:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 12:32:05
Event String:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
......................... APS-DC failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference) CN=APS-DC,OU=Domain Controllers,DC=aps,DC=iq and backlink on
CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq are correct.
The system object reference (serverReferenceBL)
CN=APS-DC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=aps,DC=iq and backlink on
CN=NTDS Settings,CN=APS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aps,DC=iq are
correct.
The system object reference (msDFSR-ComputerReferenceBL)
CN=APS-DC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=aps,DC=iq and backlink on
CN=APS-DC,OU=Domain Controllers,DC=aps,DC=iq are correct.
......................... APS-DC passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : aps
Starting test: CheckSDRefDom
......................... aps passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... aps passed test CrossRefValidation
Running enterprise tests on : aps.iq
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\APS-DC.aps.iq
Locator Flags: 0xe001f1bd
PDC Name: \\APS-DC.aps.iq
Locator Flags: 0xe001f1bd
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
KDC Name: \\APS-DC.aps.iq
Locator Flags: 0xe001f1bd
......................... aps.iq failed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments
provided.
......................... aps.iq passed test Intersite
C:\Users\a.maxsood>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\APS-DC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 720c98fa-dd7c-48f5-9483-f6d7067f72f4
DSA invocationID: ea5521a1-5e95-4bcd-a92c-566052c72ca7
C:\Users\a.maxsood>repadmin /replsum
Replication Summary Start Time: 2020-07-26 12:33:17
Beginning data collection for replication summary, this may take awhile:
....
Source DSA largest delta fails/total %% error
Destination DSA largest delta fails/total %% error
C:\Users\a.maxsood>
Sunday, July 26, 2020 11:50 AM -
Hello,
Thank you for your update.
From the result of DCdiag /v, it seems there are some problems with this DC.
1. We can check domain functional level and forest functional level as below:
2. Is this DC a GC? We can check as below:
3. Are the netlogon folder and sysvol folder shared? We can run net share on this DC to check.
4. We can run Netdom query FSMO on this DC to check the result about FSMO role holders.
Best Regards,
Daisy Zhou
- Edited by Daisy Zhou (Microsoft contingent staff) Monday, July 27, 2020 5:09 AM
Monday, July 27, 2020 5:09 AM -
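Added example, not part of any post in this thread: a small Python triage of `dcdiag /v` output like the one pasted above. It lists the failed tests, the lines that explain each failure, whether that text mentions an access or permission denial, and a per-EventID count for event-log tests. The excerpt in `SAMPLE` is constructed from lines in that output, and all function names are this example's own.

```python
import re
from collections import Counter

# Constructed excerpt, modelled on lines of the `dcdiag /v` output posted in this thread.
SAMPLE = """\
Testing server: Default-First-Site-Name\\APS-DC
Starting test: Connectivity
* Active Directory LDAP Services Check
......................... APS-DC passed test Connectivity
Starting test: Advertising
Warning: APS-DC is not advertising as a time server.
......................... APS-DC failed test Advertising
Starting test: NetLogons
[APS-DC] User credentials does not have permission to perform this operation.
......................... APS-DC failed test NetLogons
Starting test: Replications
[Replications Check,APS-DC] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
"Replication access was denied."
......................... APS-DC failed test Replications
Starting test: Services
* Checking Service: NTDS
Could not open NTDS Service on APS-DC, error 0x5 "Access is denied."
......................... APS-DC failed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:34:05
A warning event occurred. EventID: 0x00004249
Time Generated: 07/26/2020 11:35:31
An error event occurred. EventID: 0x00009005
Time Generated: 07/26/2020 11:36:05
......................... APS-DC failed test SystemLog
"""

START = re.compile(r"^Starting test:\s+(?P<test>\S+)")
RESULT = re.compile(
    r"^\.{5,}\s+(?P<target>\S+)\s+(?P<verdict>passed|failed)\s+test\s+(?P<test>\S+)"
)
EVENT = re.compile(r"\bevent occurred\.\s+EventID:\s+(?P<id>0x[0-9A-Fa-f]+)")
# Lines worth keeping as the reason for a verdict.
EVIDENCE = re.compile(
    r"warning:|denied|does not have permission|failed, error|error 0x", re.I
)
# Text indicating that the account running dcdiag was refused.
ACCESS = re.compile(r"denied|does not have permission", re.I)


def _new_block(test):
    return {"test": test, "evidence": [], "events": Counter()}


def parse_dcdiag(text):
    """Return one dict per test verdict, in the order dcdiag printed them."""
    results, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = START.match(line)
        if m:
            current = _new_block(m["test"])
            continue
        m = RESULT.match(line)
        if m:
            # A verdict closes the block opened by the matching "Starting test".
            same = current is not None and current["test"] == m["test"]
            block = current if same else _new_block(m["test"])
            block["target"] = m["target"]
            block["passed"] = m["verdict"] == "passed"
            block["access_denied"] = any(ACCESS.search(e) for e in block["evidence"])
            results.append(block)
            current = None
            continue
        if current is None:
            continue  # header lines outside any test
        m = EVENT.search(line)
        if m:
            # Collapse repeated event-log entries into a count per EventID.
            current["events"][m["id"]] += 1
        elif EVIDENCE.search(line):
            current["evidence"].append(line)
    return results


def failed_tests(results):
    return [r["test"] for r in results if not r["passed"]]


def access_denied_tests(results):
    return [r["test"] for r in results if not r["passed"] and r["access_denied"]]


if __name__ == "__main__":
    for r in parse_dcdiag(SAMPLE):
        if r["passed"]:
            continue
        tag = " [access denied]" if r["access_denied"] else ""
        print(f"{r['target']}: {r['test']} FAILED{tag}")
        for line in r["evidence"]:
            print(f"    {line}")
        for event_id, count in r["events"].items():
            print(f"    EventID {event_id} x{count}")
```

To use it on a real capture, save the output with `dcdiag /v > dcdiag.txt` and pass the file's contents to `parse_dcdiag`.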
Thanks Dear for the reply, please check the below info:
- current forest functional level: Windows Server 2016 (not 2012)
- this DC is GC
- net share
Share name Resource Remark
-------------------------------------------------------------------------------
IPC$ Remote IPC
C$ C:\ Default share
print$ C:\Windows\system32\spool\drivers
Printer Drivers
ADMIN$ C:\Windows Remote Admin
aps C:\aps
DAG.aps.iq C:\witness File share witness created for ...
NETLOGON C:\Windows\SYSVOL\sysvol\aps.iq\SCRIPTS
Logon server share
p C:\p
share C:\share
SYSVOL C:\Windows\SYSVOL\sysvol Logon server share
witness C:\witness
The command completed successfully.
- netdom query fsmo
Schema master APS-DC.aps.iq
Domain naming master APS-DC.aps.iq
PDC APS-DC.aps.iq
RID pool manager APS-DC.aps.iq
Infrastructure master APS-DC.aps.iq
The command completed successfully.
- Edited by Ahmed Maxsood Monday, July 27, 2020 8:11 AM
Monday, July 27, 2020 8:10 AM -
Any update please?
Wednesday, July 29, 2020 6:42 AM
-
Hi,
I am sorry for the late reply.
Ensure that all domain functional levels are equal to or higher than the forest functional level;
Ensure that the operating system level of all domain controllers is equal to or higher than the domain functional level;
Windows Server 2016
Supported Domain Controller Operating System:
Windows Server 2019
Windows Server 2016
So we can add a 2016 RODC or 2019 RODC to your AD domain.
Reference
Forest and Domain Functional Levels
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
Best Regards,
Daisy Zhou
Wednesday, July 29, 2020 8:48 AM -
You can't add DC with installed WS2012R2 to forest level WS2016 - it's unsupportable configuration. Use at least WS2016 for deploying RODC.
Wednesday, July 29, 2020 8:52 AM
-
Hi
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.
Best Regards,
Daisy Zhou
- Edited by Daisy Zhou (Microsoft contingent staff) Friday, July 31, 2020 4:10 AM
Friday, July 31, 2020 4:10 AM -
Hi,
I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
Thanks for your time and have a nice day!
Best Regards,
Daisy Zhou
- Edited by Daisy Zhou (Microsoft contingent staff) Monday, August 3, 2020 7:41 AM
Monday, August 3, 2020 7:41 AM -
Thanks Dear for your reply.
Wednesday, August 5, 2020 7:04 AM
-
You can't add DC with installed WS2012R2 to forest level WS2016 - it's unsupportable configuration. Use at least WS2016 for deploying RODC.
ok dear, thanks.
Wednesday, August 5, 2020 7:08 AM -
Hi,
Thank you for your update.
If we add Windows Server 2019 RODC or Windows Server 2016 RODC in the domain, is it successful?
If so, as always, if there is any question in future, we warmly welcome you to post in Q&A forum again. We are happy to assist you!
Best Regards,
Daisy Zhou
- Edited by Daisy Zhou (Microsoft contingent staff) Friday, August 7, 2020 7:10 AM
Thursday, August 6, 2020 6:27 AM -
Hello,
Greetings!
Because this TechNet forum will become read-only from 8/10, in order to provide support for you conveniently, we have posted the same post as this case on the Q&A forum for you.
If you need further help about this case, you are welcome to go to the Q&A forum to continue consulting.
I am sorry for the inconvenience, thank you so much for your understanding and support.
New case link:
https://docs.microsoft.com/en-us/answers/questions/61377/error-5-access-s-denied-rodc-win-srv-2012-with-dc.html
Best Regards,
Daisy Zhou
- Edited by Daisy Zhou (Microsoft contingent staff) Friday, August 7, 2020 7:45 AM
Friday, August 7, 2020 7:44 AM