Sunday, November 22, 2015

Client and Server Operating System Issues in Read-Only Domain Controller

Client computers need no changes to use an RODC. Computers running any of the following operating systems are supported for use with RODCs:
  • Microsoft Windows 2000 Server
  • Windows XP
  • Windows Server 2003
  • Windows Vista™
  • Member servers running Windows Server 2008
However, depending on your environment, you might need to apply a hotfix or make configuration changes to address the following known issues:
  • Microsoft Knowledge Base article 929768
  • If you attempt to attach a server to a read-only domain controller (RODC) account in a highly-secured environment, the operation may fail with the error "Replication access denied."

    To avoid this, perform a complete non-delegated installation of the RODC using a Domain Administrator account.

    You can also correct this issue by adjusting the permissions for the following objects:

    • On the organizational unit of the domain controller, grant Read permission to Authenticated Users.
    • On the Infrastructure container, grant Read permission to Authenticated Users.
  • If an RODC is present in the site, applications may fail to register their Service Principal Names (SPNs).

    To correct this, identify the service account of any application that has failed to register its SPN and cache that account's password on all RODCs in the same site.

    To identify which RODCs currently cache the password of the service account, open Active Directory Users and Computers, right-click the service account object, click Properties, and click the Password Replication tab.

    To cache the password on a specific RODC, open Active Directory Users and Computers, click Domain Controllers, right-click the RODC account object, click Properties, and then click the Password Replication Policy tab. Click Advanced, and then click Prepopulate Passwords. Prepopulation only succeeds if the account is allowed by that RODC's Password Replication Policy.
  • After you add an RODC to a site that has a Windows Server 2003 global catalog server, you might see an Event ID 1645 error logged on the Windows Server 2003 global catalog server. The error indicates that a replication SPN could not be registered for the RODC. This is by design, and you can disregard the error. It occurs because the RODC requests replication notifications from the Windows Server 2003 global catalog server, but the Windows Server 2003 global catalog server does not use notifications to the RODC. 
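The two manual fixes above (granting Authenticated Users read access for the "Replication access denied" failure, and finding which RODCs cache a service account's password before prepopulating it) can be scripted. The following is an added example written for this page, not code from the original post or from Microsoft; it assumes an elevated PowerShell session on a domain-joined host with RSAT (the ActiveDirectory module, dsacls and repadmin), and every OU, site and account name in the usage section is an assumption.

```powershell
# Added example (not from the original page). Requires RSAT: ActiveDirectory
# module, dsacls.exe and repadmin.exe. Run as a Domain Admin.
Import-Module ActiveDirectory

# Issue: "Replication access denied" when attaching a server to a pre-created
# RODC account. Grants Authenticated Users generic read (GR) on the OU that
# holds the RODC account and on the domain's Infrastructure container, then
# dumps the ACL back so the grant can be confirmed.
function Grant-RodcStagingRead {
    param(
        [Parameter(Mandatory)] [string] $RodcOuDn,        # OU containing the RODC account (assumed)
        [string] $DomainDn = (Get-ADDomain).DistinguishedName,
        [switch] $WhatIf
    )
    $trustee = 'NT AUTHORITY\Authenticated Users'
    foreach ($dn in @($RodcOuDn, "CN=Infrastructure,$DomainDn")) {
        # dsacls syntax: <object DN> /G <trustee>:<rights>; GR = generic read
        if ($WhatIf) { "dsacls `"$dn`" /G `"${trustee}:GR`""; continue }
        & dsacls $dn /G "${trustee}:GR" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $dn (exit $LASTEXITCODE)" }
        $acl = & dsacls $dn
        if (-not ($acl -match 'Authenticated Users')) { throw "Grant not visible on $dn" }
    }
}

# Issue: SPN registration fails because no RODC in the site caches the
# service account's password. Compares the RODCs in the site with the
# account's msDS-RevealedDSAs backlink (NTDS Settings DNs of the RODCs that
# already hold its password) and prepopulates the rest with
# repadmin /rodcpwdrepl, pulling from a writable DC. Because prepopulation is
# refused when the RODC's Password Replication Policy does not allow the
# account, -AddToAllowedList can add it to each RODC's allowed list first.
function Sync-RodcServiceAccountPassword {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $SiteName,
        [switch] $AddToAllowedList,
        [switch] $WhatIf
    )
    $account  = Get-ADUser -Identity $SamAccountName -Properties 'msDS-RevealedDSAs'
    $cachedOn = @($account.'msDS-RevealedDSAs')
    $writable = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
    $rodcs    = Get-ADDomainController -Filter { IsReadOnly -eq $true } |
                Where-Object { $_.Site -eq $SiteName }
    if (-not $rodcs) { throw "No RODC found in site $SiteName" }

    foreach ($rodc in $rodcs) {
        $hasIt = $cachedOn -contains $rodc.NTDSSettingsObjectDN
        if (-not $hasIt -and -not $WhatIf) {
            if ($AddToAllowedList) {
                Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $account
            }
            & repadmin /rodcpwdrepl $rodc.HostName $writable $account.DistinguishedName | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "repadmin /rodcpwdrepl failed for $($rodc.HostName)" }
            # Re-check from the RODC side: the account must now appear in its revealed list
            $hasIt = [bool](Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
                            Where-Object SamAccountName -eq $SamAccountName)
        }
        [pscustomobject]@{ RODC = $rodc.HostName; Site = $rodc.Site; PasswordCached = $hasIt }
    }
}

# Usage with assumed names; drop -WhatIf to apply the changes.
Grant-RodcStagingRead -RodcOuDn 'OU=Domain Controllers,DC=corp,DC=example' -WhatIf
Sync-RodcServiceAccountPassword -SamAccountName 'svc-app' -SiteName 'Branch01' -AddToAllowedList -WhatIf |
    Format-Table -AutoSize
```

With -WhatIf the second function only reports the current caching state per RODC, which is the same information the Password Replication tab shows for the account; without it, any RODC in the site that does not yet hold the password is prepopulated and re-verified from its own revealed-accounts list.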
