Troubleshooting RODC's: Troubleshooting domain joins against RODC's

re: Troubleshooting RODC's: Troubleshooting domain joins against RODC's

Ingolfur Arnar Stangeland — Thu, 03 Feb 2011 13:39:33 GMT

The first line calls DsGetDcName function with WRITABLE flag set, anything after that is an expected response to that.

I.e. what we're looking at here is after the fact, whatever caused the XP to ask for a writable DC would be logged earlier in the Netlogon log.

You could try adding ExpectedDialupDelay as per technet.microsoft.com/.../cc957332.aspx to give the Netlogon service more time before it goes out and asks for a DC.

It's also not impossible that you're simply hitting a path in the RODC Compatibility pack where a call to DsGetDCName wasn't modified to cater for RODCs' - in which case the current lifecycle of XP (EOL) means it won't be changed.

re: Troubleshooting RODC's: Troubleshooting domain joins against RODC's

Giovanni — Wed, 02 Feb 2011 17:20:19 GMT

The problem i'm troubleshooting is that machines do not authenticate to the right domain controller of their site when the machines startup. 15 minutes after the machine started the process of finding the best DC starts agian and then the machine authenticate to the RODC of the site. But I want it to authenticated to the RODC when it starts to and not only after 15 minutes

And the error in the log is that the read only domain controller isn't writable (of course)

DC4 is the RODC, 172.16.1.1 and 172.16.1.6 are writeable DC's

I put a piece of the log here for you: (i have replaced our domainname with "domain")

02/02 18:04:00 [MISC] DsGetDcName function called: Dom:(null) Acct:(null) Flags: DS WRITABLE BACKGROUND RET_NETBIOS

02/02 18:04:00 [MAILSLOT] NetpDcPingListIp: domain.local.: Sent UDP ping to 192.168.66.1

02/02 18:04:00 [CRITICAL] NetpDcMatchResponse: DC4: domain.local.: Responder is not a writable server. 0x28fc

02/02 18:04:00 [CRITICAL] NetpDcGetNameIp: domain.local.: site specific SRV records done.

02/02 18:04:00 [MAILSLOT] NetpDcPingListIp: domain.local.: Sent UDP ping to 192.168.34.2

02/02 18:04:01 [MAILSLOT] NetpDcPingListIp: domain.local.: Sent UDP ping to 172.16.1.1

02/02 18:04:01 [MISC] DsGetDcName function returns 0: Dom:(null) Acct:(null) Flags: DS WRITABLE BACKGROUND RET_NETBIOS

02/02 18:04:01 [MISC] DsGetDcName function called: Dom:(null) Acct:(null) Flags: FORCE DS WRITABLE BACKGROUND RET_NETBIOS

02/02 18:04:01 [MAILSLOT] NetpDcPingListIp: domain.local.: Sent UDP ping to 192.168.66.1

02/02 18:04:01 [CRITICAL] NetpDcMatchResponse: DC4: domain.local.: Responder is not a writable server. 0x28fc

02/02 18:04:02 [CRITICAL] NetpDcGetNameIp: domain.local.: site specific SRV records done.

02/02 18:04:02 [MAILSLOT] NetpDcPingListIp: domain.local.: Sent UDP ping to 172.16.1.6

02/02 18:04:02 [MISC] DsGetDcName function returns 0: Dom:(null) Acct:(null) Flags: FORCE DS WRITABLE BACKGROUND RET_NETBIOS

02/02 18:04:04 [MISC] DsGetDcName function called: Dom:(null) Acct:(null) Flags: BACKGROUND RET_DNS

02/02 18:04:04 [MISC] NetpDcGetName: domain.local. using cached information

re: Troubleshooting RODC's: Troubleshooting domain joins against RODC's

Ingolfur Arnar Stangeland — Mon, 31 Jan 2011 09:20:16 GMT

So you don't have a domain join issue and you don't have a computer account password change issue.

What is the problem you're troubleshooting? (that has the Netlogon messages you describe).

Incidentally, as there is no hit on NtpDcMatchResponse that I can find I suspect you're actually referring to NetpDcMatchResponse. If that is the case then you may be looking at an issue with ADSI when used in combination with the Group Policy Preferences client where it specifically asks for a writable DC.

There is a fix for ADSI and Gppref that is available for Windows 7 but that fix will not be backported to XP or W2k3 as both are in Extended Support.

See support.microsoft.com/.../983531 for details on the Windows 7 fix.

re: Troubleshooting RODC's: Troubleshooting domain joins against RODC's

Giovanni — Sun, 30 Jan 2011 23:13:22 GMT

Yes the workstation is in the list of accounts allowed to replicate its password to the RODC, and i also see it in the list of accounts that have their passwords stored on it.

re: Troubleshooting RODC's: Troubleshooting domain joins against RODC's

Ingolfur Arnar Stangeland — Wed, 26 Jan 2011 14:35:42 GMT

Then you don't have a domain join issue, my bet is the workstation is trying to change the machine account password. Is it in the list of accounts allowed to replicate its password to the RODC? If it is, do you see it in the list of accounts that have their passwords stored on it?

re: Troubleshooting RODC's: Troubleshooting domain joins against RODC's

Giovanni — Wed, 26 Jan 2011 09:47:06 GMT

The XP client was already joined to the domain and after that we implemented the RODC. When the XP client startups i see the following in the netlogon.log

"NtpDcMatchResponse: DC3: Responder is not a writable server. 0x28fc" and then the clients sends a request to the writable DC

I also see this in the log "DsGetDcName function called: Dom:(null) Acct:(null) Flags: FORCE DS WRITABLE BACKGROUND RET_NETBIOS"

re: Troubleshooting RODC's: Troubleshooting domain joins against RODC's

Ingolfur Arnar Stangeland — Tue, 25 Jan 2011 20:34:15 GMT

Interesting....are you using the GUI or a script? Do both behave the same?

re: Troubleshooting RODC's: Troubleshooting domain joins against RODC's

Giovanni — Tue, 25 Jan 2011 20:32:00 GMT

Actually i see the flag in the netlogon debug log.

What happens is that a XP client tries to authenticate to the RODC, it finds the RODC but than in the log i see that the RODC isn't writable (of course) and the client then switches the authentication to a writable domain controller

re: Troubleshooting RODC's: Troubleshooting domain joins against RODC's

Ingolfur Arnar Stangeland — Tue, 25 Jan 2011 18:47:44 GMT

If you're seeing that flag then it sounds like you're trying to join using the GUI, the GUI doesn't add the required NETSETUP_JOIN_READONLY flag during the join operation.

I.e. XP and W2k3 clients can *only* join RODC's using a script where the NETSETUP_JOIN_READONLY flag is specified (and all the other prerequisites in the article are in place also).

re: Troubleshooting RODC's: Troubleshooting domain joins against RODC's

Giovanni — Tue, 25 Jan 2011 16:52:30 GMT

Thanks for the article this is exact the problem we have with our XP Clients.

I installed the compack but still the clients have the DS_WRITABLE_REQUIRED flag.

What else can we do to let the clients get the DS_DIRECTORY_SERVICE_REQUIRED flag.

Thanks,

Giovanni