I can create users in RODC !!!

  • Question

  • Dear All
    I installed Active Directory (ADDS) and Domain Name System (DNS)
    And a full installation of Read Only Domain Controller (RODC)
    but I can create users in RODC by
    opening AD Users and Computers
    Expanding the Users container
    Right-clicking and choosing New User
    !!!!
    I think it's read only, not writable
    So, how can I still create users on it?

    My Configuration

    I Used VMware

    Domain Name= my.domain

    First DC
    ---------
    ip address = 10.0.0.2
    Subnet Mask= 255.0.0.0
    Primary Dns Server= 10.0.0.2
    Computer Name= DC

    Second DC:
    ----------
    Ip Address= 10.0.0.3
    Subnet Mask= 255.0.0.0
    Primary DNS Server= 10.0.0.2
    Alternate DNS Server= 10.0.0.3
    Computer Name= RODC

    I did a full installation to RODC

    cmd
    dcpromo

    Thanks

    Wednesday, July 21, 2010 10:04 PM

Answer

  • Hello,

    How does the client DNS update referral mechanism work? From: http://technet.microsoft.com/en-us/library/cc754956(WS.10).aspx

    Because the DNS server that runs on an RODC cannot directly register client updates, it has to refer the client to a DNS server that hosts a primary or Active Directory-integrated copy of the zone file. This server is sometimes referred to as a "writable DNS server." When a client presents a Find Authoritative Query, which is the precursor to an update request, the DNS server on the RODC uses the domain controller Locator to find domain controllers in the closest site.

    The RODC then compares the list of domain controllers that is returned with the list of name server (NS) resource records that it has. The RODC returns to the client the NS resource record of a writable DNS server that the client can use to perform the update. The client can then perform its update.

    If no domain controller in the closest site matches an entry in the list of NS records for the zone, the RODC attempts to discover any domain controller in the forest that matches an entry in the list.

    Suppose that a new client is introduced to a site that has a DNS server running only on an RODC. In this case, the RODC DNS server tries to replicate the DNS record that the client has tried to update on the writable DNS server. This occurs approximately five minutes after the RODC provides a response to the original Find Authoritative Query.

    If the DNS client on the RODC attempts a DNS update, a writable domain controller running Windows Server 2008 is returned so that the RODC can perform the update.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Thursday, July 22, 2010 6:35 AM

All replies

  • Hello,

    when you create an account or change a user password, you are actually connecting to a writable DC. Applications that perform a write operation are referred to a writable domain controller.

    Also check the following on what is not possible when a RWDC is not reachable:

    http://technet.microsoft.com/en-us/library/cc770854(WS.10).aspx


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    • Edited by Meinolf Weber Wednesday, July 21, 2010 10:16 PM Link added
    • Marked as answer by Miles Li (Moderator) Thursday, July 22, 2010 6:48 AM
    • Unmarked as answer by Miles Li (Moderator) Thursday, July 22, 2010 6:48 AM
    Wednesday, July 21, 2010 10:12 PM
  • The object was created on the RWDC through the referral mechanism.

    You should be able to verify this by querying that user's object attributes with repadmin /showobjmeta (more at http://technet.microsoft.com/en-us/library/cc742104(WS.10).aspx)

    hth
    Marcin

    Wednesday, July 21, 2010 10:26 PM
  • Thanks Meinolf and Marcin

    OK, when I dropped the link between the 2 DCs (RWDC and RODC) and opened ADDS on the RODC, I can't create any new object.

    But I notice that I can't create any record in the DNS of the RODC whether the link is up or down (I think because it is a secondary DNS).

    Can I make ADDS of the RODC read only when the link is up?

    (I understand from Meinolf that when connecting to ADDS I am actually connecting to a writable DC, but I need the same thing as in the DNS console. Is there any configuration for that, or am I dreaming :))

    Thursday, July 22, 2010 6:01 AM
  • As Meinolf has pointed out, the same referral mechanism applies in the case of DNS. This is the reason for the "Read-Only" part of the term "RODC". A request to create an object in AD (such as a user or an AD-integrated DNS record) is actually forwarded to the RWDC and replicated back to the RODC....

    hth
    Marcin

    Thursday, July 22, 2010 10:59 AM
  • So is there actually a way to prevent the RODC from updating a RWDC?

    Thursday, February 17, 2011 9:18 AM
  • Hello,

    It's happening because when you start the Active Directory Users & Computers MMC snap-in, by default you are connected to a writable domain controller, hence the options to create users / modify the AD database are available.

    So to verify that the RODC is functioning properly, in the Active Directory Users & Computers MMC snap-in you must first connect to the RODC domain controller by following the steps below:

    In the Active Directory Users & Computers MMC snap-in > right-click on Active Directory Users & Computers > select Change Domain Controller > select the domain controller which has been configured as the RODC.

    Once you have selected the proper RODC, you will see that the RODC is working properly & you cannot make any changes from the RODC server to the AD database.

    _____________________________________________

    Regards,

    Shahrukh Shaikh

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Tuesday, March 12, 2019 4:43 AM
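As an added example (not code from any of the posts above), the following PowerShell script checks the two things the thread describes: that a write bound directly to the RODC is not committed there, and that the replication metadata Marcin mentions names the RWDC as the originating server. It assumes the RSAT ActiveDirectory module (Windows Server 2012 or later) and the thread's host names DC and RODC in my.domain; whether the AD cmdlets follow the referral is treated as an assumption.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# (Windows Server 2012 or later) and the thread's hosts DC and RODC in my.domain.
Import-Module ActiveDirectory

$rwdc = 'DC.my.domain'
$rodc = 'RODC.my.domain'
$sam  = 'rodc-referral-test'      # constructed throw-away account name

# 1. Try a write while explicitly bound to the RODC. An RODC holds no writable
#    copy of the domain partition, so the directory answers with an LDAP
#    referral to a writable DC. ADUC follows that referral silently; the AD
#    cmdlets are assumed here not to follow it, so the call is expected to throw.
try {
    New-ADUser -Name $sam -SamAccountName $sam -Server $rodc -ErrorAction Stop
    Write-Warning "Write bound to $rodc was accepted; check which server really committed it"
} catch {
    Write-Host "Write bound to $rodc was not committed locally: $($_.Exception.Message)"
}

# 2. Create the account on the writable DC, then read the replication metadata.
#    Every attribute write records the DSA that originated it; for an object
#    created "through" an RODC that server is always the RWDC, never the RODC.
New-ADUser -Name $sam -SamAccountName $sam -Server $rwdc -ErrorAction Stop
$dn = (Get-ADUser -Identity $sam -Server $rwdc).DistinguishedName

Get-ADReplicationAttributeMetadata -Object $dn -Server $rwdc |
    Where-Object { $_.AttributeName -in 'objectClass', 'sAMAccountName' } |
    Format-Table AttributeName, Version, LastOriginatingChangeTime,
                 LastOriginatingChangeDirectoryServerIdentity -AutoSize

# Same data via the tool Marcin names above. Run it against the RODC only after
# the object has replicated inbound; it will still show the RWDC as originator.
repadmin /showobjmeta $rwdc "$dn"

# Clean up the throw-away account on the writable DC.
Remove-ADUser -Identity $sam -Server $rwdc -Confirm:$false
```

If the RODC is later disconnected from the RWDC, as the original poster tried, step 1 fails outright and step 2 cannot run, which is the behaviour the thread describes.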
  • Good boss, thank you, correct solution.
    Wednesday, February 19, 2020 12:44 PM