Thursday, January 23, 2014

Fixed: "Could not replicate the directory partition" when promoting the first RODC in an Active Directory Forest.

I was working with a customer today to install their first RODC.  Fun.

Then the DcPromo bombed out with a Replication Failed error.  That's no fun.

I did some digging and found the cause.  On occasion, the AdPrep /RodcPrep does not set the proper permissions for all of the Directory Service Contexts (partitions). 

To find the actual error, I looked in C:\Windows\System32\Debug\DcPromo.log.  Here is the relevant bit.

01/24/2014 00:06:40 [INFO] Error - Active Directory Domain Services could not replicate the directory partition DC=contoso,DC=com from the remote Active Directory Domain Controller (8453)
01/24/2014 00:06:40 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.

Additional Data
Error value (decimal):
Error value (hex):
Internal ID:

The log indicates that my error is for the DC=Contoso,DC=Com Naming context.  I also read one report of this affecting the Schema Partition, so check the log!

To fix it, fire up ADSIEdit.msc.  I used an Enterprise Admin account, but you might get by with a Domain Admin account if you only need to change a specific domain.

Open Action -> Connect To

For me, I'll connect to the "Default naming context".  That is my domain partition since I'm on the domain.

... and click OK to connect.

Now click on "Default naming context" in the left pane.  In the right pane, right-click DC=Contoso,DC=Com and select Properties.

On the Security Tab of the properties window, scroll through the list of permissions and look for "Enterprise Read-Only Domain Controllers".  This group should be granted the Replicating Directory Service permission.  In my domain this permission was missing.

To add this permission, click the Add button.  Type Enterprise Read-Only Domain Controllers in the Object names box and click OK.

Now uncheck all of the default permission boxes for this group and check only the Allow box for "Replicating Directory Changes".  Then click OK.

Note:  Those "Replicating Directory Changes All" and "Replicating Directory Changes in Filtered Set" boxes look really tempting.  Don't do it!  Resist!  I spun up a shiny new Windows 2008 R2 Forest to verify that the OS default setting is only to allow "Replicating Directory Changes" for this group.
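The same check and fix can be scripted instead of clicked through in ADSIEdit.  The script below is an added example and is not from the original post: it audits a naming context's ACL for an Allow ACE granting the "Replicating Directory Changes" extended right to Enterprise Read-Only Domain Controllers, reports (but does not grant) the "All" and "in Filtered Set" rights the note above warns against, and only writes the missing ACE when run with -Apply.  It assumes the RSAT ActiveDirectory module is available, that it runs under an account allowed to change the partition's security descriptor (an Enterprise Admin, as in the post), and it resolves the group by its well-known RID (498) in the forest root domain rather than by name so it also works when run against a child domain.  The -PartitionDN parameter defaults to the domain naming context; pass (Get-ADRootDSE).schemaNamingContext to check the Schema partition mentioned above.

```powershell
param(
    # Naming context to audit; empty = the domain NC ("Default naming context")
    [string]$PartitionDN,
    # Read-only audit unless -Apply is given
    [switch]$Apply
)
Import-Module ActiveDirectory

if (-not $PartitionDN) { $PartitionDN = (Get-ADDomain).DistinguishedName }

# Well-known extended-right GUIDs (schema "controlAccessRight" rightsGuid values)
$GetChanges         = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes
$GetChangesAll      = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes All
$GetChangesFiltered = [guid]'89e95b76-444d-4c62-991a-0facbeda640c'  # Replicating Directory Changes in Filtered Set

# Enterprise Read-Only Domain Controllers = <forest root domain SID>-498
$rootDomainSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
$erodcSid      = [System.Security.Principal.SecurityIdentifier]"$rootDomainSid-498"

# True when the ACE is an Allow of the given extended right. An ACE whose
# ObjectType is the empty GUID allows *all* extended rights, so count it too.
function Test-ExtendedRightAce {
    param($Ace, [guid]$RightGuid)
    ($Ace.AccessControlType -eq 'Allow') -and
    (($Ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    ($Ace.ObjectType -eq $RightGuid -or $Ace.ObjectType -eq [guid]::Empty)
}

$acl = Get-Acl -Path "AD:\$PartitionDN"

# Keep only ACEs whose trustee is the ERODC group, comparing by SID so an
# unresolvable or differently-formatted name does not hide a match.
$erodcAces = $acl.Access | Where-Object {
    try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $erodcSid }
    catch { $false }
}

$hasGetChanges  = [bool]($erodcAces | Where-Object { Test-ExtendedRightAce $_ $GetChanges })
$hasAll         = [bool]($erodcAces | Where-Object { Test-ExtendedRightAce $_ $GetChangesAll })
$hasFilteredSet = [bool]($erodcAces | Where-Object { Test-ExtendedRightAce $_ $GetChangesFiltered })

if (-not $hasGetChanges -and $Apply) {
    # Same ACE the ADSIEdit steps create: Allow, ExtendedRight, this object only
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $erodcSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $GetChanges)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$PartitionDN" -AclObject $acl
    $hasGetChanges = $true
}

# Summary: GetChanges should be True; All / FilteredSet should normally be
# False for this group (the OS default the post verified on a fresh forest).
[pscustomobject]@{
    Partition                 = $PartitionDN
    Trustee                   = "Enterprise Read-Only Domain Controllers ($erodcSid)"
    ReplicatingDirChanges     = $hasGetChanges
    ReplicatingDirChangesAll  = $hasAll   # unexpected if True
    ReplicatingDirChangesFilt = $hasFilteredSet  # unexpected if True
    Applied                   = [bool]$Apply
}
```

Run it once without -Apply to see the current state of each partition named in DcPromo.log; only the Allow ACE for "Replicating Directory Changes" is added on -Apply, and any "All" or "in Filtered Set" grants are reported for manual review rather than touched, matching the warning in the note above.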

Now the RODC DcPromo is successful.  Fantastic!

This is the part where I say "Back to the salt mines", but that's not quite right.  I'd love to visit a salt mine or any kind of mine thus rendering the spirit of the quip null and void.

"Back to the PowerShell"
