DNS on a Read Only Domain Controller (RODC)
MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
DNS on an RODC Main Highlights:
- Changes not allowed on the read-only DNS zone
- Records cannot be added manually
- Dynamic updates cannot be made
- Dynamic updates are “referred” to writeable domain controller
- DNS updates are handled the same as a Secondary Zone
- In response to the SOA query that precedes a dynamic update, the RODC returns the SOA record naming a writable DC (RWDC) running Windows Server 2008, 2008 R2, or newer.
- If no 2008 or newer servers exist in the NS list, a Windows Server 2003 DC will be chosen instead, and Event ID 4015 is logged when the RODC attempts an RSO against that 2003 DC.
RODC EventID 4015, and the update/RSO sequence that leads up to it:
- The client attempts to register its record in the zone through the RODC.
- If DHCP is configured with credentials or is a member of the DnsUpdateProxy group, then DHCP registers the client's record into the zone instead of the client.
- The RODC refers the update to a writable DC and then performs a "Replicate Single Object" (RSO) operation.
- The RODC waits a certain amount of time before it replicates the record, through an RSO operation, from the DNS server that it referred the client to.
- The wait depends on two configurable RSO values for DNS (defaults shown; these match the values in the Microsoft reference cited below):
- DsRemoteReplicationDelay 30 sec
- DsPollingInterval 180 sec (3 min)
- It then attempts to replicate the updated DNS object in Active Directory.
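The following PowerShell is an added example, not part of the original post. It reads the two timing values named above from the DNS Server's registry parameters on the RODC (falling back to the 30 s / 180 s defaults when a value is not explicitly set) and then measures the gap between recent Event ID 4015 entries in the DNS Server log, so you can see whether the retry cadence actually tracks DsPollingInterval. The registry path and the `00002095` string match are assumptions taken from the DNS Server's standard parameter key and from the KB title cited at the end of this post.

```powershell
# Added example (not from the original post). Run locally on the RODC in an
# elevated PowerShell session. Assumption: the DNS Server role stores its
# tunables under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters.
param(
    [int]$MaxEvents = 20    # how many recent 4015 events to inspect
)

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# Defaults apply when the value is absent from the registry (30 s and 180 s,
# the defaults the post cites from the Microsoft reference).
$defaults = @{ DsRemoteReplicationDelay = 30; DsPollingInterval = 180 }
$settings = @{}
foreach ($name in $defaults.Keys) {
    $value = (Get-ItemProperty -Path $paramsKey -Name $name -ErrorAction SilentlyContinue).$name
    $settings[$name] = if ($null -ne $value) { [int]$value } else { $defaults[$name] }
}
"DsRemoteReplicationDelay : {0} s" -f $settings.DsRemoteReplicationDelay
"DsPollingInterval        : {0} s" -f $settings.DsPollingInterval

# Pull the most recent 4015 events from the DNS Server log, oldest first.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4015 } `
              -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

if ($events.Count -eq 0) {
    "No Event ID 4015 entries found in the DNS Server log."
    return
}

# Report the interval between consecutive 4015s. When the RODC keeps failing
# RSO against a pre-2008 NS, the gap should settle at DsPollingInterval.
for ($i = 1; $i -lt $events.Count; $i++) {
    $gap = ($events[$i].TimeCreated - $events[$i - 1].TimeCreated).TotalSeconds
    [pscustomobject]@{
        TimeCreated       = $events[$i].TimeCreated
        GapSeconds        = [math]::Round($gap)
        MatchesPolling    = [math]::Abs($gap - $settings.DsPollingInterval) -le 10
        HasErrorCode2095  = $events[$i].Message -match '00002095'
    }
}
```

On Windows Server 2012 or newer the same two values are also exposed by `Get-DnsServerDsSetting` as `RemoteReplicationDelay` and `PollingInterval`; the registry read above is used here only because it also works on 2008/2008 R2.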
More specifics regarding the above points:
Appendix A: RODC Technical Reference Topics:
Microsoft Official Curriculum
MOC 6425C, “Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services”
Module 11, page 11-31:
A DNS server on a Read-Only Domain Controller (RODC) can be authoritative for zones that are replicated to the RODC and can resolve queries for clients that use the RODC as their DNS server.
Of course, a key characteristic of an RODC is that it cannot make changes to Active Directory, so resource records cannot be added manually to the zone on an RODC, and dynamic updates are not accepted from clients.
Dynamic updates are serviced by referring clients to a writeable domain controller when they attempt to send an update to an RODC. It is useful for the RODC to include the client’s updated resource record in the zone as quickly as possible, so the RODC tracks the client that attempted the update, and the writable domain controller to which the client was referred. After a short wait, the RODC performs a replicate single object (RSO) operation in which it retrieves the updated DNS record for the client from the writable domain controller, bypassing standard replication mechanisms.
Event 4015 on an RODC:
An RODC will only replicate DNS updates to itself (via RSO) from a Windows Server 2008 or newer DC/DNS server, and that server must be in the zone's NS list.
The RODC does not hold a writable copy of the DNS zone. When a client queries the RODC for the zone's SOA record, the RODC returns the name of a writable domain controller from the NS list that runs Windows Server 2008 or later and hosts the Active Directory-integrated zone, just as a secondary DNS server refers updates to the primary for zones that are not Active Directory-integrated.
After it receives the name of a writable domain controller that runs Windows Server 2008 or later, the client is responsible for performing the DNS record registration against that writable server. The RODC waits a certain amount of time (see the first link below for the specific wait values), and then attempts to replicate the updated DNS object in Active Directory Domain Services (AD DS) from the DNS server that it referred the client to, through an RSO operation.
If a writable 2008 DC is not accessible, the RODC queries for the zone's NS records and picks any entry present there. The RODC then attempts to perform an RSO (ReplicateSingleObject) operation with the selected NS. If the selected entry is a Windows Server 2003 DC, the operation fails (Server 2003 does not understand RSO) and an event is logged on the RODC.
Therefore, if there are no 2008 or newer RWDCs in the NS list and the RODC chooses a 2003 DC, the RODC will generate Event 4015 when it tries to perform the RSO operation with a DNS server that runs Windows Server 2003.
The same happens if some NS entries are not contactable, or if you have removed NS entries (for example, because of how your WANs are designed and connected you removed the DC/DNS servers the RODC cannot reach) and what is left are only 2003 DCs: the RODC will choose one of them.
To resolve this issue, deploy the DNS Server role on a writable domain controller that is reachable from the RODC, and ensure that it registers an NS record in the zone.
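As an added example (not part of the original post), the PowerShell below performs the triage that the explanation above implies: queried against the RODC, it shows which server the RODC's SOA answer names, then walks every NS record in the zone and reports whether each name server answers on TCP/53 and what operating system its AD computer object advertises, flagging entries that are unreachable or pre-2008 (which is where the 4015s come from). It assumes RSAT's ActiveDirectory module and the DnsClient module (`Resolve-DnsName`, Windows 8/2012 or newer) are available on the machine running it; the TCP check uses a plain .NET socket so it does not depend on `Test-NetConnection`.

```powershell
# Added example (not from the original post). Assumes RSAT (ActiveDirectory
# module) and the DnsClient module are installed where this runs.
param(
    [Parameter(Mandatory)][string]$Zone,          # AD-integrated zone, e.g. the domain's DNS name
    [string]$Rodc = $env:COMPUTERNAME             # RODC whose DNS view we want
)

Import-Module ActiveDirectory -ErrorAction Stop

# Portable TCP/53 reachability check with a timeout (works on PowerShell 2.0+).
function Test-Tcp53 {
    param([string]$HostName, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, 53, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# The SOA the RODC hands out: per the post, this should name a 2008+ RWDC.
$soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Rodc -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
$soaPrimary = $soa.PrimaryServer.TrimEnd('.')
"SOA primary server returned by {0}: {1}" -f $Rodc, $soaPrimary

# Every NS entry is a candidate RSO partner if the preferred RWDC is unreachable.
$nsHosts = Resolve-DnsName -Name $Zone -Type NS -Server $Rodc -ErrorAction Stop |
    Where-Object { $_.Type -eq 'NS' } | Select-Object -ExpandProperty NameHost

foreach ($ns in $nsHosts) {
    $fqdn      = $ns.TrimEnd('.')
    $shortName = ($fqdn -split '\.')[0]

    # OS as advertised on the computer object; 2003 cannot service RSO.
    $adComputer = Get-ADComputer -Filter "Name -eq '$shortName'" -Properties OperatingSystem -ErrorAction SilentlyContinue
    $os = if ($adComputer) { $adComputer.OperatingSystem } else { '(no AD computer object found)' }
    $rsoCapable = ($null -ne $adComputer) -and ($os -notmatch '2003')

    $reachable = Test-Tcp53 -HostName $fqdn

    $verdict = if (-not $reachable)      { 'Not contactable: remove the NS record or fix connectivity' }
               elseif (-not $rsoCapable) { 'Pre-2008 or unknown OS: will log 4015 if selected for RSO' }
               else                      { 'OK as RSO partner' }

    [pscustomobject]@{
        NameServer      = $fqdn
        OperatingSystem = $os
        Tcp53Reachable  = $reachable
        RsoCapable      = $rsoCapable
        IsSoaPrimary    = ($fqdn -ieq $soaPrimary)
        Verdict         = $verdict
    }
}
```

Run it from the RODC (or point `-Rodc` at it from an admin workstation) with the zone name; any row whose verdict is not "OK as RSO partner" is a server the RODC could pick when its preferred RWDC is down, which is exactly the condition that produces Event 4015.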
I don’t have any information, nor have I found anything in the registry or otherwise, to alter the selection criteria to make sure it chooses a DC that can be contacted. I’m sure that’s a question for the dev team.
The first link below provides more specifics on the 4015 events and on the configurable wait time values (DsRemoteReplicationDelay, default 30 sec, and DsPollingInterval, default 3 min) that determine how long an RODC waits before it performs an RSO operation for the DNS record update.
Appendix A: RODC Technical Reference Topics
For how DNS Updates work, scroll down to “DNS updates for clients that are located in an RODC site”
RODC logs DNS event 4015 every 3 minutes with error code 00002095
Suggestions and Comments welcomed!