John Policelli's Blog

Covering Identity and Access Solutions, Unified Communications, Collaboration, and Server Infrastructure.

  • SAMS Active Directory Domain Services 2008 How-To
  • MCITP Self-Paced Training Kit (Exam 70-647): Windows Server® Enterprise Administration

Placing Several RODCs in the Same Site

Posted by John Policelli on 16th December 2009

Microsoft recently published an article that addresses a hot topic – whether or not you should place several RODCs in the same Active Directory site. In my opinion, this article does a good job of giving you the information you’ll need to determine RODC placement. The article can be read here: http://technet.microsoft.com/en-us/library/ee522995(WS.10).aspx

Posted in AD DS

DCDiag Fails for NCSecDesc Test on Windows 2008 Domain Controllers

Posted by John Policelli on 13th August 2009

I recently prepared an existing Windows Server 2003 forest for Windows Server 2008 and started to see the NCSecDesc test fail in DCDiag on the domain controllers. When I researched the error, I found that it was a known issue that I could safely ignore.

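Before deciding that an NCSecDesc failure is the known issue and can be ignored, it is worth seeing exactly which domain controllers fail and what the failure text says. The PowerShell below is an added example, not code from the original post: it runs only the NCSecDesc test against every DC in the forest (dcdiag /e), captures the lines dcdiag prints between "Starting test: NCSecDesc" and the pass/fail summary line, and reports them per DC. It assumes an English-language dcdiag and that the account running it has the rights to run dcdiag remotely.

```powershell
# Added example: summarise the DCDiag NCSecDesc test across all DCs in the forest.
# Assumes English dcdiag output, e.g.
#   Starting test: NCSecDesc
#      ......................... DC1 passed test NCSecDesc
function Get-NCSecDescResults {
    param([string[]]$DcdiagOutput)   # captured dcdiag output, one line per element

    $results = @()
    $detail  = @()
    foreach ($line in $DcdiagOutput) {
        if ($line -match '^\s*\.{5,}\s*(\S+)\s+(passed|failed) test NCSecDesc') {
            # Summary line for one DC: emit everything collected since "Starting test"
            $results += New-Object PSObject -Property @{
                DC     = $Matches[1]
                Result = $Matches[2]
                Detail = ($detail -join "`n").Trim()
            }
            $detail = @()
        }
        elseif ($line -match 'Starting test: NCSecDesc') {
            $detail = @()
        }
        elseif ($line.Trim()) {
            $detail += $line.Trim()
        }
    }
    $results
}

# /test:NCSecDesc runs only that test; /e runs it against every DC in the enterprise.
$raw     = dcdiag /test:NCSecDesc /e
$results = Get-NCSecDescResults -DcdiagOutput $raw

$results | Format-Table DC, Result -AutoSize

# Print the captured failure text for each failing DC so it can be compared
# with the known-issue description before it is dismissed.
$results | Where-Object { $_.Result -eq 'failed' } | ForEach-Object {
    "`n== $($_.DC) ==`n$($_.Detail)"
}
```

Running with /e against a large forest is slow; use /s:<DC> to check a single controller, or /a for the DCs in the local site. Keep the captured failure text with your change record, since "known issue, ignored" is only defensible when the text actually matches the documented one.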

Posted in AD DS

Active Directory and Active Directory Domain Services Port Requirements MS Document Published

Posted by John Policelli on 24th June 2009

Does this sound familiar? You need to determine the port requirements for Active Directory and you find yourself having to refer to multiple KB articles. I have found myself in this situation many times, and I am happy to report that Microsoft has published a single document that covers all Active Directory components: replication, trusts, global catalogs, RODCs, DNS, user and computer authentication, Group Policy, and Active Directory Web Services. I personally requested this whitepaper from Microsoft and helped the Microsoft documentation team create it. The document can be found here: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx.
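Once you have the port list, the question in practice is whether a firewall between a client (or a perimeter RODC) and a writable domain controller actually lets those ports through. The PowerShell below is an added example, not part of the original post or the Microsoft document: it attempts a TCP connection to each of the well-known AD DS TCP ports on a named domain controller and reports which ones are reachable. The port table is my own summary of the commonly required TCP ports and should be confirmed against the document linked above; the DC name dc1.contoso.com is a placeholder.

```powershell
# Added example: check TCP reachability of the well-known AD DS ports on a DC.
# The port list is an assumption drawn from common AD DS requirements; confirm
# it against Microsoft's port-requirements document for your scenario.
$AdDsTcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / NETLOGON, Group Policy)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog LDAP'
    3269 = 'Global Catalog LDAP over SSL'
    9389 = 'Active Directory Web Services'
}

function Test-AdDsTcpPorts {
    param(
        [string]$DomainController,
        [int]$TimeoutMs = 2000      # a silently dropped packet should not hang the scan
    )
    foreach ($port in ($AdDsTcpPorts.Keys | Sort-Object)) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $async = $client.BeginConnect($DomainController, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)   # throws if the connection was refused
                $open = $true
            }
        }
        catch { $open = $false }
        finally { $client.Close() }

        New-Object PSObject -Property @{
            Port    = $port
            Service = $AdDsTcpPorts[$port]
            Open    = $open
        }
    }
}

# Placeholder DC name; run this from the network segment whose path you want to verify.
Test-AdDsTcpPorts -DomainController 'dc1.contoso.com' | Format-Table Port, Service, Open -AutoSize
```

Two caveats the check cannot cover: UDP (DNS, Kerberos, NTP on 123, and LDAP pings on 389) is not tested by a TCP connect, and the dynamic RPC port range used by replication and by several management interfaces is not in the table at all; the Microsoft document is the authority for both.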

Posted in Publications

Active Directory Domain Services in the Perimeter Network (Windows Server 2008)

Posted by John Policelli on 28th April 2009

Microsoft has expanded their Windows Server 2008 Active Directory Domain Services (AD DS) Planning and Architecture collection to include AD DS in the perimeter network. More specifically, the new guide covers the following:

  • Determining whether AD DS is appropriate for your perimeter network
  • The various models for deploying AD DS in perimeter networks
  • Planning and deploying read-only domain controllers (RODCs) in perimeter networks

The guide can be downloaded by going to http://technet.microsoft.com/en-us/library/dd728034.aspx.

Posted in AD DS

Windows Server 2008 RODC Compatibility Pack for Windows Server 2003 Clients and for Windows XP Clients

Posted by John Policelli on 5th December 2008

Microsoft previously published a KB article that lists 11 fairly significant known issues for deploying RODCs. The known issues listed in the abovementioned KB article are the following:

  • Group Policy fails to access Windows Management Instrumentation (WMI) filters on an RODC.
  • Internet Protocol security (IPsec) policies fail to apply from an RODC.
  • The Windows Time service (W32time) in Windows XP and Windows Server 2003 does not recognize an RODC.
  • Unsecure domain join fails.
  • Domain join using RODC in the perimeter network fails.
  • Password changes fail in the perimeter network when only an RODC is available.
  • The RODC fails to retrieve or create a public key certificate.
  • Spooler does not reflect the correct printer publish state.
  • The Find Printer user interface (UI) hangs when a computer that runs Windows XP or Windows Server 2003 can contact an RODC but not a writable domain controller.
  • Active Directory Service Interfaces (ADSI) in Windows XP and Windows Server 2003 requests a remote writable domain controller instead of a local RODC.
  • Domain controllers running Windows Server 2003 perform automatic site coverage for sites with RODCs.

The KB article provides additional details on the scope and impact of each known issue. Additionally, there are workarounds listed for 6 of the 11 known issues.

However, Microsoft does recommend that you install the Windows Server 2008 RODC Compatibility Pack on Windows Server 2003 and Windows XP client computers that interact with RODCs. Additional information on this compatibility pack can be found here. It is important to note that Windows XP Service Pack 3 does not include this compatibility pack.
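The last known issue in the list, Windows Server 2003 domain controllers performing automatic site coverage for sites that contain only RODCs, is one you can verify from DNS: a writable 2003 DC covering a branch site registers the site-specific LDAP SRV record for that site, so clients in the branch may be steered to it instead of the local RODC. The PowerShell below is an added example, not code from the original post or the KB article: it resolves the site's SRV record with nslookup, looks up which computer accounts are RODCs (primary group RID 521, Read-only Domain Controllers, versus 516 for writable DCs), and flags any non-RODC host registered for the site. The site name Branch01 and domain contoso.com are placeholders.

```powershell
# Added example: detect writable DCs registered in a site that should be served by RODCs.

# Which hosts register the site-specific LDAP SRV record for a site?
function Get-SiteLdapSrvHosts {
    param([string]$Site, [string]$Domain)
    $record = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
    $hosts = @()
    foreach ($line in (nslookup -type=SRV $record 2>$null)) {
        # Windows nslookup prints one "svr hostname   = dc1.contoso.com" line per SRV record
        if ($line -match 'svr hostname\s*=\s*(\S+)') {
            $hosts += $Matches[1].TrimEnd('.')
        }
    }
    $hosts
}

# RODC computer accounts have primaryGroupID 521 (Read-only Domain Controllers);
# writable DCs have 516 (Domain Controllers). ADSI works without the AD module.
function Get-RodcHostNames {
    param([string]$Domain)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Domain")
    $searcher.Filter = '(&(objectCategory=computer)(primaryGroupID=521))'
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    foreach ($result in $searcher.FindAll()) {
        $result.Properties['dnshostname'][0]
    }
}

# Report every DC advertised for the site and whether it is an RODC.
# IsRodc = False for an RODC-only site means a writable DC is covering it.
function Test-RodcSiteCoverage {
    param([string]$Site, [string]$Domain)
    $rodcs = Get-RodcHostNames -Domain $Domain
    foreach ($dc in (Get-SiteLdapSrvHosts -Site $Site -Domain $Domain)) {
        New-Object PSObject -Property @{
            Site   = $Site
            DC     = $dc
            IsRodc = ($rodcs -contains $dc)   # case-insensitive string comparison
        }
    }
}

# Placeholder site and domain names.
Test-RodcSiteCoverage -Site 'Branch01' -Domain 'contoso.com' | Format-Table Site, DC, IsRodc -AutoSize
```

Run it from a machine that uses the branch's own DNS servers, since that is the view branch clients get. Seeing a writable DC listed is not by itself wrong (a hub DC may be intended to cover the site), but for a perimeter or branch design that relies on clients using the RODC it is exactly the condition the KB article describes.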

Posted in AD DS