Client and Server Operating System Issues
Updated: February 8, 2013
Applies To: Windows Server 2008
Client computers do not require any changes to use an RODC. Client computers running any of the following operating systems are supported for use with RODCs:
Microsoft Windows 2000 Server
Windows Server 2003
Member servers running Windows Server 2008
However, depending on your environment, you might need to apply the following hotfix or make configuration changes to address the following known issues:
Microsoft Knowledge Base article 929768
If you attempt to attach a server to a read-only domain controller (RODC) account in a highly-secured environment, the operation may fail with the error "Replication access denied."
To avoid this, perform a complete non-delegated installation of the RODC using a Domain Administrator account.
You can also correct this issue by adjusting the permissions for the following objects:
On the organizational unit of the domain controller, grant Read permission to Authenticated Users.
On the Infrastructure container, grant Read permission to Authenticated Users.
If an RODC is present in the site, applications may fail to register their Service Principal Names (SPNs).
To correct this, identify the service account of any application that has failed to register its SPN and cache the account on all RODCs in the same site.
To identify which RODCs have currently cached the password of the service account, open Active Directory Users and Computers, right-click the service account object, click Properties, and click the Password Replication tab.
To cache the password on a specific RODC, open Active Directory Users and Computers, click Domain Controllers, right-click the RODC account object, click Properties, and then click the Password Replication Policy tab. Click Advanced, and then click Prepopulate Passwords.
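The same check can be scripted across every RODC in a site. The following is an added example, not part of the original article: it assumes the ActiveDirectory PowerShell module is available (it ships with Windows Server 2008 R2 and later RSAT, not with Windows Server 2008 itself), and the account name svc-app01 and site name Branch-Site are hypothetical placeholders. It reports only; it prints the repadmin command that would prepopulate the password but does not run it.

```powershell
# Added example: report which RODCs in one site have cached a service account's
# password, and whether the Password Replication Policy allows caching it.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-app01'      # hypothetical service account (user object)
$SiteName       = 'Branch-Site'    # hypothetical Active Directory site name

$account = Get-ADUser -Identity $ServiceAccount
$hubDC   = (Get-ADDomain).PDCEmulator   # a writable DC used as the replication source

# All read-only domain controllers in the chosen site
$rodcs = Get-ADDomainController -Filter * |
    Where-Object { $_.IsReadOnly -and $_.Site -eq $SiteName }

$report = foreach ($rodc in $rodcs) {
    # Accounts whose passwords are currently stored on this RODC
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
        -Identity $rodc -RevealedAccounts
    $cached = [bool]($revealed |
        Where-Object { $_.DistinguishedName -eq $account.DistinguishedName })

    # Effective policy for this account on this RODC:
    # Allow, DenyExplicit, DenyImplicit or Unknown
    $policy = Get-ADAccountResultantPasswordReplicationPolicy `
        -Identity $account -DomainController $rodc

    if ($cached) {
        $next = 'None (already cached)'
    } elseif ("$policy" -eq 'Allow') {
        # Equivalent of the Prepopulate Passwords button; shown, not executed
        $next = 'repadmin /rodcpwdrepl {0} {1} "{2}"' -f `
            $rodc.HostName, $hubDC, $account.DistinguishedName
    } else {
        $next = 'Add the account to the Allowed list of the Password Replication Policy first'
    }

    New-Object PSObject -Property @{
        RODC            = $rodc.HostName
        Cached          = $cached
        ResultantPolicy = $policy
        NextStep        = $next
    }
}

$report | Select-Object RODC, Cached, ResultantPolicy, NextStep | Format-List
```

Every account listed as cached has its password stored on that RODC, so the same report doubles as an inventory of the credentials that would need to be reset if that RODC were lost or compromised.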
After you add an RODC to a site that has a Windows Server 2003 global catalog server, you might see an Event ID 1645 error logged on the Windows Server 2003 global catalog server. The error indicates that a replication SPN could not be registered for the RODC. This is by design, and you can disregard the error. It occurs because the RODC requests replication notifications from the Windows Server 2003 global catalog server, but the Windows Server 2003 global catalog server does not use notifications to the RODC.
Note: As a best practice, you should not deploy an RODC in a location that has a writable domain controller because, if the RODC is compromised, then all other resources in that location can be compromised, including other domain controllers. However, there may be situations in which you temporarily have an RODC running in the same location as a writable domain controller, such as when you are replacing the writable domain controller with an RODC.