Note: Domain controllers running Windows Server 2003 do not consider RODCs when they evaluate site coverage requirements and may register their Domain Name System (DNS) service (SRV) resource records for a site that contains an RODC. As a result, they perform automatic site coverage for any site regardless of the presence of an RODC for the same domain. Consequently, client computers that attempt to discover a domain controller in the RODC site can also find the domain controller that is running Windows Server 2003 and may not authenticate to the RODC.
There are a few possible solutions for this problem:
- Apply the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients (http://support.microsoft.com/kb/944043/en-us). This hotfix has to be applied to all Windows Server 2003 DCs that may perform automatic site coverage.
- Ensure that only domain controllers running Windows Server 2008 are present in the site closest to the RODC site.
- Configure the weight or the priority of the DNS SRV records so that clients are more likely to authenticate with the RODC than with a remote Windows Server 2003 domain controller.
- Disable automatic site coverage on domain controllers running Windows Server 2003 present in the site closest to the RODC site.
How to disable automatic site coverage:
- Click Start, click Run, type regedit, and then click OK.
- Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
- Click Edit, point to New, and then click DWORD Value.
- Type AutoSiteCoverage as the name of the new entry, and then press ENTER.
- Double-click the new AutoSiteCoverage registry entry.
- Under Value data, type 0 to disable automatic site coverage (a value of 1 enables it).
- Click Start, click Run, type cmd, and then click OK.
- In the Command Prompt, type the following command, or restart the Netlogon service instead:
nltest /dsregdns
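The same change can be applied to several Windows Server 2003 domain controllers from an administrative workstation. The script below is an added example, not part of the original procedure: the domain controller names are placeholders, and it assumes the Remote Registry service is running on each target, that nltest.exe is available on the workstation, and that the account used has administrative rights on the domain controllers.

```powershell
# Added example: set AutoSiteCoverage = 0 on a list of Windows Server 2003 DCs
# and re-register their DNS records. DC names are placeholders (assumption).
$DomainControllers = @('DC2003-A.example.com', 'DC2003-B.example.com')
$SubKey    = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName = 'AutoSiteCoverage'

foreach ($dc in $DomainControllers) {
    try {
        # Open HKEY_LOCAL_MACHINE on the remote DC (needs Remote Registry).
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $dc)
        $key  = $hklm.OpenSubKey($SubKey, $true)   # $true = open writable
        if ($null -eq $key) { throw "Subkey not found: $SubKey" }

        # Record the previous state so the change can be reverted later.
        # GetValue returns the supplied default ($null) when the entry is absent.
        $before = $key.GetValue($ValueName, $null)

        # 0 = automatic site coverage disabled, 1 = enabled.
        $key.SetValue($ValueName, 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $after = $key.GetValue($ValueName)

        $key.Close()
        $hklm.Close()

        # Ask the DC to re-register its DNS records (the alternative to
        # restarting the Netlogon service on that DC).
        & nltest.exe "/server:$dc" /dsregdns | Out-Null

        [pscustomobject]@{
            DomainController = $dc
            PreviousValue    = if ($null -eq $before) { '(not set)' } else { $before }
            CurrentValue     = $after
            NltestExitCode   = $LASTEXITCODE
        }
    }
    catch {
        # Unreachable host, access denied, Remote Registry stopped, etc.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}
```

Keep the PreviousValue column from the output: it is what you restore if clients in a site without its own domain controller lose coverage after the change.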