Windows Server 2003 Domain Controllers may perform Automatic Site Coverage for RODCs

Note: Domain controllers running Windows Server 2003 do not consider RODCs when they evaluate site coverage requirements and may register their Domain Name System (DNS) service (SRV) resource records for a site that contains an RODC. As a result, they perform automatic site coverage for any site regardless of whether an RODC for the same domain is present there. Consequently, client computers that attempt to discover a domain controller in the RODC site can also find the domain controller that is running Windows Server 2003 and may not authenticate to the RODC.

There are a few possible solutions for this problem:

1. Apply the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients (http://support.microsoft.com/kb/944043/en-us). This hotfix has to be applied to all Windows Server 2003 DCs that may perform automatic site coverage.
2. Ensure that only domain controllers running Windows Server 2008 are present in the site closest to the RODC site.
3. Configure the weight or the priority of the DNS SRV records so that clients are more likely to authenticate with the RODC than with a remote Windows Server 2003 domain controller.
4. Disable automatic site coverage on domain controllers running Windows Server 2003 present in the site closest to the RODC site.

How to disable automatic site coverage:

1. Click Start, click Run, type regedit, and then click OK.
2. Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Click Edit, point to New, and then click DWORD Value.
4. Type AutoSiteCoverage as the name of the new entry, and then press ENTER.
5. Double-click the new AutoSiteCoverage registry entry.
6. Under Value data, type 0 to disable automatic site coverage (1 enables it).
7. Click Start, click Run, type cmd, and then click OK.
8. In the Command Prompt, type the following command: nltest /dsregdns (or restart the Netlogon service).
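As an added example (not part of the original post), the following Windows PowerShell script applies the registry change above to a list of legacy DCs from a management host and then lists which DCs still advertise LDAP SRV records for the RODC site. It assumes the Remote Registry service is reachable on those DCs, Windows PowerShell 5.1 with Resolve-DnsName on the management host, and placeholder server, site and domain names.

```powershell
# Added example, not from the original post: audit (and optionally disable) Netlogon
# automatic site coverage on legacy DCs via the Remote Registry service, then verify
# which DCs still advertise LDAP SRV records for the RODC's site.
# Assumptions: Remote Registry reachable on the DCs, admin rights, Windows PowerShell 5.1
# with the DnsClient module on the management host. All names below are placeholders.
$LegacyDCs = @('DC2003-01.corp.example.com')   # placeholder: Windows Server 2003 DCs in the covering site
$RodcSite  = 'BranchSite'                      # placeholder: AD site that contains the RODC
$Domain    = 'corp.example.com'                # placeholder: DNS domain name
$SubKey    = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-AutoSiteCoverage([string]$Computer) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $value = $hklm.OpenSubKey($SubKey).GetValue('AutoSiteCoverage')
        # A missing value means the Netlogon default, which is enabled (1)
        if ($null -eq $value) { 1 } else { [int]$value }
    } finally { $hklm.Close() }
}

function Disable-AutoSiteCoverage([string]$Computer) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $params = $hklm.OpenSubKey($SubKey, $true)   # open writable
        $params.SetValue('AutoSiteCoverage', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $params.Close()
    } finally { $hklm.Close() }
    # Restart Netlogon so it re-evaluates site coverage and re-registers its DNS records
    # (the post's alternative to running nltest /dsregdns on the DC itself).
    Get-Service -ComputerName $Computer -Name Netlogon | Restart-Service
}

foreach ($dc in $LegacyDCs) {
    $state = Get-AutoSiteCoverage $dc
    Write-Output ("{0}: AutoSiteCoverage = {1}" -f $dc, $state)
    if ($state -ne 0) {
        Disable-AutoSiteCoverage $dc
        Write-Output ("{0}: AutoSiteCoverage set to 0, Netlogon restarted" -f $dc)
    }
}

# Verification: LDAP SRV targets for the RODC site. A legacy DC still listed here is
# still covering the site (allow for DNS caching and record TTL before re-checking).
$srv = "_ldap._tcp.$RodcSite._sites.dc._msdcs.$Domain"
Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port |
    Format-Table -AutoSize
```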