Appendix B: Read-Only Domain Controller Related Events

  • Article

Applies To: Windows Server 2008, Windows Server 2012

The following events can be logged for various operations on read-only domain controllers (RODCs). In some cases, you may have to change the diagnostic event logging level to see the event. For more information about changing the diagnostic event logging level, see article 314980 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=120551).

  • Event ID: 2116

    Severity: Error

    Message: The install from media (IFM) promotion of a read-only domain controller (RODC) cannot start because the specified source database is not allowed. Only databases from other RODCs can be used for IFM promotion of an RODC.

  • Event ID: 2117

    Severity: Error

    Message: The install from media (IFM) promotion of a domain controller cannot start because the specified source database is from a read-only domain controller. Only databases from other domain controllers can be used for IFM promotion of a domain controller.

  • Event ID: 2800

    Severity: Information

    Message: The caller made a replication-caching request for a security principal in the writable directory partition that has been denied.

    Directory partition: %n%1

    Security Principal requested: %n%2

  • Event ID: 2801

    Severity: Information

    Message: Could not find a Windows Server 2008 writable PDC for the domain.

  • Event ID: 2802

    Severity: Information

    Message: Configuration settings indicate that this read-only domain controller should be installed in site %1, but this site does not contain a site settings object.

  • Event ID: 2803

    Severity: Information

    Message: During read only domain controller promotion, setting options on site object %1 failed.

  • Event ID: 2804

    Severity: Information

    Message: Creating state objects for the read-only domain controller.

  • Event ID: 2805

    Severity: Information

    Message: Replicating secrets for the read-only domain controller.

  • Event ID: 2806

    Severity: Information

    Message: While promoting a read-only domain controller, failed to create the state objects.

  • Event ID: 2807

    Severity: Information

    Message: While promoting a read-only domain controller, failed to update the SPNs on the computer object.

  • Event ID: 2808

    Severity: Information

    Message: While promoting a read-only domain controller, failed to create the secondary krbtgt account.

  • Event ID: 2809

    Severity: Information

    Message: While promoting a read-only domain controller, failed to create the krbtgt link.

  • Event ID: 2810

    Severity: Information

    Message: While promoting a read-only domain controller, failed to replicate the secrets from the helper DC_TERM_ABBR.

  • Event ID: 2811

    Severity: Information

    Message: Failed to cache a write referral list on the read-only domain controller.

  • Event ID: 2812

    Severity: Information

    Message: A write request was received at the read-only domain controller. Failed to generate a write referral to a writable domain controller. Write request received from client %3

  • Event ID: 2813

    Severity: Information

    A write request was received at the read-only domain controller. The read-only domain controller has generated a referral to writable domain controller %1.

    A write request was received from client %2 for object %3. The write request was made by the user %4.

  • Event ID: 2814

    Severity: Information

    Message: Failed to replicate a single object (the krbtgt account) from the PDC to Helper DC_TERM

  • Event ID: 2815

    Severity: Information

    Message: Failed to replicate single object secret (for the krbtgt account) from PDC to Helper DC_TERM

  • Event ID: 2816

    Severity: Information

    Message: Failed to cache a write referral list for the PDC on the read-only domain controller.

  • Event ID: 2823

    Severity: Information

    Message: While promoting a read-only domain controller, failed to set the Reveal on Demand and/or Never Reveal groups.

  • Event ID: 2824

    Severity: Information

    Message: Checking state objects for the read-only domain controller.

  • Event ID: 2829

    Severity: Information

    Message: While promoting a read-only domain controller, the expected state objects could not be found.

  • Event ID: 2831

    Severity: Information

    Message: The directory service is no longer configured to host the following read-only application directory partition. An attempt to remove the partition failed.

    Application directory partition:%n%1

    This operation will be tried again later.

  • Event ID: 2832

    Severity: Information

    Message: The directory service is no longer configured to host the following read-only application directory partition.

    Application directory partition:%n%1

    The objects in this directory partition will be removed from the AD_TERM database on the directory service.

  • Event ID: 2834

    Severity: Error

    Message: The local directory service was prompted to add a writable replica of the following directory partition. The local directory service is read-only and cannot add a writable replica of any partition.

    Directory partition:%n%1

    Network address:%n%2

    Options:%n0x%3

  • Event ID: 2835

    Severity: Warning

    Message: The local directory service has detected an incorrect serverReference value on the following server object.

    Server object:%n%1

    Expected value:%n%2

  • Event ID: 2837

    Severity: Information

    Message: While promoting a read-only domain controller, failed to update the DNS host name on the server object.

  • Event ID: 2838

    Severity: Information

    Message: While promoting a read-only domain controller, failed to update the operating system version information on the computer object.

  • Event ID: 2843

    Severity: Error

    Message: The Knowledge Consistency Checker was unable to locate a replication connection for the read-only local directory service. A replication connection with the following option must exist in the forest for correct FRS system behavior.

    Additional Data: Option: %n%1

    User Action: Restore the original replication connection for the local directory service instance on a writable directory service instance.

    Logging level: 0

  • Event ID: 2844

    Severity: Warning

    Message: The Knowledge Consistency Checker located a replication connection for the local read-only directory service, but the source server is not responsive or not replicating. A new source server will be chosen and a writable directory service instance will be updated.

    Additional Data: Connection: %n%1

    Source Server: %n%2

    Logging level: 2

  • Event ID: 2845

    Severity: Error

    Message: The Knowledge Consistency Checker located a replication connection for the local read-only directory service, but the source server is not responsive or not replicating. A new suitable source server was not found from the current replication partners. This operation will be retried.

    Additional Data: Connection: %n%1

    Source Server: %n%2

  • Event ID: 2846

    Severity: Information

    Message: The Knowledge Consistency Checker located a replication connection for the local read-only directory service, but the connection's schedule is not accurate. A new schedule was found from a current replication partner. It will be updated in the forest.

    Additional Data: Connection: %n%1

    Current Partner Connection: %n%2

    Logging level: 2

  • Event ID: 2847

    Severity: Error

    Message: The Knowledge Consistency Checker located a replication connection for the local read-only directory service and attempted to update it remotely on the following directory service instance. The operation failed. It will be retried.

  • Event ID: 2853

    Severity: Error

    Message: While promoting a read-only domain controller (RODC), failed to create a connection object for the RODC.

    Logging level: 1

  • Event ID: 2854

    Severity: Error

    Message: The local directory service was prompted to add a partial-attribute set read-only replica (global catalog options) of the following directory partition. The local directory service is a read-only domain controller and cannot add a partial-attribute set replica of any partition.

    Directory partition:%n%1

    Network address:%n%2

    Options:%n0x%3

  • Event ID: 2855

    Severity: Error

    Message: The local directory service was prompted to add an unknown replica type of the following directory partition. The local directory service is a read-only domain controller and cannot add unknown replica types.

    Directory partition:%n%1

    Network address:%n%2

    Options:%n0x%3

  • Event ID: 2872

    Severity: Error

    Message: The domain controller is trying to replicate the following NC from the following read-only domain controller. Replication with a source as the read-only domain controller is not allowed to proceed.

    Naming Context:%n%1

    Server:%n%2

These additional events can be logged in other logs or on other servers.

  • Event ID: 1645

    Severity: Information

    Message: Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.

    Destination domain controller:%n%1

    SPN:%n%2

    User Action: Verify that the names of the destination domain controller and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination domain controller has been recently promoted, it will be necessary for the local domain controller’s computer account data to replicate to the KDC before this computer can be authenticated.

Note

This event is logged on a domain controller that runs Windows Server 2003, if the domain controller is a global catalog server and an RODC is in the same site. This configuration is not recommended but could be a temporary situation during an upgrade of a site.

  • Event ID: 1699

    Severity: Information

    Message: This event is registered in the Directory Service log on the writable domain controller that is the replication partner of a read-only domain controller (RODC) when the RODC attempts a replicate single object (RSO) operation to cache a password for an account that is not allowed to be cached on the RODC.

  • Event ID: 4015

    Severity: Error

    Message: This event is registered in the DNS event log on the RODC when it tries an RSO operation against a Windows Server 2003 DNS server. This event happens if only Windows Server 2003 DNS servers have registered name server (NS) records for that zone.

  • Event ID: 4768

    Severity: Information

    Message: This event is registered in the Security log after a successful logon. This event is logged on both the RODC and its replication partner.