| Tags: default, groups, password, policy, replication |
#1
RE: Missing one of the "default Password Replication Policy groups"
This issue has been solved through Microsoft's Product Support.

It is highly unlikely anybody else will have this particular problem, if both the groups are missing they will be created during DCPromo of the RODC. The MS PS solution involved retriggering a process run during DCPromo by setting the runSamUpgradeTasks attribute after tweaking the value of samDomainUpdates.

I'll hold off posting the specific values as anybody experiencing this problem is best off contacting Microsoft so their environment can be properly evaluated.

As to what caused the issue the best guess was random corruption on just the wrong database page on the PDCe (NTDS ISAM 614, DS Schema 1153 warning events).

Thanks to Paul, KJ and Florian who got me as close as was actually possible to a solution before I had to contact Microsoft.

James

"James Brown" wrote:

> I'm missing a domain local group required for the operation of Read-only DCs, I need some way to properly create this group and I'm a little stumped as to why it is missing in the first place...
>
> 2 Windows Server 2008 DCs
>   o forest at Windows 2008 level
>   o single domain at Windows 2008 level
>   o SP2 and all updates installed
>
> AD was previously hosted on a single Windows Server 2003 DC
>   o Upgrade was roughly 45 days ago
>   o This DC has now been gracefully retired
>   o (have full system backups of the old DC before the upgrade all the way through to its retirement)
>
> Wish to add Windows Server 2008 R2 as a RODC
>   o Following steps here http://technet.microsoft.com/en-us/l...29(WS.10).aspx
>   o ADPREP ran first time without errors, schema level now 47
>     § (Have full system backups before and after ADPREP)
>
> So when I hit next on “Additional Domain Controller Options” (step 7 of “To install an RODC on a full installation of Windows Server 2008”) I get “The default Password Replication Policy groups are not present on the PDC [My PDC]. The parameter is incorrect”.
>
> Sure enough the “Allowed RODC Password Replication Group” is missing. After some further thought I’m guessing this should have been created during DCPROMO of the first Windows Server 2008 to the 2003 domain.
>
> The “Denied RODC Password Replication Group” is present so what’s happened to the Allowed group?
>
> I've used the SysInternals AD Explorer to search for deleted groups with the right name or SID and there's nothing.
>
> Can anybody give me a new avenue of exploration?
>
> This is a cross post from the Directory Services forum where so far I've had no response
> http://social.technet.microsoft.com/...1-64f1df62e328
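
A read-only pre-flight check for the condition described in the post above, as an added example that is not part of the original thread and not Microsoft's procedure. It looks up both default Password Replication Policy groups on the PDC emulator by SID rather than by name and lists the two warning event IDs the post mentions. It assumes the well-known RIDs 571 (Allowed) and 572 (Denied) for these groups, which are not stated in the thread, and it makes no changes to the directory.

```powershell
# Added example: read-only check, run as a domain user on a domain-joined host.
# Assumption: RIDs 571/572 are the well-known RIDs of the two default
# Password Replication Policy groups (not taken from the thread).

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name

# Build the domain SID string from the domain object's objectSid attribute.
$sidBytes  = $domain.GetDirectoryEntry().Properties['objectSid'].Value
$domainSid = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value

$groups = @{
    'Allowed RODC Password Replication Group' = 571
    'Denied RODC Password Replication Group'  = 572
}

foreach ($name in $groups.Keys) {
    $sid  = "$domainSid-$($groups[$name])"
    # SID binding finds the object even if it was renamed or moved.
    $path = "LDAP://$pdc/<SID=$sid>"

    if ([System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        $entry = New-Object System.DirectoryServices.DirectoryEntry($path)
        '{0,-42} present  {1}' -f $name, $entry.Properties['distinguishedName'].Value
    }
    else {
        '{0,-42} MISSING  (expected SID {1})' -f $name, $sid
    }
}

# The post attributes the cause to database corruption flagged by warning
# events 614 (NTDS ISAM) and 1153 (DS Schema) on the PDCe; list any present.
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Directory Service'
    Id      = 614, 1153
} | Select-Object TimeCreated, Id, ProviderName, LevelDisplayName
```

A MISSING result for only one of the two groups matches the situation in this thread; the repair itself is the part the poster deliberately left to Microsoft support.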
#2
Re: Missing one of the "default Password Replication Policy groups"
James Brown wrote:

> This issue has been solved through Microsoft's Product Support.
>
> It is highly unlikely anybody else will have this particular problem, if both the groups are missing they will be created during DCPromo of the RODC. The MS PS solution involved retriggering a process run during DCPromo by setting the runSamUpgradeTasks attribute after tweaking the value of samDomainUpdates.
>
> I'll hold off posting the specific values as anybody experiencing this problem is best off contacting Microsoft so their environment can be properly evaluated.
>
> As to what caused the issue the best guess was random corruption on just the wrong database page on the PDCe (NTDS ISAM 614, DS Schema 1153 warning events).
>
> Thanks to Paul, KJ and Florian who got me as close as was actually possible to a solution before I had to contact Microsoft.
>
> James

Thanks for posting back the outcome James. If it happened to you, it'll happen again to someone else.

> "James Brown" wrote:
>
>> I'm missing a domain local group required for the operation of Read-only DCs, I need some way to properly create this group and I'm a little stumped as to why it is missing in the first place...
>>
>> 2 Windows Server 2008 DCs
>>   o forest at Windows 2008 level
>>   o single domain at Windows 2008 level
>>   o SP2 and all updates installed
>>
>> AD was previously hosted on a single Windows Server 2003 DC
>>   o Upgrade was roughly 45 days ago
>>   o This DC has now been gracefully retired
>>   o (have full system backups of the old DC before the upgrade all the way through to its retirement)
>>
>> Wish to add Windows Server 2008 R2 as a RODC
>>   o Following steps here http://technet.microsoft.com/en-us/l...29(WS.10).aspx
>>   o ADPREP ran first time without errors, schema level now 47
>>     (Have full system backups before and after ADPREP)
>>
>> So when I hit next on "Additional Domain Controller Options" (step 7 of "To install an RODC on a full installation of Windows Server 2008") I get "The default Password Replication Policy groups are not present on the PDC [My PDC]. The parameter is incorrect".
>>
>> Sure enough the "Allowed RODC Password Replication Group" is missing. After some further thought I'm guessing this should have been created during DCPROMO of the first Windows Server 2008 to the 2003 domain.
>>
>> The "Denied RODC Password Replication Group" is present so what's happened to the Allowed group?
>>
>> I've used the SysInternals AD Explorer to search for deleted groups with the right name or SID and there's nothing.
>>
>> Can anybody give me a new avenue of exploration?
>>
>> This is a cross post from the Directory Services forum where so far I've had no response
>> http://social.technet.microsoft.com/...1-64f1df62e328

--
/kj
#3
Missing one of the "default Password Replication Policy groups"

"James Brown" <JamesBrown@discussions.microsoft.com> wrote in message news:126C87A5-32B7-4174-843C-B8CD96BC7612@microsoft.com...

I'm glad to hear that it was resolved. Interesting issue. I will have to remember it for any possible future posts with the same issue.

Ace

> This issue has been solved through Microsoft's Product Support.
>
> It is highly unlikely anybody else will have this particular problem, if both the groups are missing they will be created during DCPromo of the RODC. The MS PS solution involved retriggering a process run during DCPromo by setting the runSamUpgradeTasks attribute after tweaking the value of samDomainUpdates.
>
> I'll hold off posting the specific values as anybody experiencing this problem is best off contacting Microsoft so their environment can be properly evaluated.
>
> As to what caused the issue the best guess was random corruption on just the wrong database page on the PDCe (NTDS ISAM 614, DS Schema 1153 warning events).
>
> Thanks to Paul, KJ and Florian who got me as close as was actually possible to a solution before I had to contact Microsoft.
>
> James
>
> "James Brown" wrote:
>
>> I'm missing a domain local group required for the operation of Read-only DCs, I need some way to properly create this group and I'm a little stumped as to why it is missing in the first place...
>>
>> 2 Windows Server 2008 DCs
>>   o forest at Windows 2008 level
>>   o single domain at Windows 2008 level
>>   o SP2 and all updates installed
>>
>> AD was previously hosted on a single Windows Server 2003 DC
>>   o Upgrade was roughly 45 days ago
>>   o This DC has now been gracefully retired
>>   o (have full system backups of the old DC before the upgrade all the way through to its retirement)
>>
>> Wish to add Windows Server 2008 R2 as a RODC
>>   o Following steps here http://technet.microsoft.com/en-us/l...29(WS.10).aspx
>>   o ADPREP ran first time without errors, schema level now 47
>>     § (Have full system backups before and after ADPREP)
>>
>> So when I hit next on “Additional Domain Controller Options” (step 7 of “To install an RODC on a full installation of Windows Server 2008”) I get “The default Password Replication Policy groups are not present on the PDC [My PDC]. The parameter is incorrect”.
>>
>> Sure enough the “Allowed RODC Password Replication Group” is missing. After some further thought I’m guessing this should have been created during DCPROMO of the first Windows Server 2008 to the 2003 domain.
>>
>> The “Denied RODC Password Replication Group” is present so what’s happened to the Allowed group?
>>
>> I've used the SysInternals AD Explorer to search for deleted groups with the right name or SID and there's nothing.
>>
>> Can anybody give me a new avenue of exploration?
>>
>> This is a cross post from the Directory Services forum where so far I've had no response
>> http://social.technet.microsoft.com/...1-64f1df62e328