Jan 15

“Could not retrieve default replication accounts” during RODC Promotion

The task was to promote the first RODC in a mixed OS domain with Windows 2003 Forest/Domain functional levels. Before DC promotion the AD Schema was successfully extended and there was one Writable Domain Controller (Windows Server 2013 R2) up and running.

I noticed some RODC related groups are missing even trough adprep finished without any errors:

  • Read-only Domain Controllers
  • Allowed RODC Password Replication Group
  • Denied RODC Password Replication Group

I thought they will appear after first RODC promotion. But that was not the case!

These groups, along with many others, are created AFTER you transfer the PDC role to a domain controller, running Windows Server 2008 or later!

After transferring the PDC role these groups were created:

Nice to know it 🙂

Thereafter the first RODC was promoted successfully!

References: