This afternoon, I ran into a customer with a very interesting configuration–a 300-user department with 15 domain controllers spread among 6 sites.
Given our past guidance (redundant domain controllers at each site to process logons), that didn't seem too far out of line.
What made it really interesting was that each site (including the main office) had a read-only domain controller (RODC).
Personally, as a consultant, I’m pretty certain that RODCs are a spawn of Satan. They are practically useless in all but the most extreme situations where you don’t have the ability to physically or logically secure the environment.
That is not this environment.
During the export to AD, the customer was receiving this delightful error hundreds of times (one for each user object that had a pending export to on-premises Active Directory):
Normally, when an account doesn't have rights to write back to a user object, we see an access-denied error message in the Operations Log. This one, however, was new to me. Having run into a similar error in the past with RODCs and password hash sync failures, I decided to go check out their DCs. The customer confirmed that they indeed had RODCs all over the place like candy from a busted piñata.
To confirm my hypothesis, I went to the properties of the AD Connector, selected the Configure Directory Partitions item, and then looked at the Last Used box. Indeed, the DC listed was configured as the infernal read-only domain controller.
Since a change control was needed to update the domain controller configuration, we opted for the next-best thing until such a change could be approved and implemented: configuring preferred domain controllers. As one might expect, this is a configuration we don't normally advocate, because it pins the connector to a fixed list of DCs instead of letting it locate one on its own, and that list then has to be maintained as domain controllers are added or retired. Given the quirky circumstances, though, I felt it was a good option (at least from the troubleshooting perspective).
Click the Use only preferred domain controllers checkbox.
Then, add the DNS names of domain controllers in your environment that AAD Connect can communicate with and can actually write data to. If I see you put an RODC in this box, I’ll hit you upside the head. Have you learned nothing, son?
Click OK twice (once to close this dialog box, once to close the connector properties), and then either wait for the next sync cycle or under the Actions pane, click Run, select Export, and then click OK.
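Before typing names into that box, it helps to have a list you trust. The script below is an added example, not code from the original post or from AAD Connect: it enumerates the domain's DCs with the ActiveDirectory module, flags every RODC (an RODC holds a read-only copy of the partition and cannot accept the LDAP writes an export needs), warns if the DC the connector reported under Last Used is one of them, and returns the writable DCs that answer on LDAP from the machine it runs on. It assumes the RSAT ActiveDirectory module is installed and that it is run on the AAD Connect server, so the port check reflects what the connector can actually reach; the `-LastUsedDc` parameter and the example FQDNs are placeholders for this illustration.

```powershell
# Added example (not part of the original post or of AAD Connect).
# Lists domain controllers, flags RODCs, warns if the connector's
# "Last Used" DC is read-only, and returns the writable, reachable DC
# names to enter under "Use only preferred domain controllers".
# Assumes: RSAT ActiveDirectory module present; run on the AAD Connect
# server so the LDAP port check matches what the connector can reach.
Import-Module ActiveDirectory

function Get-PreferredDcCandidates {
    param(
        # Domain the AD connector is configured for
        [Parameter(Mandatory)] [string] $Domain,
        # Hypothetical parameter: the FQDN shown under "Last Used" in the
        # Configure Directory Partitions dialog, if you want it checked
        [string] $LastUsedDc
    )

    $dcs = Get-ADDomainController -Filter * -Server $Domain

    # IsReadOnly is the property that distinguishes an RODC
    $rodcs    = @($dcs | Where-Object { $_.IsReadOnly })
    $writable = @($dcs | Where-Object { -not $_.IsReadOnly })

    foreach ($dc in $rodcs) {
        Write-Warning ("RODC: {0} (site {1}); never put this in the preferred list" -f $dc.HostName, $dc.Site)
    }

    $rodcNames = @($rodcs | Select-Object -ExpandProperty HostName)
    if ($LastUsedDc -and ($rodcNames -contains $LastUsedDc)) {
        Write-Warning "Connector's Last Used DC $LastUsedDc is read-only; exports sent to it will fail."
    }

    # A writable DC the connector cannot reach is as useless in the
    # preferred list as an RODC, so keep only those answering on LDAP (389).
    $candidates = foreach ($dc in $writable) {
        $reachable = Test-NetConnection -ComputerName $dc.HostName -Port 389 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($reachable) { $dc.HostName }
    }
    return @($candidates)
}

# Usage (placeholder names, not real hosts):
# Get-PreferredDcCandidates -Domain 'corp.example.com' -LastUsedDc 'rodc01.corp.example.com'
```

Paste the returned names into the preferred domain controllers box, and once the change control has dealt with the RODCs, clear the checkbox again so the connector goes back to locating a DC on its own.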
Voila! Exports should be working again.
As my history teacher used to say, “Never fear you’ve lived your life in vain–you can always be used as a bad example.”