Forest with two domains and big problems

  • Question

  • I'll try to make this explanation as clear as possible. The forest in question at one point had several child domains under it. At this stage, there are currently two:

    DOMAIN_A (forest root)
    DOMAIN_B (child)

    About 5 years ago, there was a large sell-off of one of the organizations tied to this forest which resulted in some temporary trusts being created for migration purposes. Unfortunately, that's about all I know of how things got to where they are. The problem I'm facing right now is that the PDC for DOMAIN_B (child) sees itself as holding ALL of the FSMO roles, including schema and naming master. DOMAIN_A (root) also sees schema and naming as the PDC for DOMAIN_B and shows the remaining roles where they should be.

    Even more of a pain is that my predecessor had apparently blocked all replication from DOMAIN_A (root) at some point during the migration and never turned things back on. Users in DOMAIN_B cannot log in to DOMAIN_A and vice versa. There is an Exchange server in the mix as well as an SQL server, both of which are tied to the forest root domain. The Exchange server has recently begun exhibiting odd behavior during new mailbox creation. Everything looks fine in Exchange but the user mailbox is being reported as "unavailable" in OWA and Outlook cannot connect to it. After rebooting a couple of DCs in both domains, things start working.

    Replication is working fine for DCs in both domains independently, but without knowing exactly what was done to this environment all those years ago, I'm feeling a little lost as to what I should do to resolve my issues here. Do I need to seize roles and remove all DCs with the exception of one in each domain? I should note that our organization operates entirely off of the child domain and could care less about the root, but I also know that I can't just pull this domain from the forest.

    Thursday, May 11, 2017 8:50 AM

All replies

  • > Even more of a pain is that my predecessor had apparently blocked all replication from DOMAIN_A (root) at some point during the migration and never turned things backed on.

    Can we assume this happened more than 180 days ago (tombstone lifetime)? If yes, the only thing you can do with domain_b is "decommission it".


    To add one thing: Decommissioning the root domain will not be a solution. A child without root is kinda "lost". You will lose your Enterprise and Schema admins - and this WILL create issues sooner or later. Also you might lose your ForestDNSZones master. (Personally, I never did this, so I cannot provide a comprehensive list of what will break :-))
    Thursday, May 11, 2017 9:50 AM
  • To make it clear, you have root 'contoso.com' and child domain 'child.contoso.com'.

    In child.contoso.com, if you run the netdom command it shows all the five roles in one DC of child.contoso.com?

    And in contoso.com, if you run the command it again shows those five roles in one of the DC in contoso.com?

    Now, my question is other than disabling AD replication manually on all DCs between the child and parent, have they disabled all the network communications also or are you able to contact between the domains?

    Have you tried transferring the roles to a different DC to see what happens? Do they show as expected?

    How many DCs do you have in each domain? Does the result show the same DC as FSMO owner if you verify it from any of the machines in the domain?

    Thursday, May 11, 2017 10:39 AM
  • ROOT domain shows only SCHEMA and NAMING roles being assigned to CHILD, which is terribly wrong as those are the two roles that should stay with the forest root. CHILD domain shows all 5 FSMO roles on the PDC for that domain.

    Network connectivity is working between the two. I've been slowly rebuilding DNS for name resolution between the two but that has been a PITA as well. 

    Transferring fails, period, stating that it cannot contact the current role holder (even though I'm logged into and connected to the current role holder via ntdsutil). The PDC for both domains is now reachable via host name so DNS resolution looks to be working.

    Until recently, the ROOT had a single VM (yes, a single DC for the forest root, don't scold me too much please). I just spun up a second DC in the root domain this last week and attempted to demote the first, which is when I started noticing all of these other issues. The child domain has 4 DCs at 3 sites. Replication between all DCs in both domains appears to be working fine. NETDOM QUERY FSMO does NOT display the same results per domain.

    ROOT results look like this:

    SCHEMA - CHILD PDC
    NAMING - CHILD PDC
    INFRASTRUCTURE - ROOT PDC
    RID - ROOT PDC
    PDC - ROOT PDC

    CHILD results look like this:

    SCHEMA - CHILD PDC
    NAMING - CHILD PDC
    INFRASTRUCTURE - CHILD PDC
    RID - CHILD PDC
    PDC - CHILD PDC



    Friday, May 12, 2017 6:47 AM
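    The two NETDOM views above can be compared programmatically. This is an added PowerShell check, not something posted in the thread, and it assumes the RSAT ActiveDirectory module and the placeholder DC names rootpdc.contoso.com and childpdc.child.contoso.com. It also reads the forest's tombstone lifetime and flags any replication partner whose last success is older than it, which is the 180-day question raised in the first reply.

```powershell
# Added diagnostic (not from the thread): compare the FSMO holders each DC
# reports and flag replication partners whose last success predates the
# tombstone lifetime. Assumes RSAT ActiveDirectory and DNS reachability.
Import-Module ActiveDirectory

# Constructed placeholders for the two PDCs discussed in the thread.
$dcs = @('rootpdc.contoso.com', 'childpdc.child.contoso.com')

# 1. Ask every DC which servers it believes hold the five roles.
$views = foreach ($dc in $dcs) {
    $f = Get-ADForest -Server $dc
    $d = Get-ADDomain -Server $dc
    [pscustomobject]@{
        QueriedDC      = $dc
        Schema         = $f.SchemaMaster
        Naming         = $f.DomainNamingMaster
        PDC            = $d.PDCEmulator
        RID            = $d.RIDMaster
        Infrastructure = $d.InfrastructureMaster
    }
}
$views | Format-Table -AutoSize

# Forest-wide roles (Schema, Naming) must agree from every DC in the forest.
foreach ($role in 'Schema', 'Naming') {
    $holders = @($views.$role | Sort-Object -Unique)
    if ($holders.Count -gt 1) {
        Write-Warning "$role master disagreement: $($holders -join ', ')"
    }
}

# 2. Tombstone lifetime: attribute is absent on old forests (60-day default).
$cfg = (Get-ADRootDSE -Server $dcs[0]).configurationNamingContext
$dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
$tsl = (Get-ADObject $dsDn -Server $dcs[0] -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }

# 3. Any partner whose last successful sync is older than TSL is past the point
#    where replication can be safely resumed (lingering-object territory).
$cutoff = (Get-Date).AddDays(-$tsl)
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Both |
        Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
        ForEach-Object {
            Write-Warning ("{0} <-> {1} [{2}] last success {3}; older than TSL {4} days" -f
                $dc, $_.Partner, $_.Partition, $_.LastReplicationSuccess, $tsl)
        }
}
```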
  • > Can we assume this happened more than 180 days ago (tombstone lifetime)? If yes, the only thing you can do with domain_b is "decommission it".
    >
    > To add one thing: Decommissioning the root domain will not be a solution. A child without root is kinda "lost". You will lose your Enterprise and Schema admins - and this WILL create issues sooner or later. Also you might lose your ForestDNSZones master. (Personally, I never did this, so I cannot provide a comprehensive list of what will break :-))

    This happened nearly 6 years ago at this point so yeah, tombstoned like crazy. We cannot decommission the child domain as it is the only domain we are using. That being said, I am building an entirely new domain which will be rolled out in the next 45 days, no migration of users, just a complete fresh start. However, I need this environment to function until then and it seems to be circling the drain VERY quickly now.
    Friday, May 12, 2017 6:51 AM
  • > This happened nearly 6 years ago at this point so yeah, tombstoned like crazy.

    Nobody noticed until now? Time to implement monitoring :-)

    > We cannot decommission the child domain as it is the only domain we are using.

    Then I'd set up a fast response action plan. If this domain dies, you seem to be out of business, and since its root domain is lost, you cannot really do anything to restore some kind of health.

    For a start, and to have "some" data, you might export the AD via ldifde or csvde. Maybe there are some PowerShell scripts in the gallery that can do more; I never searched for that.

    Friday, May 12, 2017 8:40 AM
  • Seems like it's all messed up and it's been 6 years. I think the plan you are going with now, building a completely new domain, will be the only option.

    Seizing the roles and then demoting the DCs and promoting them back from the existing domain will not resolve all the issues, based on the details you have provided. Anyhow, make sure you have a complete system state backup of these DCs.

    Friday, May 12, 2017 9:16 AM
  • Hi,

    Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you marked them as answers; please let us know if you would like further assistance.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, May 15, 2017 11:22 AM
    Moderator