Problem removing metadata for forest root DCs on DC for second Domain

atila

Morning Ladies & Gents,
I am trying to work out a forest recovery strategy for a 2-domain forest.
The Best Practice Guide from MS states that an Admin Acct for each domain in
the forest is required as GCs won't be available.
However, for the "child", when using ntdsutil to remove metadata of dead DCs
from the parent domain, an error is thrown: DsRemoveDsServerW error 0x2098
(insufficient access rights to perform operation).
The reason for this I have found is that on the child DC, DSA objects from
the parent domain do not have an ACE for the administrators of the child
domain in their ACLs!

My problem is: if I cannot log on as a forest root admin to the child domain
DC, how do I remove the metadata for the Forest Root DCs?
The best practice advice is to clean the DCs before hooking them up to each
other.

Any Ideas would be greatly appreciated! (hope you're online JoeR)


Regards,

Austin
 
Guys,
Figured the answer to my question out, but not what to do about it!
DSA objects are stored in the Sites container of the Configuration NC. This
NC is owned by Forest Root DCs, and Ent Admins are the only grp that has
Full Control of this container, including the ability to delete child
objects.
Now that I think I know the why, how can I prepare a DC for a child domain
for recovery when I cannot log on or runas an Ent Admin, as the GCs are not
yet up?
Any help/ideas would be greatly appreciated.

Regards,

A
 
On each first DC you only clean the metadata of the DCs that also belong to
the same domain.
So in the parent domain you only clean the metadata of the parent domain DCs,
except for the first DC.
So in the child domain you only clean the metadata of the child domain DCs,
except for the first DC.

When both DCs are connected, the metadata cleanup of DCs in both domains will
replicate to both DCs.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
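The rule in the reply above (on each restored "first" DC, clean up only the dead DCs of that DC's own domain, and leave the other domain's DCs to its own first DC) can be turned into a small planning script. The following PowerShell is an added example and is not code from the thread or from Jorge; it assumes the Active Directory PowerShell module is available on the restored DC for the live query, and it uses the server object DN form that ntdsutil's "remove selected server" accepts. The sample server list and the DC names ROOTDC1, ROOTDC2, CHILDDC1 and CHILDDC2 are constructed for illustration. The script only prints the ntdsutil command lines per domain; it does not run them.

```powershell
# Added example (not from the thread): plan per-domain metadata cleanup for a
# two-domain forest recovery. Each domain's restored (first) DC only removes the
# server objects of dead DCs from its own domain, so the child-domain admin never
# touches the forest root's DSA objects (the source of the 0x2098 access error).
# Assumptions: AD module present for Get-ForestServers; ntdsutil one-line syntax.

function Get-DomainFromServerReference {
    param([string]$ServerReference)
    # serverReference on a DC's server object is the DN of its computer object in
    # its own domain NC, e.g. CN=DC2,OU=Domain Controllers,DC=child,DC=contoso,DC=com.
    # The domain DN is the trailing run of DC= components (split on unescaped commas).
    $parts = $ServerReference -split '(?<!\\),'
    ($parts | Where-Object { $_ -match '^DC=' }) -join ','
}

function Get-MetadataCleanupPlan {
    param(
        # Objects with ServerDn (CN=<dc>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...)
        # and ServerReference properties, one per DC server object in the forest.
        [object[]]$Servers,
        # DN of the restored first DC per domain, keyed by the domain DN.
        [hashtable]$FirstDcByDomain
    )
    foreach ($domain in ($FirstDcByDomain.Keys | Sort-Object)) {
        $first = $FirstDcByDomain[$domain]
        # Dead DCs of this domain: same domain as the first DC, but not the first DC itself.
        $dead = $Servers | Where-Object {
            (Get-DomainFromServerReference $_.ServerReference) -eq $domain -and $_.ServerDn -ne $first
        }
        foreach ($s in $dead) {
            [pscustomobject]@{
                Domain  = $domain
                RunOn   = $first
                Target  = $s.ServerDn
                Command = "ntdsutil `"metadata cleanup`" `"remove selected server $($s.ServerDn)`" quit quit"
            }
        }
    }
}

function Get-ForestServers {
    # Live query (run on the restored DC): every server object under CN=Sites in the
    # Configuration NC that carries a serverReference, i.e. every DC the forest knew of.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter '(objectClass=server)' -Properties serverReference |
        Where-Object { $_.serverReference } |
        ForEach-Object { [pscustomobject]@{ ServerDn = $_.DistinguishedName; ServerReference = $_.serverReference } }
}

# Constructed sample: a root domain (contoso.com) and a child (child.contoso.com),
# two DCs each, with ROOTDC1 and CHILDDC1 restored from backup as the first DCs.
$cfgDn  = 'CN=Configuration,DC=contoso,DC=com'
$sample = @(
    [pscustomobject]@{ ServerDn = "CN=ROOTDC1,CN=Servers,CN=HQ,CN=Sites,$cfgDn";  ServerReference = 'CN=ROOTDC1,OU=Domain Controllers,DC=contoso,DC=com' },
    [pscustomobject]@{ ServerDn = "CN=ROOTDC2,CN=Servers,CN=HQ,CN=Sites,$cfgDn";  ServerReference = 'CN=ROOTDC2,OU=Domain Controllers,DC=contoso,DC=com' },
    [pscustomobject]@{ ServerDn = "CN=CHILDDC1,CN=Servers,CN=HQ,CN=Sites,$cfgDn"; ServerReference = 'CN=CHILDDC1,OU=Domain Controllers,DC=child,DC=contoso,DC=com' },
    [pscustomobject]@{ ServerDn = "CN=CHILDDC2,CN=Servers,CN=HQ,CN=Sites,$cfgDn"; ServerReference = 'CN=CHILDDC2,OU=Domain Controllers,DC=child,DC=contoso,DC=com' }
)
$firstDcs = @{
    'DC=contoso,DC=com'          = "CN=ROOTDC1,CN=Servers,CN=HQ,CN=Sites,$cfgDn"
    'DC=child,DC=contoso,DC=com' = "CN=CHILDDC1,CN=Servers,CN=HQ,CN=Sites,$cfgDn"
}

# Expected plan: ROOTDC1 removes only ROOTDC2; CHILDDC1 removes only CHILDDC2.
Get-MetadataCleanupPlan -Servers $sample -FirstDcByDomain $firstDcs |
    Format-Table Domain, RunOn, Target, Command -AutoSize -Wrap
```

To use it against a real restored DC, replace `$sample` with `Get-ForestServers` and fill `$firstDcByDomain` with the server DNs of the DCs you restored; review the emitted lines before running any of them in each domain's first DC. Once the two first DCs are connected, the cleanup done in each domain replicates to the other, as the reply states, so no cross-domain removal is ever needed.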
 
Thanks for that Jorge!
Makes sense too.
The best practice guide does not make that fact clear.
We will adjust our documentation to reflect this and will give it a bash in
the labs.

"Jorge de Almeida Pinto [MVP]"
 