Phil
This one is proving to be tricky to solve;
Single domain forest, 5 child sub-domains, all W2k SP4 in native.
All was well until the root DC HDD failed [I know, it should've been
mirrored/RAID, it is now!]. Without realising the consequences I
rebuilt the DC as the forest root, fresh install, thinking that the GC
on the other DCs would accomplish the regeneration. Wrong...
All 6 DCs host DNS, AD and GC. All point to themselves first, then
the forest DC in TCP/IP. None are forwarding dns lookups as they
are all public dns servers and use the external root servers for any
unresolved queries. The 5 child sub-domains replicate normally
with each other but none can authenticate with the root DC. I can't
get the AD snap-ins, on the child DCs, to permit config of the root DC, and
from the root DC, the AD snap-in only shows the root domain and
not the child sub-domains. Trying to connect to another DC isn't
possible from the root DC AD snap-ins. From the root DC AD Sites
and Services snap-in, I can't get any of the child DCs to appear so
it seems I have orphaned the root DC of the forest!
The rebuilt root DC knows of all 5 FSMO roles, seize/transfer does
not work due to connectivity/authentication. One of the child DCs
also knows of all 5 roles now, i.e. it is Schema Master for the
enterprise despite being on a sub-domain. From this child DC, I am
not able to transfer any roles to the root DC, can't connect... :-(
Analysing the various error messages, and a lot of research/reading,
it seems that the root DC now has a new SID from the fresh installation
and no longer authenticates with the others, the trusts can't be re-
established. I really don't want to dcpromo all the child servers down
and back again, surely there is another way? I did try one as a test
and it gave an error message due to not being able to remove the DC
from the forest root [dcpromo as last DC in child domain] so it would
have to be dcpromo /force. I've read that there is a 60 day SID check
or purge, but I don't know if this can help, e.g. shorten the number of
days? KCC error messages talk about failed attempts to replicate
with the root DC but keeping the object and establishing new/temp
links, yet there is no replication or authentication taking place.
I've checked all the 6 DNS servers and they all have the correct SRV
records for all 6 servers. I've tried ntdsutil, netdom and trustdom
but whilst I have got the sub-domains precreated in the AD on the
root DC, they still don't show up in the AD Trust snap-in. I've also
had a look at newSID / SIDwalker, and ldp.exe but I can't see how
or where I can modify the SID, either on the root DC or on the child
DCs. Nothing evident in the registry either. I'd appreciate input as
I'm out of ideas. The old HDD was completely trashed, the only other
form of backup is a dated systemstate file from NT backup utility.
Thanks
Phil
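One thing worth pinning down before any seize/transfer attempt is which DC each server *believes* holds each FSMO role, because the post describes two DCs (the rebuilt root and one child) each claiming all five. The script below is an added diagnostic, not part of Phil's post or any Microsoft tool: it binds to each DC's RootDSE over LDAP and reads the fSMORoleOwner attribute from the five objects that carry it, then reports where the views disagree. The DC host names are placeholders; the account running it must be able to bind to every DC listed.

```powershell
# Added example (not from the original post). Hypothetical DC names below;
# replace with the real forest root and child DCs.
$dcs = @('rootdc.corp.example', 'dc1.child1.corp.example', 'dc1.child2.corp.example')

function Get-FsmoView {
    param([Parameter(Mandatory)][string]$Server)
    # RootDSE tells us the naming contexts as this particular DC sees them.
    $root     = [ADSI]"LDAP://$Server/RootDSE"
    $schemaNC = $root.schemaNamingContext.Value
    $configNC = $root.configurationNamingContext.Value
    $domainNC = $root.defaultNamingContext.Value
    # Each role is recorded as fSMORoleOwner on one well-known object; the
    # value is the DN of the owning DC's NTDS Settings object.
    $roleObjects = [ordered]@{
        Schema         = "LDAP://$Server/$schemaNC"
        DomainNaming   = "LDAP://$Server/CN=Partitions,$configNC"
        PDC            = "LDAP://$Server/$domainNC"
        RID            = "LDAP://$Server/CN=RID Manager`$,CN=System,$domainNC"
        Infrastructure = "LDAP://$Server/CN=Infrastructure,$domainNC"
    }
    foreach ($role in $roleObjects.Keys) {
        try   { $owner = ([ADSI]$roleObjects[$role]).fSMORoleOwner.Value }
        catch { $owner = "ERROR: $($_.Exception.Message)" }
        [pscustomobject]@{ QueriedDC = $Server; Role = $role; OwnerNtdsDn = $owner }
    }
}

function Compare-FsmoViews {
    param([string[]]$Servers)
    $views = foreach ($s in $Servers) { Get-FsmoView -Server $s }
    # Group by role; a role whose owner DN differs between DCs is the one
    # the replicas have diverged on and the one a seize must settle.
    foreach ($g in ($views | Group-Object Role)) {
        $distinct = $g.Group.OwnerNtdsDn | Sort-Object -Unique
        [pscustomobject]@{
            Role       = $g.Name
            Consistent = ($distinct.Count -eq 1)
            Owners     = ($distinct -join ' | ')
        }
    }
    $views | Format-Table -AutoSize
}

Compare-FsmoViews -Servers $dcs | Format-Table -AutoSize
```

Run it from a machine that can reach all six DCs; a DC that returns an ERROR row for every role is the one the others cannot authenticate to, and any role listed as not Consistent is where the rebuilt root and the child DC both claim ownership. Note that the Schema and DomainNaming entries are forest-wide and should agree across every DC, while PDC, RID and Infrastructure are per-domain, so querying a child DC returns that child domain's holders, not the root's.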