Rebuilt forest root DC, now got repl errors, SIDs?


Phil

This one is proving to be tricky to solve;
Single domain forest, 5 child sub-domains, all W2k SP4 in native.
All was well until the root DC HDD failed [I know, it should've been
mirrored/RAID, it is now!]. Without realising the consequences I
rebuilt the DC as the forest root, fresh install, thinking that the GC
on the other DCs would accomplish the regeneration. Wrong...

All 6 DCs host DNS, AD and GC. All point to themselves first, then
the forest DC in TCP/IP. None are forwarding DNS lookups as they
are all public DNS servers and use the external root servers for any
unresolved queries. The 5 child sub-domains replicate normally
with each other but none can authenticate with the root DC. I can't
get the AD snap-ins, on the child DCs, to permit config of the root DC, and
from the root DC, the AD snap-in only shows the root domain and
not the child sub-domains. Trying to connect to another DC isn't
possible from the root DC AD snap-ins. From the root DC AD Sites
and Services snap-in, I can't get any of the child DCs to appear so
it seems I have orphaned the root DC of the forest!

The rebuilt root DC knows of all 5 FSMO roles, seize/transfer does
not work due to connectivity/authentication. One of the child DCs
also knows of all 5 roles now, i.e. it is Schema Master for the
enterprise despite being on a sub-domain. From this child DC, I am
not able to transfer any roles to the root DC, can't connect... :-(

Analysing the various error messages, and a lot of research/reading,
it seems that the root DC now has a new SID from the fresh installation
and no longer authenticates with the others, the trusts can't be
re-established. I really don't want to dcpromo all the child servers down
and back again, surely there is another way? I did try one as a test
and it gave an error message due to not being able to remove the DC
from the forest root [dcpromo as last DC in child domain] so it would
have to be dcpromo /force. I've read that there is a 60 day SID check
or purge, but I don't know if this can help, e.g. shorten the number of
days? KCC error messages talk about failed attempts to replicate
with the root DC but keeping the object and establishing new/temp
links, yet there is no replication or authentication taking place.

I've checked all the 6 DNS servers and they all have the correct SRV
records for all 6 servers. I've tried ntdsutil, netdom and trustdom
but whilst I have got the sub-domains precreated in the AD on the
root DC, they still don't show up in the AD Trust snap-in. I've also
had a look at newSID / SIDwalker, and ldp.exe but I can't see how
or where I can modify the SID, either on the root DC or on the child
DCs. Nothing evident in the registry either. I'd appreciate input as
I'm out of ideas. The old HDD was completely trashed, the only other
form of backup is a dated systemstate file from NT backup utility.

Thanks
Phil
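Added example (not part of Phil's post or anything else in the thread): a small Python script that confirms the SID mismatch Phil suspects, which is the check worth doing before committing to either a restore or a full rebuild. The domain SID lives in the objectSid attribute on the domain's naming-context head, and each child domain records the SID of its parent in the securityIdentifier attribute of the trustedDomain object under its CN=System container; both can be exported with ldifde from a Windows 2000 DC. The ldifde invocations in the docstring, the server names, the DNs and every SID in the sample data are placeholders, and the two LDIF snippets are constructed to stand in for the real exports. If the two SIDs differ, the child domains' trust objects still point at a domain that no longer exists, which is why authentication and FSMO transfers toward the new root fail; the SID cannot be edited back into the fresh DC, so the result of the check only tells you which of Joe's two options applies.

```python
"""Confirm the diagnosis in the post above: the rebuilt forest root reports one
domain SID while the child domains' trustedDomain objects still carry the old one.

Added example, not from the original thread. Assumes the attributes were
exported with ldifde (shipped with Windows 2000 Server) as base64, e.g.

  ldifde -f root.ldf -s ROOTDC -d "DC=corp,DC=example" -p base -l objectSid
  ldifde -f child.ldf -s CHILDDC -d "CN=System,DC=child,DC=corp,DC=example"
         -r "(objectClass=trustedDomain)" -l "flatName,securityIdentifier"

ROOTDC, CHILDDC, the DNs and every SID below are placeholders.
"""
from __future__ import annotations

import base64
import struct


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID (S-1-5-21-...) into the binary objectSid layout."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision, sub-authority count, 48-bit big-endian identifier authority,
    # then each sub-authority as a 32-bit little-endian unsigned integer
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary objectSid / securityIdentifier value into S-R-A-... text."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = struct.unpack("<BB", raw[:2])
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"length {len(raw)} does not fit {count} sub-authorities")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def parse_ldif(text: str) -> list[dict[str, object]]:
    """Minimal LDIF reader: unfolds continuation lines, base64-decodes '::' values."""
    entries: list[dict[str, object]] = []
    current: dict[str, object] = {}
    for line in text.replace("\n ", "").splitlines():  # unfold wrapped values
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif line.startswith("#"):
            pass
        elif "::" in line:
            attr, value = line.split("::", 1)
            current[attr.strip()] = base64.b64decode(value.strip())
        else:
            attr, value = line.split(":", 1)
            current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def root_domain_sid(root_ldif: str) -> str:
    """objectSid on the domain NC head, as the rebuilt root DC reports it."""
    return bytes_to_sid(parse_ldif(root_ldif)[0]["objectSid"])


def trusted_domain_sids(child_ldif: str) -> dict[str, str]:
    """flatName -> SID recorded in each trustedDomain object on a child DC."""
    return {str(e["flatName"]): bytes_to_sid(e["securityIdentifier"])
            for e in parse_ldif(child_ldif) if "securityIdentifier" in e}


def check_root_identity(root_ldif: str, child_ldif: str, root_flat_name: str) -> dict:
    """'orphaned' is True when the child still trusts a SID the root no longer has."""
    live = root_domain_sid(root_ldif)
    recorded = trusted_domain_sids(child_ldif).get(root_flat_name)
    return {"live_root_sid": live, "recorded_in_child": recorded,
            "orphaned": recorded is not None and recorded != live}


# Constructed sample data (no real domain): the SID the old root had, and the
# one the fresh install generated. ldifde writes binary attributes as base64.
OLD_ROOT_SID = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_ROOT_SID = "S-1-5-21-4000000000-500000000-600000000"


def _b64(sid: str) -> str:
    return base64.b64encode(sid_to_bytes(sid)).decode()


ROOT_LDIF = f"""dn: DC=corp,DC=example
objectSid:: {_b64(NEW_ROOT_SID)}
"""

CHILD_LDIF = f"""dn: CN=corp.example,CN=System,DC=child,DC=corp,DC=example
flatName: CORP
securityIdentifier:: {_b64(OLD_ROOT_SID)}
"""

if __name__ == "__main__":
    print(check_root_identity(ROOT_LDIF, CHILD_LDIF, "CORP"))
```

To use it against a real forest, run the two ldifde exports, read the files into ROOT_LDIF and CHILD_LDIF in place of the constructed strings, and pass the root domain's NetBIOS name. Running it against each child DC in turn also tells you whether all five children agree on the old SID, which is what you would expect when they still replicate normally with each other.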
 
When you say you rebuilt the DC as the forest root, what exactly do you mean?

Reading this I think you mean you only had the one DC for the forest root domain
and you loaded a machine with Windows and then promoted it into a Domain
Controller using the same domain name of the old forest root. If this is the
case, it won't work, period.

The ONLY way you can get your old forest root back if you don't have multiple
DCs in the root domain is to restore from a backup. If you don't have multiple
DCs for that domain and you don't have a forest root, you have a lot of work in
store for yourself as you rebuild everything.

You always want multiple DCs in each domain or you want fantastic backups. The
best is to have multiple DCs AND fantastic backups.


joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 
Thanks Joe, you're exactly right and your response was my worst fear
and it explains a lot. Double up on DCs then... Thanks again.
 