Removing a child domain from the AD forest

[Toughnoodle]

Hiya folks,

I've had someone tinkering with a flat AD forest (1 forest, 1 tree, 1 domain) and they've added a child domain (so we now have parent.local and child1.parent.local). Since then they've wiped the server used to create the child domain. I've followed the steps I've found via google, but they all fail as I don't have access to the DC for the child domain. Even ADSIedit fails to remove the extra partition.

Anyone solved this one before? I can post ntdsutil and ADSIedit error messages if needed.

 

[BluBallz]

Have you tried the steps in this this article?

http://support.microsoft.com/kb/230306

 

[Toughnoodle]

Yup, but get this error message:

DsRemoveDsDomainW error 0x21a2(The FSMO role ownership could not be verified because its directory partition has not replicated successfully with atleast one replication partner.)

 

[Skidilliplop]

Well based on that error it kind of tells you your next step. Make sure you don't have any replication issues with your schema master.
Grab a spade and run eventvwr

 

[Toughnoodle]

Yup, that's the problem, there's nothing to replicate between the parent and child DCs as the child domain only had 1 DC and I doubt a full replication took place before it was wiped. Errors in the event logs point to a missing child DC.

Found 2 domain(s)
0 - DC=test-group,DC=local
1 - DC=child1,DC=test-group,DC=local

Found 6 Naming Context(s)
0 - CN=Configuration,DC=test-group,DC=local
1 - DC=test-group,DC=local
2 - CN=Schema,CN=Configuration,DC=test-group,DC=local
3 - DC=DomainDnsZones,DC=test-group,DC=local
4 - DC=ForestDnsZones,DC=test-group,DC=local
5 - DC=calis,DC=test-group,DC=local

Name slightly changed to protect my client. ...I think I need a bigger spade, or maybe a pickaxe?

 

[Skidilliplop]

Ah so am i to understand you have a child domain without a DC in it now?

 

[Toughnoodle]

Ah so am i to understand you have a child domain without a DC in it now?

Yup, exactly. If I remove the DC from Users & Computers it reappears and similar with Sites & Services. This is all with the server not being available.

I'm starting to think I should create a new child domain with the same details and then demote it properly, but maybe it'd just appear as a second chilld domain with a different SID.

 

[Skidilliplop]

Yes creating a new one wouldn't work.

Are you deleting the server on the DC that holds the Schema Master role? There are certain schema changes that have to be made on the master node.
I'd try removing the dead server as a replication partner for all DCs that formerly replicated with it. Then on the DC holding the Master copy of the schema try and remove the server from sites and services and then try and remove the domain.

 

[Toughnoodle]

Yup, the server I'm running this from has all 5 roles. I'll try deleting the objects again later tonight.

 

[Skidilliplop]

You're not supposed to have all 5 roles on one box! Not that I think that is the root cause of this issue.

 

[ethos]

You're not supposed to have all 5 roles on one box! Not that I think that is the root cause of this issue.

Nothing wrong with that in a small environment (there are some caveats).

 

[Toughnoodle]

You're not supposed to have all 5 roles on one box! Not that I think that is the root cause of this issue.

You do when you've only got 1 rackmount server that is based in the UK and the other DCs are glorified PCs in Turkey

 

[Toughnoodle]

Yes creating a new one wouldn't work.
I'd try removing the dead server as a replication partner for all DCs that formerly replicated with it. Then on the DC holding the Master copy of the schema try and remove the server from sites and services and then try and remove the domain.

The only replication connections left are between valid DCs in the parent domain. The child domain server and site have been deleted out of Sites & Services and Users & Computers. There's no delete in Domains & Trusts. Tried deleting via ntdsutil and get "DsRemoveDsDomainW error 0x21a2" again. It's like I need to delete the child domain from the forest, but without a util that sanity checks for any existing child domain infrastructure.

Thanks for trying. It's appreciated.

 

[Skidilliplop]

If the domain still exists you might be able to try and put it back and promote a DC to cover it, then remove it properly. But I'd prefer to do this on a test server than a live DC covering other domains.

Re the 5 roles. There was a element of sarcasm in that statement

 

[Toughnoodle]

Ah, well, I was feeling guilty that I hadn't mentioned earlier in the week I had to seize 3 of the roles back after the "experimenter" had transferred them to another server.

I think I need the equivalent of an AD pair of pliers and a blow torch.

 

[img]

DId you do the steps to remove the dc with ntdsutil first? And then remove child domain. Ive done this a few times and ms support for any errors has fixed it.

 

[Toughnoodle]

I didn't. At the time, I used the Users & Computers and Sites & Services to remove the dc (without demotion via dcpromo). The domain and naming context are the only remaining config. I seem to be in an unhandled, dead end state where I can't delete the remaining config for the child domain because it never fully replicated the info needed by ntdsutil.

I'd give the MS support line a call, but the company I'm doing this for is downsizing.

 

[Nutbusta]

Make sure that your infrastructe master is not a GC and that all your FMSO roles are in the parent domain. Use

Netdon query fsmo

run dcdiag & netdiag from the resource kit and look for errors. It'll give you a lot of information that should point you (or us) in the right direction.