Removing a child domain from the AD forest

Toughnoodle · 20 Jan 2011 at 12:41

Hiya folks,

I've had someone tinkering with a flat AD forest (1 forest, 1 tree, 1 domain) and they've added a child domain (so we now have parent.local and child1.parent.local). Since then they've wiped the server used to create the child domain. I've followed the steps I've found via google, but they all fail as I don't have access to the DC for the child domain. Even ADSIedit fails to remove the extra partition.

Anyone solved this one before? I can post ntdsutil and ADSIedit error messages if needed.

Toughnoodle · 20 Jan 2011 at 13:24

Yup, but get this error message:

DsRemoveDsDomainW error 0x21a2(The FSMO role ownership could not be verified because its directory partition has not replicated successfully with atleast one replication partner.)

Toughnoodle · 20 Jan 2011 at 13:48

Yup, that's the problem, there's nothing to replicate between the parent and child DCs as the child domain only had 1 DC and I doubt a full replication took place before it was wiped. Errors in the event logs point to a missing child DC.

Found 2 domain(s)
0 - DC=test-group,DC=local
1 - DC=child1,DC=test-group,DC=local

Found 6 Naming Context(s)
0 - CN=Configuration,DC=test-group,DC=local
1 - DC=test-group,DC=local
2 - CN=Schema,CN=Configuration,DC=test-group,DC=local
3 - DC=DomainDnsZones,DC=test-group,DC=local
4 - DC=ForestDnsZones,DC=test-group,DC=local
5 - DC=calis,DC=test-group,DC=local

Name slightly changed to protect my client. ...I think I need a bigger spade, or maybe a pickaxe?

Toughnoodle · 20 Jan 2011 at 16:40

Skidilliplop said:
Ah so am i to understand you have a child domain without a DC in it now?

Yup, exactly.

If I remove the DC from Users & Computers it reappears and similar with Sites & Services. This is all with the server not being available.

I'm starting to think I should create a new child domain with the same details and then demote it properly, but maybe it'd just appear as a second chilld domain with a different SID.

Toughnoodle · 20 Jan 2011 at 17:12

Yup, the server I'm running this from has all 5 roles. I'll try deleting the objects again later tonight.

Toughnoodle · 20 Jan 2011 at 20:32

Skidilliplop said:
You're not supposed to have all 5 roles on one box! Not that I think that is the root cause of this issue.

You do when you've only got 1 rackmount server that is based in the UK and the other DCs are glorified PCs in Turkey

Toughnoodle · 20 Jan 2011 at 20:49

Skidilliplop said:
Yes creating a new one wouldn't work.
I'd try removing the dead server as a replication partner for all DCs that formerly replicated with it. Then on the DC holding the Master copy of the schema try and remove the server from sites and services and then try and remove the domain.

The only replication connections left are between valid DCs in the parent domain. The child domain server and site have been deleted out of Sites & Services and Users & Computers. There's no delete in Domains & Trusts. Tried deleting via ntdsutil and get "DsRemoveDsDomainW error 0x21a2" again. It's like I need to delete the child domain from the forest, but without a util that sanity checks for any existing child domain infrastructure.

Thanks for trying. It's appreciated.

Toughnoodle · 21 Jan 2011 at 12:55

Ah, well, I was feeling guilty that I hadn't mentioned earlier in the week I had to seize 3 of the roles back after the "experimenter" had transferred them to another server.

I think I need the equivalent of an AD pair of pliers and a blow torch.

Toughnoodle · 24 Jan 2011 at 13:26

I didn't. At the time, I used the Users & Computers and Sites & Services to remove the dc (without demotion via dcpromo). The domain and naming context are the only remaining config. I seem to be in an unhandled, dead end state where I can't delete the remaining config for the child domain because it never fully replicated the info needed by ntdsutil.

I'd give the MS support line a call, but the company I'm doing this for is downsizing.