Enterprise Admin is gone!

TChristn

We are having a difficult problem.

The original domain created in the forest is gone. A new domain has been
created in the forest, and FSMO roles have been seized successfully for the
new domain.

The new domain in the same forest does not have an Enterprise Admins
security group. The original domain controller of the old domain is long
gone. I now want to perform certain actions like authorize a DHCP server,
etc. The domain admin group and the administrator account do not have
this power; only Enterprise Admins can perform this action.

How do I create a new Enterprise Admins security group for the forest? How
do I set up their security rights, and what security rights should they
have?

Thanks

TCX
 
Joe Richards [MVP]

You are screwed. You need the original forest root domain; it is the one domain of a forest that can't ever be removed
and have a successful forest. I am surprised you are not seeing all sorts of Kerberos errors when it is chasing the
trust lines...
 
TChristn

What if I restored the DC from the original forest domain from backup, then
used the MoveTree utility to move the Enterprise Admins and Schema Admins to
the new domain? What other objects must be moved to complete a migration of
a forest root domain?


Joe Richards said:
You are screwed. You need the original forest root domain; it is the one
domain of a forest that can't ever be removed
and have a successful forest. I am surprised you are not seeing all sorts
of Kerberos errors when it is chasing the
 
TChristn

Gotcha. So if there's a merger between two companies and there's a
corporate name change... they're pretty much out of luck if they are on a
Windows 2000 platform unless they want to rebuild their forest from the
ground up.
 
Joe Richards [MVP]

It is good to try and make a generic forest root or one that you *know* won't get changed. Since you don't have to
follow the name space for the children (i.e. create multiple trees) that shouldn't be an issue.

In W2K3 there is a domain rename option, but I am not at a point I would recommend anyone do it.

--
Joe Richards
www.joeware.net
 
