Problem removing metadata for forest root DCs on DC for second Domain

atila

Morning Ladies & Gents,
I am trying to work out a forest recovery strategy for a two-domain forest.
The Best Practice Guide from MS states that an Admin Acct for each domain in
the forest is required as GCs won't be available.
However, for the "child", when using ntdsutil to remove metadata of dead DCs
from the parent domain, an error is thrown: DsRemoveDsServerW error 0x2098
(insufficient access rights to perform operation).
The reason for this, I have found, is that on the child DC, DSA objects from
the parent domain do not have an ACE for the administrators of the child
domain in their ACLs!

My problem is: if I cannot log on as a forest root admin to the child domain
DC, how do I remove the metadata for the Forest Root DCs?
The best practice advice is to clean the DCs before hooking them up to each
other.

Any ideas would be greatly appreciated! (hope you're online JoeR)


Regards,

Austin
 
atila

Guys,
Figured out the answer to my question, but not what to do about it!
DSA objects are stored in the Sites container of the Configuration NC. This
NC is owned by Forest Root DCs, and Ent Admins are the only grp that have
Full Control of this container, including the ability to delete child
objects.
Now that I think I know the why, how can I prepare a DC for a child domain
for recovery when I cannot log on or runas an Ent Admin, as the GCs are not
yet up?
Any help/ideas would be greatly appreciated.

Regards,

A
 
Jorge de Almeida Pinto [MVP]

On each first DC you only clean the metadata of the DCs that also belong to
the same domain.
So in the parent domain you only clean the metadata of the parent domain DCs,
except for the first DC.
So in the child domain you only clean the metadata of the child domain DCs,
except for the first DC.

When both DCs are connected, the metadata cleanup of DCs in both domains will
replicate to both DCs.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
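The rule above (clean only the DSA objects of your own domain, and never the first DC you restored) can be scripted so the list is reviewed before anything is deleted. This is an added example, not code from the thread or from Jorge; it assumes the ActiveDirectory PowerShell module is available on the recovered first DC, and the DC name and domain names are constructed placeholders.

```powershell
# Added example: enumerate DSA (server) objects in the Configuration NC and keep only
# the ones that belong to this DC's own domain, excluding the DC we just restored.
# Assumes the ActiveDirectory module; $RecoveredDc is a constructed placeholder name.
Import-Module ActiveDirectory

function Get-OwnDomainStaleDsaObjects {
    param([Parameter(Mandatory)][string]$RecoveredDc)

    $thisDomainDn = (Get-ADDomain).DistinguishedName
    $sitesDn = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext

    # Each DC has a server object under CN=Sites. Its serverReference attribute is the
    # DN of the DC's computer object in its own domain NC, which reveals the DC's domain.
    $servers = Get-ADObject -SearchBase $sitesDn -SearchScope Subtree `
        -LDAPFilter '(objectClass=server)' -Properties serverReference

    foreach ($s in $servers) {
        if ($s.Name -eq $RecoveredDc) { continue }      # never touch the DC we restored
        if (-not $s.serverReference) { continue }       # no reference: leave for manual review

        # Take the "DC=..." tail of the reference so a child domain DC (DC=child,DC=corp,DC=com)
        # is not mistaken for a parent domain DC (DC=corp,DC=com) by a simple suffix match.
        $ref = [string]$s.serverReference
        $domainOfDc = $ref.Substring($ref.IndexOf('DC='))
        if ($domainOfDc -ne $thisDomainDn) { continue }   # other domain: clean it on that domain's first DC

        $s
    }
}

# Print the ntdsutil commands rather than running them, so an admin can review the list first.
Get-OwnDomainStaleDsaObjects -RecoveredDc 'CHILD-DC1' | ForEach-Object {
    "ntdsutil `"metadata cleanup`" `"remove selected server $($_.DistinguishedName)`" quit quit"
}
```

Any server object that the script skips because it belongs to the other domain is the one Jorge says to clean on that domain's own first DC, after which the cleanup replicates once the two DCs are connected.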
 
atila

Thanks for that Jorge!
Makes sense too.
The best practice guide does not make that fact clear.
We will adjust our documentation to reflect this and will give it a bash in
the labs.
