Problems with Multiple Domains within Forests

Guest

All,

I have encountered a problem with replication that happened about 3 months
ago before I was working for my company. There were multiple domains within
the forest, these had problems and were unsecure so my predecessor decided to
place firewalls in between the routes for these DCs. Now I have problems with
the different DCs talking to the other DCs. The Tombstone has expired so I
do not wish to connect the domains back together for fear of a major crash.
Is there any way I can split the domains out and make them separate with in
interlinking replication paths?

In Event view Directory Service Log I am getting the following errors: Event
ID 1265, 1311, 1566 along with WINS and DNS errors.

Does anyone have any ideas?

Thanks in advance for any help.

Kind Regards

Robert
 
Dave Shaw [MVP]

No. If the tombstone interval has passed and the DCs have not replicated
with each other for that long a time, your best bet is to perform a forest
recovery, if you have the backups from that far back to do so. If that's
not possible, you are looking at a migration from the current domains into a
new forest.

In Active Directory, each domain in a forest is dependent upon the root
domain. It is not possible for them to continue on as independent roots.

-ds
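
The check behind the answer above, as an added example that is not part of the original thread: it flags inbound replication links whose last success is older than the tombstone lifetime. It assumes the input uses the column layout of `repadmin /showrepl * /csv`; the sample rows, host names and the 60-day lifetime are constructed, so pass the value actually configured in your forest.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the column layout of `repadmin /showrepl * /csv`
# (host names, sites and timestamps are made up for illustration).
SAMPLE_CSV = """showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=corp,DC=example",HQ,DC2,RPC,0,0,2006-06-01 09:15:00,0
showrepl_INFO,HQ,DC1,"CN=Configuration,DC=corp,DC=example",Branch,DC3,RPC,412,2006-06-01 09:20:00,2006-02-20 03:10:00,1722
showrepl_INFO,HQ,DC1,"DC=child,DC=corp,DC=example",Branch,DC4,RPC,97,2006-06-01 09:20:00,0,1722
"""


def stale_links(csv_text, now, tombstone_days):
    """Return (source DSA, naming context, age in days or None) for every
    inbound link whose last success is older than the tombstone lifetime."""
    limit = timedelta(days=tombstone_days)
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            last_ok = datetime.strptime(row["Last Success Time"],
                                        "%Y-%m-%d %H:%M:%S")
        except ValueError:
            last_ok = None  # no parsable success time: treat as past the limit
        if last_ok is None or now - last_ok > limit:
            age = None if last_ok is None else (now - last_ok).days
            stale.append((row["Source DSA"], row["Naming Context"], age))
    return stale


if __name__ == "__main__":
    # tombstone_days=60 is an assumed value for this sample only.
    for src, nc, age in stale_links(SAMPLE_CSV, datetime(2006, 6, 1, 12, 0), 60):
        shown = "never" if age is None else f"{age} days ago"
        print(f"{src} -> {nc}: last successful replication {shown}")
```

Any link this reports is one where reconnecting the partner risks reintroducing deleted objects, which is why the options above are forest recovery or migration rather than simply reopening the firewall.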
 
Paul Bergson

I would demote the DCs in question and then evaluate how you want to lay
out your network. If you were to repromote (make sure to open the proper
ports on the firewall) after demoting the DCs they would then be refreshed
with the latest data.

Check out the link below

http://www.microsoft.com/technet/pr.../activedirectory/deploy/confeat/adrepfir.mspx


Best of luck

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Jorge_de_Almeida_Pinto

> All,
>
> I have encountered a problem with replication that happened about 3 months
> ago before I was working for my company. There were multiple domains within
> the forest, these had problems and were unsecure so my predecessor decided to
> place firewalls in between the routes for these DCs. Now I have problems with
> the different DCs talking to the other DCs. The Tombstone has expired so I
> do not wish to connect the domains back together for fear of a major crash.
> Is there any way I can split the domains out and make them separate with in
> interlinking replication paths?
>
> In Event view Directory Service Log I am getting the following errors: Event
> ID 1265, 1311, 1566 along with WINS and DNS errors.
>
> Does anyone have any ideas?
>
> Thanks in advance for any help.
>
> Kind Regards
>
> Robert

Take a look at:
* http://www.eventid.net/display.asp?eventid=1265&eventno=346&source=NTDS KCC&phase=1
* http://www.eventid.net/display.asp?eventid=1311&eventno=524&source=NTDS KCC&phase=1
* http://www.eventid.net/display.asp?eventid=1566&eventno=1111&source=NTDS KCC&phase=1

In your case you need to make decisions based upon:
* On what side is the forest root domain (=most important domain in
the forest!)
* On what side is the largest part of the domain/forest
* On what side is the most current information

After you have made your choices, demote the DCs in error (with
forceremoval if needed) and clean up the metadata
(http://support.microsoft.com/kb/216498 &
http://www.petri.co.il/delete_failed_dcs_from_ad.htm &
http://www.petri.co.il/fix_unsuccessful_demotion.htm) of the demoted
DCs on the good part of the forest. Configure AD replication and FRS
replication over firewalls (http://support.microsoft.com/?id=224196 &
http://support.microsoft.com/?id=319553) and promote new DCs,
configure bridgehead servers on both sides of the firewall and create
custom replication connections between the DCs that must replicate
through the firewall.

Good luck
 
