root domain lost

Guest

We had a forest of three domains each with a single server. We lost the root
forest domain controller. It was then decided to reduce the complexity and
run the domains as individual domains. The original root domain was replaced
with a freestanding domain. We now have problems changing and upgrading the
two remaining domains as it requires the user to be a member of the
enterprise admins and this group no longer exists as the root domain is
missing. I have tried using ADSI edit to take ownership of some of the
containers without any luck.
We actually want to add a Windows 2003 server to one of the domains with 2 x
ws2000 servers in it but adprep /forestprep requires user as a member of
enterprise admin and more. Using ntdsutil to seize domain naming master I get
"insufficient access rights to perform the operation". What now? HOW can I
seize the role and/or how can I give the domain administrator the required
rights?
 
Herb Martin

hcb said:
> We had a forest of three domains each with a single server. We lost the root
> forest domain controller. It was then decided to reduce the complexity and
> run the domains as individual domains. The original root domain was replaced
> with a freestanding domain. We now have problems changing and upgrading the
> two remaining domains as it requires the user to be a member of the
> enterprise admins and this group no longer exists as the root domain is
> missing.

Yes, and even with an Enterprise Admin (which you don't have)
you can never do the upgrade to Win2003 DCs (and maybe other
things which require schema changes) since it requires FULL
Forest-Wide replication before it will run.

Re-installing or removing the root forest domain requires
re-installing or removing all child (and additional tree) domains.
That is, re-installing the entire forest.

> I have tried using ADSI edit to take ownership of some of the
> containers without any luck.

Likely you will only make things worse if that is possible.

> We actually want to add a Windows 2003 server to one of the domains with 2 x
> ws2000 servers in it but adprep /forestprep requires user as a member of
> enterprise admin and more.

Wouldn't work anyway since the missing Domain and DC can
never replicate, and the upgrade preps require full replication.

> Using ntdsutil to seize domain naming master I get
> "insufficient access rights to perform the operation". What now? HOW can I
> seize the role and/or how can I give the domain administrator the required
> rights?

Do you have ANY DC-System State Backups from the root
forest domain DC? If you had one you might be able to
restore the Root Forest Domain DC and thus the domain itself.

About your only real course (AFAIK) is to dump the contents
of the domains using LDIFDE.exe (or something similar) and
reload them to a new domain, or try to set up the new domains
first and do a migration of all users.

I can't think of a reason why the External trusts won't work
without the Root Forest domain so the migration is probably
your best bet.

Otherwise:

You are hosed. It is the fault of whoever decided to run a root
domain (or any domain) with ONE DC and no timely backups.

[If not, it is pretty much a given that someone (maybe not you)
didn't care about this forest. Disk drives die -- I am cleaning
out all the junk ones from my disk box tonight in fact so there
is a stack on the desk which are going to the trash -- and many
other things happen to machines, including fire or flood which
practically no small business ever seems to plan to survive.]
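
An added example, not part of the original post or any poster's code, illustrating the LDIFDE dump-and-reload route suggested in the reply above: an export from the old domain cannot be imported verbatim, because every DN carries the old domain suffix and the directory rejects values it assigns itself. The domain names, accounts and attribute values are constructed, and the dropped-attribute list is a small illustrative subset.

```python
import base64

OLD = "DC=child1,DC=corp,DC=example"  # constructed: surviving child domain
NEW = "DC=newcorp,DC=example"         # constructed: new single-domain forest
# Attributes the directory assigns itself; an import must not carry them.
SYSTEM_OWNED = {"objectguid", "objectsid", "whencreated", "whenchanged",
                "usncreated", "usnchanged", "badpwdcount", "lastlogon"}

def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

# Constructed sample in the shape of an LDIF export (names and values made up).
SAMPLE = "\n".join([
    "dn: CN=John Doe,OU=Staff," + OLD,
    "changetype: add", "objectClass: user", "sAMAccountName: jdoe",
    "objectSid:: AQUAAAAAAAUVAAAA", "whenCreated: 20040101120000.0Z",
    "manager: CN=Jane Roe,OU=Staff,", " " + OLD,        # folded line
    "",
    "dn:: " + b64("CN=\u00c5sa Berg,OU=Staff," + OLD),  # non-ASCII DN is base64
    "changetype: add", "objectClass: user", "sAMAccountName: aberg", ""])

def rebase(value):
    """Swap the old domain suffix for the new one, at an RDN boundary only."""
    head = value[:len(value) - len(OLD)]
    if value.lower().endswith(OLD.lower()) and head[-1:] in ("", ","):
        return head + NEW
    return value

def convert(text):
    """Return the LDIF with DNs rebased and system-owned attributes removed."""
    out = []
    # LDIF folding: a newline followed by one space continues the previous line.
    for line in text.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        attr, _, rest = line.partition(":")
        if attr.lower() in SYSTEM_OWNED:
            continue                      # dropped: the new domain sets its own
        value = rest.strip()
        if rest.startswith(":"):          # "attr:: <base64>"
            try:
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            except ValueError:
                value = ""                # real binary data: leave the line alone
        moved = rebase(value)
        if moved == value:
            out.append(line)
        elif moved.isascii():
            out.append(f"{attr}: {moved}")
        else:
            out.append(f"{attr}:: {b64(moved)}")
    return "\n".join(out)
```

Passwords are not part of an LDIFDE export and the new domain issues new SIDs, so reloaded accounts need new passwords and any ACLs that name the old SIDs have to be re-permissioned.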
 
Joe Richards [MVP]

Unless you have a system state backup your forest is toast, it has
stopped breathing, it just hasn't keeled over yet.

Build a new single domain forest, migrate your users over from the two
remaining domains, and then use all three of your DCs as DCs of the
single domain forest.

A little late now, but this is an excellent reason why you should have
multiple DCs for each domain and have backups.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
