seizing master roles and GC


Because of a wrongly performed test Win2003 server installation in our
W2000 server domain we suffered damage on the primary DC. We couldn't transfer
master roles, so we decided to kill the server and to seize the roles on the
replica.

We couldn't transfer the domain naming master since the general catalog could not be
promoted on the new DC. The reason is one entry (DC=fserv or similar) which we
couldn't delete because of security - the entry is owned by a nonexistent
domain.

We used NTDSUTIL and ADSIedit and couldn't get rid of it.

As a symptom we have one extra domain (fserv) in AD Domains and Trusts.

If anyone knows something about this issue, please advise us.

Nedim Hadzibegic
 
I guess you tried to do a metadata cleanup with NTDSUTIL; use ADSIEdit (or
LDP) to look for any connection objects that are left. Also clean up DNS,
remove any trusts and try a metadata cleanup again.

Regards,
/Jimmy
 
Thanx Jimmy,

You are right. We did try a metadata cleanup and ADSIedit. We cleaned a lot
of things: trusts, servers etc., everything but a record of a ghost domain,
which cannot be removed in any way we know. ADSIEdit shows that the entry is
owned by a nonexistent user.
- I cannot take ownership of the object
- cannot delete it
- general catalog cannot start
- domain naming master cannot be seized
- cannot promote DC to primary
- I LOST MY DOMAIN!

Funny,

Thanks for the advice
Nedim
 
Have you tried to delete it with Ldp?
It sounds like there is a reference to it somewhere; try to search for the
GUID with Ldp and see what you find.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------
 
I have just tried to blow the entry off with LDP and it just says:

Error: Delete: Referral. <10>

I believe that this is a security ownership error - the same I had with
ADSIEdit.

The only user who has full rights on the record, apart from
S-1-5-21-2712436544-1560754229-2370726782-512,
is SYSTEM, and it looks like there is no way out.

Nedim
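As an added example (not code from either poster), the following PowerShell check walks the crossRef objects under CN=Partitions in the Configuration partition and flags any whose owner SID no longer resolves to an account, which is exactly the state of the FSERV entry described above. It assumes a domain-joined machine and an account that can read the Configuration partition; no object is modified.

```powershell
# Added example: find crossRef (partition) objects owned by a SID that no longer resolves.
# Read-only: it only reads the Partitions container and each object's security descriptor.
$rootDse    = [ADSI]"LDAP://RootDSE"
$configNC   = $rootDse.Properties["configurationNamingContext"].Value
$partitions = [ADSI]"LDAP://CN=Partitions,$configNC"

foreach ($child in $partitions.Children) {
    # Only partition cross-references are of interest here
    if ($child.SchemaClassName -ne "crossRef") { continue }

    $name   = $child.Properties["cn"].Value
    $ncName = $child.Properties["nCName"].Value

    # Owner of the object as a raw SID (requires READ_CONTROL on the object)
    $ownerSid = $child.ObjectSecurity.GetOwner([System.Security.Principal.SecurityIdentifier])

    # A SID from a domain that no longer exists (e.g. S-1-5-21-...-512 of a
    # ghost domain) cannot be translated to an account name and throws here
    try {
        $ownerName = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value
        $status    = "ok"
    } catch {
        $ownerName = $ownerSid.Value
        $status    = "UNRESOLVED owner - candidate stale crossRef"
    }

    [PSCustomObject]@{
        CrossRef = $name
        NCName   = $ncName
        Owner    = $ownerName
        Status   = $status
    }
}
```

Pipe the output through Format-Table to compare the flagged entries against the domains you actually still have before any cleanup is attempted.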
 
Have you tried to use DSACLS to restore/set security on the object?

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------
 
Thanks for helping me !!!!!!!!
I did something like this:

C:>dsacls
\\dbserv\CN=FSERV,CN=Partitions,CN=Configuration,DC=broderinarin,DC=com /P:N
/G administrator@broderinarin:WO;;administrator@broderinarin


No Sid Found for administrator@broderinarin
The trust relationship between the primary domain and the trusted domain
failed.


The command failed to complete successfully.

I think we're doomed! (C3P0 :))

Nedim
 