Hi everybody
Need some more heads to get an idea :)
Our customer has two domains in a forest, e.g. DOMAIN.LOCAL and CHILD.DOMAIN.LOCAL.
They found that the clocks on workstations were sometimes skewed; the symptoms were rare but present. On further investigation the result was: NTDS corruption on the primary DC, so AD was not reliable, and some clients switched to the backup DC, which resides on a VMware host that doesn't have its hardware clock synchronised. OK, time was set to synchronise with NTP, the primary DC was restored from backup 2 days ago, and synchronisation between the PRIMARY and SECONDARY DCs is now fine without errors, but a deep inspection of the event logs showed that the DC from CHILD.DOMAIN.LOCAL hasn't replicated successfully for almost 1 year!!! So what now?
With such a long unreplicated state it isn't possible to force replication with a partner outside the replication period; the result is unpredictable and I cannot risk forest corruption, not to mention lingering objects and changes to the schema.... On the other side it isn't possible to demote the child domain DC and/or lose the child domain. I'm not sure if it is possible to only invoke unidirectional replication of critical data from the forest root domain to the child domain's DC and then also try to fix replication so that the rest of the data replicates from child to parent, because both DCs (e.g. MASTERDC.DOMAIN.LOCAL and DC.CHILD.DOMAIN.LOCAL) are Global Catalogs.
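An added diagnostic, not part of the original post: it reports, per replication partner, how long ago the last successful replication was and whether that exceeds the forest tombstone lifetime (the condition behind the lingering-object concern), and reads each DC's Strict Replication Consistency setting. It assumes the ActiveDirectory RSAT module, PowerShell remoting to both DCs, and uses the two DC names from the post as placeholders.

```powershell
# Added example, not the poster's script. Requires the ActiveDirectory module
# and rights to read the configuration partition and the NTDS registry key.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime
    # If the attribute is unset, AD applies the default of 60 days.
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Get-StaleReplicationPartners {
    param([string[]]$DomainControllers)
    $tsl = Get-TombstoneLifetimeDays
    foreach ($dc in $DomainControllers) {
        Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -PartnerType Both -ErrorAction Stop |
            ForEach-Object {
                $age = (Get-Date) - $_.LastReplicationSuccess
                [pscustomobject]@{
                    Server           = $_.Server
                    Partner          = $_.Partner
                    Partition        = $_.Partition
                    LastSuccess      = $_.LastReplicationSuccess
                    DaysSinceSuccess = [math]::Round($age.TotalDays, 1)
                    ExceedsTSL       = $age.TotalDays -gt $tsl   # older than tombstone lifetime
                    LastResult       = $_.LastReplicationResult  # 0 means the last attempt succeeded
                }
            }
    }
}

# With strict consistency enabled (value 1) a DC refuses inbound replication of
# lingering objects rather than reanimating them; read the setting on each DC.
function Get-StrictReplicationConsistency {
    param([string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        $value = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                -Name 'Strict Replication Consistency' -ErrorAction SilentlyContinue).'Strict Replication Consistency'
        }
        [pscustomobject]@{ Server = $dc; StrictReplicationConsistency = $value }
    }
}

# Placeholder DC names taken from the post.
$dcs = 'MASTERDC.DOMAIN.LOCAL', 'DC.CHILD.DOMAIN.LOCAL'
Get-StaleReplicationPartners -DomainControllers $dcs | Where-Object ExceedsTSL | Format-Table -AutoSize
Get-StrictReplicationConsistency -DomainControllers $dcs | Format-Table -AutoSize
```

Any row flagged ExceedsTSL identifies a partner and partition where resuming replication can reintroduce lingering objects, which is the state to document before deciding on a cleanup or recovery path.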