Channel: Directory Services forum

Newly promoted Windows 2008 R2 DC is not replicating with or even recognized by other DCs in forest


I have a forest with 5 sites, 10 DCs. Two of the DCs in one site had not replicated in over 60 days. However, throughout this time, the DCs continued to authenticate users and computer accounts in this site. So, we decided to fix this problem by promoting new DCs, and removing these "bad" ones from AD. I'd noticed that BrokenDC1 had active computer accounts on it that no other DC in the forest knew about. So, I proceeded to add a "NewDC1" to the domain. Then, I went to promote it, but during the dcpromo process where I tried to point it to replicate with a known good DC, it failed, and it would only allow me to replicate with BrokenDC1. So, what I believe happened was that when I added NewDC1 to the domain, BrokenDC1 was the DC that authenticated me in. Thus, the computer account for NewDC1 now only existed on BrokenDC1. So, I went ahead and promoted NewDC1 against BrokenDC1. It promoted fine; however, it left me in the same place I was before, as NewDC1 now has all of the information that BrokenDC1 had, but NewDC1 cannot replicate to other DCs in the forest. It's as if NewDC1 is on its own island. It thinks it's a functioning DC in the forest, but none of the other DCs recognize it.

The reason why I don't want to simply demote and then repromote NewDC1 is that this guy is the only DC that knows about 2 SQL clusters in that site. Demoting it and repromoting will clean this information out. So, at this point, it is not an option, as this will require us to rebuild the clusters, and is not something that we are considering, as the downtime required to do this would be considerable to our clients.

So, I ask... is there any way to perhaps force this DC to communicate with the others in the forest? I was reading that renaming it and perhaps resetting the security channel may do the trick... but wanted to see if there were other options out there.

Is there a way to maybe extract the computer objects off of this DC, and transfer them to a known good one?

Please advise. 

Thanks in advance!

 

