Hi guys,
i came across the following issue:
Imagine a standard enterprise environment with a forest. The root domain is called contoso.com and there is a subdomain called company.contoso.com. There are also subdomains of company.contoso.com, but they are not important for the problem description.
The functional level of the forest is Windows 2003-interim & the domain level of the root domain is Windows 2003, as is the domain level of all subdomains. All Domain Controllers are Windows 2003 SP2.
There have been people in the environment with too many rights, that used to promote DCs and then also just decommission them without properly demoting them. This left several unreachable domain controllers in both the root domain & the subdomain.
I cleared all those DCs that are no longer available, which made company.contoso.com stable and reliable. All DCs within the subdomain are properly talking to each other and replicating fine.
Then i discovered the main issue here. The replication in the root domain is broken. The is only one domain controller left in the root domain, nevertheless the server is suffering from USN rollback. Digging deeper i found out that the domain controllers have been virtualized years ago, but no one ever cared about the root domain. So i found out that replication stopped in 2006 when obv. the last healthy domain controller was removed from the root domain.
So i have basically a crippled root domain with a crippled domain controller. I am not able to set the forest level to 2003 native, as the domain controller says that the domain contoso.com is still Windows 2000. This is not correct, i have checked msDS-Behaviour-Version and nTMixedDomain. They are properly set to 2 & 0.
My idea was to introduce a new installed 2003 server and promote it to a DC. Then get rid of the broken one. Unfortunately the broken DC is not replicating. Due to USN rollback the netlogon service goes constantly to paused state & of course both inbound& outbound replication are disabled. Even when i reenable the replication it is just a matter of seconds before they get disabled again. I also tried to introduce a new 2012R2 DC, but that fails of course due to the forest level not beeing 2003.
So i am a little stuck here. Any thoughts about how to continue to troubleshoot ?
I have a final idea:
Install a new forest with the same name contoso.com and set up a trust with company.contoso.com.
The question would be, how can i convince company.contoso.com that the new installed forest and domain are its parent ?