Root/Child Domains, Root FSMO changed, child domain not seeing correct Schema & Domain Naming roles. Receive access denied during replication

So to put it simply, I have a root domain test.local -- not much of anything in it (old-school best practice).

Then a child domain where most of our stuff sits. Two weeks ago, a coworker was working on an AD upgrade from 2012 R2 servers to 2022 servers. We still have one 2012 R2 server online in the child domain (apparently the coworker, who is now on vacay, thought the AD issues he'd seen would be fixed by the upgrade). Friday of last week we noticed some replication issues, and actual usage issues, i.e. not finding a global catalog.

I started to look into it, and essentially here is where things stand right this moment.

The root domain has all FSMO roles on one server (the coworker had moved them all, figuring it would fix the issue, and decommed the old servers). The child domain apparently hasn't gotten any of these changes and is still trying to talk to the DCs he decommed. The child DCs see the one DC in the root domain that's up, but not that it has the FSMO roles.

I also get errors like this in repadmin:

The

Error contacting server eff5095f-94d1-4a27-835e-9826f708c6ba._msdcs.XXXXX.YYY (network error): 5 (0x5):
Access is denied.

The root domain is unable to synchronize CN=Configuration,DC=XXXX,DC=YYY from the root to the child domain, but can replicate from child to root (though I don't believe it's replicating all partitions).

Update:

Still broken, but I heard from the coworker; apparently a VM that he had been using to decom the old DCs (of which the HW box is the last) came on for about 5 minutes last week. He thinks he may have had tasks on it to decom the server, as within 5 minutes of turning it on DNS had been removed from the HW DC.

The HW DC still has all the child domain roles (peachy) -- he just reinstalled DNS and assumed everything was fine. I'm guessing it started doing something with the AD parts as well, and he cut it off partway by powering that server off when he realized the DNS was MIA. Not that it helps the situation, but it may explain this:

nltest /sc_change_pwd:xxx.local
I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED

This works on all other DCs in the child domain and root domain, and this is the DC that has all the roles for the child domain.
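A diagnostic script for the situation described in this post, added here as an example; it is not the poster's code. It assumes the RSAT ActiveDirectory module and repadmin.exe are available and that the account running it can query every DC in the forest. It asks each DC for its own view of the FSMO role holders and its inbound replication failures, so a child DC that still reports decommissioned role holders, or an "access denied" (status 5) inbound link, shows up in one table.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module,
# repadmin.exe, and an account permitted to query every DC.
Import-Module ActiveDirectory

$forest = Get-ADForest
$report = foreach ($domainName in $forest.Domains) {
    $dcs = Get-ADDomainController -Filter * -Server $domainName
    foreach ($dc in $dcs) {
        $row = [ordered]@{ Domain = $domainName; DC = $dc.HostName }
        try {
            # Forest-wide roles as THIS DC reports them (from its Configuration/Schema copies)
            $f = Get-ADForest -Server $dc.HostName
            $row.SchemaMaster       = $f.SchemaMaster
            $row.DomainNamingMaster = $f.DomainNamingMaster

            # Domain-level roles as this DC reports them
            $d = Get-ADDomain -Server $dc.HostName
            $row.PDCEmulator          = $d.PDCEmulator
            $row.RIDMaster            = $d.RIDMaster
            $row.InfrastructureMaster = $d.InfrastructureMaster

            # Inbound replication links with failures; status 5 is ERROR_ACCESS_DENIED
            $repl   = repadmin /showrepl $dc.HostName /csv | ConvertFrom-Csv
            $failed = $repl | Where-Object { [int]$_.'Number of Failures' -gt 0 }
            $row.FailedInbound = ($failed | ForEach-Object {
                "$($_.'Naming Context') <- $($_.'Source DSA') status=$($_.'Last Failure Status')"
            }) -join '; '
        } catch {
            # A DC that cannot even be queried is itself a finding
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

$report | Format-Table -AutoSize

# Every DC in the forest should name the same Schema and Domain Naming master;
# a split view means the Configuration partition is not replicating everywhere.
foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
    $views = @($report.$role | Where-Object { $_ } | Sort-Object -Unique)
    if ($views.Count -gt 1) {
        Write-Warning "$role disagreement across DCs: $($views -join ', ')"
    }
}
```

Run it from a member server joined to either domain; DCs that still list a decommissioned server as a role holder, or that fail to answer at all, are the ones to look at first.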

Posted
5 months ago