I've inherited an Active Directory forest that is laid out very badly. It has a single forest with a domain tree for each site, each with a single domain controller. No domain is a child of any other domain.
Now one of the DCs, let's call it M1 for domain M, had a problem when we were moving the VM from one hypervisor to another, so we went back to the working one. This caused a USN rollback, which the 2008 R2 DC M1 has detected. During this fudge-up there were 2 DNS entries made in domain M, which were likely the only things lost during the rollback, as no users were active in domain M at the time. Currently DC M1 has had its inbound and outbound replication re-enabled with
repadmin /options M1 -DISABLE_INBOUND_REPL
and
repadmin /options M1 -DISABLE_OUTBOUND_REPL
and its Netlogon service has been continued after it started in a paused state with event ID 2103.
The solution I'd like is to make a new single domain for all 10 sites and start over. However, apart from the annoyance of Netlogon starting in a paused state, it seems to be working OK anyway. The questions I have are:
- Any less severe suggestions or would it be just as much work to start again and do it properly?
- If I just delete the registry key
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Not Writable
  and ignore the rollback, what will be the effect on the single-DC domain in a multi-domain forest?
Because it is a single-DC domain, we cannot:
- demote and then re-promote the DC to replicate from another existing DC, as there are none in the same domain to replicate from;
- do a non-authoritative system state restore, as this also requires a functioning healthy DC to replicate from.
Edit: yes, we have, or can make, a system state backup from an old system image that is younger than the tombstone lifetime.
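Added example, not from the original post: a read-only PowerShell check of the rollback indicators the post mentions (the DSA Not Writable value, the Netlogon state, the repadmin replication options and event ID 2103), to confirm what state M1 is actually in before deciding whether to delete the key. It assumes it is run in an elevated session on the DC itself, where repadmin.exe and the Directory Service log are present.

```powershell
# Added diagnostic (not from the original post): read-only checks for the
# USN rollback indicators discussed above. Run elevated on the affected DC (M1).
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# 1. "DSA Not Writable" is written by the DC when it detects USN rollback;
#    while the value exists the DC stays quarantined.
$dsa = Get-ItemProperty -Path $ntdsParams -Name 'DSA Not Writable' -ErrorAction SilentlyContinue
if ($dsa) {
    "DSA Not Writable is SET (value $($dsa.'DSA Not Writable')): DC still flagged for rollback"
} else {
    "DSA Not Writable is absent: DC is not flagged"
}

# 2. On rollback detection the DC pauses Netlogon so clients stop locating it.
#    The post reports it coming up paused; this shows whether it is running now.
$netlogon = Get-Service -Name Netlogon
"Netlogon service state: $($netlogon.Status)"

# 3. Replication options: the rollback sets DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL,
#    which the post cleared with 'repadmin /options M1 -<FLAG>'. Verify they are clear.
$options = & repadmin.exe /options $env:COMPUTERNAME 2>&1 | Out-String
foreach ($flag in 'DISABLE_INBOUND_REPL', 'DISABLE_OUTBOUND_REPL') {
    if ($options -match $flag) { "Replication option $flag is still SET" }
    else                      { "Replication option $flag is clear" }
}

# 4. Recent occurrences of event 2103 (the ID the post saw with the paused Netlogon)
#    in the Directory Service log, first line of each message only.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2103 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If the value is absent, Netlogon is Running and both options are clear, the DC has already been taken out of quarantine and the remaining question is only whether the data lost in the rollback matters.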