
I added a new domain tree to an existing AD forest which previously contained one domain. Let's call the new domain xyz.com and the existing forest root domain abc.com (the forest is abc.com).

Everything is in the same site.

Each domain has three DCs. The existing domain and forest is at Windows 2008 functionality and the new domain is at 2012 R2.

Replication is only occurring one-way. The new domain xyz.com receives inbound replication from the existing abc.com domain just fine, and it replicates internally just fine. Everything is good there.

The existing domain will not replicate from the new domain. This is because the Configuration partition in the existing domain has no information on the DCs in the new domain. Specifically, in the replica of the Configuration partition on the existing servers, CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=abc,DC=com contains no entries for the new DCs in the new domain. However, the replica of the Configuration partition on the new DCs in the new domain has entries for all DCs in the forest.

The same is true of the other AD partitions, including the ForestDNS partition. Because the DNS is complete in the new domain, I pointed the DNS clients on the DCs in the existing domain to use DNS on the DCs in the new domain. That seems to have gotten me past all DNS-created problems.

The two-way trust between the domains seems to be working fine. The domains trust each other, and users in both domains can log in, access resources, and be assigned security in either domain.

There are no replication errors... it is simply that the DCs in the existing domain will not replicate from the DCs in the new domain because they are not in the Configuration partition on the existing DCs. They don't "know" about the new DCs.

In other words: If I go into AD Sites and Services on the existing DCs, the DCs in the new domain are not listed at all. Only the DCs in the original existing domain are shown. So the KCC does not create replication connections for the new DCs in xyz.com to the existing DCs in abc.com.

But on the DCs in the new domain, all servers are listed in Sites and Services and KCC creates the connections and everything replicates fine from abc.com to xyz.com.

Any suggestions on how to fix this? This is like a chicken and the egg.... AD won't replicate because it did not initially replicate.

Starting over is not a good option as both domains are in production use.

Thanks in advance!

Mike

1 Answer


Manually create a connection object and replicate it manually. Then run a repadmin /kcc.

Klaus
  • Klaus, thanks for your reply. I had tried that using repadmin /add. Unfortunately, that didn't work because the server objects for the DCs in the new xyz.com domain do not exist in the replica of the Configuration partition held by the existing DCs in the abc.com domain. This causes the repadmin /add command to fail with errors about not finding the DSN or SPN for the new DC. – Mike Jul 20 '17 at 13:28
  • I see, so even in the domain where you can see all domain controllers, you cannot add that replication object. What you might try is to export the relevant portion of the Configuration partition and import it on a DC that does not see your new domain. However, I haven't done it, so I don't know what it might break later. – Klaus Jul 26 '17 at 08:37
  • Yes, correct. If I try to add a replication link between a DC in the domain that can see all the servers and a DC in the other domain, it fails. I assume that this is because replication is always a "pull", so even though I enter the command on a DC that can see all the other DCs, the replication is actually initiated on the destination DC that can't see the other DC, so it fails. – Mike Jul 27 '17 at 23:33
  • I also thought about exporting and importing the Configuration partition (or at least the relevant part), or somehow manually adding the information. I did try manually adding a server to the site, but I can't set the serverReference attribute. It also caused a CNF with the actual server object in the other domain since I named them the same. Anyway, I think something along the lines of this is the solution, but I don't feel I understand all the implications well enough to do it in my production environment. Can anyone shed some light on if this is doable and what to look out for? – Mike Jul 27 '17 at 23:38
  • This is very strange. However, if you can sign in and access resources across domains, there must be something working at least. So, on at least one domain controller in the existing domain, all relevant information should be there even if subsequent replications did not work. So try to find that DC. After you fixed your DNS issues, did you restart the Netlogon service on all your DCs to re-register all SRV records? – Klaus Jul 28 '17 at 10:46
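A way to confirm the asymmetric view described in the question and in the comments above (which DC's Configuration replica is missing which server objects), as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory PowerShell module; the DC names in `$dcs` are placeholders for the six DCs in the two domains.

```powershell
# Added example: query each DC's *own* replica of the Configuration partition (-Server)
# and list the server objects under CN=Sites that each one holds, so a DC that does not
# "know" about the new domain's DCs shows up as missing those entries.
# Assumption: RSAT ActiveDirectory module is available; DC names below are placeholders.
Import-Module ActiveDirectory

$dcs = @('dc1.abc.com', 'dc2.abc.com', 'dc3.abc.com',
         'dc1.xyz.com', 'dc2.xyz.com', 'dc3.xyz.com')   # placeholder DC names

# The Configuration NC DN is the same forest-wide; read it from the first DC's RootDSE.
$configNC = (Get-ADRootDSE -Server $dcs[0]).configurationNamingContext

$views = @{}
foreach ($dc in $dcs) {
    try {
        # Only count server objects that still point at a DC (serverReference set);
        # objects without it are leftovers of demoted DCs, not live replication partners.
        $servers = Get-ADObject -Server $dc -SearchBase "CN=Sites,$configNC" `
            -LDAPFilter '(objectClass=server)' -Properties serverReference |
            Where-Object { $_.serverReference }
        $views[$dc] = @($servers | ForEach-Object { $_.Name } | Sort-Object)
    } catch {
        Write-Warning "Could not query $dc : $_"
    }
}

# Union of every server object seen on any DC, then report what each DC lacks.
$all = @($views.Values | ForEach-Object { $_ } | Sort-Object -Unique)
foreach ($dc in ($views.Keys | Sort-Object)) {
    $missing = @($all | Where-Object { $views[$dc] -notcontains $_ })
    if ($missing.Count -gt 0) {
        "$dc is missing server objects for: $($missing -join ', ')"
    } else {
        "$dc holds all $($all.Count) server objects"
    }
}
```

In the situation the question describes, the abc.com DCs should report the three xyz.com server names as missing while the xyz.com DCs report nothing missing; `repadmin /showrepl <dc>` per DC then shows the corresponding absence of inbound connections from xyz.com.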