I've recently inherited an Active Directory (all DCs Windows 2003) which has been configured with several child domains that are used as test environments for our CRM software. Two of these child domains have been used for testing using dates in the future (2015), throwing them well outside of the Kerberos tolerance for time, and they're flooding my event logs with replication errors such as the following:
Description:
The attempt to establish a replication link for the following writable directory partition failed.
Directory partition:
CN=Schema,CN=Configuration,DC=ad,DC=xxxxxxx,DC=com
Source domain controller:
CN=NTDS Settings,CN=TESTDC001,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=ad,DC=xxxxxxx,DC=com
Source domain controller address:
38e95b2a-35af-4174-84ba-9ab039528cce._msdcs.ad.xxxxxxx.com
Intersite transport (if any):
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.
User Action
Verify if the source domain controller is accessible or network connectivity is available.
Additional Data
Error value:
5 Access is denied.
I'd also like to upgrade to Windows 2008 at some point, but wouldn't want to attempt any schema updates while I'm not 100% confident on the replication. I'm guessing my only real solution will be to get rid of these child domains.
The child domains are operating as stand-alone domains; the DC is up and running and authenticating test users fine. I'm guessing the best solution to this would be to delete the domains (although I'd be happily told otherwise). The clock forwarding appears to have been happening for several years, so I'm assuming I can't just put the clock right (I'm guessing the scope for this would be 180 days, the same as the tombstone lifetime).
With the replication errors, would I be able to dcpromo the child domain's DC, select it as the last domain controller in the domain, and have the child domain deleted? Or would I be better off treating the domain as an orphaned domain and using Microsoft's instructions to clean up as such?
Any advice would be much appreciated.
Because you are seeing replication errors there is the possibility that doing a dcpromo would not cleanly remove the child domains.
Doing the metadata cleanup as described in the KB article will remove all traces of the child domain from your parent domain. I would make sure the domain controllers for the child domains are powered down or rebuilt without the active directory role before doing the metadata cleanup.
This all assumes there is nothing in the child domains that needs to be retained.
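As an added illustration (not part of the question or the answer above), here is a PowerShell pre-check script for this situation: it measures how far the child DC's clock is from a healthy forest-root DC against the default 5-minute Kerberos tolerance, lists the replication links that report failures, and prints the ntdsutil metadata cleanup sequence for review rather than running it. The names PARENTDC01, the child domain DN and DC=ad,DC=example,DC=com are assumptions; TESTDC001 and SiteName come from the event text.

```powershell
# Added example for the orphaned child domain scenario above; not from the original post.
# Runs from a forest-root admin workstation with PowerShell and the AD support tools
# (repadmin, ntdsutil) present. All server/domain names below are assumed placeholders.
$ParentDc      = 'PARENTDC01'                               # assumed healthy root DC
$ChildDc       = 'TESTDC001'                                # child DC from the event
$ChildServerDn = 'CN=TESTDC001,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=com'
$MaxClockSkew  = New-TimeSpan -Minutes 5                    # Kerberos default tolerance

function Get-RemoteClock([string]$Computer) {
    # Win32_OperatingSystem.LocalDateTime is a DMTF timestamp string; convert it.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer
    [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
}

# 1. Clock skew check: a DC years in the future cannot obtain Kerberos tickets, and
#    replication (which authenticates with Kerberos) fails with "Access is denied".
$skew = (Get-RemoteClock $ChildDc) - (Get-RemoteClock $ParentDc)
if ([Math]::Abs($skew.TotalSeconds) -gt $MaxClockSkew.TotalSeconds) {
    Write-Warning ('{0} is {1:N0} seconds ahead of {2}; this exceeds the Kerberos ' +
                   'tolerance, so replication with it cannot succeed.' -f $ChildDc, $skew.TotalSeconds, $ParentDc)
}

# 2. Show only the failing inbound links on the parent DC (repadmin prints
#    "Last attempt @ <time> failed, result <n>" for each broken link).
repadmin /showrepl $ParentDc | Select-String -Pattern 'DSA object GUID|failed, result'

# 3. Metadata cleanup plan. Per the answer above, power the child DC off first;
#    this prints the interactive ntdsutil sequence so it can be reviewed, not executed.
$cleanupSteps = @(
    'ntdsutil',
    'metadata cleanup',
    'connections',
    "connect to server $ParentDc",
    'quit',
    'select operation target',
    'list domains',
    'select domain <n>          # pick the orphaned child domain from the list',
    'list sites',
    'select site <n>            # site containing ' + $ChildDc,
    'list servers in site',
    "select server <n>          # $ChildServerDn",
    'quit',
    'remove selected server',
    'remove selected domain',
    'quit', 'quit'
)
Write-Host "ntdsutil metadata cleanup sequence for $ChildDc (review before running):"
$cleanupSteps | ForEach-Object { Write-Host "  $_" }
```

After the cleanup, re-run the repadmin filter above; the links to TESTDC001 should no longer appear, and any remaining DNS records for the child domain can then be removed.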