Forum Discussion
Child domain lost - How best to disconnect/disable mailboxes with no writable AD
From what I recall and checking old emails, I believe we attempted Disable-Mailbox with various switches, but that resulted in the same issue, e.g. being unable to contact the child domain controller (worth checking though). I don't think ADSI Edit was an option, as the user object wasn't accessible.
In this instance, I believe the child domain was not recoverable, so we took steps to remove the child domain controller/s and child domain from the forest. Taking these steps obviously has wider implications and depends on whether you're planning to recover your child domain.
If you were to pursue removing the child domain, before doing this I advise collecting the mailbox details to an XML if you can, because you'll likely want to grab the legacyExchangeDN and proxyAddresses to reapply elsewhere, e.g. 'Get-Mailbox -Identity john.smith | Export-Clixml c:\temp\jsmithmbxdetails.xml'
As a result, the mailboxes were then disconnected in Exchange and no longer associated to the orphaned AD objects. I believe you could then connect the disconnected mailbox to another AD object.
My notes on the child domain controller and domain removal (obviously use at your own risk, and I would recommend testing in a lab first if you're unsure)....
To Remove Domain Controller
ntdsutil:
type metadata cleanup
type connections
type connect to server servernamehere
type quit
type select operation target
type list domains
type select domain number
type list sites
type select site number
type list servers in site
type select server number
type quit
type remove selected server
type quit
In Active Directory Users and Computers, expand the domain controllers container. Delete the computer object associated with the failed domain controller.
Windows Server 2003 AD might display a new type of question window, asking you if you want to delete the server object without performing a DCPROMO operation. Select "This DC is permanently offline..." and click on the Delete button.
AD will display another confirmation window. If you’re sure that you want to delete the failed object, click Yes to remove the failed server object from DNS.
In the DNS snap-in, expand the zone that is related to the domain from where the server has been removed. Remove the CNAME record in the _msdcs.root domain of forest zone in DNS. You should also delete the HOSTNAME and other DNS records. If you have reverse lookup zones, also remove the server from these zones.
To remove domain:
ntdsutil:
type metadata cleanup
type connections
type connect to server servernamehere
type quit
type select operation target
type list domains
type select domain number
type quit
type remove selected domain
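An added example of the export-then-reapply step described above (not the poster's own commands): it snapshots legacyExchangeDN and proxy addresses for every mailbox whose AD object sits in the child domain before the metadata cleanup, then reconnects each disconnected mailbox to a replacement account and re-adds the old legacyExchangeDN as an X500 proxy so replies to old mail still route. The child domain DN, file path and replacement-account naming are placeholders; run from the Exchange Management Shell.

```powershell
# Added example, not from the original post. Placeholders: child domain DN, export path,
# and the "parent\<alias>" convention for the replacement user accounts.
$exportPath  = 'C:\temp\childdomain-mailboxes.xml'
$childDomainDn = 'DC=child,DC=example,DC=local'

# Step 1 (before ntdsutil metadata cleanup): snapshot what you will need later.
# Strings only, so the XML round-trips cleanly through Import-Clixml.
$snapshot = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.DistinguishedName -like "*,$childDomainDn" } |
    Select-Object DisplayName, Alias,
        @{ Name = 'ExchangeGuid';     Expression = { $_.ExchangeGuid.ToString() } },
        @{ Name = 'Database';         Expression = { $_.Database.Name } },
        @{ Name = 'LegacyExchangeDN'; Expression = { $_.LegacyExchangeDN } },
        @{ Name = 'ProxyAddresses';   Expression = {
            @($_.EmailAddresses | ForEach-Object { $_.ProxyAddressString }) } }
$snapshot | Export-Clixml -Path $exportPath

# Step 2 (after the child domain is gone and the mailboxes show as disconnected):
# reconnect each mailbox to a replacement user in a surviving domain, then
# reapply the old addresses. The old legacyExchangeDN goes on as an X500 proxy
# so cached recipients / reply-to-old-mail keep resolving.
$snapshot = Import-Clixml -Path $exportPath
foreach ($m in $snapshot) {
    $newUser = "parent\$($m.Alias)"   # placeholder replacement account

    Connect-Mailbox -Identity $m.ExchangeGuid -Database $m.Database `
        -User $newUser -Alias $m.Alias

    # Old X500 entries are kept too; add the previous legacyExchangeDN on top.
    $toAdd = @("X500:$($m.LegacyExchangeDN)") + $m.ProxyAddresses
    Set-Mailbox -Identity $newUser -EmailAddresses @{ add = $toAdd }
}
```

Run step 2 with -WhatIf on Connect-Mailbox and Set-Mailbox first to confirm each mailbox resolves to the intended replacement account.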
Ben Owens: Oh wow, that is so much more detail than I was expecting or even hoping for... thank you!!
In our case, the child DCs are gone legitimately, just apparently not cleaned up properly. Even the parent domain is legacy and probably not long for this world, so I might just wait until it's time to turf the whole thing.
Definitely appreciate you taking the time to go back and look up your notes from three years ago though. If I could buy you a beer, I would!