Child domain lost - How best to disconnect/disable mailboxes with no writable AD


The AD forest has multiple child domains; for example, contoso.com is the root, with child domains sub1.contoso.com, sub2.contoso.com, etc.

 

The Exchange 2016 servers are installed in the root domain, contoso.com, with PrepareAllDomains, which allows mailboxes to be associated with AD user objects in the child domains.

 

There was an issue encountered resulting in no writable DC for the child domain sub1.contoso.com. In addition, the mailbox database which holds the mailboxes for this child domain is not recoverable.

 

At the moment, the rest of Exchange is functioning okay.

 

I want to run Disable-Mailbox or Remove-Mailbox to delete the mailboxes for the sub1.contoso.com accounts, or run Set-Mailbox with -ForwardingSMTPAddress in order to route emails destined for the child domain users elsewhere. Unfortunately, each of these options requires the ability to access the mailbox database in question or a child DC in sub1.contoso.com.

 

Does anyone know how I can set the ForwardingSMTPAddress for these child-domain user mailboxes, or disable/disconnect the mailboxes for these users in this scenario?

3 Replies
Hey Ben, sorry to bring up past Exchange trauma, but.... 😛
I'm in a similar situation... child domains are gone but the mailboxes and mailbox DBs still exist. Did you ever figure out what to do? I'd like to get these cleaned up.

@GregSmid 

 

From what I recall and from checking old emails, I believe we attempted Disable-Mailbox with various switches, but that resulted in the same issue, e.g. being unable to contact the child domain controller (worth checking though). I don't think ADSI Edit was an option, as the user object wasn't accessible.

In this instance, I believe the child domain was not recoverable, so we took steps to remove the child domain controller(s) and the child domain from the forest. Taking these steps obviously has wider implications and depends on whether you're planning to recover your child domain.

 

If you were to pursue removing the child domain, before doing this I advise collecting the mailbox details to an XML file if you can, because you'll likely want to grab the legacyExchangeDN and proxyAddresses to reapply elsewhere, e.g. 'Get-Mailbox -Identity john.smith | Export-Clixml c:\temp\jsmithmbxdetails.xml'

As a result, the mailboxes were then disconnected in Exchange and no longer associated with the orphaned AD objects. I believe you could then connect the disconnected mailbox to another AD object.

 

My notes on the child domain controller and domain removal (obviously use at your own risk, and I would recommend testing in a lab first if you're unsure)....

To remove a domain controller, in ntdsutil:

type metadata cleanup
type connections
type connect to server <servername>
type quit
type select operation target
type list domains
type select domain <number>
type list sites
type select site <number>
type list servers in site
type select server <number>
type quit
type remove selected server
type quit

In Active Directory Users and Computers, expand the domain controllers container. Delete the computer object associated with the failed domain controller.

Windows Server 2003 AD might display a new type of question window, asking you if you want to delete the server object without performing a DCPROMO operation. Select "This DC is permanently offline..." and click on the Delete button.

AD will display another confirmation window. If you’re sure that you want to delete the failed object, click Yes to remove the failed server object from DNS.

In the DNS snap-in, expand the zone that is related to the domain from which the server has been removed. Remove the CNAME record in the _msdcs.<forest root domain> zone in DNS. You should also delete the HOSTNAME and other DNS records. If you have reverse lookup zones, also remove the server from those zones.

To remove a domain, in ntdsutil:

type metadata cleanup
type connections
type connect to server <servername>
type quit
type select operation target
type list domains
type select domain <number>
type quit
type remove selected domain
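The procedure in the reply above, as an added PowerShell example that is not part of the original post or the poster's own notes: it confirms the child domain has no writable DC, exports the attributes the reply says to keep (legacyExchangeDN, proxy addresses) for every mailbox whose user object lives in the child domain, gives a scripted form of the ntdsutil server cleanup, and after the domain is gone reconnects each orphaned mailbox to a replacement user and applies the forwarding the question asked about. The domain names are the thread's placeholders; the export path, the server object DN, the database handling and the function names are assumptions. The one-line ntdsutil call relies on ntdsutil accepting its menu commands as arguments and on "remove selected server" taking a server DN; domain removal has no DN form and still needs the interactive select steps in the reply.

```powershell
# Added example for this thread, not the original poster's code. Assumes an
# Exchange 2016 Management Shell on a server in the forest root with the
# ActiveDirectory module available. Domain names come from the thread; the
# paths, server DN and function names are assumptions.

Import-Module ActiveDirectory
# Recipient reads go through a global catalog, so child-domain mailboxes are
# visible once the shell's scope is the whole forest; writes still need a DC in
# the object's own domain, which is exactly what is missing in this scenario.
Set-ADServerSettings -ViewEntireForest $true

$ChildDomain   = 'sub1.contoso.com'
$ChildDnSuffix = 'DC=sub1,DC=contoso,DC=com'
$ExportDir     = 'C:\temp\sub1-mailboxes'      # assumed path

# 1. Check that no writable DC answers for the child domain. -Discover -Writable
#    asks the DC locator for a writable DC and throws when none is found.
function Test-ChildDomainWritable {
    param([string]$DomainName)
    try {
        $dc = Get-ADDomainController -Discover -DomainName $DomainName -Writable -ForceDiscover -ErrorAction Stop
        Write-Warning "Writable DC $($dc.HostName) still answers for $DomainName; do not remove the domain"
        return $true
    }
    catch {
        Write-Host "No writable DC for $DomainName ($($_.Exception.Message))"
        return $false
    }
}

# 2. Save what the reply says you will need later (legacyExchangeDN, proxy
#    addresses, mailbox GUID, database) for every mailbox whose user object sits
#    under the child domain's DN, one CLIXML file per mailbox.
function Export-ChildDomainMailboxes {
    param([string]$DnSuffix, [string]$OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $mailboxes = @(Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.DistinguishedName -like "*,$DnSuffix" })
    foreach ($mbx in $mailboxes) {
        $mbx | Select-Object DisplayName, Alias, PrimarySmtpAddress, EmailAddresses,
                             LegacyExchangeDN, ExchangeGuid, DistinguishedName,
                             @{ n = 'DatabaseName'; e = { $_.Database.Name } } |
            Export-Clixml -Path (Join-Path $OutDir "$($mbx.ExchangeGuid).xml")
    }
    return $mailboxes.Count
}

# 3. Scripted form of the "remove selected server" steps from the notes above.
#    ntdsutil takes its menu commands as arguments, and "remove selected server"
#    accepts the DN of the DC's server object in the Configuration partition, so
#    the list/select steps are not needed. Domain removal has no DN form and is
#    left to the interactive steps in the reply.
function Remove-FailedDcMetadata {
    param([string]$ServerDn)  # e.g. CN=SUB1DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com (assumed)
    & ntdsutil.exe 'metadata cleanup' "remove selected server $ServerDn" quit quit
}

# 4. After the child domain is gone, the mailboxes are orphaned. The store marks
#    a mailbox disconnected on its next maintenance pass; Update-StoreMailboxState
#    forces that now. Reconnect it to a replacement user in a writable domain and
#    keep the old legacyExchangeDN as an X500 address so replies to old mail and
#    cached Outlook entries still resolve. Forwarding, the original question's
#    goal, is then an ordinary Set-Mailbox call.
function Restore-OrphanedMailbox {
    param([string]$ExportFile, [string]$NewUser, [string]$ForwardTo)
    $old = Import-Clixml -Path $ExportFile
    Update-StoreMailboxState -Database $old.DatabaseName -Identity $old.ExchangeGuid -Confirm:$false
    $stat = Get-MailboxStatistics -Database $old.DatabaseName |
        Where-Object { $_.MailboxGuid -eq $old.ExchangeGuid }
    if (-not $stat -or -not $stat.DisconnectReason) {
        throw "Mailbox $($old.ExchangeGuid) is not disconnected; confirm the child domain metadata was removed"
    }
    Connect-Mailbox -Identity $old.ExchangeGuid -Database $old.DatabaseName -User $NewUser
    Set-Mailbox -Identity $NewUser -EmailAddresses @{ Add = "X500:$($old.LegacyExchangeDN)" }
    if ($ForwardTo) {
        Set-Mailbox -Identity $NewUser -ForwardingSmtpAddress $ForwardTo -DeliverToMailboxAndForward $true
    }
}

# Usage: run the first two steps before removing anything, the last afterwards.
if (-not (Test-ChildDomainWritable -DomainName $ChildDomain)) {
    $n = Export-ChildDomainMailboxes -DnSuffix $ChildDnSuffix -OutDir $ExportDir
    Write-Host "Exported $n mailbox records to $ExportDir"
}
# Remove-FailedDcMetadata -ServerDn 'CN=SUB1DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com'
# Restore-OrphanedMailbox -ExportFile "$ExportDir\<guid>.xml" -NewUser 'contoso\john.smith' -ForwardTo 'john.smith@example.com'
```

The export happens before any destructive step because the legacyExchangeDN is the one value you cannot recover once the user object is gone with its domain; without it as an X500 proxy on the new mailbox, replies to messages sent from the old mailbox fail with IMCEAEX non-delivery reports. The writable-DC check is there so the script refuses to proceed if the child domain turns out to be recoverable after all.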



@Ben Owens Oh wow, that is so much more detail than I was expecting or even hoping for... thank you!!

 

In our case, the child DCs are gone legitimately, just apparently not cleaned up properly. Even the parent domain is legacy and probably not long for this world, so I might just wait until it's time to turf the whole thing.

 

Definitely appreciate you taking the time to go back and look up your notes from three years ago though. If I could buy you a beer, I would!