Orphaned Domain Site


I have an AD installation that is running on four different locations across the globe. Before I took this job the network in Hungary lost its VPN connection to the rest of the group, especially with the main office here in the United States. The Hungary operation was allowed to run alone for many years on that orphaned domain, having no connections with the rest of the domain/servers/network. I cannot see any connections to the Hungary domain controllers in any of the various AD settings here in the US, but I do see settings in the Hungary domain controllers looking for the US and other sites. With the US and other sites not acknowledging the Hungary domain nothing is happening, except for expected errors in the Hungary server.

Over the years the Hungary operation has made numerous changes such as user management and other AD maintenance that has taken them a LONG way from the rest of the domain.

We have re-established the VPN connections and I am looking for advice on how to introduce this Hungarian AD domain back into the family where it once held a place. If I demote the Hungarian and bring it back onboard, what would I lose? What do I need to document in Hungary before nuking/demoting those local domain controllers? Such as adding new users to the working domain that are found on the Hungarian domain but not in the working one?


There is only one domain name shared by all four sites. The DNS for the US/China/Mexico servers does not show any SRV domain controllers for Hungary, but Hungary shows the US ones, so no AD information is being shared at this time. The FSMO Operations Masters are located on a server in the US, never were in Hungary.


The Hungary location has probably near 40 PCs to deal with. I will probably use the "Domain Migration" utility from forensit.com to move the existing users to the proper domain.


How do I proceed to reunite this fragmented domain without incurring a lot of damage? Any steps that are crucial to be done before others? Such as ensuring all local Hungary PCs have a local admin user account so I can rejoin the new domain once the local domain controllers are demoted. If the local controllers are demoted first, would I be able to log on to these PCs again (probably not)? What should be done with the local Hungarian DNS servers, nuke those and start over again as well?


I inherited this mess and seek the most secure way forward, ensuring workers can come back to work on a Monday morning, log on, and find their files. I realize it'll be a long weekend project.
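The question above asks what must be documented on the Hungarian side before its domain controllers are demoted, and how to find accounts that exist only there. The following PowerShell inventory script is an added example, not code from the original post or from any migration product; it assumes the RSAT ActiveDirectory module, a reachable Hungarian DC, a reachable US DC, and placeholder host names, domain name and output folder that must be replaced. It exports users, group memberships and computers from the isolated side to CSV, then lists enabled accounts that have no counterpart on the authoritative US side.

```powershell
# Added example (not from the original post): inventory the isolated Hungarian
# domain controller before it is demoted, and list accounts that exist there
# but not on the authoritative US side. Requires the RSAT ActiveDirectory module.
# Host names, the domain name and the output folder are assumptions; replace them.
Import-Module ActiveDirectory

$HuDC   = 'hu-dc01.corp.example'   # assumed: a Hungarian DC
$UsDC   = 'us-dc01.corp.example'   # assumed: the US DC that holds the FSMO roles
$OutDir = 'C:\ADInventory\HU'      # assumed: where the exports go
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Users: everything needed to recreate or map an account later.
$huUsers = Get-ADUser -Server $HuDC -Filter * -Properties DisplayName, Mail,
    Enabled, LastLogonDate, whenCreated, PasswordLastSet, MemberOf, HomeDirectory, ProfilePath
$huUsers | Select-Object SamAccountName, DisplayName, Mail, Enabled, LastLogonDate,
    whenCreated, PasswordLastSet, HomeDirectory, ProfilePath,
    @{n='MemberOf'; e={ ($_.MemberOf -join ';') }} |
    Export-Csv -Path (Join-Path $OutDir 'hu-users.csv') -NoTypeInformation

# 2. Groups with their direct membership, one group-to-member row per line.
Get-ADGroup -Server $HuDC -Filter * | ForEach-Object {
    $g = $_
    Get-ADGroupMember -Server $HuDC -Identity $g |
        Select-Object @{n='Group';  e={ $g.SamAccountName }},
                      @{n='Member'; e={ $_.SamAccountName }},
                      objectClass
} | Export-Csv -Path (Join-Path $OutDir 'hu-groups.csv') -NoTypeInformation

# 3. Computers: the PCs that will have to be rejoined after the demotion.
Get-ADComputer -Server $HuDC -Filter * -Properties OperatingSystem, LastLogonDate, IPv4Address |
    Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate, IPv4Address, Enabled |
    Export-Csv -Path (Join-Path $OutDir 'hu-computers.csv') -NoTypeInformation

# 4. Diff: enabled accounts that exist only in Hungary must be recreated on the
#    US side (or mapped by the migration tool) before the local DCs go away.
$usNames = (Get-ADUser -Server $UsDC -Filter *).SamAccountName
$huOnly  = $huUsers | Where-Object { $usNames -notcontains $_.SamAccountName -and $_.Enabled }
$huOnly | Select-Object SamAccountName, DisplayName, LastLogonDate |
    Export-Csv -Path (Join-Path $OutDir 'hu-only-users.csv') -NoTypeInformation

"{0} HU users total, {1} enabled accounts exist only in Hungary" -f $huUsers.Count, $huOnly.Count
```

Run it from a workstation or server that can reach both DCs over the restored VPN, with an account that can read both directories. The CSVs are the record to keep from the Hungarian side; the `hu-only-users.csv` list is the set of people who would have no account to log on with on Monday morning if the local DCs were simply demoted.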

3 Replies

If they have been disconnected for years then obviously the tombstone lifetime has long been exceeded and most likely the roles have been seized on the Hungary side to where each side now has its own role holder(s). There's not a lot you can do other than pick one side and rebuild the other.

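The reply above raises two things to verify before choosing a side: whether the tombstone lifetime has been exceeded, and whether each side now reports its own FSMO role holders. The following PowerShell check is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, placeholder DC host names and a placeholder disconnect date, all of which must be replaced. It asks each DC which servers it believes hold the five roles and flags any role where the answers differ, reads the forest tombstone lifetime from the configuration partition, and lists the DC SRV records each side's DNS advertises.

```powershell
# Added example (not from the replies): ask each side of the split which servers
# it believes hold the FSMO roles, read the forest tombstone lifetime, and compare
# it with how long the sites have been apart. Host names and the disconnect date
# are assumptions; replace them with yours.
Import-Module ActiveDirectory

$HuDC = 'hu-dc01.corp.example'               # assumed Hungarian DC
$UsDC = 'us-dc01.corp.example'               # assumed US DC
$DisconnectedSince = Get-Date '2019-06-01'   # assumed date the VPN dropped

function Get-FsmoView {
    param([string]$Server)
    $d = Get-ADDomain -Server $Server
    $f = Get-ADForest -Server $Server
    [pscustomobject]@{
        AnsweringDC    = $Server
        PDCEmulator    = $d.PDCEmulator
        RIDMaster      = $d.RIDMaster
        Infrastructure = $d.InfrastructureMaster
        SchemaMaster   = $f.SchemaMaster
        DomainNaming   = $f.DomainNamingMaster
    }
}

$views = @( (Get-FsmoView $UsDC), (Get-FsmoView $HuDC) )
$views | Format-Table -AutoSize

# A role where the two answers differ has been seized on one side; seizure is a
# manual administrative step, so someone did this deliberately after the split.
foreach ($role in 'PDCEmulator','RIDMaster','Infrastructure','SchemaMaster','DomainNaming') {
    if ($views[0].$role -ne $views[1].$role) {
        Write-Warning "$role differs: US says $($views[0].$role), HU says $($views[1].$role)"
    }
}

# The tombstone lifetime lives on the Directory Service object in the configuration
# partition; an unset value means the default (60 or 180 days depending on when the
# forest was created). Replication from a partner that has been offline longer than
# this is refused, which is why the reply says one side has to be rebuilt.
$rootDse = Get-ADRootDSE -Server $UsDC
$dsObj   = Get-ADObject -Server $UsDC -Properties tombstoneLifetime `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$tsl = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 'default (not set)' }
$apartDays = [int]((Get-Date) - $DisconnectedSince).TotalDays
"Tombstone lifetime: $tsl days; sites apart: $apartDays days"

# SRV records: which domain controllers does each side's DNS advertise?
foreach ($dns in $UsDC, $HuDC) {
    $zone = (Get-ADDomain -Server $dns).DNSRoot
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zone" -Type SRV -Server $dns |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object @{n='AskedDns'; e={ $dns }}, NameTarget, Priority, Weight
}
```

If the FSMO comparison shows two different holders for any role, or the days apart exceed the tombstone lifetime, the two directories can no longer be reconciled by replication and the plan has to be the one the reply describes: keep the US side as authoritative and rebuild Hungary from it.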

I was unaware the Hungarian servers would seize control like that, but after a netdom /query you are proven correct, a server in Hungary has claimed all five roles.

No, it is not automatic, someone must do it manually. Probably happened shortly after the sites became disconnected.


(please don't forget to mark helpful replies)