Dude, where's my Forest Root?
Let's look at a hypothetical worst-case scenario:
ü Your AD infrastructure contains one root domain and one or more child domains.
ü You've lost all the DC's in the Root domain due to hardware failure (Example: putting all DC’s in the root domain on the same SAN)
ü There are no usable System State backups of the DC's in the Root domain available
. ...i.e. you’ve gotten into a situation where you can't recover the forest root domain using any means.
How will this affect AD operations?
In short; Your forest needs to be migrated into a new forest if you’ve lost all DC’s in the forest root domain and can’t recover from a backup.
Off the top of my head, I can think of at least the following bad things which happen when you’ve lost your forest root:
· The Schema Admins and Enterprise Admins groups are gone; you will not be able to make any changes to their membership. However, as long as you have at least one GC in one of the child domains and a user in the child domain was a member of either group you should still get a Sid for the group into your access token when you log on with a user that is already a member of either group.
· Transitive trusts between child domains break, you’ll need to replace these with direct shortcut trusts to restore access from one child domain to another
· Forest trusts will break completely and no new ones can be established (forest trusts are between two forest roots, of which at least one side is now vaporized)
· DCPromo of new DC’s into the child domain may fail *(see notes below)
· DNS Resolution may fail unless the DNS servers in the child domains contain zones other than their own and/or have been configured to resolve external queries outside of the forest.
If your scenario was an empty forest root and all users and services were in a single child domain and no forest trust was in use, losing the forest root may not become immediately visible to the end-users.
Once the forest root is gone however, migrating to a new AD infrastructure is the only long-term alternative.
This would be a good time to:
a) Review the AD Backup and Disaster Recovery strategy
b) Reconsider putting all DC’s on the same physical hardware (effectively introducing a single point of failure for a distributed service)
c) If you were thinking about restructuring the AD infrastructure at some time, then now is the right time to do it.
The initial recommendation for forest root domains when Windows 2000 was released was made based on being able to separate and protect the Enterprise Admins and Schema Admins groups from the Domain Admins in the child domains. This is a valid general security measure that will prevent normal membership changes to those groups but is in itself not enough to fully protect them from a rogue admin in the child domain with physical access to a DC being able to raise their permissions enough to add themselves to either group as described in MS02-001.
Microsoft has the tool ADMT available to assist customers with migrating/restructuring an AD infrastructure. Exchange has built-in tools for mailbox migrations using the Exchange Migration Wizard.
Choosing a Forest Root Domainhttp://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgbd_ads_xsfl.mspx?mfr=true
Recovering Your Active Directory Forest
http://technet.microsoft.com/en-us/library/cc757662.aspx
Forest Recovery Procedures
http://technet.microsoft.com/en-us/library/cc781218.aspx
Restructuring Active Directory Domains Between Forests
http://technet.microsoft.com/en-us/library/cc786927.aspx
ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains
http://www.microsoft.com/downloads/details.aspx?FamilyID=6D710919-1BA5-41CA-B2F3-C11BCB4857AF&displaylang=en
Active Directory Migration Tool version 3.1
http://www.microsoft.com/downloads/details.aspx?familyid=AE279D01-7DCA-413C-A9D2-B42DFB746059&displaylang=en
What Are Domain and Forest Trusts?
http://technet.microsoft.com/en-us/library/cc757352.aspx
How to use the Exchange Migration Wizard to migrate mailboxes from an Exchange organization
http://support.microsoft.com/default.aspx?scid=kb;en-us;328871
Microsoft Security Bulletin MS02-001Trusting Domains Do Not Verify Domain Membership of SIDs in Authorization Data
http://www.microsoft.com/technet/security/bulletin/ms02-001.mspx