Orphaned child domain controller information is not replicated to other domain controllers

Applies to: Windows Server 2019Windows Server 2016

Symptoms


A Microsoft Windows Server-based child domain is orphaned from the rest of the forest. This child domain can receive changes that are replicated by domain controllers in the parent (root) domain, but no domain controllers in the root domain or any other child domains have knowledge of the domain controllers in the affected child domain.

When an administrator tries to view the domain controllers in the orphaned child domain from another domain, no domain controllers are displayed. For example, no domain controllers are displayed in the following configuration naming context:

CN=Servers,CN=Site_Name,CN=Sites,CN=Configuration,DC=Domain_Name,DC=com


In this case, Site_Name and Domain_Name are attributes of the orphaned domain.

Cause


This issue may occur if the child domain is orphaned from the parent domain.

Resolution


To resolve this issue, you must create a replication link and then enable one-way authentication instead of two-way authentication. To do this, follow these steps:

  1. On a domain controller in the root domain, add the Replicator Allow SPN Fallback registry value. To do this, follow these steps on the domain controller.
    1. Select Start > Run, and then enter regedt32.
    2. Select the following registry subkey:
       
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    3. Select Edit > New > DWORD Value.
    4. Enter Replicator Allow SPN Fallback.
    5. In the right pane, double-click Replicator Allow SPN Fallback, type 1 in the Value data box, and then select OK.
    6. Restart the domain controller.
  2. Open a Command Prompt window, and run the following commands:
    repadmin /options fully_qualified_domain_name_(FQDN)_of_the_root_domain_controller +DISABLE_NTDSCONN_XLATErepadmin /add CN=Configuration,DC=Domain_Name,DC=Domain_Name FQDN_of_the_root_domain_controller FQDN_of_the_child_domain_controllerrepadmin /showreps
    A successful incoming connection should be displayed for the configuration naming context from the child domain controller.
  3. At the command prompt, run the following command:
    repadmin /options FQDN_of_the_root_domain_controller -DISABLE_NTDSCONN_XLATE
  4. Remove the Replicator Allow SPN Fallback registry entry. To do this, follow these steps:
    1. Start Registry Editor, and select the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    2. Right-click Replicator Allow SPN Fallback, select Delete, and then select OK.
  5. Force replication between all domain controllers in the root domain. To do this, follow these steps:
    1. On a domain controller in the root domain, select Start > Programs > Administrative Tools > Active Directory Sites and Services.
    2. Expand Sites > Servers, expand your Server_Name folder, and then select NTDS Settings.
    3. If there are other domain controllers in your environment to replicate, they will be listed in the right pane. Right-click the first domain controller in the list, select All Tasks, and then select Check Replication Topology to start the Knowledge Consistency Checker (KCC).

      An incoming connection object from one or more of the child domain controllers is displayed. You may have to update the display by pressing F5.
    4. Repeat step 3 for each domain controller in the root domain.
  6. Allow replication to occur throughout the forest. Then, run the repadmin /showreps command on the root domain controller and on the child domain controllers. This step makes sure that Active Directory Directory Service (AD DS) replication is successful.

The Replication Allow SPN Fallback registry entry enables the domain controller to use one-way authentication if two-way authentication cannot be performed because of a failure to resolve a Service Principal Name (SPN) to a computer account.