Just a quick note to let everyone know that it appears that I got it all working, and in only an afternoon, at that. I know, I was as shocked as you are. LOL

A quick recap (not a full HOWTO): We have a parent/child domain environment, 3 DCs in the parent, 7 DCs in the child, spread across 4 sites. (The parent domain is empty; all users and resources are in the child. That was the recommended config when it was first built, like a dozen years ago.) I have 1 DC in each domain that is a VM. I cloned each DC, and (in VMware) assigned it to a private virtual switch (i.e., a switch that has no physical adapters assigned to it), so the only things they could communicate with are other VMs on this same switch. This effectively isolates them.

First, seize all FSMO roles in the parent, wait a bit, then do the same on the child DC. I did it from the command line (there are lots of web search examples).

Next, clean up the metadata of all those DCs that no longer exist in this environment. There is a script in the TechNet Gallery to do this, but it is not set up for a parent/child environment, so I did it manually. With Win2008 R2 it's easy, using the ADUC and Sites and Services GUI (you can also do it from the CLI). Make sure when deleting DCs to check off "DC is permanently offline, and can no longer be demoted using DCPROMO". What I didn't do: remove the now-empty sites and subnets (I have lots of subnets, as we have lots of remote offices). I just left them there, empty.

Next, the hardest and longest part (for me): cleaning up DNS. You have to clean up the "Name Servers" tab on your zone, and delete any records in each sub-zone (such as _msdcs, _tcp, etc.) that refer to the non-existent DCs. And do the same for all reverse zones. This is what took a while; I have like 60 subnets across all my sites, and I had to edit each reverse zone. If I had decided to delete all the sites and subnets earlier, I wouldn't have had so much to do in the reverse zones. I suppose I could have done it with a script, using dnscmd to delete records for every zone. And if I had to do it again, I would have set that up.

And that was pretty much it. Replication is working (repadmin /replsummary shows only 2 DCs, and no failures in replication); dnslint shows no DNS errors. Event logs show no errors since yesterday afternoon, when I did all this.

Still have to clean up some stuff: time sync, mostly. Not sure how to set it, since it will have no connectivity to any NTP server ... And external forwarders on DNS on the parent domain.

Anyways, just a high-level overview. Looks like I have a clone of my environment (almost completely) set up. Now I can add Win2012 servers, and practice upgrading the AD from Win2008 R2 to Win2012 R2. And the beauty of VMs is that I can snapshot before trying the upgrade, and roll back if it errors out. (I have to roll back ALL servers in this cloned domain, but there will never be more than like 2 DCs in each domain, and a workstation to test logging in, etc.)
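One way to script the DNS cleanup step described in the post, as an added example rather than the poster's own script: PowerShell against the root\MicrosoftDNS WMI provider (present on Win2008 R2, so it runs on the cloned DC itself) walks every forward and reverse zone and reports records that still reference the decommissioned DCs, deleting them only when run with -Delete. The DC names are placeholders; the SOA record is listed but never deleted, because its primary server must be edited in the zone properties instead.

```powershell
param(
    [string]   $DnsServer    = 'localhost',
    [string[]] $StaleDcNames = @('OLDDC01', 'OLDDC02'),   # placeholders for the removed DCs
    [switch]   $Delete                                     # omit for a report-only dry run
)

$ns = 'root\MicrosoftDNS'

# One regex that matches any stale hostname as a whole DNS label. RecordData
# looks like "olddc01.child.example.com." for NS/PTR/CNAME records and
# "0 100 389 olddc01.child.example.com." for SRV; A/AAAA records carry the host
# in OwnerName. Whole-label matching keeps OLDDC01 from also matching OLDDC010.
$escaped = ($StaleDcNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
$pattern = '(^|[.\s])(' + $escaped + ')(\.|$)'

# Every zone on the server (forward, reverse, _msdcs) except the built-in cache zone.
$zones = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Zone -ComputerName $DnsServer |
         Where-Object { $_.Name -ne '..Cache' }

$hits = foreach ($zone in $zones) {
    Get-WmiObject -Namespace $ns -Class MicrosoftDNS_ResourceRecord -ComputerName $DnsServer `
                  -Filter "ContainerName='$($zone.Name)'" |
      Where-Object { $_.OwnerName -imatch $pattern -or $_.RecordData -imatch $pattern } |
      ForEach-Object {
          New-Object PSObject -Property @{
              Zone   = $zone.Name
              Type   = $_.__CLASS -replace '^MicrosoftDNS_|Type$', ''   # e.g. "A", "NS", "SRV"
              Record = $_.TextRepresentation
              Wmi    = $_
          }
      }
}

# Always print what was found so the result can be checked before anything is removed.
$hits | Sort-Object Zone, Type | Format-Table Zone, Type, Record -AutoSize

if ($Delete) {
    $removed = 0
    foreach ($h in ($hits | Where-Object { $_.Type -ne 'SOA' })) {
        $h.Wmi.Delete()
        $removed++
        Write-Host "Deleted [$($h.Zone)] $($h.Record)"
    }
    Write-Host "Removed $removed record(s); $(@($hits).Count - $removed) left for manual review."
} else {
    Write-Host "Dry run: $(@($hits).Count) matching record(s). Re-run with -Delete to remove them."
}
```

Run it once without -Delete and compare the list against the "Name Servers" tab and the _msdcs/_tcp sub-zones before committing; snapshot the DC first, as the post already suggests for the rest of the lab.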

