If you ever encounter the error "The replication operation encountered a database error" while trying to create a new domain within a forest, it makes you sweat a bit. Your brain tells you it will be a nightmare to fix, you start wondering whether you have proper backups, and the question "why now?" shows up.
Of course, one should not panic, but instead try to check what is actually wrong. In those cases, I usually run Testimo to quickly run the relevant tests. While Testimo has more than 70 tests that can help you secure your environment, it is also great for debugging or doing quick checks, and it saves a lot of time compared to walking through your environment manually.
Invoke-Testimo -Sources DCDFS, DCServices, ForestReplication, DCDiagnostics, DomainLDAP
Within a few minutes, I had a full report showing that everything was mostly OK. Sure, there were some small problems, but generally replication worked, services were up and running, dcdiag didn't report anything major, and SYSVOL/DFS was mostly fine. In addition, I checked some event logs, but nothing really stood out.
Having everything shown as green is great, but the issue was still there and I couldn't add a new domain to the forest. Then it hit me: what is the current patch level of this machine? There it was, the November 2021 patch installed. The system was up to date, but, as you should already be aware, that Cumulative Update has a single flaw: it breaks Kerberos, so if the patch is applied to a Domain Controller it requires another update to be installed on top.
While the patch notes don't mention anything about database corruption or about blocking the ability to add a new Active Directory domain to a forest, it seems that the November 2021 Windows patches also impact this functionality, and they can give you a heart attack in the process if you are doing this on production. So if you run into an Active Directory database error, make sure to verify your patching level first.
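One way to do that patch-level check across every Domain Controller in the forest before attempting a domain promotion. This is an added example, not code from the original post or from the Testimo project; it assumes the ActiveDirectory RSAT module is available, that you can query each DC remotely, and it uses a placeholder `$RequiredKB` that you replace with the superseding update for your OS build.

```powershell
# Added example (not from the original post or the Testimo project).
# Lists the most recently installed update on every DC in the forest and
# flags DCs that are missing the superseding update, so a half-patched DC
# stands out before you try to add a new domain.
Import-Module ActiveDirectory

# Assumption: placeholder for the update expected on top of the November 2021
# Cumulative Update. Replace with the KB number from the vendor advisory.
$RequiredKB = 'KBxxxxxxx'

$forest  = Get-ADForest
$results = foreach ($domainName in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        try {
            # Get-HotFix queries the remote DC; newest install first.
            $fixes = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                     Sort-Object InstalledOn -Descending
            [pscustomobject]@{
                Domain        = $domainName
                DC            = $dc.HostName
                OS            = $dc.OperatingSystem
                LatestKB      = $fixes[0].HotFixID
                LatestInstall = $fixes[0].InstalledOn
                HasRequiredKB = [bool]($fixes | Where-Object HotFixID -eq $RequiredKB)
            }
        }
        catch {
            # A DC we cannot query is reported rather than silently skipped.
            [pscustomobject]@{
                Domain        = $domainName
                DC            = $dc.HostName
                OS            = $dc.OperatingSystem
                LatestKB      = "query failed: $($_.Exception.Message)"
                LatestInstall = $null
                HasRequiredKB = $false
            }
        }
    }
}

# DCs with HasRequiredKB = False (or a failed query) are the ones to deal with
# before retrying the domain promotion.
$results | Sort-Object HasRequiredKB, LatestInstall | Format-Table -AutoSize
```

Run this from a machine with RSAT as an account that can read each DC; a DC whose latest update dates from November 2021 with `HasRequiredKB` set to `False` is exactly the state described above, and Testimo will not necessarily surface it because replication and services still look healthy.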