

2003 AD Child to Parent DC Replication is Tombstoned

Posted on 2009-05-06
Medium Priority
Last Modified: 2012-05-06
We have a domain, child.parent.edmondok.com for example (parent.edmondok.com would be the example parent domain), whose 2 domain controllers (CDDC001 and CDBKU01) are not replicating to the 2 parent domain controllers (PD01 and PD02).  Something happened back in February 2008, and now CDDC001 and CDBKU01 are tombstoned (tombstone lifetime set to 60 days).  Shows what happens when you bury your head in projects and don't check maintenance.  It apparently isn't causing any issues, as the two domains don't have much interaction.  We are upgrading to 2008, and I would like to get this taken care of before doing so.
I have read on other threads that there are two things we can do to resolve this.  The most often recommended is to forcibly demote the DCs using dcpromo /forceremoval and then clean up the metadata.
As both the child.parent.edmondok.com domain controllers are tombstoned, I'm not sure I should demote them both.
The other option is to run repadmin /removelingeringobjects on all the DCs (with the correct parameters including servername and serverGUID) and then force replication by modifying the "Allow Replication With Divergent and Corrupt Partner" reg key in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" to 1.  After replication I would set it back.
I believe the second option would be best in my case due to both child DCs having been tombstoned and just want to get verification that it is the best option.
Thanks for all comments and answers.
Question by:Edmondadm
LVL 11

Accepted Solution

Abhay Pujari earned 750 total points
ID: 24315610
I think you are right, the 2nd option suits you. But my point is, if you do not need the child DCs, then go for option 1. It is up to you how you want to get this done.

Author Closing Comment

ID: 31578475
As the child domain was a must for security reasons, I went for option 2 with a slight modification.  Since the child domain is a small domain and there were very few changes made to it, I just forced replication without removing lingering objects.  The reason for this was that I wasn't sure if anything was added to the child domain (new users, etc), but only one user had been deleted that still showed in the parent domain.  Forcing replication may have added that user back, but ensured I kept any changes that were made to the child domain that the parent domain wasn't aware of.  I'm not entirely sure that is how it works, but didn't want to take a chance.  All is working now.  Thanks.
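
The second option from the question, written out as an added example (not code from the thread or from Microsoft): it first runs the lingering-object check in advisory mode, which reports without deleting, then enables the divergent-partner value only for the duration of one replication attempt and always resets it. The DC names, DSA GUID and naming context are placeholders, and it assumes an elevated PowerShell session on the destination DC.

```powershell
# Added example. All parameter defaults are placeholders, not values from the thread.
param(
    [string]$DestDC        = 'DEST-DC-PLACEHOLDER',     # DC this script runs on
    [string]$SourceDC      = 'SOURCE-DC-PLACEHOLDER',   # replication partner
    [string]$SourceDsaGuid = '00000000-0000-0000-0000-000000000000', # DSA object GUID shown by repadmin /showrepl
    [string]$NamingContext = 'DC=example,DC=invalid',
    [switch]$RemoveLingering   # without this switch nothing is deleted
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$name = 'Allow Replication With Divergent and Corrupt Partner'

# 1. Advisory mode: lists lingering objects in the Directory Service
#    event log on the destination DC but removes nothing.
& repadmin /removelingeringobjects $DestDC $SourceDsaGuid $NamingContext /advisory_mode
if ($LASTEXITCODE -ne 0) { throw "Advisory check failed (exit code $LASTEXITCODE)" }

if ($RemoveLingering) {
    # Same command without /advisory_mode performs the removal.
    & repadmin /removelingeringobjects $DestDC $SourceDsaGuid $NamingContext
    if ($LASTEXITCODE -ne 0) { throw "Removal failed (exit code $LASTEXITCODE)" }
}

# 2. Remember the current setting so it can be restored afterwards.
$previous = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$restore  = if ($null -eq $previous) { 0 } else { $previous }

try {
    # 3. Temporarily allow replication with the divergent partner.
    Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
    & repadmin /replicate $DestDC $SourceDC $NamingContext
    $replicateExit = $LASTEXITCODE

    # 4. Show per-partner results so failures are visible immediately.
    & repadmin /showrepl $DestDC
    if ($replicateExit -ne 0) { Write-Warning "Replication returned exit code $replicateExit" }
}
finally {
    # 5. Always set the value back, even if replication threw an error.
    Set-ItemProperty -Path $key -Name $name -Value $restore -Type DWord
    Write-Output "'$name' reset to $restore"
}
```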

Question has a verified solution.