Solved

2003 AD Child to Parent DC Replication is Tombstoned

Posted on 2009-05-06
Last Modified: 2012-05-06
We have a domain, child.parent.edmondok.com for example (parent.edmondok.com would be the example parent domain), whose 2 domain controllers (CDDC001 and CDBKU01) are not replicating to the 2 parent domain controllers (PD01 and PD02).  Something happened back in February 2008, and now CDDC001 and CDBKU01 are tombstoned (tombstone lifetime set to 60 days).  Shows what happens when you bury your head in projects and don't check maintenance.  It apparently isn't causing any issues, as the two domains don't have much interaction.  We are upgrading to 2008, and I would like to get this taken care of before doing so.
I have read on other threads that there are two things we can do to resolve this.  The most often recommended is to forcibly demote the DCs using dcpromo /forceremoval and then cleanup the metadata.
As both the child.parent.edmondok.com domain controllers are tombstoned, I'm not sure I should demote them both.
The other option is to run repadmin /removelingeringobjects on all the DCs (with the correct parameters including servername and serverGUID) and then force replication by modifying the "Allow Replication With Divergent and Corrupt Partner" reg key in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" to 1.  After replication I would set it back.
I believe the second option would be best in my case due to both child DCs having been tombstoned and just want to get verification that it is the best option.
Thanks for all comments and answers.
Question by:Edmondadm
2 Comments

Accepted Solution

by:
Abhay Pujari earned 250 total points
ID: 24315610
I think you are right; the 2nd option suits you. But my point is, if you do not need the child DCs, then go for option 1. It is up to you how you want to get this done.

Author Closing Comment

by:Edmondadm
ID: 31578475
As the child domain was a must for security reasons, I went for option 2 with a slight modification.  Since the child domain is a small domain and there were very few changes made to it, I just forced replication without removing lingering objects.  The reason for this was that I wasn't sure if anything was added to the child domain (new users, etc), but only one user had been deleted that still showed in the parent domain.  Forcing replication may have added that user back, but ensured I kept any changes that were made to the child domain that the parent domain wasn't aware of.  I'm not entirely sure that is how it works, but didn't want to take a chance.  All is working now.  Thanks.
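Option 2 from the question, written out as an added example (not code posted by anyone in this thread): report lingering objects in advisory mode, optionally remove them, then set the registry value, force replication, and restore the value afterwards. It assumes PowerShell 2.0 or later on the destination DC; the parameter names, the `-Remove` switch, and the GUID and naming-context placeholders are illustrative and must be filled in.

```powershell
# Added example; run elevated on the destination DC.
# Angle-bracket values are placeholders, not values from the thread.
param(
    [string]$DestDC        = 'PD01',                 # DC holding the stale copy (name from the question)
    [string]$SourceDsaGuid = '<source-DSA-GUID>',    # GUID of the reference DC, e.g. CDDC001
    [string]$NamingContext = '<naming-context-DN>',  # directory partition to compare
    [switch]$Remove                                  # omit to only report lingering objects
)

$ntds  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$value = 'Allow Replication With Divergent and Corrupt Partner'

# Step 1: compare $DestDC against the reference DC. With /advisory_mode the
# objects that would be deleted are only logged; nothing is removed.
$lingerArgs = @('/removelingeringobjects', $DestDC, $SourceDsaGuid, $NamingContext)
if (-not $Remove) { $lingerArgs += '/advisory_mode' }
& repadmin $lingerArgs
if ($LASTEXITCODE -ne 0) { throw "repadmin exited with code $LASTEXITCODE" }
if (-not $Remove) { return }   # review the logged objects, then rerun with -Remove

# Step 2: allow replication with the long-disconnected partner, force a sync,
# and always restore the previous registry state, even if the sync fails.
$before = (Get-ItemProperty -Path $ntds -Name $value -ErrorAction SilentlyContinue).$value
New-ItemProperty -Path $ntds -Name $value -PropertyType DWord -Value 1 -Force | Out-Null
try {
    & repadmin /syncall $DestDC /A /e    # all partitions, across sites
    & repadmin /showrepl $DestDC         # show the last attempt per partner
}
finally {
    if ($null -eq $before) { Remove-ItemProperty -Path $ntds -Name $value }
    else { Set-ItemProperty -Path $ntds -Name $value -Value $before }
}
```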