
Replication issues with Server 2003 Active Directory - exceeded tombstone lifetime

Alex Appleton
So here is the issue:

We have an Active Directory domain with three servers holding the domain controller role.  Let's call them server1, server2 and server3.  All are Windows Server 2003, with server2 being an Exchange server as well (and yes, I know this is not a recommended setup).  The site had an extended power failure, and when server1 came back up its time was off (we figure a faulty motherboard battery).  So the date was actually 2005 on this server, and since it holds the PDC role it updated the time on server2 as well - but for some reason server3 still maintained the correct time.  We noticed this a day or so later and updated the time manually, as the Windows Time service would not do this automatically due to the drastic change.

Now, we are having replication issues between the domain controllers due to the drastic time change between replications.  When attempting to manually replicate we are presented with an error "...The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime."

So, I know the proper fix is to demote and then promote the affected domain controllers, but I am concerned about server2 in that it is also an Exchange server.  I found a workaround here: http://technet.microsoft.com/en-us/library/cc757610(WS.10).aspx but since I have never run into this issue before I am wondering if anyone has any insight.

DCpromo is your best course of action in my opinion.  Exchange should not be negatively impacted by the removal of the Domain Controller functionality (assuming you properly transfer any roles it might have).  You might have to force the removal, do a metadata cleanup and rejoin the server to the domain, though (considering it will not replicate correctly).


Also you should probably set a Public NTP time source for your PDCe using the net time /setsntp command.  This will prevent the server from losing its proper time settings.
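Added example, not part of the original answer: a PowerShell script for the PDC emulator that does what `net time /setsntp` did, using `w32tm`, which replaced `net time` for time-source configuration, and also makes the Windows Time phase-correction limits explicit. Those limits are what decide whether a large skew like the one in the question is corrected at all: W32Time will not apply a correction larger than MaxPosPhaseCorrection / MaxNegPhaseCorrection seconds. The pool hostnames and the 48-hour limit are assumptions chosen for illustration.

```powershell
# Added example, not from the original thread. Run elevated on the PDC emulator.
# Assumptions: the NTP pool hostnames and the 48-hour correction limit are illustrative.

$Peers = "0.pool.ntp.org,0x8 1.pool.ntp.org,0x8"   # ",0x8" = client mode; hostnames are an assumption
$MaxCorrectionSeconds = 172800                       # 48 h: large enough for a one-time jump, refuses anything wilder

# Point the PDCe at external peers and advertise it as a reliable time source to the domain.
w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update

# W32Time silently skips any correction larger than these values (seconds). A clock that is
# years off stays wrong unless the limit covers the skew, or the date is set by hand first.
# 0xFFFFFFFF would mean "no limit"; a bounded value is the safer choice on a running domain.
$w32Config = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config"
Set-ItemProperty -Path $w32Config -Name MaxPosPhaseCorrection -Value $MaxCorrectionSeconds -Type DWord
Set-ItemProperty -Path $w32Config -Name MaxNegPhaseCorrection -Value $MaxCorrectionSeconds -Type DWord

Restart-Service w32time
w32tm /resync /rediscover

# Verify: the offset to the configured peer should be well under a second,
# and /monitor should show the other DCs within a few seconds of the PDCe.
w32tm /stripchart /computer:0.pool.ntp.org /samples:3 /dataonly
w32tm /monitor
```

Keep the correction limit bounded rather than unlimited: a PDCe that will accept any offset from its upstream peer will happily drag the whole domain along with a bad upstream, which is exactly the failure mode the question describes, only with the network as the source instead of a dead battery.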
Chris Dent (PowerShell Developer, Top Expert 2010)


You can't transfer roles if the tombstone lifetime has been exceeded. And I do not recommend you use DCPromo on Server2 because the operation is not supported once Exchange is installed. That is, it is not guaranteed to work and there are some pretty major known issues with the operation.

Worst case I would treat Server2 as the boss, and rebuild everything else around that.

Which servers are failing to replicate? All of them?

Do you have the ability to move Exchange to another server?  If so, transfer the Exchange server to that new server, uninstall Exchange from server2, then DCpromo the server.  You can then reinstall Exchange and move the Exchange function back.  If you want server2 to be both Exchange and DC, remember to DCpromo back to a DC before you reinstall Exchange.

No matter which road you choose, you're going to orphan objects on servers that cannot replicate.  You will have to use DCPromo /Forceremoval to remove the DC, perform the metadata cleanup, rejoin it to the domain and repromote it.

Remember to use NTDSutil to seize the roles on the server you are going to keep!
Business Technology Analyst
All 3 servers were failing to replicate.  I threw the dice and did the registry change, and it seems to have resolved the issue.  Of course, now that the DCs are replicating I put the setting back to the default value.

Now for NTP that was suggested:  I do have the PDC role holder (server1) set to sync with an external pool, however since the time difference was so great it didn't actually sync.  Go figure!

Anyways, I'll monitor for a few days and see what happens.
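Added example, not part of the original thread: a PowerShell script that walks through the registry workaround from the TechNet article linked in the question, the one the asker says resolved the replication error. It reads the forest's tombstone lifetime so you can see how far behind a partner is allowed to be, checks for lingering objects in advisory mode before re-enabling replication with the divergent partner, sets "Allow Replication With Divergent and Corrupt Partner", pulls once, and turns the override off again. The server name is an assumption; `repadmin` is the Windows Server 2003 Support Tools version.

```powershell
# Added example, not from the original thread. Run elevated on the DC that reports
# "exceeded the tombstone lifetime" (NTDS Replication event 2042). Server names are assumptions.

$Partner   = "server3"     # DC whose changes this DC should pull back; assumption
$ntdsKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$valueName = "Allow Replication With Divergent and Corrupt Partner"

function Get-TombstoneLifetimeDays {
    # Forest-wide setting on CN=Directory Service in the Configuration partition.
    # If the attribute is absent, a forest created on Server 2003 RTM uses 60 days.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $dsObj   = [ADSI]("LDAP://CN=Directory Service,CN=Windows NT,CN=Services," + $rootDse.configurationNamingContext)
    if ($dsObj.tombstoneLifetime.Value) { [int]$dsObj.tombstoneLifetime.Value } else { 60 }
}

function Get-DsaGuid([string]$dc) {
    # repadmin prints "DSA object GUID: <guid>" in the /showrepl header; parse it out.
    $match = repadmin /showrepl $dc | Select-String 'DSA object GUID:\s*(\S+)' | Select-Object -First 1
    $match.Matches[0].Groups[1].Value
}

$defaultNc = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$tsl = Get-TombstoneLifetimeDays
"Tombstone lifetime is $tsl days; a partner last synced before $((Get-Date).AddDays(-$tsl)) is refused by default."

# 1. Look for lingering objects before allowing the divergent partner back in.
#    /advisory_mode only reports; drop it to actually delete what it finds.
repadmin /removelingeringobjects $env:COMPUTERNAME (Get-DsaGuid $Partner) $defaultNc /advisory_mode

# 2. Temporarily permit replication with the divergent partner and pull the domain partition once.
Set-ItemProperty -Path $ntdsKey -Name $valueName -Value 1 -Type DWord
repadmin /replicate $env:COMPUTERNAME $Partner $defaultNc

# 3. Turn the override back off as soon as the sync succeeds; leaving it on disables
#    the protection against objects that were deleted and already tombstone-expired elsewhere.
Set-ItemProperty -Path $ntdsKey -Name $valueName -Value 0 -Type DWord

# 4. Confirm every inbound partner now shows a recent successful attempt.
repadmin /showrepl $env:COMPUTERNAME
```

Run step 1 for the Configuration and Schema partitions too, not just the default naming context, and repeat the advisory check after the forced sync: objects that the partner still holds but every other DC has long since purged are exactly the lingering objects the default refusal exists to keep out.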
Make sure you check for orphaned objects or conflict objects in your directory!  Glad to hear that the replication is working again.