[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Tombstoned Domain Controller

Posted on 2010-09-09
7
Medium Priority
?
810 Views
Last Modified: 2012-05-10
Hi Experts,

We have two domain controllers in two different states.

Sydney has the Primary Domain Controller which is running all the DC roles (2003)

Melbourne has the secondary Domain Controller (2008) which has been disconnected from the VPN for over a year (due to another IT firm)

We wish to demote the Melbourne DC the best way possible.

During this Tombstone period - the IP configuration has changed from 192.168.0.x/192.168.1.x to 172.20.x.x/172.30.x.x in both states.

We now have the VPN back up and running (and have a PPTP VPN connection worst case)

What would be the best way to demote the secondary DC in Melbourne?

I was hoping not to use the force command if possible... but open to suggestions.

Thanks!
0
Comment
Question by:bossagroup
6 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1000 total points
ID: 33643889
By the last sentence you sort of know what you have to do...you are past the tombstone lifetime so

dcpromo /forceremoval  at the end of that it will be part of a workgroup

Then the metadata cleanup  http://www.petri.co.il/delete_failed_dcs_from_ad.htm

If you want you can then join the machine back to the domain and promote it again

...if you can't get to the machine to do the /forceremoval then you can just do a metadata cleanup

I can't stress enough how important it is to try and get a second DC up as soon as you can.  Just think if that one goes down hard

Thanks
Mike
0
 
LVL 14

Assisted Solution

by:Kaffiend
Kaffiend earned 1000 total points
ID: 33643908
I would just use the force command.

It's really not difficult to clean up after that.

If the VPN is working, change DHCP scope to use only the good DC for DNS.
Seize FSMO roles
Do a dcpromo /forceremoval on the DC that's tombstoned.
Then, clean up metadata (with ntdsutil), clean up your DNS zone, and clean up the AD Sites and Services.
(Take you a half day, if you read slow.  If you already know what you're doing, it'll take less than 2 hours, and that's including the time it takes to do the dcpromo)

For good measure, change the name of the server.  Then, dcpromo to make it a DC again.

0
 
LVL 7

Expert Comment

by:rsimsee
ID: 33643963
I've never heard of keeping 2 DC's apart for so long, but I would assume that they're not going to play well together anymore.

Are there users / workstations in Melbourne?

Were users / workstations in Melbourne using the Melbourne DC while the VPN was down?  

You're saying that the VPN is back up, does that also mean that the Melbourne DC and the Sydney DC are able to talk to each other again?  If so, how did that go? If not, is it simply because of the IP changes?

If there are users / workstations in Melbourne and the VPN is back up, how is thier access working since the reintegration?

Bottom line...  if you already have the two DC's connected you can try dcpromo, it will either work or it will fail and tell you why.  If you can fix the why, you can try dcpromo again.  If you can't fix they why and all of your clients are working ok, bring out the ax and start chopping.  

If you do have to chop, I would recommend shutting down Melbourne DC for at least a week or month after you've made that call just to make sure something important isn't still living there that will be missed.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 

Author Comment

by:bossagroup
ID: 33644159
Yeah I know - it wasn't our choice - client wanted to try a different service that we didn't provide and it failed - so now we are left with a Tombstoned DC

VPN is currently offline - but configured - Melbourne has its own file server - we planned to keep the VPN offline until we decommission the DC in Melbourne in case of any other problems. Yes - the users in Melbourne were still using this Tombstoned DC... as you could imagne it's been causing all types of headaches for the client. Unfortunately the other mob made a real mess of things..

So not sure if they are communicating yet - Looks like the forceremoval is the way to go..
0
 
LVL 7

Expert Comment

by:rsimsee
ID: 34003285
How did you make out?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34636979
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

868 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question