[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Tombstoned Domain Controller

Posted on 2010-09-09
7
Medium Priority
?
807 Views
Last Modified: 2012-05-10
Hi Experts,

We have two domain controllers in two different states.

Sydney has the Primary Domain Controller which is running all the DC roles (2003)

Melbourne has the secondary Domain Controller (2008) which has been disconnected from the VPN for over a year (due to another IT firm)

We wish to demote the Melbourne DC the best way possible.

During this Tombstone period - the IP configuration has changed from 192.168.0.x/192.168.1.x to 172.20.x.x/172.30.x.x in both states.

We now have the VPN back up and running (and have a PPTP VPN connection worst case)

What would be the best way to demote the secondary DC in Melbourne?

I was hoping not to use the force command if possible... but open to suggestions.

Thanks!
0
Comment
Question by:bossagroup
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1000 total points
ID: 33643889
By the last sentence you sort of know what you have to do...you are past the tombstone lifetime so

dcpromo /forceremoval  at the end of that it will be part of a workgroup

Then the metadata cleanup  http://www.petri.co.il/delete_failed_dcs_from_ad.htm

If you want you can then join the machine back to the domain and promote it again

...if you can't get to the machine to do the /forceremoval then you can just do a metadata cleanup

I can't stress enough how important it is to try and get a second DC up as soon as you can.  Just think if that one goes down hard

Thanks
Mike
0
 
LVL 14

Assisted Solution

by:Kaffiend
Kaffiend earned 1000 total points
ID: 33643908
I would just use the force command.

It's really not difficult to clean up after that.

If the VPN is working, change DHCP scope to use only the good DC for DNS.
Seize FSMO roles
Do a dcpromo /forceremoval on the DC that's tombstoned.
Then, clean up metadata (with ntdsutil), clean up your DNS zone, and clean up the AD Sites and Services.
(Take you a half day, if you read slow.  If you already know what you're doing, it'll take less than 2 hours, and that's including the time it takes to do the dcpromo)

For good measure, change the name of the server.  Then, dcpromo to make it a DC again.

0
 
LVL 7

Expert Comment

by:rsimsee
ID: 33643963
I've never heard of keeping 2 DC's apart for so long, but I would assume that they're not going to play well together anymore.

Are there users / workstations in Melbourne?

Were users / workstations in Melbourne using the Melbourne DC while the VPN was down?  

You're saying that the VPN is back up, does that also mean that the Melbourne DC and the Sydney DC are able to talk to each other again?  If so, how did that go? If not, is it simply because of the IP changes?

If there are users / workstations in Melbourne and the VPN is back up, how is thier access working since the reintegration?

Bottom line...  if you already have the two DC's connected you can try dcpromo, it will either work or it will fail and tell you why.  If you can fix the why, you can try dcpromo again.  If you can't fix they why and all of your clients are working ok, bring out the ax and start chopping.  

If you do have to chop, I would recommend shutting down Melbourne DC for at least a week or month after you've made that call just to make sure something important isn't still living there that will be missed.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 

Author Comment

by:bossagroup
ID: 33644159
Yeah I know - it wasn't our choice - client wanted to try a different service that we didn't provide and it failed - so now we are left with a Tombstoned DC

VPN is currently offline - but configured - Melbourne has its own file server - we planned to keep the VPN offline until we decommission the DC in Melbourne in case of any other problems. Yes - the users in Melbourne were still using this Tombstoned DC... as you could imagne it's been causing all types of headaches for the client. Unfortunately the other mob made a real mess of things..

So not sure if they are communicating yet - Looks like the forceremoval is the way to go..
0
 
LVL 7

Expert Comment

by:rsimsee
ID: 34003285
How did you make out?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34636979
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question