Solved

Tombstoned Domain Controller

Posted on 2010-09-09
7
797 Views
Last Modified: 2012-05-10
Hi Experts,

We have two domain controllers in two different states.

Sydney has the Primary Domain Controller which is running all the DC roles (2003)

Melbourne has the secondary Domain Controller (2008) which has been disconnected from the VPN for over a year (due to another IT firm)

We wish to demote the Melbourne DC the best way possible.

During this Tombstone period - the IP configuration has changed from 192.168.0.x/192.168.1.x to 172.20.x.x/172.30.x.x in both states.

We now have the VPN back up and running (and have a PPTP VPN connection worst case)

What would be the best way to demote the secondary DC in Melbourne?

I was hoping not to use the force command if possible... but open to suggestions.

Thanks!
0
Comment
Question by:bossagroup
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 33643889
By the last sentence you sort of know what you have to do...you are past the tombstone lifetime so

dcpromo /forceremoval  at the end of that it will be part of a workgroup

Then the metadata cleanup  http://www.petri.co.il/delete_failed_dcs_from_ad.htm

If you want you can then join the machine back to the domain and promote it again

...if you can't get to the machine to do the /forceremoval then you can just do a metadata cleanup

I can't stress enough how important it is to try and get a second DC up as soon as you can.  Just think if that one goes down hard

Thanks
Mike
0
 
LVL 14

Assisted Solution

by:Kaffiend
Kaffiend earned 250 total points
ID: 33643908
I would just use the force command.

It's really not difficult to clean up after that.

If the VPN is working, change DHCP scope to use only the good DC for DNS.
Seize FSMO roles
Do a dcpromo /forceremoval on the DC that's tombstoned.
Then, clean up metadata (with ntdsutil), clean up your DNS zone, and clean up the AD Sites and Services.
(Take you a half day, if you read slow.  If you already know what you're doing, it'll take less than 2 hours, and that's including the time it takes to do the dcpromo)

For good measure, change the name of the server.  Then, dcpromo to make it a DC again.

0
 
LVL 7

Expert Comment

by:rsimsee
ID: 33643963
I've never heard of keeping 2 DC's apart for so long, but I would assume that they're not going to play well together anymore.

Are there users / workstations in Melbourne?

Were users / workstations in Melbourne using the Melbourne DC while the VPN was down?  

You're saying that the VPN is back up, does that also mean that the Melbourne DC and the Sydney DC are able to talk to each other again?  If so, how did that go? If not, is it simply because of the IP changes?

If there are users / workstations in Melbourne and the VPN is back up, how is thier access working since the reintegration?

Bottom line...  if you already have the two DC's connected you can try dcpromo, it will either work or it will fail and tell you why.  If you can fix the why, you can try dcpromo again.  If you can't fix they why and all of your clients are working ok, bring out the ax and start chopping.  

If you do have to chop, I would recommend shutting down Melbourne DC for at least a week or month after you've made that call just to make sure something important isn't still living there that will be missed.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:bossagroup
ID: 33644159
Yeah I know - it wasn't our choice - client wanted to try a different service that we didn't provide and it failed - so now we are left with a Tombstoned DC

VPN is currently offline - but configured - Melbourne has its own file server - we planned to keep the VPN offline until we decommission the DC in Melbourne in case of any other problems. Yes - the users in Melbourne were still using this Tombstoned DC... as you could imagne it's been causing all types of headaches for the client. Unfortunately the other mob made a real mess of things..

So not sure if they are communicating yet - Looks like the forceremoval is the way to go..
0
 
LVL 7

Expert Comment

by:rsimsee
ID: 34003285
How did you make out?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34636979
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question