Solved

Tombstoned Domain Controller

Posted on 2010-09-09
7
793 Views
Last Modified: 2012-05-10
Hi Experts,

We have two domain controllers in two different states.

Sydney has the Primary Domain Controller which is running all the DC roles (2003)

Melbourne has the secondary Domain Controller (2008) which has been disconnected from the VPN for over a year (due to another IT firm)

We wish to demote the Melbourne DC the best way possible.

During this Tombstone period - the IP configuration has changed from 192.168.0.x/192.168.1.x to 172.20.x.x/172.30.x.x in both states.

We now have the VPN back up and running (and have a PPTP VPN connection worst case)

What would be the best way to demote the secondary DC in Melbourne?

I was hoping not to use the force command if possible... but open to suggestions.

Thanks!
0
Comment
Question by:bossagroup
7 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 33643889
By the last sentence you sort of know what you have to do...you are past the tombstone lifetime so

dcpromo /forceremoval  at the end of that it will be part of a workgroup

Then the metadata cleanup  http://www.petri.co.il/delete_failed_dcs_from_ad.htm

If you want you can then join the machine back to the domain and promote it again

...if you can't get to the machine to do the /forceremoval then you can just do a metadata cleanup

I can't stress enough how important it is to try and get a second DC up as soon as you can.  Just think if that one goes down hard

Thanks
Mike
0
 
LVL 14

Assisted Solution

by:Kaffiend
Kaffiend earned 250 total points
ID: 33643908
I would just use the force command.

It's really not difficult to clean up after that.

If the VPN is working, change DHCP scope to use only the good DC for DNS.
Seize FSMO roles
Do a dcpromo /forceremoval on the DC that's tombstoned.
Then, clean up metadata (with ntdsutil), clean up your DNS zone, and clean up the AD Sites and Services.
(Take you a half day, if you read slow.  If you already know what you're doing, it'll take less than 2 hours, and that's including the time it takes to do the dcpromo)

For good measure, change the name of the server.  Then, dcpromo to make it a DC again.

0
 
LVL 7

Expert Comment

by:rsimsee
ID: 33643963
I've never heard of keeping 2 DC's apart for so long, but I would assume that they're not going to play well together anymore.

Are there users / workstations in Melbourne?

Were users / workstations in Melbourne using the Melbourne DC while the VPN was down?  

You're saying that the VPN is back up, does that also mean that the Melbourne DC and the Sydney DC are able to talk to each other again?  If so, how did that go? If not, is it simply because of the IP changes?

If there are users / workstations in Melbourne and the VPN is back up, how is thier access working since the reintegration?

Bottom line...  if you already have the two DC's connected you can try dcpromo, it will either work or it will fail and tell you why.  If you can fix the why, you can try dcpromo again.  If you can't fix they why and all of your clients are working ok, bring out the ax and start chopping.  

If you do have to chop, I would recommend shutting down Melbourne DC for at least a week or month after you've made that call just to make sure something important isn't still living there that will be missed.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:bossagroup
ID: 33644159
Yeah I know - it wasn't our choice - client wanted to try a different service that we didn't provide and it failed - so now we are left with a Tombstoned DC

VPN is currently offline - but configured - Melbourne has its own file server - we planned to keep the VPN offline until we decommission the DC in Melbourne in case of any other problems. Yes - the users in Melbourne were still using this Tombstoned DC... as you could imagne it's been causing all types of headaches for the client. Unfortunately the other mob made a real mess of things..

So not sure if they are communicating yet - Looks like the forceremoval is the way to go..
0
 
LVL 7

Expert Comment

by:rsimsee
ID: 34003285
How did you make out?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34636979
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question