Solved

Tombstoned Domain Controller

Posted on 2010-09-09
801 Views
Last Modified: 2012-05-10
Hi Experts,

We have two domain controllers in two different states.

Sydney has the Primary Domain Controller which is running all the DC roles (2003)

Melbourne has the secondary Domain Controller (2008) which has been disconnected from the VPN for over a year (due to another IT firm)

We wish to demote the Melbourne DC the best way possible.

During this Tombstone period - the IP configuration has changed from 192.168.0.x/192.168.1.x to 172.20.x.x/172.30.x.x in both states.

We now have the VPN back up and running (and have a PPTP VPN connection worst case)

What would be the best way to demote the secondary DC in Melbourne?

I was hoping not to use the force command if possible... but open to suggestions.

Thanks!
Question by:bossagroup
7 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1000 total points
ID: 33643889
By the last sentence you sort of know what you have to do...you are past the tombstone lifetime so

dcpromo /forceremoval; at the end of that it will be part of a workgroup

Then the metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

If you want you can then join the machine back to the domain and promote it again

...if you can't get to the machine to do the /forceremoval then you can just do a metadata cleanup

I can't stress enough how important it is to try and get a second DC up as soon as you can.  Just think if that one goes down hard

Thanks
Mike
 
LVL 14

Assisted Solution

by:Kaffiend
Kaffiend earned 1000 total points
ID: 33643908
I would just use the force command.

It's really not difficult to clean up after that.

If the VPN is working, change DHCP scope to use only the good DC for DNS.
Seize FSMO roles
Do a dcpromo /forceremoval on the DC that's tombstoned.
Then, clean up metadata (with ntdsutil), clean up your DNS zone, and clean up the AD Sites and Services.
(It'll take you half a day if you read slowly. If you already know what you're doing, it'll take less than 2 hours, and that's including the time it takes to do the dcpromo.)

For good measure, change the name of the server.  Then, dcpromo to make it a DC again.

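The sequence both answers above describe (force-demote the stale DC, seize any roles, clean the metadata, DNS and Sites and Services, then rebuild), written out as the commands an admin would run. This is an added example, not code from either answer or from the thread. Everything named in it is an assumption for illustration: the domain example.local, the good Sydney DC SYD-DC01 at 172.20.0.10 (2003, holds the roles, also runs DHCP), the stale Melbourne DC MEL-DC01 at 172.30.0.10 in a site called Melbourne, and the two DHCP scope IDs. One caveat worth having in front of you before starting: the Melbourne replica is a year-old copy plus a year of changes made only in Melbourne (password resets, new accounts, group changes). /forceremoval throws those away; nothing below merges them back.

```powershell
# Added example (not from the thread): the clean-up steps described by Mike Kline and
# Kaffiend, as typed on Windows Server 2003/2008. Names, addresses and scope IDs are
# assumptions:
#   domain     example.local
#   good DC    SYD-DC01  (Sydney, 172.20.0.10, all FSMO roles, also the DHCP server)
#   stale DC   MEL-DC01  (Melbourne, 172.30.0.10, site "Melbourne", offline > 1 year)
# Run the Sydney-side steps in an elevated PowerShell on SYD-DC01 as a Domain Admin.
# Read each command's output before moving on; none of these steps can be undone.

$Domain   = 'example.local'
$DomainDN = 'DC=example,DC=local'
$GoodDC   = 'SYD-DC01'
$StaleDC  = 'MEL-DC01'
$Site     = 'Melbourne'

# 0. Confirm the DC really is past the tombstone lifetime before choosing the force path.
#    tombstoneLifetime sits on the Directory Service object; when it is unset the forest
#    default applies (60 days for forests created before 2003 SP1, 180 days afterwards).
$ds  = [ADSI]"LDAP://$GoodDC/CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,$DomainDN"
$tsl = $ds.Properties['tombstoneLifetime'].Value
if (-not $tsl) { $tsl = 60 }   # assume the conservative default when the attribute is absent
"Tombstone lifetime: $tsl days"
repadmin /showrepl $GoodDC | Select-String $StaleDC   # compare the last success date with $tsl

# 1. Hand clients only the good DC for DNS (DHCP option 006) so nothing keeps registering
#    with, or authenticating against, the stale DC once it is gone.
netsh dhcp server \\$GoodDC scope 172.20.0.0 set optionvalue 006 IPADDRESS 172.20.0.10
netsh dhcp server \\$GoodDC scope 172.30.0.0 set optionvalue 006 IPADDRESS 172.20.0.10

# 2. Check where the five FSMO roles are; seize only those still pointing at MEL-DC01.
#    Seizing is safe here only because the old holder will never come back as-is.
#    ("seize domain naming master" is the 2003 wording; 2008 also accepts "seize naming master".)
netdom query fsmo
ntdsutil roles connections "connect to server $GoodDC" quit `
    "seize schema master" "seize domain naming master" "seize PDC" `
    "seize RID master" "seize infrastructure master" quit quit

# 3. On MEL-DC01 itself (console or RDP), not on SYD-DC01:
#       dcpromo /forceremoval
#    This discards the stale replica and leaves the box in a workgroup. If the machine is
#    unreachable, skip it; the metadata cleanup below is what actually matters to the forest.

# 4. Metadata cleanup: remove the dead DC's NTDS Settings object from the forest.
#    ntdsutil on 2003 SP1 and later accepts the server DN directly, no menu walking needed.
$ServerDN = "CN=$StaleDC,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDN"
ntdsutil "metadata cleanup" "remove selected server $ServerDN" quit quit

# 5. Leftovers ntdsutil does not always take with it: the server object in Sites and
#    Services, the FRS member for SYSVOL, and the computer account in Domain Controllers.
dsrm $ServerDN -subtree -noprompt
dsrm "CN=$StaleDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$DomainDN" -noprompt
dsrm "CN=$StaleDC,OU=Domain Controllers,$DomainDN" -noprompt

# 6. DNS: delete the host, NS and _msdcs records that still advertise MEL-DC01 as a DC,
#    then list what is left; any SRV record under _tcp/_udp/_msdcs naming it goes too.
dnscmd $GoodDC /RecordDelete $Domain $StaleDC A 172.30.0.10 /f
dnscmd $GoodDC /RecordDelete $Domain '@' NS "$StaleDC.$Domain." /f
dnscmd $GoodDC /RecordDelete "_msdcs.$Domain" '@' NS "$StaleDC.$Domain." /f
dnscmd $GoodDC /ZonePrint $Domain | Select-String $StaleDC

# 7. Verify the forest no longer knows the dead DC, then rebuild Melbourne: rename the
#    server, join it to the domain, dcpromo it fresh and let it replicate from SYD-DC01.
repadmin /replsum
dcdiag /q
nltest /dclist:$Domain
```

Step 0 is the check that decides between a normal dcpromo and the force path: if the last successful replication in the repadmin output is older than the tombstone lifetime, a normal demotion will fail and the remaining steps apply. Keep the VPN to Melbourne down, as the asker planned, until step 6 is finished, so the old DC cannot re-register its records or hand out stale Kerberos tickets in the meantime.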
 
LVL 7

Expert Comment

by:rsimsee
ID: 33643963
I've never heard of keeping 2 DCs apart for so long, but I would assume that they're not going to play well together anymore.

Are there users / workstations in Melbourne?

Were users / workstations in Melbourne using the Melbourne DC while the VPN was down?  

You're saying that the VPN is back up, does that also mean that the Melbourne DC and the Sydney DC are able to talk to each other again?  If so, how did that go? If not, is it simply because of the IP changes?

If there are users / workstations in Melbourne and the VPN is back up, how is their access working since the reintegration?

Bottom line... if you already have the two DCs connected you can try dcpromo; it will either work or it will fail and tell you why. If you can fix the why, you can try dcpromo again. If you can't fix the why and all of your clients are working ok, bring out the ax and start chopping.

If you do have to chop, I would recommend shutting down Melbourne DC for at least a week or month after you've made that call just to make sure something important isn't still living there that will be missed.

Author Comment

by:bossagroup
ID: 33644159
Yeah I know - it wasn't our choice - client wanted to try a different service that we didn't provide and it failed - so now we are left with a Tombstoned DC

VPN is currently offline - but configured - Melbourne has its own file server - we planned to keep the VPN offline until we decommission the DC in Melbourne in case of any other problems. Yes - the users in Melbourne were still using this Tombstoned DC... as you could imagine it's been causing all types of headaches for the client. Unfortunately the other mob made a real mess of things.

So not sure if they are communicating yet - looks like the forceremoval is the way to go.
 
LVL 7

Expert Comment

by:rsimsee
ID: 34003285
How did you make out?
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34636979
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.