My primary DC has gone into Tombstone.  New accounts are not able to log onto the domain.

bstrom24
Good evening,
I have a big problem. My primary DC has gone into Tombstone. I am not certain how that happened, because all 3 of my DCs show account created less than a week ago. I am wondering what my best option is for this. Right now it appears the only DC that is working is DC2. It gets the new accounts, but the account will not authenticate with the network.

Any help would be appreciated so much!
Top Expert 2013
Commented:
Can you run a repadmin /showreps on that box that is tombstoned?

A quick fix for the tombstoned DC (same as the rollback fix):

1) Forcefully demote the DC by running dcpromo /forceremoval. This will remove AD from the server without attempting to replicate any changes off. Once it is done and you reboot the server, it will be a standalone server in a workgroup.

2) Run a metadata cleanup of the DC that was demoted per KB article 216498 on one of the replication partners.

3) If the demoted server held any of the FSMO (Flexible Single Master Operations) roles then use the KB article 255504 to seize the roles to another DC.

4) Once replication has occurred end to end in your environment you can rejoin the demoted server back to the domain then promote to a DC.

Thanks

Mike
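The four steps above, and the replication checks the thread asks for (repadmin /showreps, which FSMO roles and global catalogs the healthy DCs hold), as an added PowerShell walkthrough. This is example code, not from the original thread or from Microsoft's KB articles; it assumes DC1 is the tombstoned DC, DC2 the healthy replication partner, the domain example.com and the site Default-First-Site-Name, and that it is run on DC2 by an account in Domain Admins and Enterprise Admins. Steps 1 and 2 are one-way operations, so run step 0 and read its output before going further.

```powershell
# Added example (not from the original thread). Assumed names: DC1 = the
# tombstoned DC, DC2 = the healthy partner, domain example.com, site
# Default-First-Site-Name. Run on DC2 as Domain Admin + Enterprise Admin.
Import-Module ActiveDirectory

$bad  = 'DC1'
$good = 'DC2'
$site = 'Default-First-Site-Name'
$zone = 'example.com'

# --- 0. Confirm the diagnosis before changing anything ----------------------
$rootDse  = Get-ADRootDSE -Server $good
$configNc = $rootDse.configurationNamingContext

# Forest tombstone lifetime (unset on old forests means the 60-day default).
$dsObj = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$tsl   = (Get-ADObject $dsObj -Server $good -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }
"Tombstone lifetime: $tsl days"

# /showreps (thread spelling) and /showrepl are the same repadmin command. A
# partner that has not replicated for more than $tsl days reports the
# "too long since this machine last replicated" error (NTDS event 2042).
repadmin /showrepl $bad
repadmin /replsummary

# Strict replication consistency must stay on for the healthy DCs; it is the
# setting the registry "workarounds" warned about in this thread turn off.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Get-ItemProperty $ntds -Name 'Strict Replication Consistency' -ErrorAction SilentlyContinue

# Roles and global catalogs, and which roles the dead DC still owns on paper.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADDomainController -Filter * -Server $good |
    Select-Object Name, IsGlobalCatalog, OperationMasterRoles
$heldByBad = (Get-ADDomainController -Identity $bad -Server $good).OperationMasterRoles

# --- 1. Forced demotion: run ON the tombstoned DC, not here -----------------
# Server 2003/2008 (the tooling in the thread):   dcpromo /forceremoval
# Server 2012 and later, the equivalent cmdlet:
#   Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole `
#       -LocalAdministratorPassword (Read-Host -AsSecureString) -Force
# Nothing is replicated off the box either way; it reboots into a workgroup.

# --- 2. Metadata cleanup (KB 216498), run on the healthy DC -----------------
# Removes DC1's NTDS Settings, server and computer objects. On Server 2008
# and later ntdsutil does it in one "remove selected server <DN>" step.
$serverDn = "CN=$bad,CN=Servers,CN=$site,CN=Sites,$configNc"
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# Stale SRV records that still point at DC1 are not removed by the cleanup;
# list them so they can be deleted in the DNS console (requires DnsServer module).
Get-DnsServerResourceRecord -ComputerName $good -ZoneName $zone -RRType Srv |
    Where-Object { $_.RecordData.DomainName -like "$bad.*" }

# --- 3. Seize any roles DC1 held (KB 255504) --------------------------------
# Seize rather than transfer, because DC1 cannot replicate. -Force seizes when
# a graceful transfer fails. The old holder must never come back as-is.
if ($heldByBad) {
    Move-ADDirectoryServerOperationMasterRole -Identity $good `
        -OperationMasterRole $heldByBad -Force -Confirm:$false
}
netdom query fsmo

# --- 4. Verify end-to-end replication, then rebuild DC1 ---------------------
repadmin /replsummary
dcdiag /test:replications /test:fsmocheck /q
# Only once every partner shows 0 failures: join the rebuilt DC1 to the
# domain and promote it again (dcpromo, or Install-ADDSDomainController).
```

The role list is captured in step 0 on purpose: after the metadata cleanup in step 2 the DC1 objects are gone and can no longer be queried, but the fsmoRoleOwner attributes still name them until the seizure in step 3 rewrites them.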
I wanted to point out there are a couple of "work arounds" that allow you to disable AD's ability to prevent you from syncing AD databases that are in the tombstone.  These include changes to AD settings in the registry (like enforce database integrity or changing the days for tombstone).

Please do not use them ... follow the advice from mkline71. It is the BEST way to solve the problem. I made the mistake of using the workarounds (I had to get the systems running ASAP). In the end, I had all kinds of strange goofy problems. Computers not being able to connect to resources, users not being able to log into systems, strange uncool things ...

Author

Commented:
Thank you for the response. I guess my concern is that it is the primary DC, and whether anything would be lost. I have never done this before, so I am very cautious.

Author

Commented:
What type of problems may occur here? I would need to transfer roles from the primary to the secondary for sure. So, I should do that before I demote, correct?
Top Expert 2013

Commented:
You would have to seize them if you are in a tombstone and you can't replicate, so you can demote gracefully. I'd try the graceful demotion.

Author

Commented:
I apologize for asking something you already answered. So if I do a graceful demotion, should I still transfer the roles first, or would the demotion take care of transferring to my secondary DC?

I also see in Users and Computers I can change the RID, PDC, and Infrastructure. I assume this would be the same as using the Ntdsutil utility? I just want to make sure I have checked everything before I move forward with this. As I am sure you can tell, I am very scared at the moment.

Again thank you so much for your help!

Author

Commented:
One more thing, is this going to have an impact on Exchange?
Top Expert 2013

Commented:
Well, if you can do a graceful demotion then you can gracefully transfer the FSMO roles, but if you can do a graceful demotion you are not in tombstone.

Are the current "good" DCs global catalog servers?  

Thanks

Mike

Author

Commented:
It is a Global Catalog server

Author

Commented:
So should I change those roles before I force a removal of the DC, or just follow the below steps exactly? I guess my only other concern would be Exchange.

1) Forcefully demote the DC by running dcpromo /forceremoval. This will remove AD from the server without attempting to replicate any changes off. Once it is done and you reboot the server, it will be a standalone server in a workgroup.

2) Run a metadata cleanup of the DC that was demoted per KB article 216498 on one of the replication partners.

3) If the demoted server held any of the FSMO (Flexible Single Master Operations) roles then use the KB article 255504 to seize the roles to another DC.

4) Once replication has occurred end to end in your environment you can rejoin the demoted server back to the domain then promote to a DC.

Leon Fester, Senior Solutions Architect

Commented:
Your DC is basically dead anyway, so it doesn't matter if you seize the roles before or after you /forceremove the server.

Confirm that it is dead, in which case dcpromo the server first and then seize the role.
This removes the chances of data replicating.

You won't affect your Exchange environment as Exchange information is stored in Active Directory.

Author

Commented:
Good evening again. I did not make any changes to this DC last night. Here is my situation.
DC1 is NOT replicating with DC2
DC1 is replicating with my DR DC
It appears DC1 is half broken, if that is possible?

Author

Commented:
Thank you! I did call MS just to be on the safe side, because I have never done a dcpromo on a primary DC before. It was actually found that the secondary was bad. Thanks for your help!
Top Expert 2013

Commented:
No problem, so Microsoft had you also forcibly remove it?
