Solved

Tombstone DC's

Posted on 2013-05-24
6
422 Views
Last Modified: 2013-05-24
Hello Experts,

I need some advice.
I have a testing lab that has 3 2008 Domain Controllers.
I have not been monitoring this domain but 2 of the DC's have stopped replicating and now are past the tombstone time limits.  These Domain controllers are up but it looks like some time in December they stopped replicating and now DNS is having a lot of issues and I need to remove them.

I cannot log into them because their DNS will not work to validate my credentials, I have tried to reset the local admin password, that won't work either.  Both of these Domain controllers did not hold any of the FSMO roles.  I want to demote them but since they are still live it's giving me issues.  Should I just power them off and force removal from the one still living?  I'm not sure how to do it since they are still detected on the network.....

Any advice is appreciated.  I did try to force replication by a change in the registry and changing the tombstone date but that didn't work.  

thank you,

Karen
0
Comment
Question by:klsphotos
  • 3
  • 2
6 Comments
 
LVL 3

Expert Comment

by:CITG_Carl
ID: 39194357
Good afternoon,

if you turn the domain controllers off, you will have to manually clear out the schema using ADSIEDIT.msc and in DNS. The process takes around an hour, but you need to be really careful.

Have you reset your admin password since Decemeber? If so try logging into these domain controllers using the older password.

If you can log into the DC's dcpromo them out, and then back in if required

Cheers
0
 

Author Comment

by:klsphotos
ID: 39194384
I haven't changed my password, it's not doing any authentication properly because DNS is not working right due to the replication.  They won't let me in with the same password I always had.  I can get into the one with the FSMO roles still working but not the other two.
0
 
LVL 3

Accepted Solution

by:
CITG_Carl earned 500 total points
ID: 39194391
Is the issue with the replication DNS related? Are the remote DC's using themselves as a DNS server?

If you cannot log in, you will have to remove them from the schema manually

http://support.microsoft.com/kb/555846
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:klsphotos
ID: 39194411
Yes, the DNS is not working on these two Domain Controllers.  I can see the DNS, it's running from the one that is but it has not synched since December.  It's on looks like it's running but it's not so AD isn't working to authenticate me to get into them.  If I do a repadmin /showrepl all comes back successful, but it's not....
0
 

Expert Comment

by:userPrincipalName
ID: 39195047
Dont bother trying to resurrect a tombstoned DC.  

Your best course of action is to remove it from the domain manually using ntdsutil.  It will take you about 10 minutes (less if you are comfortable with the process) and is well documented.
http://technet.microsoft.com/en-us/library/cc736378%28v=ws.10%29.aspx
0
 

Author Comment

by:klsphotos
ID: 39195054
I removed the failed domain controllers from Sites and Services, DNS, DHCP scope and did a meta data clean up and removed from the Schema.  

Did I miss anything?  From all of these links it looks like I got it and the meta data clean up is only showing the one server, the one I am on which is what I want.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question