Solved

Tombstone DCs

Posted on 2013-05-24
Last Modified: 2013-05-24
Hello Experts,

I need some advice.
I have a testing lab that has three 2008 Domain Controllers.
I have not been monitoring this domain, but two of the DCs have stopped replicating and are now past the tombstone time limits. These Domain Controllers are up, but it looks like some time in December they stopped replicating, and now DNS is having a lot of issues and I need to remove them.

I cannot log into them because their DNS will not work to validate my credentials; I have tried to reset the local admin password, and that won't work either. Neither of these Domain Controllers held any of the FSMO roles. I want to demote them, but since they are still live it's giving me issues. Should I just power them off and force removal from the one still living? I'm not sure how to do it since they are still detected on the network.

Any advice is appreciated. I did try to force replication by a change in the registry and changing the tombstone date, but that didn't work.

thank you,

Karen
Question by:klsphotos

Expert Comment

by:CITG_Carl
ID: 39194357
Good afternoon,

If you turn the domain controllers off, you will have to manually clear out the schema using ADSIEDIT.msc and in DNS. The process takes around an hour, but you need to be really careful.

Have you reset your admin password since December? If so, try logging into these domain controllers using the older password.

If you can log into the DCs, dcpromo them out, and then back in if required.

Cheers

Author Comment

by:klsphotos
ID: 39194384
I haven't changed my password; it's not doing any authentication properly because DNS is not working right due to the replication. They won't let me in with the same password I always had. I can get into the one with the FSMO roles still working, but not the other two.
Accepted Solution

by:CITG_Carl (earned 500 total points)
ID: 39194391
Is the issue with the replication DNS related? Are the remote DCs using themselves as a DNS server?

If you cannot log in, you will have to remove them from the schema manually.

http://support.microsoft.com/kb/555846
Author Comment

by:klsphotos
ID: 39194411
Yes, the DNS is not working on these two Domain Controllers. I can see the DNS; it's running from the one that is, but it has not synched since December. It looks like it's running, but it's not, so AD isn't working to authenticate me to get into them. If I do a repadmin /showrepl, all comes back successful, but it's not.
Expert Comment

by:userPrincipalName
ID: 39195047
Don't bother trying to resurrect a tombstoned DC.

Your best course of action is to remove it from the domain manually using ntdsutil. It will take you about 10 minutes (less if you are comfortable with the process) and is well documented.
http://technet.microsoft.com/en-us/library/cc736378%28v=ws.10%29.aspx
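The two expert comments above both come down to the same thing: confirm which DCs are really past the tombstone lifetime, then remove their metadata with ntdsutil (or ADSIEDIT) rather than trying to revive them. The following PowerShell script is an added example, not code from any of the posters or from Microsoft. It runs `repadmin /showrepl * /csv` from a healthy DC, which reports every replication link in the forest rather than only the local DC's view (the reason a plain `repadmin /showrepl` on a stale DC can still say "successful"), compares each link's last success time against the forest's `tombstoneLifetime` attribute, and prints the `ntdsutil "metadata cleanup"` command for any stale source DC. It assumes it is run as a Domain Admin on a working DC where `repadmin` is available (the FSMO holder in this thread), and it changes nothing in AD on its own; the cleanup command is only printed for review.

```powershell
# Added example (not from the thread): audit replication partners against the
# forest tombstone lifetime and emit the ntdsutil metadata-cleanup command for
# any DC that has not replicated successfully within that window.
# Assumptions: run as Domain Admin on a healthy DC; repadmin.exe is present.
# Nothing here modifies AD; the cleanup command is only printed for review.

# Read the forest tombstoneLifetime via ADSI (no RSAT AD module needed on 2008).
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext.Value
$dsObj    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$tsl      = $dsObj.tombstoneLifetime.Value
if (-not $tsl) { $tsl = 60 }   # attribute absent: AD applies the legacy 60-day default
Write-Host "Tombstone lifetime: $tsl days"

# repadmin /showrepl * /csv lists every link in the forest with its last success time.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv

# Collect source DCs that some destination has not heard from within the lifetime.
$stale = @{}
foreach ($l in $links) {
    $lastOk = [datetime]::MinValue
    if ([datetime]::TryParse($l.'Last Success Time', [ref]$lastOk) -and
        $lastOk -lt (Get-Date).AddDays(-$tsl)) {
        $stale[$l.'Source DSA'] = $lastOk
    }
}

if ($stale.Count -eq 0) {
    Write-Host "No replication partner is older than the tombstone lifetime."
    return
}

foreach ($dc in $stale.Keys) {
    Write-Host "`n$dc last replicated successfully on $($stale[$dc]); past the tombstone lifetime."

    # Locate the server object under CN=Sites; its DN is what ntdsutil expects.
    $sites    = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($sites)
    $searcher.Filter = "(&(objectClass=server)(cn=$dc))"
    $srv = $searcher.FindOne()
    if ($srv) {
        $dn = $srv.Properties['distinguishedname'][0]
        Write-Host "Review the DN, then run on a healthy DC:"
        Write-Host "  ntdsutil `"metadata cleanup`" `"remove selected server $dn`" quit quit"
        Write-Host "Afterwards remove its records from DNS, Sites and Services, and any DHCP scope."
    } else {
        Write-Host "No server object named $dc found under CN=Sites; check the name manually."
    }
}
```

The one-line `ntdsutil "metadata cleanup" "remove selected server <DN>" quit quit` form (supported from Windows Server 2008) avoids walking the interactive `select operation target` menus, but it is only as safe as the DN you pass it, so read the printed DN before running it on the live DC. Powering off the dead DCs first, as the thread suggests, is fine; the cleanup operates on the surviving DC's copy of the configuration partition and does not need the stale machines reachable.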
Author Comment

by:klsphotos
ID: 39195054
I removed the failed domain controllers from Sites and Services, DNS, and the DHCP scope, did a metadata cleanup, and removed them from the Schema.

Did I miss anything? From all of these links it looks like I got it, and the metadata cleanup is only showing the one server, the one I am on, which is what I want.