Solved

Tombstone DC's

Posted on 2013-05-24
Last Modified: 2013-05-24
Hello Experts,

I need some advice.
I have a testing lab that has 3 2008 Domain Controllers.
I have not been monitoring this domain, but 2 of the DCs have stopped replicating and are now past the tombstone time limits. These domain controllers are up, but it looks like some time in December they stopped replicating, and now DNS is having a lot of issues and I need to remove them.

I cannot log into them because their DNS will not work to validate my credentials, I have tried to reset the local admin password, that won't work either.  Both of these Domain controllers did not hold any of the FSMO roles.  I want to demote them but since they are still live it's giving me issues.  Should I just power them off and force removal from the one still living?  I'm not sure how to do it since they are still detected on the network.....

Any advice is appreciated.  I did try to force replication by a change in the registry and changing the tombstone date but that didn't work.  

thank you,

Karen
0
Question by:klsphotos
6 Comments
 
LVL 3

Expert Comment

by:CITG_Carl
ID: 39194357
Good afternoon,

If you turn the domain controllers off, you will have to manually clear out the schema using ADSIEDIT.msc and in DNS. The process takes around an hour, but you need to be really careful.

Have you reset your admin password since December? If so, try logging into these domain controllers using the older password.

If you can log into the DCs, dcpromo them out, and then back in if required.

Cheers
0
 

Author Comment

by:klsphotos
ID: 39194384
I haven't changed my password, it's not doing any authentication properly because DNS is not working right due to the replication.  They won't let me in with the same password I always had.  I can get into the one with the FSMO roles still working but not the other two.
0
 
LVL 3

Accepted Solution

by:
CITG_Carl earned 500 total points
ID: 39194391
Is the issue with the replication DNS related? Are the remote DCs using themselves as a DNS server?

If you cannot log in, you will have to remove them from the schema manually.

http://support.microsoft.com/kb/555846
0

 

Author Comment

by:klsphotos
ID: 39194411
Yes, the DNS is not working on these two Domain Controllers.  I can see the DNS, it's running from the one that is but it has not synched since December.  It's on and looks like it's running, but it's not, so AD isn't working to authenticate me to get into them.  If I do a repadmin /showrepl, all comes back successful, but it's not....
0
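An added example, not part of the thread: one way to test the symptom described in the comment above, where `repadmin /showrepl` reports success although replication stopped months ago, is to compare each link's last-success timestamp with the tombstone lifetime instead of reading the failure counters. The server names, dates and the 60-day lifetime below are constructed, the function name is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample in the CSV layout of `repadmin /showrepl * /csv`.
# Server names, site name and timestamps are made up for illustration.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Lab-Site,LABDC1,"DC=lab,DC=example",Lab-Site,LABDC2,RPC,0,0,2012-12-03 02:14:55,0
showrepl_INFO,Lab-Site,LABDC1,"DC=lab,DC=example",Lab-Site,LABDC3,RPC,0,0,2012-12-05 11:40:09,0
showrepl_INFO,Lab-Site,LABDC2,"DC=lab,DC=example",Lab-Site,LABDC1,RPC,0,0,2013-05-24 08:01:30,0
'@

# Hypothetical helper: reports every inbound link with the age of its last
# successful replication and whether that age exceeds the tombstone lifetime.
function Get-StaleReplicationLink {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Row,
        [Parameter(Mandatory = $true)] [int] $TombstoneDays,  # read the real value from the forest
        [datetime] $Now = (Get-Date)
    )
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $style   = [Globalization.DateTimeStyles]::None
    # Keep only data rows of the report.
    foreach ($r in ($Row | Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' })) {
        $last = [datetime]::MinValue
        $ok = [datetime]::TryParseExact($r.'Last Success Time', 'yyyy-MM-dd HH:mm:ss',
                                        $culture, $style, [ref]$last)
        $age = if ($ok) { [int][math]::Floor(($Now - $last).TotalDays) } else { $null }
        $status = if (-not $ok)                  { 'NO RECORDED SUCCESS' }
                  elseif ($age -ge $TombstoneDays) { 'PAST TOMBSTONE LIFETIME' }
                  else                            { 'OK' }
        [pscustomobject]@{
            Destination = $r.'Destination DSA'
            Source      = $r.'Source DSA'
            Context     = $r.'Naming Context'
            Failures    = $r.'Number of Failures'   # can be 0 on a link that is long dead
            AgeDays     = $age
            Status      = $status
        }
    }
}

# On a live DC, replace the sample with: repadmin /showrepl * /csv | ConvertFrom-Csv
$rows = $sampleCsv | ConvertFrom-Csv
Get-StaleReplicationLink -Row $rows -TombstoneDays 60 -Now ([datetime]'2013-05-24') |
    Format-Table -AutoSize
```

With the constructed data, the two links into LABDC1 are flagged even though their failure count is 0, while the link sourced from LABDC1 is reported as OK.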
 

Expert Comment

by:userPrincipalName
ID: 39195047
Don't bother trying to resurrect a tombstoned DC.  

Your best course of action is to remove it from the domain manually using ntdsutil.  It will take you about 10 minutes (less if you are comfortable with the process) and is well documented.
http://technet.microsoft.com/en-us/library/cc736378%28v=ws.10%29.aspx
0
 

Author Comment

by:klsphotos
ID: 39195054
I removed the failed domain controllers from Sites and Services, DNS, DHCP scope and did a metadata cleanup and removed from the Schema.  

Did I miss anything?  From all of these links it looks like I got it and the metadata cleanup is only showing the one server, the one I am on which is what I want.
0


Question has a verified solution.
