Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Tombstone DC's

Posted on 2013-05-24
6
Medium Priority
?
448 Views
Last Modified: 2013-05-24
Hello Experts,

I need some advice.
I have a testing lab that has 3 2008 Domain Controllers.
I have not been monitoring this domain but 2 of the DC's have stopped replicating and now are past the tombstone time limits.  These Domain controllers are up but it looks like some time in December they stopped replicating and now DNS is having a lot of issues and I need to remove them.

I cannot log into them because their DNS will not work to validate my credentials, I have tried to reset the local admin password, that won't work either.  Both of these Domain controllers did not hold any of the FSMO roles.  I want to demote them but since they are still live it's giving me issues.  Should I just power them off and force removal from the one still living?  I'm not sure how to do it since they are still detected on the network.....

Any advice is appreciated.  I did try to force replication by a change in the registry and changing the tombstone date but that didn't work.  

thank you,

Karen
0
Comment
Question by:klsphotos
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 3

Expert Comment

by:CITG_Carl
ID: 39194357
Good afternoon,

if you turn the domain controllers off, you will have to manually clear out the schema using ADSIEDIT.msc and in DNS. The process takes around an hour, but you need to be really careful.

Have you reset your admin password since Decemeber? If so try logging into these domain controllers using the older password.

If you can log into the DC's dcpromo them out, and then back in if required

Cheers
0
 

Author Comment

by:klsphotos
ID: 39194384
I haven't changed my password, it's not doing any authentication properly because DNS is not working right due to the replication.  They won't let me in with the same password I always had.  I can get into the one with the FSMO roles still working but not the other two.
0
 
LVL 3

Accepted Solution

by:
CITG_Carl earned 2000 total points
ID: 39194391
Is the issue with the replication DNS related? Are the remote DC's using themselves as a DNS server?

If you cannot log in, you will have to remove them from the schema manually

http://support.microsoft.com/kb/555846
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:klsphotos
ID: 39194411
Yes, the DNS is not working on these two Domain Controllers.  I can see the DNS, it's running from the one that is but it has not synched since December.  It's on looks like it's running but it's not so AD isn't working to authenticate me to get into them.  If I do a repadmin /showrepl all comes back successful, but it's not....
0
 

Expert Comment

by:userPrincipalName
ID: 39195047
Dont bother trying to resurrect a tombstoned DC.  

Your best course of action is to remove it from the domain manually using ntdsutil.  It will take you about 10 minutes (less if you are comfortable with the process) and is well documented.
http://technet.microsoft.com/en-us/library/cc736378%28v=ws.10%29.aspx
0
 

Author Comment

by:klsphotos
ID: 39195054
I removed the failed domain controllers from Sites and Services, DNS, DHCP scope and did a meta data clean up and removed from the Schema.  

Did I miss anything?  From all of these links it looks like I got it and the meta data clean up is only showing the one server, the one I am on which is what I want.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Suggested Courses

661 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question