Solved

using adsi edit to change tombstone date

Posted on 2013-11-28
Last Modified: 2013-11-29
Hi,
We have a domain controller at a remote office site that has gone into tombstone after not replicating for 5 months, and someone explained to me that I could use ADSI Edit in the MMC snap-ins to change the value of the tombstone. I actually saw where the entry is, under cn=configuration,dc=forestrootdomainname, cn=services and cn=windows NT, and after right-clicking cn=directoryservice > properties I located tombstoneLifetime in the attributes column, but I did not want to proceed without confirmation of what date I should enter, and also whether I should even do this, since I could also do dcpromo /forceremoval on the tombstoned domain controller.

The problem is that nobody in that remote site is computer savvy, so if I go the ADSI Edit route I could do it without their help. I already know the exact date of the last successful replication with that server, and very few changes have been made to Active Directory since that last replication, so it seems this would be a good option. Would I also still have to remove lingering objects after this step, or would it not be necessary? Thanks.
Question by:dankyle67
8 Comments
 
LVL 17

Expert Comment

by:Tony Massa
ID: 39684172
You cannot change the tombstone value of an object that has been removed from the other DCs. It is not editable. You can only change the tombstone lifetime of deleted objects in the forest. This will not help for objects that have already exceeded the current lifetime.

You have to demote, metadata cleanup, and repromote the DC.
http://books.google.com/books?id=9QoLAAAAQBAJ&pg=PA578&lpg=PA578&dq=tombstone+lifetime+domain+controller+demote&source=bl&ots=QheWpotI3_&sig=eaElzzKlO7wm0WfyuwY9bp-Sj2Y&hl=en&sa=X&ei=5KiXUvraCovmoAS2xYCACA&ved=0CB4Q6AEwBg#v=onepage&q=tombstone%20lifetime%20domain%20controller%20demote&f=false
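A PowerShell check, added here and not part of the thread, that reads the same tombstoneLifetime value the asker located in ADSI Edit and compares it with the last successful replication the healthy DC recorded from the remote DC, so the "exceeded or not" decision is based on what the directory itself says. It assumes the Windows Server 2012 / RSAT ActiveDirectory module; $HealthyDC, $FailedDC and the 60-day fallback for an unset attribute are assumptions, not values from the thread.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# (Windows Server 2012 / Windows 8 or later) and that $HealthyDC runs ADWS.
Import-Module ActiveDirectory

$HealthyDC = 'dc01.corp.example.com'   # assumed: a healthy DC in the main office
$FailedDC  = 'REMOTEDC01'              # assumed: hostname of the tombstoned remote DC

# 1. Read tombstoneLifetime from the object the question found in ADSI Edit:
#    CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root>
$configNC = (Get-ADRootDSE -Server $HealthyDC).configurationNamingContext
$dsObject = Get-ADObject -Server $HealthyDC -Properties tombstoneLifetime `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# An unset attribute means the forest uses the 60-day default (forests created
# before Windows Server 2003 SP1); forests created later are set to 180.
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
"Forest tombstone lifetime: $tsl days"

# 2. Ask the healthy DC when it last replicated successfully FROM the failed DC,
#    per naming context. Reading it here never touches the failed DC.
$partners = Get-ADReplicationPartnerMetadata -Target $HealthyDC -Scope Server -Partition * |
    Where-Object { $_.Partner -like "CN=NTDS Settings,CN=$FailedDC,*" }

if (-not $partners) {
    "No inbound replication metadata from $FailedDC on $HealthyDC; compare with repadmin /showrepl."
}

foreach ($p in $partners) {
    $days = [math]::Floor(((Get-Date) - $p.LastReplicationSuccess).TotalDays)
    if ($days -gt $tsl) {
        # Past the lifetime: the thread's answer applies (force-demote, metadata cleanup, repromote)
        $verdict = "EXCEEDED by $($days - $tsl) days"
    } else {
        $verdict = "within lifetime, $($tsl - $days) days of margin left"
    }
    "{0,-45} last success {1:yyyy-MM-dd}  {2}" -f $p.Partition, $p.LastReplicationSuccess, $verdict
}
```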
 

Author Comment

by:dankyle67
ID: 39685523
Can I do the metadata cleanup first, or do I have to do the demote first? I will have to do a dcpromo /forceremoval, since it didn't allow me to do a normal dcpromo demote the first time I tried it, but do I have to disconnect the server from the LAN?
 
LVL 17

Expert Comment

by:Tony Massa
ID: 39685588
Doesn't matter as the demotion won't be replicated to the other DCs anyway. You can just demote then metadata cleanup. After all of the DCs have replicated the metadata cleanup, you can repromote the DC.
 

Author Comment

by:dankyle67
ID: 39685601
Ok, but do I have to disconnect the failed DC's LAN cable prior to running the dcpromo /forceremoval? I want to get that server promoted as fast as possible after I demote it, so that's why I was thinking of doing all the metadata stuff ahead of time, so that all that would be left for the person I'm giving instructions to at that remote site would be to demote then promote it, and hopefully the primary domain controller in the main office will allow the replication to occur.
 
LVL 17

Expert Comment

by:Tony Massa
ID: 39685674
You don't have to disconnect and can do either in parallel. They are independent steps, so if you have a large domain/convergence time, you can do metadata first if you like.
 

Author Comment

by:dankyle67
ID: 39685693
Ok, thanks for confirming that. Also, since the other machines and users on this remote site have been using the failed domain controller to log into the domain, and for some reason they are accessible through the tombstoned DC, will I have to rejoin their PCs to the domain after the promotion is successful and replication has taken place? Currently they get trust relationship errors when logging in, so I guess this is due to the fact that they are not able to access a working domain controller.
 
LVL 17

Accepted Solution

by:Tony Massa (earned 2000 total points)
ID: 39685732
You may have to reset the computer accounts (or rejoin, which is the same thing).

Joeware has a tool which may be able to make the process faster. http://www.joeware.net/freetools/tools/machinepwd/index.htm

I think that you can wait for the DC to be repromoted first before attempting to reset the computer accounts. The computer accounts may be fine after the DC comes back up.
 

Author Comment

by:dankyle67
ID: 39685817
Thanks again for the good info.
