dankyle67

Using ADSI Edit to change tombstone date

Hi,
We have a domain controller at a remote office site that has gone into tombstone after not replicating for 5 months, and someone had explained to me that I could use ADSI Edit in the MMC snap-ins to change the value of the tombstone.  I actually saw where the entry is under cn=configuration,dc=forestrootdomainname,cn=services and cn=windows NT, and after right-clicking cn=directoryservice properties I located the tombstoneLifetime under the attributes column, but did not want to proceed without confirmation of what date I should enter and also whether I should even do this, since I could also do the dcpromo /forceremoval on the tombstoned domain controller.  Problem is that nobody in that remote site is computer savvy, so if I do the ADSI Edit route I could do it without their help.  I already know the exact date of the last successful replication with that server and also very few changes have been made to Active Directory since that last replication, so it seems this would be a good option.  Would I also still have to remove lingering objects after this step or would it not be necessary?  Thanks.
Tony Massa

You cannot change the tombstone value of an object that has been removed from the other DCs. It is not editable. You can only change the tombstone lifetime of deleted objects in the forest. This will not help for objects that have already exceeded the current lifetime.

You have to demote, metadata cleanup, and repromote the DC.
http://books.google.com/books?id=9QoLAAAAQBAJ&pg=PA578&lpg=PA578&dq=tombstone+lifetime+domain+controller+demote&source=bl&ots=QheWpotI3_&sig=eaElzzKlO7wm0WfyuwY9bp-Sj2Y&hl=en&sa=X&ei=5KiXUvraCovmoAS2xYCACA&ved=0CB4Q6AEwBg#v=onepage&q=tombstone%20lifetime%20domain%20controller%20demote&f=false
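
A read-only check of the situation this answer describes, as an added example that is not part of the original post: it reads tombstoneLifetime from the Directory Service object and flags replication partners whose last successful inbound replication is older than that value. It assumes the ActiveDirectory PowerShell module (Windows Server 2012 or later tools) is available, and `DC01.example.com` is a placeholder for a healthy DC.

```powershell
# Added example, not from the thread. Nothing here modifies the directory.
Import-Module ActiveDirectory

# tombstoneLifetime is stored on CN=Directory Service in the configuration
# partition, the same object the question located with ADSI Edit.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime

# If the attribute is not set, the built-in default of 60 days applies.
$tslDays = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
Write-Output "Forest tombstone lifetime: $tslDays days"

# Placeholder (assumption): a healthy DC that still lists the remote DC as a partner.
$healthyDc = 'DC01.example.com'

# Inbound replication metadata on the healthy DC, one row per partner and partition.
Get-ADReplicationPartnerMetadata -Target $healthyDc -Scope Server -Partition * |
    ForEach-Object {
        $age = if ($_.LastReplicationSuccess) {
            ((Get-Date) - $_.LastReplicationSuccess).Days
        } else {
            $null   # no recorded success for this partner and partition
        }
        [pscustomobject]@{
            Partner               = $_.Partner
            Partition             = $_.Partition
            LastSuccess           = $_.LastReplicationSuccess
            DaysSinceSuccess      = $age
            # A partner silent for longer than the tombstone lifetime may hold
            # lingering objects and should be demoted, cleaned up and repromoted.
            PastTombstoneLifetime = ($null -ne $age -and $age -gt $tslDays)
        }
    } |
    Sort-Object DaysSinceSuccess -Descending |
    Format-Table -AutoSize
```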
dankyle67

ASKER

Can I do the metadata cleanup first or do I have to do the demote first? I will have to do a dcpromo /forceremoval since it didn't allow me to do a normal dcpromo demote the first time I tried it, but do I have to disconnect the server from the LAN?

Doesn't matter, as the demotion won't be replicated to the other DCs anyway. You can just demote, then do the metadata cleanup. After all of the DCs have replicated the metadata cleanup, you can repromote the DC.

OK, but do I have to disconnect the failed DC's LAN cable prior to running the dcpromo /forceremoval? I want to get that server promoted as fast as possible after I demote it, so that's why I was thinking of doing all the metadata stuff ahead of time, so that all that would be left for the person I'm giving instructions to at that remote site to do would be to demote then promote it, and hopefully the primary domain controller in the main office will allow the replication to occur.

You don't have to disconnect and can do either in parallel.  They are independent steps, so if you have a large domain/convergence time, you can do the metadata cleanup first if you like.

OK, thanks for confirming that.  Also, since the other machines and users on this remote site have been using the failed domain controller to log into the domain and for some reason they are accessible through the tombstoned DC, will I have to rejoin their PCs to the domain after the promotion is successful and replication has taken place?  Currently they get trust relationship errors when logging in, so I guess this is due to the fact that they are not able to access a working domain controller.
ASKER CERTIFIED SOLUTION
Tony Massa
This solution is only available to members.
Thanks again for the good info.