Solved

Active Directory DC offline for 14 days - what should I do?

Posted on 2015-01-09
7
171 Views
Last Modified: 2015-01-09
Hi experts,

I have 4 domain controllers and they are as follows:

DC1     Windows 2003 R2
DC2     Windows 2003 R2

DC3     Windows 2008 R2  (ALL FSMO roles here)
DC4     Windows 2008 R2

Ironically, I was preparing to DCPromo DC1 out of the network later today and attempted to logon via RDP and check it out first.  I couldn't connect.  Turns out I can't do anything with DC1 but ping it.

I went to DC3 and ran repadmin /replsummary and see all 4 DCs come back.  DC2, DC3, and DC4 have a largest delta of about 50 minutes and no fails.  

On the other hand, DC1 has a delta of 14d.13h:52m:43s, 10 fails, error (1727) the remote procedure call failed and did not execute.  

Now, I have to decide whether to shut this server down dirty and power it back up - OR - just turn it off and rip it out of Active Directory manually.  Either way, it is getting retired, but I'd love to do it gracefully via DCPromo.

If I reboot this thing, is it going to mess up my other 3 DC's since it is has been off-line for so long?  

Thanks!
0
Comment
Question by:dpmoney
  • 3
  • 3
7 Comments
 
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 100 total points
ID: 40540829
14 days is well within the tombstone period and should not cause you any issues. If you can reboot and bring it back up do so, let everything take time to replicate back, then demote.
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 400 total points
ID: 40540830
If the server is operable best thing to do is power on the server, the delta's will replicate to this DC (provided all of the services are fine) and then you can gracefully remove the DC from the domain.

I would not do this manually if the DC startup properly. Too much work involved to do it manually with all of the DNS SRV records that are associated to this DC.

Gracefully is the best way if possible.

Will.
0
 

Author Comment

by:dpmoney
ID: 40541150
Oh boy...looks like the RAID card is dead and system won't boot up.  Halts at BIOS screen.  This is an old Dell server.  No longer in warranty.  I guess I could try to get a replacement PCIE RAID card on eBay just to get the thing booted againt, but at that point, it is almost sounding easier to simply remove the domain controller card from Windows 2008 R2's ADUC.  I've read that if you remove a domain controller from ADUC using Windows 2008 or above, it will do the meta clean up for you.  Have you guys heard of that?  How much of a pain will it be if I go this route?
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40541164
As long as this DC does not hold any of the roles you should be fine. I would still check the DNS SRV records (because there are a lot of locations) where this DC object could still exists. Also checking sites and services to ensure that the objects have been removed.

Once you have removed the DC from the domain make sure that replication and dcdiag are free of errors as well.
repadmin /replsum
dcdiag /v
dcdiag /dnsall
repadmin /bridgeheads

Will.
0
 

Author Comment

by:dpmoney
ID: 40541182
Thanks, Will.  So just to be 100% clear, you think I should simply head over to ADUC in my Windows 2008 R2 domain controller and remove this old DC1 box from the "domain controllers" section?  

Luckily, this old DC1 box did not have any FSMO roles.  It was just an old DC waiting for demotion.

Should've done it sooner.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40541185
That is correct. Just remember to check and make sure that all remnants have been removed. Even those it should not matter and it should do it automatically, theory does not always work in practicality.

Will.
0
 

Author Closing Comment

by:dpmoney
ID: 40541615
I was able to get a new capacitor soldered on the PERC 5/i RAID controller and the server booted.  I let it all sync than ran DCPromo gracefully out of the domain.  I tried to split the points based on the initial responses and how much additional interaction I had with each contributor.  Thanks!!!
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Synchronize a new Active Directory domain with an existing Office 365 tenant
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now