Tombstoned DC in a separate site does not sync - need to re-sync or remove from Domain.


In the process of working on a different issue, I discovered that a remote, unmonitored site had not been syncing properly for a while, and as a result we have a DC that is now "tombstoned" and is not syncing. The remaining DCs (corporate and one more site) are replicating correctly as far as I can tell.

As that one site is rather problematic to keep around and online reliably, I am thinking about removing that one DC, and possibly removing the site (not decided on the second part). I am not sure what the best procedure to follow at this point would be. Once the replication is broken the "graceful" removal/demotion process might not be possible, although I did not attempt it yet.

I am also not sure what the best practice is for separate sites like that: no local DC, or possibly an RODC? That site has seen almost no usage in the last 12 months, and even if there are users/computers there, it is a very limited deployment with under 15 devices. The site is connected by Comcast business broadband over a hardware-based always-on VPN - when actually "online".

All the DCs are 2012 servers, functional level is 2008 R2.
Lee W, MVPTechnology and Business Process AdvisorCommented:
If it's tombstoned, delete it from AD.  Metadata cleanup should be Automatic in 2012.  Don't worry about graceful demotion.  If the remote site has file shares, forcefully demoting into a workgroup and then rejoining the domain will restore permissions.  You can optionally extend the tombstone life or just leave it a member server.

rr2rAuthor Commented:
Hmm... It is Microsoft, it cannot be that simple, it never is...
Lee W, MVPTechnology and Business Process AdvisorCommented:
It is if you know the product and it was setup properly.  Most people who complain about MS software don't seem to have implemented it properly in the first place.  It works great when people follow best practices and supported methods... less so when they do what they want without care.
rr2rAuthor Commented:

You are probably right - the technology is solid, it is the users who cause issues... I am just thinking that simply deleting from AD seems very easy when dealing with a DC. For now we have the server blocked from the corporate network, but I have remote access from my own machine.
Lee W, MVPTechnology and Business Process AdvisorCommented:
I used to setup things in a "hacked" "I like it this way" way... then, especially after working with SBS, I learned best practices and how they REALLY make a difference...
rr2rAuthor Commented:
I don't think that this server was necessarily misconfigured, but the people running the show here dropped the ball on having the remote site in such a state for so long. So now we have the mess to clean up :)

Looking at the AD copy over on that machine I see no new users which we set up in the last several weeks and a bunch of accounts are still listed there which I am sure were wiped from AD in the meantime.

So back to the original question - deleting the object from the "good" DC is all that needs to be done?
rr2rAuthor Commented:
...and the follow-up question (I see articles corroborating the "just delete" approach): will a site without a dedicated DC still function from the AD perspective? I have one member server there now which I would like to keep operational after the DC is gone...
Lee W, MVPTechnology and Business Process AdvisorCommented:
Things will work fine with cached credentials and other sites can provide authentication when the VPN is running.
rr2rAuthor Commented:
OK, Need to wait till next week before doing anything - IT is on hold as far as messing with anything till after Mother's Day. I will update here if anything changes before next week.
rr2rAuthor Commented:
Ready to work on this today and tomorrow. Have access to that machine now via VCenter console but we still have it firewalled off from the rest of the network. Over the weekend I also removed the "Global Catalog" feature, making it just a regular DC for the domain. That seemed to fix some of the weird issues we were seeing in the address books for Lync and Outlook.

Still, the plan is to remove it from the AD "forcefully" and not have it connected again till after it is demoted. Additionally, that server is running DHCP locally, so we don't want to lose that functionality.

Which brings up another question - DCs don't support local accounts, so if we forcefully remove it, how can we gain access later to uninstall features and join it back to the domain? Use cached credentials, and move it to a workgroup from the console?
rr2rAuthor Commented:
Removed the "failed" DC by first uninstalling the services locally and later deleting the metadata out of the AD from a working DC. All seems to be working fine so far. Thanks for the help!
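The procedure the thread settles on (confirm the DC is really past tombstone lifetime and holds no FSMO roles, force-demote it from its own console while it is still firewalled off, then clean its metadata from a healthy DC and verify), written out in PowerShell as an added example; this is not code from the thread or from Microsoft, and `$DeadDc` / `REMOTE-DC01` is a placeholder name.

```powershell
# Added example, not from the thread. Placeholder: $DeadDc is the tombstoned DC.
# Sections 1, 3 and 4 run on a healthy DC; section 2 runs on the dead DC's own
# console (vCenter) while it is still firewalled off, as the thread describes.
Import-Module ActiveDirectory
$DeadDc = 'REMOTE-DC01'

# --- 1. Healthy DC: is it really past tombstone lifetime, and does it hold FSMO roles? ---
$cfg = (Get-ADRootDSE).configurationNamingContext
$tsl = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
          -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }   # attribute absent means the old 60-day default applies
# Read this healthy DC's own view of its inbound partners; the dead box need not be reachable.
$last = Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Scope Server |
        Where-Object { $_.Partner -like "*CN=$DeadDc,*" } |
        Sort-Object LastReplicationSuccess -Descending | Select-Object -First 1
if ($last) {
    $days = ((Get-Date) - $last.LastReplicationSuccess).TotalDays
    "Tombstone lifetime {0} days; last inbound success from {1} was {2:N0} days ago" -f $tsl, $DeadDc, $days
}
$dom = Get-ADDomain; $for = Get-ADForest
$fsmo = @($dom.PDCEmulator, $dom.RIDMaster, $dom.InfrastructureMaster,
          $for.SchemaMaster, $for.DomainNamingMaster)
if ($fsmo -match ('^' + [regex]::Escape($DeadDc) + '\.')) {
    Write-Warning "$DeadDc still holds FSMO roles; seize them first with Move-ADDirectoryServerOperationMasterRole -Force"
}

# --- 2. Dead DC console (still firewalled off): forced demotion ---------------
# -ForceRemoval skips the replication-based demotion a tombstoned DC cannot finish.
# It sets a local Administrator password, which answers the "DCs have no local
# accounts" worry: that account is what you log on with after the reboot.
Import-Module ADDSDeployment
Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole `
    -LocalAdministratorPassword (Read-Host 'New local Administrator password' -AsSecureString) -Force

# --- 3. Healthy DC: metadata cleanup of the server object ----------------------
# On 2008+ removing the server object this way also deletes its NTDS Settings
# object, the computer account in Domain Controllers and the FRS member object.
$serverDn = (Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$DeadDc'" -SearchBase $cfg).DistinguishedName
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# --- 4. Healthy DC: verify nothing stale is left behind -----------------------
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog   # $DeadDc must be absent
Get-ADComputer -Filter "Name -eq '$DeadDc'" -SearchBase $dom.DomainControllersContainer  # expect no output
repadmin /replsummary      # remaining DCs should report 0 fails
# Stale SRV/CNAME records for $DeadDc under _msdcs in DNS should be removed by hand if present.
```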