Tombstoned DC that was the Root Certificate Authority


I just discovered that a domain controller that was tombstoned about 2 years ago was actually our Root Certificate Authority. I was wondering what steps are needed to resolve this so we can set up a new root CA for the domain. I've tested a few workstations with certutil.exe and all come back with this:

Entry 0:
  Name:                         `LocalCert'
  Organizational Unit:          `'
  Organization:                 `'
  Locality:                     `'
  State:                        `'
  Country/region:               `'
  Config:                       `tombstoned-old-Domain-Controller.local\LocalCert'
  Exchange Certificate:         `'
  Signature Certificate:        `'
  Description:                  `'
  Server:                       `tombstoned-old-Domain-Controller.local'
  Authority:                    `LocalCert'
  Sanitized Name:               `LocalCert'
  Short Name:                   `LocalCert'
  Sanitized Short Name:         `LocalCert'
  Flags:                        `1'
  Web Enrollment Servers:       `'
CertUtil: -dump command completed successfully.

I'd like to set up a new Root CA for the domain and remove the old one, but I'm worried about what the impact on users would be if I do this during business hours.


Schnell Solutions, Systems Infrastructure Engineer, commented:
You can install your new root CA without any issue, and it is not going to impact your users. You can do it at any time.

Removing the PKI information from AD is an independent process, and its effect will depend on what your users have done with the certificates. You can leave it there separately and install your new one in the meantime.
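Before deciding whether to leave the old PKI objects in place, it helps to see exactly where the dead CA is still referenced. The following is an added example (not part of this answer) that audits the AD PKI containers and the local certificate stores; it assumes the ActiveDirectory RSAT module and takes the CA host and CA name from the certutil output in the question.

```powershell
# Added example, not from the answer above: audit where the decommissioned CA is still
# referenced before removing it. Assumes the ActiveDirectory RSAT module and the CA host
# name and CA name from the question's certutil output.
$StaleHost = 'tombstoned-old-Domain-Controller.local'
$StaleCA   = 'LocalCert'

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Enrollment Services entries: this is the list that certutil -dump and autoenrollment read.
#    An entry whose host no longer answers is what produces the output in the question.
$enrollment = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName |
    ForEach-Object {
        [pscustomobject]@{
            CA        = $_.Name
            Host      = $_.dNSHostName
            Stale     = ($_.dNSHostName -ieq $StaleHost)
            Reachable = Test-Connection -ComputerName $_.dNSHostName -Count 1 -Quiet
        }
    }
$enrollment | Format-Table -AutoSize

# 2. Every CA certificate published in the configuration partition (Certification Authorities,
#    AIA and NTAuthCertificates). NTAuth membership is what allows certificates from a CA to be
#    used for smart-card and other certificate-based domain logon, so it matters most.
$published = foreach ($obj in Get-ADObject -SearchBase $pkiBase -LDAPFilter '(cACertificate=*)' -Properties cACertificate) {
    foreach ($raw in $obj.cACertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        [pscustomobject]@{
            Object     = $obj.Name
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
}
$published | Format-Table -AutoSize

# 3. On the machine this runs on: certificates issued by the dead CA. Each one is something a
#    user or service has "done with the certificates"; it fails revocation checking once no fresh
#    CRL can be fetched and stops chaining as soon as the root is removed from the trust stores.
$issued = Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -match "CN=$StaleCA(,|$)" } |
    Select-Object Subject, Thumbprint, NotAfter, PSParentPath
$issued | Format-Table -AutoSize
```

Run section 3 on a sample of workstations and servers (the CA name in the question is `LocalCert`); an empty result everywhere is the evidence that removing the old PKI objects will not break anything in use.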

Scott C, Senior Engineer, commented:
When you are ready to get rid of the tombstoned DC, here are the steps:

Forcing removal of tombstoned Domain Controller

The default tombstone lifetime in Windows Server 2000 – 2003 is 60 days. In Windows Server 2003 SP1 and above it's 180 days. Despite being Windows 2003 R2, the forest came from SBS 2003. The original tombstone lifetime doesn't change when you upgrade, so it stayed at 60 days.
The first part of fixing the issue was demoting the domain controller back to a standalone server. Once that was done I could fix whatever issues the network had and re-promote at a later stage.
Even though the network was up and the domain controller in question could connect to other domain controllers, being tombstoned meant that it wouldn't talk with the DCs. Running the command dcpromo on the DC in question would fail when it attempted to communicate with the domain.
To work around the issue the command needed to be run with the /forceremoval switch.
Dcpromo /forceremoval
Below are the steps to perform a force removal.
1. Run dcpromo /forceremoval from the run box.

2. Click next to start the wizard.

3. Confirm the removal.

4. Set a new administrator password for when the server becomes a standalone server.

5. Confirm the removal of AD without cleaning up the metadata. This is an important step to note. Because we are forcing the removal of AD without cleaning up the metadata, this is a manual step we will have to perform in our AD environment on a functioning DC.

6. Demotion will now start and remove the server from being a Domain Controller.

7. Click finish and reboot the server to complete the process.

With the server now successfully demoted it can be promoted back to a domain controller using the standard dcpromo command. Before this can happen, though, we have to go back to step 5 above and perform a manual metadata cleanup of Active Directory to remove any references to this tombstoned DC. I'll be covering this step more in depth in a later post. Microsoft has a very thorough article on how to perform this process.
With the server demoted and a metadata cleanup performed, I could happily promote this server back to a DC. Preventing the issue from happening again would mean fixing my monitoring and sorting out any time sync issues… also a post for a later stage.

Metadata cleanup

Clean Up Server Metadata

How to remove data in Active Directory after an unsuccessful domain controller demotion

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

To clean up server metadata by using Active Directory Users and Computers

      1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers.
      2. If you have identified replication partners in preparation for this procedure and if you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Users and Computers <DomainControllerName>, and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
      3. Expand the domain of the domain controller that was forcibly removed, and then click Domain Controllers.
      4. In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete.
      5. In the Active Directory Domain Services dialog box, click Yes to confirm the computer object deletion.
      6. In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
      7. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
      8. If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.
         You cannot change this domain controller. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure.

From <>
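The ADUC procedure above deletes the computer object, but a forcibly removed DC also leaves a server object, NTDS Settings, a SYSVOL replication member and possibly FSMO role references behind. The following is an added example (not part of the answer or the quoted articles) that lists every such leftover so the cleanup can be checked before and after; it assumes the ActiveDirectory RSAT module and derives the DC's short name from the host name in the question.

```powershell
# Added example, not part of the answer above: list every lingering reference to a forcibly
# removed DC so metadata cleanup can be verified. Assumes the ActiveDirectory RSAT module;
# the host name is the one from the question's certutil output.
$StaleHost = 'tombstoned-old-Domain-Controller.local'
$StaleDC   = $StaleHost.Split('.')[0]          # short computer name, e.g. the CN of its objects

$rootDSE  = Get-ADRootDSE
$configNC = $rootDSE.configurationNamingContext
$domainNC = $rootDSE.defaultNamingContext
$findings = @()

# 1. Server object and its NTDS Settings child under Sites (what "remove selected server" in
#    ntdsutil, or the ADUC deletion wizard, is supposed to take away).
$findings += Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$StaleDC))" |
    ForEach-Object {
        [pscustomobject]@{ Kind = 'Server object'; DN = $_.DistinguishedName }
        Get-ADObject -SearchBase $_.DistinguishedName -LDAPFilter '(objectClass=nTDSDSA)' |
            ForEach-Object { [pscustomobject]@{ Kind = 'NTDS Settings'; DN = $_.DistinguishedName } }
    }

# 2. Computer account still sitting in the Domain Controllers OU (step 4 of the ADUC procedure).
$findings += Get-ADObject -SearchBase "OU=Domain Controllers,$domainNC" `
    -LDAPFilter "(&(objectClass=computer)(cn=$StaleDC))" |
    ForEach-Object { [pscustomobject]@{ Kind = 'DC computer account'; DN = $_.DistinguishedName } }

# 3. SYSVOL replication membership: FRS and DFSR each keep a per-DC member object under CN=System.
$findings += Get-ADObject -SearchBase "CN=System,$domainNC" `
    -LDAPFilter "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$StaleDC))" |
    ForEach-Object { [pscustomobject]@{ Kind = 'SYSVOL member'; DN = $_.DistinguishedName } }

# 4. FSMO roles: the wizard moves them on delete (step 8), but confirm nothing still points at the old DC.
$domain = Get-ADDomain
$forest = Get-ADForest
foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
    if ($domain.$role -like "$StaleDC.*") { $findings += [pscustomobject]@{ Kind = "FSMO $role"; DN = $domain.$role } }
}
foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
    if ($forest.$role -like "$StaleDC.*") { $findings += [pscustomobject]@{ Kind = "FSMO $role"; DN = $forest.$role } }
}

if ($findings.Count -eq 0) { "No references to $StaleDC remain; metadata cleanup is complete." }
else { $findings | Format-Table -AutoSize }
```

Run it once before the cleanup to know what the wizard must remove, and again afterwards; anything still listed (a stale DNS record for the host is a separate check with Resolve-DnsName) has to be removed by hand before the server is promoted again.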