Active Directory - Ideas on Tombstoned Domain Controllers

Hi guys, so I've been welcomed into a new environment with a number of Domain Controllers, all currently physical; however, in the past they have added virtual ones. All the virtual servers were taken offline for some reason and are well past the tombstone period. As such, it's creating all sorts of errors when other DCs try to contact these offline servers. They do, however, intend to re-introduce them into AD at a later date.

My question is, aside from doing a metadata cleanup and removing them from AD, are there any other options for handling a situation like that?

Thanks in advance
Raymond Brooks Asked:

Scott C, Senior Engineer, Commented:
It's a fairly straightforward process.  Here are my OneNotes on the subject.  I just did one of these and it was pretty easy.

Forcing removal of tombstoned Domain Controller

Clean Up Server Metadata

Joseph Moody, Blogger and wearer of all hats, Commented:
Follow Scott's advice. You will have to do the metadata cleanup and remove them from AD.
Scott C, Senior Engineer, Commented:
The biggest challenge I ran into was my client forgot their local Admin password.  I reset it using this procedure.

Resetting Administrator Password in Windows 2008 R2/ 2012 R2

Will Szymkowski, Senior Solution Architect, Commented:
The tombstone lifetime for 2003 SP2 and up is 180 days (6 months). Are you 100% sure that these DCs have been offline for that long? If they are NOT past the tombstone period, then it would be much better to demote these DCs gracefully (if they are no longer needed).

If you are correct in the fact that they are tombstoned, additional steps need to be taken to ensure that all of the DCs' remnants are removed from Active Directory. Do the following:

- perform metadata cleanup (as you have originally posted)
- check and remove any DC computer objects that still reside in AD Sites and Services
  Note: metadata cleanup does NOT remove these objects
- open DNS Manager > expand the folder and delete any records that reference the old domain controllers (right-click > Delete)
  Note: metadata cleanup does not remove DNS records, so make sure that you go through all of the SRV records located in the folder. If you see any, delete them
- once you have performed all of the above steps, check your AD replication and DC health using the below commands:

  repadmin /replsum
  repadmin /showrepl
  repadmin /bridgeheads
  DCDiag /v

Once you have verified that all should be good.
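The checklist above (leftover server objects under Sites, leftover DNS records, then the repadmin/dcdiag checks) as an audit script. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory and DnsServer modules on a DC, and the names VDC01/VDC02 are constructed placeholders for the retired DCs.

```powershell
# Added example: find remnants of decommissioned DCs after metadata cleanup.
# Assumes ActiveDirectory + DnsServer modules; $StaleDCs are constructed sample names.
param(
    [string[]]$StaleDCs  = @('VDC01', 'VDC02'),   # replace with your retired DC host names
    [string]  $DnsServer = $env:COMPUTERNAME      # DNS server to query (assumed to be this DC)
)
Import-Module ActiveDirectory, DnsServer

$domain  = (Get-ADDomain).DNSRoot
$config  = (Get-ADRootDSE).configurationNamingContext
$pattern = ($StaleDCs | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Server objects under CN=Sites: metadata cleanup leaves these behind.
Get-ADObject -SearchBase "CN=Sites,$config" -LDAPFilter '(objectClass=server)' -Properties dNSHostName |
    Where-Object { $_.Name -match $pattern -or $_.dNSHostName -match $pattern } |
    ForEach-Object { [pscustomobject]@{ Where = 'Sites'; Type = 'server'; Item = $_.DistinguishedName } }

# 2. DNS records still naming the old DCs: A/AAAA (by host name), CNAME (_msdcs GUID
#    aliases), NS and SRV. The _msdcs zone may be missing when it lives inside the
#    domain zone (common in domains upgraded from 2000), hence SilentlyContinue.
foreach ($zone in @($domain, "_msdcs.$domain")) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object {
            $d = $_.RecordData
            ($_.HostName      -match $pattern) -or   # A/AAAA owner name
            ($d.DomainName    -match $pattern) -or   # SRV target
            ($d.HostNameAlias -match $pattern) -or   # CNAME target
            ($d.NameServer    -match $pattern)       # NS target
        } |
        ForEach-Object {
            [pscustomobject]@{ Where = "DNS $zone"; Type = $_.RecordType; Item = $_.HostName }
        }
}
# Delete form for stale SRV records, once the report above has been reviewed (dry run first):
# Get-DnsServerResourceRecord -ZoneName "_msdcs.$domain" -RRType Srv |
#     Where-Object { $_.RecordData.DomainName -match $pattern } |
#     Remove-DnsServerResourceRecord -ZoneName "_msdcs.$domain" -Force -WhatIf

# 3. Replication and DC health checks from the checklist.
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads
dcdiag /v
```

Run it on a DC after the ntdsutil metadata cleanup; an empty report from steps 1 and 2 and clean repadmin output are the "all good" state the post describes.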

Raymond Brooks, Author, Commented:
Oh, I'm 100% sure lol.

Thanks again guys.
Raymond Brooks, Author, Commented:
Ok, silly question: I see force removal is being done on the tombstoned DC. What if the DC no longer exists? Can I skip the force removal part?

And if the server does exist, putting it back shouldn't create an issue since it's tombstoned, right o_O, as in it's not supposed to contact the healthy DCs anyway.
Scott C, Senior Engineer, Commented:
Yes, if the DC no longer exists, you can skip the force removal and just clean up the metadata.

Once you do the force removal and clean up the metadata, you can then join it back as a member server then promote it again.

@Will...Yes the lifetime is 180 days, however, if the server was upgraded from before 2003 SP2 or earlier and the lifetime was never manually changed, it will still be at the old default value of 60 days.

In the case I mentioned, they are running on 2008 R2, but they upgraded from 2000 back in the day and never changed the value.
Raymond Brooks, Author, Commented:
So another question popped up. Currently the virtual DCs are on a host that's been down for maintenance (for a really long time). Let's say I clean up AD, then they rebuild the host and all those VMs come back online, still thinking they are DCs. Would that have any impact on the domain? It shouldn't, right, considering they don't exist in AD any more.

Or am i mistaken?
Scott C, Senior Engineer, Commented:
Actually once you remove the metadata, those machines will no longer have computer accounts, so they won't be able to log into the domain.

So, no, there won't be any impact.
Raymond Brooks, Author, Commented:
That's what I thought, thanks.