r4kieta

asked on

Domain Controller reached tombstone, need to demote, clean AD, promote new server.

Good Afternoon Experts Exchang-ians,

Through a combination of dcdiag, repadmin, and ADSIEdit I found that one of my client's servers passed its tombstone time and became disconnected.
The Forest has around 20 DCs, one DC for each physical location; the main site has two DCs.
Each physical AD Site replicates to either of the main site DCs using only one link to either of them.
The entire environment is virtual, so creating new servers won't be a problem.
Originally the domain was at Windows Server 2003, where the tombstone interval was at its original default of 60 days (as far as the documents I found had a true source); then we migrated all domain controllers to Windows 2008 R2 Standard, and once they were all at 2008 we raised the Domain Functional Level to 2008 R2. The tombstone was still 60 days instead of 180 days because we migrated from 2003 to 2008; as far as I understood from the tech notes, that value wouldn't change if the original value was 60 days.

I have come across several articles with two suggestions: either to
a. HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner and replicate
b. demote forcefully, clean AD database, promote again and let it replicate.

So questions:
a. I already know that the better option is to demote, clean, promote, although I want to see if anyone has had any luck with a?

Going forward with demotion plan.
b. Would it be better to create a new 2008 R2 VM with a different name and IP, or is it safe to use the same server that we will be demoting with the same name and IP? I just want to avoid any corruption later.

c. For b. I am looking for in-depth information explaining all the processes involved, so I can be prepared in case I missed something in the plan below, from anyone's experience. Thanks

d. Once forcefully demoting, how would other sites know of the demotion if the tombstone is reached? Does manual cleanup do the trick, or are there still some background processes that take place even though tombstoned?

The plan is to ("theoretically") (found that 2008+ made it easy):
a. set up a new VM with a new name and new IP on the same ESXi hosts where the affected VM is hosted, join as a member server to domain.com at that site.
a.1. Export DHCP settings and scopes to a .bak file.
b. forcefully demote the remote domain controller which has passed the tombstone interval: connect to the affected DC via RDP > cmd > Run as Administrator > dcpromo /forceremoval (that DC does not host any operations master roles, although it is a GC and DNS). By the way, all remote DCs are GCs and DNS servers to offload authentication and name resolution requests.
c. once complete, remove the Active Directory Domain Services role from Server Manager, reboot.
d. on the Main Site DC clean up metadata:
d.1. Under Active Directory Users and Computers > domain.com > Domain Controllers > select the affected DC > Right Click > Delete > YES.
d.1.a. In the Deleting Domain Controller dialog box, select "This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO)", and then click Delete.
d.2. Under Active Directory Sites and Services > go to the remote site where the affected domain controller was > Expand Site > Expand Servers > Expand DC_name > Right Click on NTDS Settings > Delete.
d.3. Under Active Directory Sites and Services > go to the remote site where the affected domain controller was > Expand Site > Expand Servers > Right Click on the DC_name > Delete.
d.4. Under Active Directory Sites and Services > go to the site where the affected DC was replicating from > Expand Site > Expand Servers (pick the replication partner of the affected server) > Expand NTDS Settings > Right Click on the tombstoned/affected server > Delete.
d.5. Remove old DNS entries from the DNS server.
e. Wait for full replication to all domain controllers in the Domain.
f. After replication is over, promote the new server as AD, GC, DNS, DHCP.

Did I miss anything?

g. If for some reason the demotion process fails, follow this guide:
http://support.microsoft.com/kb/216498

h. Link I used to come up with the plan
https://fawzi.wordpress.com/2010/11/11/remove-failed-dc-from-ad-manually-never-been-easier/


Thanks
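The checks around steps b through e of the plan above (confirm the effective tombstone lifetime, find partners whose last successful replication is older than it, run the metadata cleanup from a healthy hub DC, then verify the stale references are gone before promoting the replacement), written as an added PowerShell example; this is not code from the original post or the accepted answer. It assumes the placeholder names DC-REMOTE, RemoteSite and domain.com, the ActiveDirectory module (available on 2008 R2 with ADWS) on a healthy writable DC, and repadmin and ntdsutil on the path. The destructive ntdsutil call runs only when $DoCleanup is set to $true; everything else is read-only.

```powershell
# Added example (not from the original post). Placeholders: adjust before use.
Import-Module ActiveDirectory

$DeadDc    = 'DC-REMOTE'   # placeholder: the DC that passed the tombstone lifetime
$DeadSite  = 'RemoteSite'  # placeholder: the AD site the dead DC lived in
$DnsSuffix = 'domain.com'  # placeholder: the domain's DNS name
$DoCleanup = $false        # set to $true only after the read-only checks look right

$rootDse = Get-ADRootDSE
$configNc = $rootDse.configurationNamingContext

# 1. Effective tombstone lifetime. The attribute is unset on forests that started life
#    on Windows 2003 with the 60-day default, which is the situation the asker describes;
#    an unset value means 60 days still applies even after raising the functional level.
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" -Properties tombstoneLifetime
$tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
"Effective tombstoneLifetime: $tsl days"

# 2. Replication partners whose last success is older than the TSL (or that never
#    succeeded). repadmin /showrepl works on 2008 R2; its CSV output includes
#    'Source DSA' and 'Last Success Time' columns. A partner past the TSL must be
#    removed via forced demotion and metadata cleanup, not re-replicated.
$cutoff = (Get-Date).AddDays(-$tsl)
$stale = repadmin /showrepl '*' /csv | ConvertFrom-Csv | Where-Object {
    $t = [datetime]::MinValue
    (-not [datetime]::TryParse($_.'Last Success Time', [ref]$t)) -or ($t -lt $cutoff)
}
$stale | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Success Time' | Format-Table -AutoSize

# 3. Metadata cleanup from the hub (the scripted equivalent of GUI steps d.1 to d.4).
#    On 2008 and later, ntdsutil's "remove selected server <DN>" removes the server and
#    NTDS Settings objects together with the related computer and replication-member
#    objects. DNS records (step d.5) still have to be removed separately.
$serverDn = "CN=$DeadDc,CN=Servers,CN=$DeadSite,CN=Sites,$configNc"
$serverObj = Get-ADObject -Filter "distinguishedName -eq '$serverDn'" -SearchBase $configNc
if (-not $serverObj) {
    "No server object at $serverDn; nothing to clean."
} elseif ($DoCleanup) {
    ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
} else {
    "Server object $serverDn still present; set `$DoCleanup = `$true to remove it."
}

# 4. Post-cleanup verification (step e): no leftover site/server objects or DNS records
#    for the dead DC, and a clean replication summary, before promoting the new server.
$leftover = Get-ADObject -Filter "name -eq '$DeadDc'" -SearchBase "CN=Sites,$configNc"
if ($leftover) { "Leftover objects still reference $DeadDc:"; $leftover | Format-List DistinguishedName }
$dns = Resolve-DnsName -Name "$DeadDc.$DnsSuffix" -ErrorAction SilentlyContinue
if ($dns) { "DNS still resolves $DeadDc.$DnsSuffix; complete step d.5 before promoting." }
repadmin /replsummary
```

Run it from an elevated PowerShell session on one of the main-site DCs. The filter in step 2 deliberately treats an unparseable 'Last Success Time' as stale, so a partner that never replicated successfully shows up rather than being silently skipped.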
ASKER CERTIFIED SOLUTION
Mahesh