sherlock1
Domain controller exceeded the tombstone lifetime & how to fix
Hi Experts,
We have a Windows server that's a domain controller that has been tombstoned, this has now gone over the 60 days tombstone lifetime. We would like to get the DC back up and running as normal and in order to do this I believe this will need a force removal from the domain?. I think a dcpromo /forceremoval needs to be done to demote the DC to a member server
Is my understanding correct?, any other recommended key steps required?
There are other DC servers in the environment that are working fine.
Thanks
yes, dcpromo /forceremoval is correct, but then you will need to clean up AD through AD Users and Computers, and also check Domains and Trusts; you might need to use ntdsutil to remove the old DC manually.
what is your domain tombstone life?
can you check below value on other healthy domain controller?
navigate to properties of below DN from configuration container
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com
check the tombstoneLifetime attribute value?
If it's showing 180 or 60, that value is the tombstone lifetime period
anyways, what is your domain controller version?
ASKER
Thanks for feedback.
Checking the DN the tombstone lifetime period is 60 and the Domain controller is running Windows Server 2012 R2
60 days is the time frame.
you can start by forceremoval and then right-click the server in AD Users and Computers and click delete; you'll get some warnings, just click yes and the server should be out of AD. wait a short period i.e. 20-30 mins and then re-join the DC back.
ASKER
Thanks for further feedback Mahesh/ sharjeel
In regards to forcing replication. I guess a full replication is needed? and I suspect doing it via command prompt or PowerShell would be a better option, such as the following command Repadmin /syncall Source-DC /APed ?
(Source-DC being the server in which the AD object was deleted from)
Ensure that server object also gets deleted from domain.com/system/frs or dfsr-global Settings container - do you mean via the AD Users and Computers console?
Sounds like it's a little risky using the same server name even if all the cleanup related steps are done
Thanks
Yes, you are correct
ASKER
Correct to both :-) i.e. yes to AD Users and Computers for the server object that also gets deleted from the domain.com/system/frs or dfsr-global Settings container, and yes to a full replication needed i.e. Repadmin /syncall Source-DC /APed ?
Thanks
Command should be run from elevated command prompt
Repadmin /syncall /AdePq
If server object still present in above location after force removal process, delete it manually
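As an added example (not from the thread or any of its posters), a PowerShell check to run on a healthy DC after the force removal: it reads the forest tombstoneLifetime from the Directory Service object described in the first answer, looks for leftover objects of the demoted DC in the places the later answers mention (server object under Sites, computer account, FRS/DFSR member objects under CN=System), and only then runs the repadmin /syncall /AdePq command from the last answer. The name OLD-DC01 is a placeholder, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: post-forceremoval sanity check, run from an elevated prompt on a healthy DC.
Import-Module ActiveDirectory

$oldDc    = 'OLD-DC01'   # placeholder: NetBIOS name of the DC that was force-removed
$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$domainNC = $rootDse.defaultNamingContext

# 1. Read the forest tombstone lifetime from the Directory Service object.
#    An unset attribute means the 60-day default; newer forests usually carry 180.
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                      -Properties tombstoneLifetime
$tsl = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
Write-Output "Tombstone lifetime: $tsl days"

# 2. Look for metadata of the old DC that ntdsutil "metadata cleanup" should have removed.
$queries = @(
    @{ Base = "CN=Sites,$configNC";  Filter = "(&(objectClass=server)(cn=$oldDc))" },            # server / NTDS Settings
    @{ Base = $domainNC;             Filter = "(&(objectClass=computer)(cn=$oldDc))" },          # computer account
    @{ Base = "CN=System,$domainNC"; Filter = "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$oldDc))" }  # SYSVOL FRS/DFSR member
)
$leftovers = foreach ($q in $queries) {
    Get-ADObject -SearchBase $q.Base -SearchScope Subtree -LDAPFilter $q.Filter
}

if ($leftovers) {
    # Re-promoting under the same name while these exist is what makes name reuse risky.
    Write-Warning "Objects for $oldDc still present; finish ntdsutil metadata cleanup or delete them manually:"
    $leftovers | ForEach-Object { Write-Warning "  $($_.DistinguishedName)" }
} else {
    Write-Output "No leftover objects for $oldDc found."
    # 3. Force a full replication pass from this DC across all partitions, as in the thread.
    repadmin /syncall /AdePq
}
```

Only re-promote the server once this reports no leftovers and the replication pass has completed on every partner.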
ASKER
Thanks a lot for you advice on this, great help