Use this guide to learn how to repair a tombstoned Active Directory Domain Controller, a DC that has not replicated with other DCs for a period longer than the Tombstone Lifetime.
Step 0: Problem Background and Overview
When you run dcdiag, other DCs in the domain report that the offending DC last synced on a date older than the tombstone lifetime, which is 180 days by default.
Here’s a sample log entry I received when I ran dcdiag:
Last replication received from <domain controller name> at 2022-09-08 06:09:58. WARNING: This latency is over the Tombstone Lifetime of 180.
I ran the dcdiag command on April 10, 2025. This means the offending domain controller had not synced with other DCs for over 2 years! When this happens, we say that the DC has been “tombstoned,” which means that it holds data older than the AD forest’s Tombstone Lifetime.
As part of the first steps to troubleshoot and fix the problem, I performed the following actions:
- Confirmed that all required firewall ports between the tombstoned DC and the FSMO role DC are open.
- Enabled DNS debug logging. Then, after 24 hours, verified that the server was only talking to itself and had not accepted any incoming client requests.
- Enabled Netlogon debug logging. After 24 hours, verified that the server had not responded to any logon or other event requests.
Once these tasks were performed, I had solid evidence to confirm that the DC was broken. In this scenario, the only solution was to demote the DC, perform metadata cleanup and then re-promote the DC.
In the remaining sections of this guide, I’ve explained the detailed steps I used to accomplish these tasks.
Step 1: Remove the DNS Server Role from the DC
This must be performed first. Otherwise, the DC demotion task (Step 3) fails.
# Open PowerShell as administrator
Uninstall-WindowsFeature -Name DNS
Restart the server to complete the removal of the DNS role.
Step 2: Remove the Global Catalog Role from the DC
If the server is badly broken, you must remove the Global Catalog role from the DC. Otherwise, the DC demotion will also fail.
- Open Active Directory Sites and Services via Server Manager.
- Then, navigate to the DC’s site and expand it, then expand Servers and click the server name. In the details pane, right-click NTDS Settings and select Properties.
- After that, clear the Global Catalog check box, select Yes on the warning message, and finally select OK.

Step 3: Demote the Server as a Domain Controller
# 1. Save the password to use as the local Administrator password. At the credential prompt, enter Administrator as the username and then the password you want to use as the server's local Administrator password after its demotion as a DC
$password = Get-Credential
# 2. Demote the server as a DC
Uninstall-ADDSDomainController -LocalAdministratorPassword $password.Password -Confirm:$false -NoRebootOnCompletion -ForceRemoval -SkipPreChecks
See the results of the commands below:


Restart the server to complete the demotion.
Demoting the server doesn’t remove the Active Directory Domain Services (AD DS) role, so we will not need to reinstall it.
Step 4: Perform Metadata Cleanup of the DC Using ntdsutil
After demoting the DC, and before re-promoting it, you must perform a metadata cleanup of the DC using ntdsutil.
Follow the steps below to complete this task.
- Determine the FSMO role holder by running the command below from any Domain Controller.
netdom query fsmo
- Sign in to the DC that holds the FSMO roles and open the command prompt as administrator. Then, run the following ntdsutil commands in the order provided.
# 1. Type ntdsutil and press Enter. Then, at the ntdsutil prompt, type metadata cleanup and press Enter
ntdsutil: metadata cleanup
# 2. At the metadata cleanup: prompt, execute the following commands (the prompt changes to server connections: after the first one)
metadata cleanup: connections
server connections: connect to server <domain_fsmo-role-holder>
server connections: q
# 3. Then, at the metadata cleanup: prompt, type select operation target and press the Enter key.
metadata cleanup: select operation target
# 4. At the select operation target: prompt, run the following commands in order:
select operation target: list domains
select operation target: select domain <enter the number of the domain where the failed DC resides>
select operation target: list sites
select operation target: select site <enter the site number of the failed DC>
select operation target: list servers in site
select operation target: select server <enter the number of the server>
select operation target: q
# 5. At the metadata cleanup: prompt, execute remove selected server
metadata cleanup: remove selected server
Then, in the Server Remove Confirmation dialog, confirm that the DC you want to remove is displayed, then select Yes.
# 6. Quit metadata cleanup and ntdsutil by executing the q command at both prompts

- Log on to the FSMO role DC and force replication by running the command below from a command prompt opened as administrator.
repadmin /syncall <domain_fsmo-role-holder> /Aped
Quit the repadmin command by pressing any key.
- Then, monitor the progress of the replication by running the command below. Replace the placeholder with the Distinguished Name of the server whose metadata you are cleaning up.
repadmin /showobjmeta * "<enter the Distinguished Name of the server here>"
Don’t proceed with the next steps until every DC reports that it can’t find the domain controller you’ve just removed from the domain. If all DCs report “Directory object not found,” then you can proceed to Step 5 below.

For the avoidance of doubt, the above command should only return results that say “Directory object not found.” If it returns a table, you must wait until the command no longer returns a table.
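The same verification, done programmatically from any remaining DC, as an added example that is not part of the original guide: it asks every DC directly whether it still holds the removed DC’s server object in the configuration partition or its computer account, and treats a DC it cannot query as unknown rather than clean. The RSAT ActiveDirectory module and the placeholder name REMOVED-DC-NAME are assumptions.

```powershell
# Added example, not from the original guide: confirm that the metadata cleanup of a removed
# DC (Step 4) has replicated to every remaining DC before re-promoting it.
# Assumes the RSAT ActiveDirectory module; REMOVED-DC-NAME is a constructed placeholder.
param([string]$RemovedDc = "REMOVED-DC-NAME")

Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext
$sitesDn  = "CN=Sites,$configNc"

# Query each remaining DC directly (-Server) so a stale local replica cannot hide a lingering object.
$results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        # The removed DC's server object (CN=<name>,CN=Servers,CN=<site>,CN=Sites,...) and its
        # NTDS Settings child should no longer exist in the configuration partition.
        $srv = Get-ADObject -Server $dc -SearchBase $sitesDn `
                            -LDAPFilter "(&(objectClass=server)(cn=$RemovedDc))" -ErrorAction Stop
        # Its computer account in the Domain Controllers OU should be gone as well.
        $cmp = Get-ADComputer -Server $dc -Filter "Name -eq '$RemovedDc'" -ErrorAction Stop
        $state = if ($srv -or $cmp) { 'LingeringMetadata' } else { 'Clean' }
    } catch {
        # A DC you cannot query is not evidence that the cleanup replicated to it.
        $state = 'Unreachable'
    }
    [pscustomobject]@{ QueriedDc = $dc; State = $state }
}

$results | Format-Table -AutoSize

# Only re-promote once every DC reports Clean; Unreachable DCs need their connectivity fixed first.
if ($results | Where-Object { $_.State -ne 'Clean' }) {
    Write-Warning "Metadata for $RemovedDc is not confirmed clean on every DC; wait for replication or repeat the cleanup."
}
```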
Step 5: Reinstall the DNS Server Role on the Server
In Step 1, we removed the DNS Server role. Before promoting the server to a DC again, you must reinstall this role with the following steps:
- Sign in to the server as the local administrator – enter .\administrator in the username field – and use the password you specified in Step 3 when you demoted the server as a DC.
- Execute the command below to reinstall the DNS Server role, including all sub-features and management tools, and restart the server if required.
# Open PowerShell as administrator
Install-WindowsFeature -Name DNS -IncludeAllSubFeature -IncludeManagementTools -Restart
# See the screenshots below for the progress and result of the command


Step 6: Re-promote the Server to a Domain Controller
While still signed in to the server with the local administrator account and PowerShell opened as administrator, execute these commands to promote the server to a DC.
I ran this command several times and it kept failing with the error, “An Active Directory domain controller for the domain “FQDN” could not be contacted.” There was a problem with the DNS name resolution.
# 1. Generate the required parameters. When you run this command, PowerShell will prompt you to enter creds - enter the domain username (domainname\username) and the password of an account with permissions to promote a server to a DC.
# The command also prompts you to "Enter the domain to promote into" - enter the FQDN of the domain
$HashArguments = @{
    Credential = (Get-Credential)
    DomainName = (Read-Host "Enter the domain to promote into")
    InstallDns = $true
}
# 2. Promote the server to a DC and configure the server as a DNS server. This command will prompt you to enter the SafeModeAdministratorPassword (the Directory Services Restore Mode, DSRM, password)
Install-ADDSDomainController @HashArguments
The screenshots below show the inputs and results of the commands.


Step 7: Configure the DC in Sites and Services
- Log in to the server with your domain credentials and open Active Directory Sites and Services from the Server Manager Tools menu.

- In the Active Directory Sites and Services console, navigate to the server’s site and expand it. Then, expand Servers > <the DC’s server name> and left-click NTDS Settings.
- In the details pane, confirm that the replication connection was automatically generated. If it has not been generated, run the command below to generate it.
repadmin /kcc

- After that, verify that the server’s subnet is associated with the site. To do this, right-click the site and choose Properties. The server’s subnet should be displayed in the Subnets section of the General tab – see the second screenshot below for reference.
I included the ipconfig command result in the second screenshot to compare the server’s subnet with the subnet displayed under its site’s Subnets in the AD Sites and Services console.


Step 8: Perform Manual Replication and Verify Success
- While still signed in to the server, open PowerShell or CMD as administrator and run the following command:
repadmin /syncall <enter the name of the FSMO DC here> /Aped
Wait for the replication command to complete, then press Q before proceeding to the next step.
In my case, my command returned an error, as one of the DCs couldn’t be contacted. However, this didn’t stop me from proceeding to the next step.

- Verify that the repadmin command was successful by executing the PowerShell command below:
Get-ADReplicationPartnerMetadata -Target $env:userdnsdomain -Scope Domain | Select-Object Server, LastReplicationAttempt, LastReplicationSuccess, PartnerType
Depending on the number of DCs and sites in your environment, the command will take a while to complete.
In my case, the above command failed to contact some DCs. Further troubleshooting confirmed that the AD ports required for replication were blocked from the DC where I ran the Get-ADReplicationPartnerMetadata command.

To fix the problem, I requested that the SecOps team open these ports. Once the ports were opened, I re-ran Get-ADReplicationPartnerMetadata, and there were no more failures.
Step 9: Rerun DCDIAG to Check for Replication Errors
Finally, rerun dcdiag on the DC you just repaired and on the FSMO role DC to check for replication errors.
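To catch the next tombstoning before dcdiag does, the script below (an added example, not part of the original guide) reads the forest’s actual tombstoneLifetime from the configuration partition and compares it with the LastReplicationSuccess of every partner returned by Get-ADReplicationPartnerMetadata in Step 8, flagging partners that are past the lifetime or approaching it. It assumes the RSAT ActiveDirectory module and a domain-joined machine with rights to query AD; the 75% warning threshold is a constructed choice.

```powershell
# Added example, not from the original guide: report replication partners whose last
# successful inbound replication is older than the forest tombstone lifetime (already
# tombstoned) or close to it. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# tombstoneLifetime is stored on the Directory Service object in the configuration partition.
# Forests created on Windows Server 2003 SP1 or later set it explicitly (180 days); if the
# attribute is absent, the effective value is 60 days.
$dsDn  = "CN=Directory Service,CN=Windows NT,CN=Services," + (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
$tsl   = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
$warnAt = [math]::Floor($tsl * 0.75)   # constructed threshold: warn at 75% of the lifetime

Write-Host "Forest tombstone lifetime: $tsl days (warning at $warnAt days)"

# Same query as Step 8, extended with an age calculation against the lifetime.
Get-ADReplicationPartnerMetadata -Target $env:USERDNSDOMAIN -Scope Domain |
    ForEach-Object {
        # A partner that never replicated successfully reports a very old date and
        # therefore lands in TOMBSTONED, which is the correct reading of it.
        $age = ((Get-Date) - $_.LastReplicationSuccess).Days
        [pscustomobject]@{
            Server               = $_.Server
            Partner              = $_.Partner
            Partition            = $_.Partition
            LastReplicationSuccess = $_.LastReplicationSuccess
            DaysSinceLastSuccess = $age
            Status               = if ($age -gt $tsl)    { 'TOMBSTONED' }
                                   elseif ($age -gt $warnAt) { 'AtRisk' }
                                   else                      { 'OK' }
        }
    } |
    Sort-Object DaysSinceLastSuccess -Descending |
    Format-Table -AutoSize
```

Any row marked TOMBSTONED corresponds to the dcdiag warning quoted in Step 0, and that DC needs the demote, metadata cleanup and re-promote procedure above rather than another forced sync.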
Conclusion
Windows Active Directory Domain Controllers are designed to regularly replicate and update the AD database. However, in rare situations, one DC may stop replicating.
If this happens and you have confirmed that all required AD ports are open, the last resort to fix the DC is to demote it, perform a metadata cleanup of its objects in the AD database, and finally re-promote it to a DC.
In this guide, I outlined the detailed steps I used to fix a tombstoned AD DC.
