What is the best way to recover a recently tombstoned W2k DC? This DC
does not contain any FSMO roles. The domain functional level is 2k Native. It
is a distributed environment that contains 2k and 2k3 DC's. Thanks.

Re: 2k DC tombstoned by Meinolf

Meinolf
Fri May 02 14:59:17 PDT 2008

Hello CK,

Have a look here:
http://support.microsoft.com/kb/298450

http://support.microsoft.com/kb/257288/EN-US/

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> What is the best way to recover a recently tombstoned W2k DC? This DC
> does not contain any FSMO roles. The domain functional level is
> 2k Native. It is a distributed environment that contains 2k and 2k3 DC's.
> Thanks.
>



Re: 2k DC tombstoned by CK

CK
Fri May 02 15:08:02 PDT 2008

Would the fastest way to do this be to demote it and re-promote the server?


Re: 2k DC tombstoned by Herb

Herb
Fri May 02 15:16:45 PDT 2008


"CK" <CK@discussions.microsoft.com> wrote in message
news:B0CE745E-9F5F-4E15-9EF5-CCE7D886D9F8@microsoft.com...
> Would the fastest way to do this be to demote it and re-promote the
> server?

Doesn't sound like you actually mean "tombstoned" which is a
technical term for a "deleted (properly) but not yet scavenged
record/object".

If the DC is STILL a DC and functional, it should (generally) be
brought online and DCPromo'ed to remove it properly from the
set of DCs and make it an ordinary server.

IF the DC is lost, dead, or cannot be returned to the network
for some other reason then you must use the NTDSUtil
"metadata cleanup" procedure to remove it.





Re: 2k DC tombstoned by CK

CK
Fri May 02 15:24:15 PDT 2008

I'm not the sharpest tool in the shed but I was under the impression that if
it didn't replicate with the rest of the domain within 60 days it is
tombstoned. When tombstoned, it should stay in the deleted objects for
another 60 days right? If so, that would mean that we can recover it.... I
think.

Re: 2k DC tombstoned by Herb

Herb
Fri May 02 18:23:55 PDT 2008


"CK" <CK@discussions.microsoft.com> wrote in message
news:8A699D92-3A16-4A8D-A50B-0124BE4061F5@microsoft.com...
> I'm not the sharpest tool in the shed but I was under the impression that
> if
> it didn't replicate with the rest of the domain within 60 days it is
> tombstoned.

This interval exceeds the "tombstone" lifetime (default, or one of the
default values) but I would never call it "tombstoned".

You would have been more clear to say it was outside of tombstone
lifetime, or just that it could no longer replicate.

> When tombstoned, it should stay in the deleted objects for
> another 60 days right? If so, that would mean that we can recover it.... I
> think.

DCPromo it with the /forceremoval switch; then clean up the AD with
NTDSUtil "metadata cleanup".




Re: 2k DC tombstoned by CK

CK
Fri May 02 23:22:01 PDT 2008

Unfortunately I don't have the option to reinstall the DC as I'm not
physically at the location of the server and it's also being used as a file
server.

I demoted the DC however it still shows up in AD sites and services. When
browsing in ADSIEDIT I can still see the dc in Sites and services there as
well. I tried using NTDSUTIL to remove the metadata however it flipped some
errors:

Transferring / Seizing FSMO roles off the selected server.
LDAP error 0x20(32 (No Such Object).
Ldap extended error message is 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:

'CN=GBRBDC01,CN=Servers,CN=Crawley,CN=Sites,CN=Configuration,DC=slmd,DC=com'

Win32 error returned is 0x208d(Directory object not found.)
)
Unable to determine the domain hosted by the DC (5). Please use the connection menu to specify it.
Removing FRS metadata for the selected server.
Searching for FRS members under "CN=GBRBDC01,CN=Computers,DC=slmd,DC=com".
Deleting subtree under "CN=GBRBDC01,CN=Computers,DC=slmd,DC=com".
The attempt to remove the FRS settings on CN=GBRBDC01,CN=Servers,CN=Crawley,CN=Sites,CN=Configuration,DC=slmd,DC=com failed because "Element not found."; metadata cleanup is continuing.
DsRemoveDsServerW error 0x20e3(The DSA object could not be found.)

What would be the best way to wipe this clean from AD at this point? Can I
delete the entries in ADSIEDIT or would that bring my AD world to an end?


Re: 2k DC tombstoned by Herb

Herb
Sat May 03 06:33:17 PDT 2008


"CK" <CK@discussions.microsoft.com> wrote in message
news:132C49C4-60A3-445B-8AC5-497027192E7B@microsoft.com...
> Unfortunately I don't have the option to reinstall the DC as I'm not
> physically at the location of the server and it's also being used as a
> file
> server.
>
> I demoted the DC however it still shows up in AD sites and services. When

All servers belong in Sites and Services -- it is more critical for DCs
however.

> browsing in ADSIEDIT I can still see the dc in Sites and services there as
> well. I tried using NTDSUTIL to remove the metadata however it flipped
> some
> errors:

Trick is you must "Connect" to a Running/working Server then
SELECT the dead DC (in a Site, for a Domain).






Re: 2k DC tombstoned by CK

CK
Sat May 03 08:28:02 PDT 2008

Perhaps I wasn't clear, after demoting the DC and using ntdsutil to remove
the metadata, I was still able to see the DC in AD sites and services from
other DC's in the forest. I was unable to remove these through the gui or
using ntdsutil.

So you are confirming that I can use adsiedit to browse to that site and
remove the DC that way? Any drawbacks to this option?

Re: 2k DC tombstoned by Herb

Herb
Sat May 03 09:40:45 PDT 2008


"CK" <CK@discussions.microsoft.com> wrote in message
news:E6A47DAC-DC68-4CD3-AC95-5DD79828A037@microsoft.com...
> Perhaps I wasn't clear, after demoting the DC and using ntdsutil to
> remove
> the metadata, I was still able to see the DC in AD sites and services from
> other DC's in the forest. I was unable to remove these through the gui or
> using ntdsutil.

IF you removed it through the GUI or ADSIEdit this was (generally)
a BAD MOVE.

NTDSUtil is the correct way.

If that (NTDSUtil) is all you did and it still showed as a DC then likely
replication had not completed.

> So you are confirming that I can use adsiedit to browse to that site and
> remove the DC that way? Any drawbacks to this option?

I avoid that in all cases, but if you have removed the object using the
GUI this may be your only recourse.

There is a procedure (KB article) for removing a DC through ADSIEdit
if it was not properly removed by either/both of DCPromo and
NTDSUtil "metadata cleanup".

I have never personally needed the much more dangerous ADSIedit
method.



Re: 2k DC tombstoned by Andrei

Andrei
Sat May 03 12:32:41 PDT 2008

So use the ntdsutil metadata cleanup procedure from a working Domain
Controller.
There's no need to use ADSIEdit.

Regards,
Andrei Ungureanu


Re: 2k DC tombstoned by CK

CK
Sat May 03 13:57:01 PDT 2008

I did indeed use ntdsutil from a healthy DC to remove it. The results were
not so bueno (good). I posted the error message earlier. Anyone have the KB
for removing it using ADSIEDIT or any other suggestions?

Re: 2k DC tombstoned by Hank

Hank
Sun May 04 04:45:56 PDT 2008

Herb Martin wrote:
> "CK" <CK@discussions.microsoft.com> wrote in message
> news:E6A47DAC-DC68-4CD3-AC95-5DD79828A037@microsoft.com...
>> Perhaps I wasn't clear, after demoting the DC and using ntdsutil to
>> remove
>> the metadata, I was still able to see the DC in AD sites and services from
>> other DC's in the forest. I was unable to remove these through the gui or
>> using ntdsutil.
>
> IF you removed it through the GUI or ADSIEdit this was (generally)
> a BAD MOVE.
>
> NTDSUtil is the correct way.
>
> If that (NTDSUtil) is all you did and it still showed as a DC then likely
> replication had not completed.
>
>> So you are confirming that I can use adsiedit to browse to that site and
>> remove the DC that way? Any drawbacks to this option?
>
> I avoid that in all cases, but if you have removed the object using the
> GUI this may be your only recourse.
>
> There is a procedure (KB article) for removing a DC through ADSIEdit
> if it was not properly removed by either/both of DCPromo and
> NTDSUtil "metadata cleanup".
>
> I have never personally needed the much more dangerous ADSIedit
> method.
>
>

I did run into it recently when I finally cleaned up after a crashed DC.
I did have to use ADSIEdit to clean up a couple of entries that
couldn't be removed manually. Don't ask me to remember which ones. I was
going through the cleanup procedure and that was recommended in the
event what I saw happened.

I'm 100% with you on the fact that ADSIEdit is *VERY* dangerous and must
be used very carefully.... I was very nervous about pushing the "Enter"
key..... ;-)

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services

Re: 2k DC tombstoned by Herb

Herb
Sun May 04 15:45:28 PDT 2008


"Hank Arnold (MVP)" <rasilon@aol.com> wrote in message
news:%23L3puxdrIHA.3804@TK2MSFTNGP02.phx.gbl...
> Herb Martin wrote:
>> "CK" <CK@discussions.microsoft.com> wrote in message
>> news:E6A47DAC-DC68-4CD3-AC95-5DD79828A037@microsoft.com...
>>> Perhaps I wasn't clear, after demoting the DC and using ntdsutil to
>>> remove
>>> the metadata, I was still able to see the DC in AD sites and services
>>> from
>>> other DC's in the forest. I was unable to remove these through the gui
>>> or
>>> using ntdsutil.
>>
>> IF you removed it through the GUI or ADSIEdit this was (generally)
>> a BAD MOVE.
>>
>> NTDSUtil is the correct way.
>>
>> If that (NTDSUtil) is all you did and it still showed as a DC then likely
>> replication had not completed.
>>
>>> So you are confirming that I can use adsiedit to browse to that site and
>>> remove the DC that way? Any drawbacks to this option?
>>
>> I avoid that in all cases, but if you have removed the object using the
>> GUI this may be your only recourse.
>>
>> There is a procedure (KB article) for removing a DC through ADSIEdit
>> if it was not properly removed by either/both of DCPromo and
>> NTDSUtil "metadata cleanup".
>>
>> I have never personally needed the much more dangerous ADSIedit
>> method.
>
> I did run into it recently when I finally cleaned up after a crashed DC. I
> did have to use ADSIEdit to clean up a couple of entries that couldn't be
> removed manually. Don't ask me to remember which ones. I was going through
> the cleanup procedure and that was recommended in the event what I saw
> happened.
>
> I'm 100% with you on the fact that ADSIEdit is *VERY* dangerous and must
> be used very carefully.... I was very nervous about pushing the "Enter"
> key..... ;-)

That makes perfect sense.

Funny thing is I practically never use ADSIEdit for ANYTHING --
and some people think I know AD pretty well. <grin>




Re: 2k DC tombstoned by CK

CK
Mon May 05 08:52:00 PDT 2008

Well gents, I didn't want to use ADSIEDIT either as messing with the registry
has the ability to screw up a single computer, but messing with the domain
can screw the whole company. That said I waited until this morning to take a
look at it and everything seems pretty healthy aside from the fact that in AD
Sites and services I still have two entries under that DC:

NTDS Settings (which is Normal)
NTDS Setting CNF:dd6ead53-da9d-47d3-a019-be224d9a5ed5 (not so normal)

This has indeed replicated to the rest of the domain as it shows up on other
DC's. How detrimental is this and what is the best way to remove it? Funny
thing is this unusual entry has a replication partner. I was thinking that I
should remove the replication partner, but thought I would get some advice
first. I was unable to delete the unusual setting via command line or through
the AD Sites and services GUI. Am I tasked once again with the debate over
using ADSIEDIT? The event log on the DC looks pretty clean so far.

By the way, thanks for all of the help, it's really appreciated.
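
Added example, not written by any poster in this thread: the "CNF:<GUID>" entry above is how Active Directory renames the losing object when two objects replicate in with the same name (the RDN becomes `<name>\0ACNF:<objectGUID>`). The Python sketch below audits a list of DNs (for instance an LDAP export) for such conflict objects and reports whether the un-mangled "winner" is also present. The DN list is constructed from names in this thread plus one made-up computer object; it only reports, it deletes nothing.

```python
import re

# AD mangles a conflicting or deleted RDN as "<name>\0ACNF:<GUID>" / "<name>\0ADEL:<GUID>".
# "\0A" is the escaped newline in LDAP string form; GUI tools often show it as a space.
MANGLED = re.compile(
    r"^(?P<attr>[A-Za-z]+)=(?P<name>.*?)(?:\\0A|\s)(?P<kind>CNF|DEL):"
    r"(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$"
)

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return re.split(r"(?<!\\),", dn.strip())

def find_conflicts(dns):
    """Return one finding per DN whose leaf RDN carries a CNF/DEL mangle."""
    present = {dn.strip().lower() for dn in dns}
    findings = []
    for dn in dns:
        rdns = split_dn(dn)
        m = MANGLED.match(rdns[0])
        if not m:
            continue
        # DN the object would have had without the collision.
        winner = ",".join([f"{m['attr']}={m['name']}"] + rdns[1:])
        findings.append({
            "dn": dn.strip(),
            "kind": m["kind"],
            "guid": m["guid"].lower(),
            "winner_dn": winner,
            "winner_present": winner.lower() in present,
        })
    return findings

# Constructed sample input (names from the thread; OLDPC and its GUID are made up).
SERVER = "CN=GBRBDC01,CN=Servers,CN=Crawley,CN=Sites,CN=Configuration,DC=slmd,DC=com"
SAMPLE_DNS = [
    SERVER,
    "CN=NTDS Settings," + SERVER,
    r"CN=NTDS Settings\0ACNF:dd6ead53-da9d-47d3-a019-be224d9a5ed5," + SERVER,
    r"CN=OLDPC\0ACNF:11111111-2222-3333-4444-555555555555,CN=Computers,DC=slmd,DC=com",
]

if __name__ == "__main__":
    for f in find_conflicts(SAMPLE_DNS):
        state = "winner present" if f["winner_present"] else "winner missing"
        print(f"{f['kind']} {f['guid']} ({state}): {f['dn']}")
```

A finding with the winner present means two objects are competing for one name; which of the two is the live one still has to be checked on the DCs before anything is removed.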