I agree with Guido that the FORCEREMOVAL option is the safest one besides reinstalling a DC. However, I understand that some apps don't like (or don't support) the DC they're installed on being demoted and promoted again (e.g. Exchange).

There is another way to accept replication with a DC that has been disconnected from the network for more than the tombstone lifetime. See the user action (options 2 AND 3) mentioned below, or see
http://www.eventid.net/display.asp?eventid=2042&eventno=3428&source=NTDS%20Replication&phase=1

NOTE: --> BE VERY CAREFUL WITH THIS AND USE IT AT YOUR OWN RISK! TEST FIRST!

Good luck!
Jorge

I think you may have the following event:

############################
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2042
Date: 2004.10.08.
Time: 16:04:09
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVERSCALA
Description:
It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
The reason that replication is not allowed to continue is that the two machine's views of deleted objects may now be different. The source machine may still have copies of objects that have been deleted (and garbage collected) on this machine. If they were allowed to replicate, the source machine might return objects which have already been deleted.

Time of last successful replication: 2004-07-11 12:20:39
Invocation ID of source: 0594f6cc-f6bc-0594-b00c-070610bbe605
Name of source: c53993aa-c571-479d-9df8-84aa799c56a1._msdcs.blabla.com
Tombstone lifetime (days): 60

The replication operation has failed.

User Action:
Determine which of the two machines was disconnected from the forest and is now out of date. You have three options:
1. Demote or reinstall the machine(s) that were disconnected.
2. Use the "repadmin /removelingeringobjects" tool to remove inconsistent deleted objects and then resume replication.
3. Resume replication. Inconsistent deleted objects may be introduced. You can continue replication by using the following registry key. Once the systems replicate once, it is recommended that you remove the key to reinstate the protection.
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
############################

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, 14 February 2005 20:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] suggestions for tombstoned DC recovery?

Really depends on how many issues you'd want afterwards - if you have another DC in your domain, why is it so critical to bring this one back? Sounds like you have some apps on it that you need to keep - but you should be able to get rid of AD. If so, the safest method is to demote it forcefully via "DCPROMO /forceremoval" (need Win2k SP4 or Win2003), then do a metadata cleanup on another DC (removing that server object). If this was a FSMO role-holder, you'll need to seize the roles to another DC (can also be done via NTDSutil). Afterwards you're ready to re-promote it to a DC.

Doable, but very risky, is to increase the tombstone lifetime in the forest to a large enough number (on another working DC _and_ the broken DC), but you're asking for trouble if you're going to do this (poltergeists etc.).

BTW, Win2003 SP1 will increase the default Tombstone Lifetime (for new forests) to 180 days to avoid more potential issues of this kind. Not so great for the size of the DIT, but likely fewer issues with recovery...

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, February 14, 2005 6:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] suggestions for tombstoned DC recovery?

One of our admins restored a DC from a backup greater than 60 days old. There are no newer backup copies. Replication is not working - "Access denied". Also, the restored DC cannot be dcpromo'd out.
Rebuilding the computer from scratch is not an option. Repadmin and nltest operations are unsuccessful. Does anyone have any tricks up their sleeve for getting this once-working DC to "play nice again"? I keep thinking that an nltest with a secure channel reset option, followed by a repadmin operation with a force option using the one good DC as an authoritative source, should be the answer. But it doesn't seem to work. Any help is appreciated! Thanks.

Mike Thommes

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
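The Event 2042 condition discussed in this thread is avoidable if replication gaps are caught before they reach the forest tombstone lifetime, and the registry override from the event text should not be left behind once a recovery is done. The script below is an added example, not code from anyone in the thread; it assumes the ActiveDirectory PowerShell module (RSAT / Windows Server 2012 or later, so not the Win2003-era tooling the thread uses), the Remote Registry service on each DC, and a warning threshold of half the lifetime, which is an arbitrary choice.

```powershell
# Added example: report replication partners approaching or past the forest
# tombstone lifetime, then flag DCs where "Allow Replication With Divergent
# and Corrupt Partner" (the override named in Event 2042) is still set.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" -Properties tombstoneLifetime
# Unset attribute means the forest default applies (60 days; 180 for forests created on 2003 SP1 and later).
$tsl      = if ($dsConfig.tombstoneLifetime) { [int]$dsConfig.tombstoneLifetime } else { 60 }
$warnDays = [int]($tsl / 2)   # assumption: warn once a partner is half way to the lifetime

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Partner = '<unreachable>'; Partition = ''; DaysSinceSuccess = $null; Status = "ERROR: $($_.Exception.Message)" }
        continue
    }
    foreach ($m in $meta) {
        # LastReplicationSuccess is the same timestamp Event 2042 reports as "Time of last successful replication".
        $days = ((Get-Date) - $m.LastReplicationSuccess).TotalDays
        [pscustomobject]@{
            DC               = $dc.HostName
            Partner          = $m.PartnerAddress          # GUID-based _msdcs name, as in the event's "Name of source"
            Partition        = $m.Partition
            DaysSinceSuccess = [math]::Round($days, 1)
            Status           = if ($days -ge $tsl) { 'PAST TOMBSTONE LIFETIME' } elseif ($days -ge $warnDays) { 'WARNING' } else { 'OK' }
        }
    }
}
"Forest tombstone lifetime: $tsl days"
$report | Sort-Object DaysSinceSuccess -Descending | Format-Table -AutoSize

# The override disables lingering-object protection; the event text says to remove it after one successful replication.
$keyPath = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.HostName)
        $val  = $hklm.OpenSubKey($keyPath).GetValue('Allow Replication With Divergent and Corrupt Partner')
        if ($val -eq 1) { Write-Warning "$($dc.HostName): 'Allow Replication With Divergent and Corrupt Partner' is still set to 1" }
    } catch {
        Write-Warning "$($dc.HostName): could not read NTDS registry key ($($_.Exception.Message))"
    }
}
```

Run it with an account that can read the configuration partition and each DC's registry; any row marked PAST TOMBSTONE LIFETIME is a partner pair that will raise Event 2042 rather than replicate.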