DC offline for 2 months, best way to handle?

    Question

  • Hi all,

    One of our branch offices moved recently and due to this, their domain controller has been offline since 12th May this year.  We are planning on reconnecting it as the new office WAN link is up and running.  I've done some quick research and there seems to be a 60 day time period that can cause problems in this situation.  Is there anything I need to do before reconnecting the DC to the network?  The DC is a Windows 2003 server on a domain that's at Windows 2003 functional level.  Thanks.

    Monday, July 11, 2011 1:18 AM

Answers

  • Hi Astatine,

    Thanks for your question.

    If a domain controller has been disconnected for longer than the number of days in the tombstone lifetime, the following is recommended; otherwise, it is possible that a long-term disconnection can result in a deleted object being reintroduced into the directory.

    1. Move the server from the corporate network to a private network.

    2. Either forcefully remove Active Directory or reinstall the operating system.

    3. Remove the server metadata from Active Directory so that the server object cannot be revived. See KB 555846.

    Reconnecting a Domain Controller After a Long-Term Disconnection
    http://technet.microsoft.com/en-us/library/cc786630(WS.10).aspx


    Brent Hu
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 11, 2011 2:30 AM
  • The best and easy option is to install a new DC using DCPROMO process – select additional DC for an existing domain.

    Make sure to remove the old DC reference from AD using metadata cleanup - http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    Monday, July 11, 2011 2:36 AM
  • Run the command below to find the tombstone lifetime value of the forest, whether it is set at 60 or 180 days.

    adfind -config -f name="directory service" tombstonelifetime

    http://www.joeware.net/freetools/tools/adfind/index.htm

    http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm

    If the DC is within the tombstone value and there are no errors, you can connect this DC w/o any issue, but if you see a lot of error events saying the tombstone lifetime has passed, then demotion is the best option.

    Demotion can be either graceful or a forced removal, which also requires a metadata cleanup.

    Metadata Cleanup of a Domain controller

    http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/


    Regards  


    MVP-Directory Services 

    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, July 11, 2011 4:18 AM
  • Any DC/GC can be disconnected from other DCs/GCs for as long as the period of the tombstonelifetime. If it has been disconnected for LONGER THAN the tombstone lifetime, DO NOT reconnect it! In that last case, force demote it while it is not connected to the network (see: http://blogs.dirteam.com/blogs/jorge/archive/2006/12/02/Uninstalling-Active-Directory-_2D00_-Demoting-a-DC.aspx) and clean its metadata on some other RWDC.
     
    The value of the tombstonelifetime depends on what the OS was when the forest was built and any manual actions after that.
     
    Operating System of first DC in AD forest    tombstoneLifetime (days)
    Windows 2000 Server                          60, same as NOT SET
    Windows Server 2003 w/o SP                   60, same as NOT SET
    Windows Server 2003 SP1/2                    180
    Windows Server 2003 R2 (SP1)                 60, same as NOT SET
    Windows Server 2003 R2 SP2                   180
    Windows Server 2008 and higher               180
     
    To determine the tombstone lifetime, you can try the following
    ADFIND -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB" tombstonelifetime
     
    EXAMPLE--------------------------------------------------
    11-Jul-2011  7:36:01.12
    [R1FSRWDC1] C:\>ADFIND -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB" tombstonelifetime
     
    AdFind V01.41.00cpp Joe Richards (joe@joeware.net) February 2010
     
    Using server: R1FSRWDC1.ADCORP.LAB:389
    Directory: Windows Server 2008 R2
     
    dn:CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB
    >tombstoneLifetime: 180
     
     
    1 Objects returned
     
    11-Jul-2011  7:36:27.54
    [R1FSRWDC1] C:\>

    ----------------------------------------------------------------

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    BLOG (WEB-BASED) --> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!
    -------------------------------------------------------------------------------------------------------

    "Astatine" wrote in message news:8c74df53-8042-423c-a801-7a7f38fdde7f...

    Hi all,

    One of our branch offices moved recently and due to this, their domain controller has been offline since 12th May this year.  We are planning on reconnecting it as the new office WAN link is up and running.  I've done some quick research and there seems to be a 60 day time period that can cause problems in this situation.  Is there anything I need to do before reconnecting the DC to the network?  The DC is a Windows 2003 server on a domain that's at Windows 2003 functional level.  Thanks.


    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Monday, July 11, 2011 5:38 AM
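The decision the thread describes, as an added PowerShell example that is not from the original posts: it reads tombstoneLifetime from the same CN=Directory Service object the AdFind command above queries, treats a missing value as 60 days (the NOT SET case in the table), and reports whether a DC offline since a given date is past the lifetime. It assumes a domain-joined Windows machine that can reach a healthy DC; the default offline date is the 12 May 2011 from the question, and the function names are my own.

```powershell
# Added example, not from the thread. Assumptions: run on a domain-joined
# Windows machine with line of sight to a healthy DC; the offline date
# defaults to the one in the original question; function names are mine.
param(
    [datetime]$OfflineSince = [datetime]'2011-05-12'
)

function Get-TombstoneLifetime {
    # tombstoneLifetime lives on CN=Directory Service under the Configuration NC
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $dsObj    = [ADSI]("LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc")
    $raw      = $dsObj.Properties['tombstoneLifetime'].Value
    if ($null -eq $raw) {
        # Attribute NOT SET: AD behaves as if it were 60 days
        return [pscustomobject]@{ Days = 60; Source = 'not set (defaults to 60)' }
    }
    return [pscustomobject]@{ Days = [int]$raw; Source = 'explicitly set' }
}

function Test-DcPastTombstone {
    param([int]$LifetimeDays, [datetime]$OfflineSince, [datetime]$Now = (Get-Date))
    # Pure decision logic, kept apart from the directory lookup so it can be
    # checked against known dates without touching a DC
    $offlineDays = [int][math]::Floor(($Now - $OfflineSince).TotalDays)
    [pscustomobject]@{
        OfflineDays = $offlineDays
        Exceeded    = ($offlineDays -gt $LifetimeDays)   # "longer than", as in the thread
        DaysLeft    = [math]::Max(0, $LifetimeDays - $offlineDays)
    }
}

$tsl    = Get-TombstoneLifetime
$result = Test-DcPastTombstone -LifetimeDays $tsl.Days -OfflineSince $OfflineSince

"tombstoneLifetime : $($tsl.Days) days ($($tsl.Source))"
"DC offline for    : $($result.OfflineDays) days (since $($OfflineSince.ToShortDateString()))"
if ($result.Exceeded) {
    # Matches the advice in the thread: keep it isolated, force-demote or
    # rebuild it off-network, then clean up its metadata on a healthy DC
    'EXCEEDED: do not reconnect. Run dcpromo /forceremoval (or rebuild) while disconnected, then perform metadata cleanup.'
} else {
    "Within lifetime: $($result.DaysLeft) day(s) left. Reconnect and confirm replication with repadmin /showrepl."
}
```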
  • Hello,

    If you are over the tombstone lifetime, then the recommended way is to disconnect this machine, demote it with dcpromo /forceremoval, and run metadata cleanup to remove all information about it from the AD database.

    After those steps you can still use it as a member server and even promote it back to a DC AFTER you have checked with the support tools that the AD database changes have replicated to the other existing DCs.

    Personally I would reinstall the server to start completely fresh with it.

    http://msmvps.com/blogs/mweber/archive/2010/05/16/active-directory-metadata-cleanup.aspx


    Best regards
    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Monday, July 11, 2011 5:52 AM

All replies

  • Do you really want to connect this DC back to the network or are you OK with installing a new DC?


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    Monday, July 11, 2011 1:27 AM
  • Hi Santhosh,

     

    The preference would be to get it back on the network as management is pushing for the staff there to be back and working ASAP.

    Monday, July 11, 2011 2:01 AM
  • I've used the various methods of checking the tombstone lifetime and it returns no value, so I'm assuming it's the default or something (which in my case is 60 days based on the information here and elsewhere).  With the /forceremoval use of dcpromo, do I run that on the problem DC or on a DC in the functioning part of the network?  Thanks.
    Monday, July 11, 2011 6:40 AM
  • Hi,

    Actually, you don't have to run dcpromo /forceremoval on the problematic DC; you can reinstall the operating system directly, as this DC will not be connected to the corporate network anymore. Meanwhile, make sure to perform metadata cleanup to remove all of its data from Active Directory, and you may also need to seize the FSMO roles to an alternative DC by using Ntdsutil.exe.
    Brent Hu
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Monday, July 11, 2011 7:21 AM
  • DCPROMO /FORCEREMOVAL is always used on a problematic DC to demote it forcefully (never use it on a healthy or working DC), when graceful demotion doesn't work. You can either directly reinstall the OS as suggested by Brent or run DCPROMO /FORCEREMOVAL on the problem DC as suggested by Meinolf; both will work here.

    The common post-job is performing metadata cleanup to remove references to the problem DC after removing the DC from the network or running dcpromo /forceremoval. Also, remove remaining references to the removed DC, because a few still remain, especially in DNS, even after metadata cleanup. Use the link below to get rid of the references and perform metadata cleanup.

    Metadata Cleanup of a Domain controller

    http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/


    Regards  


    MVP-Directory Services 

    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, July 11, 2011 7:35 AM
  • I've used the various methods of checking the tombstone lifetime and it returns no value, so I'm assuming it's the default or something (which in my case is 60 days based on the information here and elsewhere).  With the /forceremoval use of dcpromo, do I run that on the problem DC or on a DC in the functioning part of the network?  Thanks.


    Hello,

    /forceremoval is done on the problem DC if required. But as Brent Hu stated if you like to reinstall this step is not needed.


    Best regards
    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Monday, July 11, 2011 7:40 AM
  • no value = NOT SET = 60 days
     

     

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    BLOG (WEB-BASED) --> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!
    -------------------------------------------------------------------------------------------------------

    "Astatine" wrote in message news:d8956090-e7db-4d69-a5c1-833f180fda93...
    I've used the various methods of checking the tombstone lifetime and it returns no value, so I'm assuming it's the default or something (which in my case is 60 days based on the information here and elsewhere).  With the /forceremoval use of dcpromo, do I run that on the problem DC or on a DC in the functioning part of the network?  Thanks.

    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Monday, July 11, 2011 7:57 AM
  • Jorge - I thought if it's not set, it's 60 days for the Windows 2000 domains. That's changed to 180 in Windows 2003 past SP1?

     

    http://support.microsoft.com/kb/198793


    -= F1 is the Key =-
    Monday, July 11, 2011 10:09 AM
  • Even an AD forest with W2K3, W2K8 or W2K8R2 can have NOT SET.
     
    The reason is that the domain was upgraded from a state where it was NOT SET and therefore 60 days.
     
    The logic behind it is: what was the OS of the very first DCs in the AD forest? The answer to that question will give you a hint for the default tombstonelifetime value.
     

     

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    BLOG (WEB-BASED) --> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!
    -------------------------------------------------------------------------------------------------------

    "S. Pidgorny" wrote in message news:617add7d-4b43-4f67-9b70-b3cb9b60e958...

    Jorge - I thought if it's not set, it's 60 days for the Windows 2000 domains. That's changed to 180 in Windows 2003 past SP1?

     

    http://support.microsoft.com/kb/198793


    -= F1 is the Key =-

    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Monday, July 11, 2011 11:53 AM
  • I suspect the original OS of the first DC would've been 2000 or vanilla 2003, as the company has been around for a while.  So I'll work on the premise of the value being the default for those conditions, ie. 60 days.
    Monday, July 11, 2011 11:13 PM
  • Hi,

    I'm wondering if the information is helpful or if there is any update on this issue; please feel free to let us know.

    Brent
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact  tnmff@microsoft.com
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, July 13, 2011 1:51 AM