Fixing a Tombstoned Domain Controller

After struggling for quite a while to find the right commands to fix a domain controller, we thought it a good idea to post the steps we had to take.

I know a lot of people would say that the best way is to dcpromo the DC out of the domain, do a metadata cleanup and then dcpromo it in again. Sometimes this method is not possible, for instance where your DC is also an Exchange server. In that case you would first have to migrate Exchange to another server before fixing the broken DC.

Always first and foremost is to make sure you have a system state backup of a healthy DC in case something goes wrong.

The first step is to allow the other domain controllers in your domain to replicate with the tombstoned DC. To do this, follow the steps below on the healthy DCs:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  3. In the details pane, create or edit the registry entry as follows:

    If the registry entry exists in the details pane, modify the entry as follows:

    1. In the details pane, right-click Allow Replication With Divergent and Corrupt Partner, and then click Modify.
    2. In the Value data box, type 1, and then click OK.

    If the registry entry does not exist, create the entry as follows:

    1. Right-click Parameters, click New, and then click DWORD Value.
    2. Type the name Allow Replication With Divergent and Corrupt Partner, and then press ENTER.
    3. Double-click the entry. In the Value data box, type 1, and then click OK.
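The registry steps above, as an added PowerShell example (not part of the original post). It assumes an elevated session on a healthy DC, and it also includes a function to set the value back to 0 afterwards so the DC does not keep accepting replication from a divergent partner once the repair is done:

```powershell
# Added example, not from the original post.
# Assumes an elevated PowerShell session on the healthy (non-tombstoned) DC.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'Allow Replication With Divergent and Corrupt Partner'

function Enable-DivergentPartnerReplication {
    # Creates the DWORD if it is missing, otherwise overwrites it with 1
    # (mirrors the two branches of the manual regedit procedure).
    if (-not (Test-Path $NtdsParams)) {
        throw "NTDS Parameters key not found; is this machine a domain controller?"
    }
    $existing = Get-ItemProperty -Path $NtdsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $NtdsParams -Name $ValueName -PropertyType DWord -Value 1 | Out-Null
    } else {
        Set-ItemProperty -Path $NtdsParams -Name $ValueName -Value 1
    }
    # Return the value actually stored so the caller can confirm it
    (Get-ItemProperty -Path $NtdsParams -Name $ValueName).$ValueName
}

function Disable-DivergentPartnerReplication {
    # Set the value back to 0 once replication is healthy again; leaving it at 1
    # means this DC will keep accepting replication from divergent partners.
    Set-ItemProperty -Path $NtdsParams -Name $ValueName -Value 0
    (Get-ItemProperty -Path $NtdsParams -Name $ValueName).$ValueName
}

# Usage: enable before the repadmin steps, disable after replication is verified.
Enable-DivergentPartnerReplication
# Disable-DivergentPartnerReplication
```

Run the enable function on each healthy DC that needs to replicate with the tombstoned one, then run the disable function on the same DCs once `repadmin /showrepl` shows replication succeeding again.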
The next step is to clear the lingering objects residing on the tombstoned DC.

Lingering objects are objects that still exist on the tombstoned DC but have already been deleted everywhere else. This happens, for instance, when an object is deleted on a working DC: the object is tombstoned for 180 days, and after the 180 days it is removed completely. If the tombstoned DC had still been replicating normally, it would have detected that the object was tombstoned on another DC and placed its own copy of the object in a tombstoned state as well.

When you bring the tombstoned DC back into replication, it will still have that object in its database, but the rest of the domain no longer knows about it because the object was removed completely. This can create inconsistencies in your domain.

Removing these lingering objects is a two-step process (view, then remove), followed by a reboot:

1. First, view the lingering objects to make sure you are not deleting anything important. Run this command:

   Repadmin /removelingeringobjects ServerWithLingeringObjects CleanServerGUID NamespaceContainingLingeringObject /advisory_mode

   Ex:

   Repadmin /removelingeringobjects DC95 a4bcd546-5e94-2330-b4d0-f218b16dc0f6 DC=Test,DC=Com

   The server that throws the error is actually the clean server (CleanServerGUID). The GUID of this server can be located in DNS: expand Forward Lookup Zones and click the _msdcs.DOMAIN.NAME zone. In this zone there are CNAME records that map the GUID of every DC in the domain to its host name. Copy the GUID of the server that threw the error.

   After running this, the lingering objects are listed in the Event Logs, so have a look there.
2. To remove the lingering objects, run the exact same command but without /advisory_mode.
3. Reboot the domain controllers and check whether replication starts.
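The repadmin steps above, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory RSAT module and an elevated session, and the DC names and naming context are placeholders you must adjust. Instead of reading the GUID from the _msdcs zone by hand, it reads the same value (the objectGUID of the clean DC's NTDS Settings object) from AD; the event IDs it filters on are the ones I expect advisory mode to log, so verify them against your own Directory Service log:

```powershell
# Added example, not from the original post.
# Assumes the ActiveDirectory module (RSAT) and an elevated session on a domain member.
$CleanDC       = 'DC1'             # placeholder: the DC that logged the replication error
$BrokenDC      = 'DC95'            # the tombstoned DC holding the lingering objects (name from the post)
$NamingContext = 'DC=Test,DC=Com'  # naming context from the post's example

function Get-DsaGuid {
    param([string]$DomainController)
    # The GUID repadmin expects is the objectGUID of the DC's NTDS Settings object,
    # which is the same GUID that appears in the _msdcs CNAME record described above.
    $dc = Get-ADDomainController -Identity $DomainController
    (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID.Guid
}

function Invoke-LingeringObjectScan {
    param([string]$Target, [string]$SourceGuid, [string]$NC, [switch]$Remove)
    # Without -Remove this is the advisory (report-only) pass from step 1;
    # with -Remove it is the identical command from step 2 minus /advisory_mode.
    $repadminArgs = @('/removelingeringobjects', $Target, $SourceGuid, $NC)
    if (-not $Remove) { $repadminArgs += '/advisory_mode' }
    & repadmin.exe @repadminArgs
}

function Get-LingeringObjectEvents {
    param([string]$Target)
    # Advisory-mode results are written to the Directory Service log on the target DC.
    # Assumed event IDs: 1946 (one per lingering object) and 1942 (summary).
    Get-WinEvent -ComputerName $Target -FilterHashtable @{ LogName = 'Directory Service'; Id = 1942, 1946 } |
        Select-Object TimeCreated, Id, Message
}

$guid = Get-DsaGuid -DomainController $CleanDC
Invoke-LingeringObjectScan -Target $BrokenDC -SourceGuid $guid -NC $NamingContext
Get-LingeringObjectEvents -Target $BrokenDC

# After reviewing the events, run the same call with -Remove to delete the objects:
# Invoke-LingeringObjectScan -Target $BrokenDC -SourceGuid $guid -NC $NamingContext -Remove
```

Review the listed objects before the second pass; anything that should still exist needs to be recreated or restored from the healthy DC rather than silently dropped with the rest.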

7 thoughts on “Fixing a Tombstoned Domain Controller”

  1. Thank you. I had this issue today. Did exactly what you wrote and it fixed our tombstoned domain controller. Replication between domain controllers is working.

  2. Do you add the ‘Allow Replication With Divergent and Corrupt Partner’ on the tombstoned DC or the clean DC, or both?

  3. Hi Mark, a bit late, but in case anyone else finds this: you only have to on the clean DC. This just allows the clean DC to ignore the tombstone and start replication.

  4. LIFESAVER!!!!!!
    We had a power failure and when our two DC’s came back up, one had a bad CMOS battery and set the clock back to 2007. Even after correcting the time, people were having problems with accessing network shares. DNS wasn’t connecting with AD. Apparently, the clock error caused the DC to tombstone. This fix looks like it did the trick.

  5. Life saver. It worked. In my case we had a power outage, the BIOS battery died and the server time was set back to its production time. DC tombstoned; we knew there were no major changes during the time the server lost its communication. Performed the above steps. We're good now.

  6. Hey,

    I don't see where I can remove a server from the replication group. Is it a case where I would have to remove the group and build a new one?
