DC with Infrastructure master is tombstoned

Benaiah 21 Reputation points
2022-02-12T17:42:54.63+00:00

Description:
Hi. We have one of the domain controllers that holds the Infrastructure Master FSMO role in a tombstoned state. We need a recovery plan.
Error message below:

".local PDCXXX.local RID pool manager XXXlocal Infrastructure master XXX.local Replication Summary Start Time: 2022-02-11 19:20:19 Beginning data collection for replication summary, this may take awhile: ......... Source DSA largest delta fails/total %% error XXX 10m:20s 0 / 15 0 XXX 04m:09s 0 / 5 0 XXX>60 days 9 / 15 60 (8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime. "

When I try to transfer the FSMO infrastructure operations master role to another server, the error message displayed is "The requested FSMO operation failed. The current FSMO holder could not be contacted. The current operations master cannot be contacted to perform the transfer. Under some circumstances, a forced transfer can be performed. Do you want to attempt a forced transfer?"

Also we see the DC replication issue with the DC that holds the infrastructure master role as well; see the error. "C:\Windows\system32>repadmin /replsum Replication Summary Start Time: 2022-02-11 18:27:12 Beginning data collection for replication summary, this may take awhile: ......... Source DSA largest delta fails/total %% error XX 11m:34s 0 / 15 0 XXX11m:03s 0 / 5 0 XXX >60 days 9 / 15 60 (8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime. LXXX11m:34s 0 / 15 0 XXX 11m:34s 0 / 20 0 Experienced the following operational errors trying to retrieve replication information: 58 - XXX "

My thoughts are that forcefully moving the FSMO infrastructure master role by seizing the role is the right thing in this instance, but my fear is that it might put the server out of the domain. The machine is critical and we cannot take it out of the domain.

The domain is Windows 2012

Please advise.


Accepted answer
  1. Dave Patrick 426.1K Reputation points MVP
    2022-02-13T00:17:58.107+00:00

    cannot really go ahead without more guarantee.

    Ha, that's a funny one. There aren't any.

    Will I be able to forcibly demote the DC and then rejoin it

    No one knows. If you can get it to workgroup mode then I don't see a problem with rejoining the domain but in order to do that it will need a successful demotion as first step.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


10 additional answers

  1. Dave Patrick 426.1K Reputation points MVP
    2022-02-12T19:06:14.467+00:00

    The only solution for a tombstoned domain controller is a rebuild.

    You can seize roles to another healthy one.
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds

    then perform cleanup.

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

    then confirm domain health is 100% before proceeding with rebuild.

    --please don't forget to upvote and Accept as answer if the reply is helpful--
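    As an added example (not code from this thread or from Microsoft's linked articles), a PowerShell survey of the state the steps above assume, ending with a previewed seize of the Infrastructure Master only. It assumes the ActiveDirectory module on a healthy DC and uses HEALTHYDC01 as a placeholder target name.

```powershell
# Added example: survey replication health, then preview the seize of the Infrastructure Master.
# Assumes RSAT / ActiveDirectory module on a healthy DC. $HealthyDC is a placeholder name.
Import-Module ActiveDirectory

$HealthyDC = 'HEALTHYDC01'   # placeholder: the healthy DC that will receive the seized role

# 1. Effective tombstone lifetime. The attribute is absent on forests that kept the
#    legacy default, in which case 60 days applies (matching the ">60 days" in repadmin).
$dsCfg = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$tsl = (Get-ADObject -Identity $dsCfg -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }
"Tombstone lifetime: $tsl days"

# 2. Current domain role holders, so the seize target and the stale holder are both on record.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster | Format-List

# 3. Every inbound partnership reported by each reachable DC. A partner whose last successful
#    replication is older than the tombstone lifetime is the one repadmin flags with error 8614.
$cutoff = (Get-Date).AddDays(-$tsl)
Get-ADReplicationPartnerMetadata -Target * -Scope Server -ErrorAction SilentlyContinue |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult,
        @{ n = 'PastTombstoneLifetime'; e = { $_.LastReplicationSuccess -lt $cutoff } } |
    Sort-Object PastTombstoneLifetime -Descending | Format-Table -AutoSize

# 4. Seize only the Infrastructure Master onto the healthy DC. -Force turns the transfer into a
#    seize when the current holder cannot be contacted; -WhatIf previews without changing anything.
#    Remove -WhatIf once the survey above confirms the target, then do metadata cleanup as linked.
Move-ADDirectoryServerOperationMasterRole -Identity $HealthyDC `
    -OperationMasterRole InfrastructureMaster -Force -WhatIf
```

    The partner column is the NTDS Settings DN of the source DC, so the stale entry names the tombstoned server that the later metadata cleanup must remove.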


  2. Benaiah 21 Reputation points
    2022-02-12T22:36:06.437+00:00

    DSPatrick,
    The problem I have is that I need to preserve this server as part of the domain still, since there are other critical applications running on this machine (this is unfortunate and not my design or my work, but rather something I have inherited).
    The links that you have attached show that object deletion is involved, meaning this box will be out of the domain completely. So my understanding is that taking off the DC forcibly and cleaning up the metadata will lead to the box being completely out of the domain and part of a workgroup. Now, if this machine can rejoin the domain not as a DC but just as a domain member server, then that's fine by me, because I have a few services which need to work with domain service accounts and, as I said before, this box is too critical to be out of the domain.
    However, if this box has no prospect of rejoining the domain then this is something I cannot do, because it will doom our environment, which is at least working. Can you please confirm this point?

    So the plan is:

    1. Seize the role
    2. Take the DC off forcibly and do a metadata cleanup which will lead to the box out of domain
    3. The box is joined to the workgroup and out of domain
    4. Rejoin this box to the same domain, and NOT as a domain controller.

    If the above steps work then it's fine by me.
    Please advise and let me know your thoughts.

    Thanks in advance

    Regards


  3. Dave Patrick 426.1K Reputation points MVP
    2022-02-12T23:33:05.993+00:00

    The problem here is that this domain controller is right now in a limbo state and not really a member. Doing metadata cleanup removes data from AD DS that identifies a domain controller to the replication system. Since this one is no longer connected, from its own perspective it may be unaware; hence it will still think of itself as a domain controller, and it is unlikely you can do much with it.

    If you can get it to workgroup mode then I don't see a problem with rejoining the domain but in order to do that it will need a successful demotion as first step. Keep in mind right now they're on two separate islands with no connection between them.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  4. Benaiah 21 Reputation points
    2022-02-12T23:54:52.467+00:00

    I see. The issue is that this critical service still runs very well since this box is part of the domain and authentication works. So the issue is that metadata cleanup will remove this box as a DC etc. It's unclear to me if this will completely break this box and leave it unable to even log in and rejoin the domain etc.
    I hear the box needs a rebuild etc., but it's not clear what the state of the box will be after the metadata cleanup.
