DC with Infrastructure master is tombstoned

Benaiah 21 Reputation points
2022-02-12T17:42:54.63+00:00

Description:
Hi, we have one of the domain controllers that holds the Infrastructure Master FSMO role in a tombstoned state. We need a recovery plan.
Error message below:

".local PDCXXX.local RID pool manager XXXlocal Infrastructure master XXX.local
Replication Summary Start Time: 2022-02-11 19:20:19
Beginning data collection for replication summary, this may take awhile:
.........
Source DSA largest delta fails/total %% error
XXX 10m:20s 0 / 15 0
XXX 04m:09s 0 / 5 0
XXX >60 days 9 / 15 60 (8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime."

When I try to transfer the FSMO infrastructure operations master role to another server, the error message displayed is: "The requested FSMO operation failed. The current FSMO holder could not be contacted. The current operations master cannot be contacted to perform the transfer. Under some circumstances, a forced transfer can be performed. Do you want to attempt a forced transfer?"

Also we see a DC replication issue with one of the DCs, which holds the infrastructure master role as well; see the error:

"C:\Windows\system32>repadmin /replsum
Replication Summary Start Time: 2022-02-11 18:27:12
Beginning data collection for replication summary, this may take awhile:
.........
Source DSA largest delta fails/total %% error
XX 11m:34s 0 / 15 0
XXX 11m:03s 0 / 5 0
XXX >60 days 9 / 15 60 (8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
LXXX 11m:34s 0 / 15 0
XXX 11m:34s 0 / 20 0
Experienced the following operational errors trying to retrieve replication information:
58 - XXX"

My thought is that forcibly moving the FSMO infrastructure master role by seizing it is the right thing to do in this instance, but my fear is that it might put the server out of the domain. The machine is critical and we cannot take it out of the domain.

The domain is Windows 2012

Please advise.

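The replication check and operations master inventory a defender would run before deciding whether a seizure is warranted, as an added PowerShell example that is not from the question or any of the answers; it assumes the ActiveDirectory module and repadmin.exe are available where it runs, and 'HEALTHY-DC' is a placeholder.

```powershell
# Added example (not from the thread): triage a DC whose partner has not replicated within
# the tombstone lifetime (repadmin status 8614) and show where the FSMO roles sit before
# any seizure is considered. Assumes the ActiveDirectory module and repadmin.exe exist here.
Import-Module ActiveDirectory

# The tombstone lifetime lives on the Directory Service object in the configuration NC.
# When the attribute is unset, the forest uses the legacy default of 60 days.
$dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$dsObject = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

# Inbound replication state for every DC, parsed from repadmin's CSV output.
# A link is stale if it already reports 8614 or its last success predates the cutoff.
$links  = repadmin /showrepl * /csv | ConvertFrom-Csv
$cutoff = (Get-Date).AddDays(-$tsl)
$stale  = $links | Where-Object {
    $t = $_.'Last Success Time'
    $_.'Last Failure Status' -eq '8614' -or ($t -and ([datetime]$t) -lt $cutoff)
} | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Last Success Time', 'Last Failure Status' -Unique
$stale | Format-Table -AutoSize

# Current operations master holders. Seizure is only for roles whose holder appears as a
# stale Source DSA above; a role on a reachable DC is transferred normally, never seized.
$domain = Get-ADDomain
$forest = Get-ADForest
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

# Seizure (the "forced transfer" the MMC prompt offers) is final for the old holder: once a
# role is seized, that DC must not come back into the domain until it has been demoted and
# its metadata cleaned up. Kept as a -WhatIf dry run; 'HEALTHY-DC' is a placeholder.
Move-ADDirectoryServerOperationMasterRole -Identity 'HEALTHY-DC' `
    -OperationMasterRole InfrastructureMaster -Force -WhatIf
```

Run it from a healthy DC; a holder that shows up only in the stale list is the one whose role must be seized rather than transferred.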

Accepted answer
  1. Dave Patrick 426.1K Reputation points MVP
    2022-02-13T00:17:58.107+00:00

    cannot really go ahead without more guarantee..

    Ha, that's a funny one. There aren't any.

    Will I be able to forcibly demote the DC and then rejoin it

    No one knows. If you can get it to workgroup mode then I don't see a problem with rejoining the domain, but in order to do that it will need a successful demotion as a first step.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

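The "successful demotion as first step" sequence the accepted answer refers to, written out as an added PowerShell example that is not Dave Patrick's or the asker's code; all hostnames, the site name and the domain DN are placeholders, the domain is assumed to be at the Windows Server 2012 level the question states, and the destructive steps are left as -WhatIf runs or comments.

```powershell
# Added example (not from the thread): the order of operations once the roles have been
# seized by a healthy DC. Placeholders: OLD-DC (tombstoned DC), example.local, the site name.

# Step 1, on the tombstoned DC: force-demote it to a workgroup member. -ForceRemoval is needed
# because the box can no longer contact the other DCs to demote cleanly, and
# -DemoteOperationMasterRole lets the demotion proceed even though it still believes it
# holds the infrastructure master role. Remove -WhatIf to run it for real.
Import-Module ADDSDeployment
Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'New local Administrator password') `
    -Force -WhatIf

# Step 2, on a healthy DC: remove the dead DC's leftover objects so the remaining DCs stop
# trying to replicate with it. ntdsutil accepts its interactive commands as arguments;
# the DN below is a placeholder and the call is left commented out on purpose.
$oldDcDn = 'CN=OLD-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local'
# ntdsutil "metadata cleanup" "remove selected server $oldDcDn" quit quit

# Step 3, on the healthy DC: confirm the old DC is no longer listed as a domain controller
# and that the replication summary no longer reports it.
Import-Module ActiveDirectory
$remaining = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
if ($remaining -contains 'OLD-DC.example.local') {
    Write-Warning 'OLD-DC is still registered as a DC; metadata cleanup is incomplete.'
} else {
    'OLD-DC removed from the directory.'
}
repadmin /replsum

# Step 4, on the former DC, now a workgroup machine: rejoin it as an ordinary member.
# Remove -WhatIf to perform the join; the box reboots at the end.
Add-Computer -DomainName 'example.local' -Credential (Get-Credential) -Restart -WhatIf
```

Steps 1 and 4 run on the tombstoned box, steps 2 and 3 on a healthy DC; do not start step 4 until step 3 reports the old DC gone.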

10 additional answers

  1. Dave Patrick 426.1K Reputation points MVP
    2022-02-12T23:58:18.813+00:00

    it's not clear what will be the state of the box after the metadata clean up.

    From its perspective nothing changes, since there is no Active Directory connection right now. If you can get it to workgroup mode then I don't see a problem with rejoining the domain, but in order to do that it will need a successful demotion as a first step. Keep in mind right now they're on two separate islands with no connection between them.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Benaiah 21 Reputation points
    2022-02-13T00:11:36.897+00:00

    DSPatrick
    At this moment, everything is working on this server from the application perspective. The domain authentication on the service for the application works, and hundreds of clients are connected to this box and everything is working.
    However, as you pointed out, from the DC perspective this is broken and the infrastructure master role is dead. We just want to take this server out of the DC role, but it seems that doing so involves deleting the object of this computer from AD, and it doesn't sound guaranteed that this box will be operable after the metadata cleanup.
    So my question really is: after the forcible removal of the DC, will this box really become a workgroup machine that can be rejoined to the domain, or not?
    I'm not sure if the tombstoned DC can be operable after the metadata cleanup.. I really need a clearer answer on this..


  3. Benaiah 21 Reputation points
    2022-02-13T00:12:38.287+00:00

    So the question is.. Will I be able to forcibly demote the DC and then rejoin it to the domain and have things be okay? It's a high-risk move, and pretty hard to back out of.
    I cannot really go ahead without more guarantee..


  4. Benaiah 21 Reputation points
    2022-02-13T00:16:10.27+00:00

    DSPatrick
    Actually I see what you are pointing to, sorry I'm getting this slowly. So you are saying without successful demotion there will be no coming back.
