DC with Infrastructure master is tombstoned

Benaiah 21 Reputation points
2022-02-12T17:42:54.63+00:00

Description:
Hi, we have one of the domain controllers that is holding the Infrastructure Master FSMO role in a tombstoned state. We need a recovery plan.
Error message below:

".local PDCXXX.local RID pool manager XXXlocal Infrastructure master XXX.local
Replication Summary Start Time: 2022-02-11 19:20:19
Beginning data collection for replication summary, this may take awhile:
.........
Source DSA     largest delta  fails/total  %%  error
XXX            10m:20s        0 / 15       0
XXX            04m:09s        0 / 5        0
XXX           >60 days        9 / 15       60  (8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime."

When I try to transfer the FSMO infrastructure operations master role to another server, the error message displayed is "The requested FSMO operation failed. The current FSMO holder could not be contacted. The current operations master cannot be contacted to perform the transfer. Under some circumstances, a forced transfer can be performed. Do you want to attempt a forced transfer?"

Also we see the DC replication issue with one of the DCs, which holds the infrastructure master role as well; see the error.

"C:\Windows\system32>repadmin /replsum
Replication Summary Start Time: 2022-02-11 18:27:12
Beginning data collection for replication summary, this may take awhile:
.........
Source DSA     largest delta  fails/total  %%  error
XX             11m:34s        0 / 15       0
XXX            11m:03s        0 / 5        0
XXX           >60 days        9 / 15       60  (8614) The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
LXXX           11m:34s        0 / 15       0
XXX            11m:34s        0 / 20       0
Experienced the following operational errors trying to retrieve replication information:
   58 - XXX "

My thoughts are that moving the FSMO infrastructure master role forcefully by seizing the role is the right thing in this instance, but my fear is that it might put the server out of the domain. The machine is critical and we cannot take this machine out of the domain.

The domain is Windows 2012

Please advise..

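Before deciding between seizing the role and repairing replication, it helps to see exactly which partners have gone past the tombstone lifetime and who holds each FSMO role. The script below is an added example (not from the question or any answer on this page): it reads the forest tombstone lifetime from the configuration partition, then compares every inbound partner's last successful replication against it. It assumes the RSAT ActiveDirectory module is installed and that it is run from a domain-joined machine with rights to read replication metadata.

```powershell
# Added example: FSMO inventory plus a per-partner "days since last successful
# inbound replication" check against the forest tombstone lifetime (TSL).
# Assumes the ActiveDirectory module (RSAT) and a domain-joined, authorized account.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Role holders: the Infrastructure Master from the question is a domain-level role.
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

# The TSL lives on CN=Directory Service in the configuration partition. When the
# attribute is unset the default depends on when the forest was created (60 days
# for pre-Windows Server 2003 SP1 forests, 180 days otherwise); 60 is the
# conservative figure assumed here when nothing is set.
$rootDse = Get-ADRootDSE
$dsDn    = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsObj   = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
$tsl     = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
Write-Host "Tombstone lifetime in effect: $tsl days"

# For every DC, list inbound partners across all partitions and flag the ones that
# are past (or approaching) the TSL; these are the ones that will raise 8614.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -Partition * -ErrorAction Stop
    } catch {
        # A DC that cannot be queried at all (as with "operational error 58" in the
        # question) is itself a finding, so record it rather than silently skipping.
        Write-Warning "$($dc.HostName): could not read replication metadata ($($_.Exception.Message))"
        continue
    }
    foreach ($p in $partners) {
        $age   = (Get-Date) - $p.LastReplicationSuccess
        $state = if ($age.TotalDays -gt $tsl)     { 'EXCEEDS TSL (8614 expected)' }
                 elseif ($age.TotalDays -gt $tsl / 2) { 'warning' }
                 else                               { 'ok' }
        [pscustomobject]@{
            Destination          = $dc.HostName
            Partner              = $p.Partner          # DN of the partner's NTDS Settings object
            Partition            = $p.Partition
            DaysSinceLastSuccess = [math]::Round($age.TotalDays, 1)
            LastResult           = $p.LastReplicationResult   # 0 = success, 8614 = past TSL
            State                = $state
        }
    }
}

$report | Sort-Object DaysSinceLastSuccess -Descending | Format-Table -AutoSize
```

Run it once before any role seizure: if the stale DC is the only Infrastructure Master and its partners all show `EXCEEDS TSL`, the output tells you which partition and which partner to target when following the 8614 article instead of seizing.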

Accepted answer
  1. Dave Patrick 426.1K Reputation points MVP
    2022-02-13T00:17:58.107+00:00

    cannot really go ahead without more guarantee..

    Ha, that's a funny one. There aren't any.

    Will I be able to forcibly demote the DC and then rejoin it

    No one knows. If you can get it to workgroup mode then I don't see a problem with rejoining the domain, but in order to do that it will need a successful demotion as a first step.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


10 additional answers

  1. Benaiah 21 Reputation points
    2022-02-13T00:19:42.297+00:00

    I will see what MSFT will say.. unless someone else here has another say on this.


  2. Benaiah 21 Reputation points
    2022-02-14T14:02:29.847+00:00

    Hi all, thank you so much for your great suggestions.

    I've persisted in fixing the replication issue instead, and I've applied the following article steps from Microsoft

    https://learn.microsoft.com/en-US/troubleshoot/windows-server/identity/replication-error-8614

    I've applied the following sections in particular:

    "Check for and remove lingering objects if they're present.

    The point of the 8614 error replication quarantine is to check for lingering objects and remove them, if present, in each locally held partition before setting Allow Replication with divergent and corrupt partner to 1 in the registry of the destination DC, even if you think that all destination DCs in the forest are running in strict replication consistency.

    Removing lingering objects is beyond the scope of this article. For more information, see the following articles:

    Information about lingering objects in a Windows Server Active Directory forest.

    Event ID 1388 or 1988: A lingering object is detected

    Repadmin syntax is shown here:

    TABLE 2
    Syntax: c:\>repadmin /removelingeringobjects <Dest_DSA_LIST> <Source DSA GUID> <NC> [/advisory_mode]
    Online help (Windows Server 2008 and later): c:\>repadmin /help:removelingeringobject

    Evaluate setting strict replication on destination DCs.

    Strict mode replication prevents lingering objects from being reanimated on destination DCs that have used garbage collection to create, delete, and reclaim intentionally deleted objects.

    The registry key for strict replication:

    Path: HKEY_LOCAL_MACHINE\system\ccs\services\ntds\parameters
    Setting: Strict Replication Consistency <- not case sensitive>
    Type: reg_dword
    Value: 0 | 1

    Repadmin syntax for enabling and disabling strict replication on a single or multiple DCs is as follows:

    TABLE 3
    Syntax: repadmin /regkey <DSA_LIST> <{+|-}key> [value [/reg_sz]]
    Online help (Windows Server 2008 and later): Repadmin /help:regkey
    Enable on a single DC: repadmin /regkey <fully qualified computer name> +strict
    Enable on all DCs in forest: repadmin /regkey * +strict
    Enable on all GCs in forest: repadmin /regkey gc: +strict

    Set Allow replication with divergent and corrupt partner to 1 on the 8614 DC.

    After any lingering objects are removed, disable the time-based replication quarantine:

    Registry method:

    Registry path: HKEY_LOCAL_MACHINE\system\ccs\services\ntds\parameters
    Registry setting: Allow replication with divergent and corrupt partner <- Not case sensitive>
    Registry value: 0 = disallow, 1 = allow

    Repadmin method:

    TABLE 4
    Syntax: repadmin /regkey <DSA_LIST> <{+|-}key> [value [/reg_sz]]
    Online help (Windows Server 2008 and later): Repadmin /help:regkey
    Enable on a single DC: repadmin /regkey dc01.contoso.com +allowDivergent
    Enable on all DCs in forest: repadmin /regkey * +allowDivergent
    Enable on all GCs in forest: repadmin /regkey GC: +allowDivergent
    "
    After that I've run the commands REPADMIN /SYNCALL and repadmin /replicate brokenDC.mydomain.suffix workingDC.mydomain.suffix dc=mydomain,dc=local /force

    And all the errors of the replication were gone and the DCs do not display any tombstone state any longer.

    Thank you all !

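The sequence in the post above (lingering-object check, strict consistency, allowDivergent, forced replication) is easy to get out of order or to leave half-finished when typed by hand. The script below is an added example, not the poster's commands or Microsoft's article code: it runs the same repadmin steps in order for every partition the stale DC holds, does an advisory-mode pass first unless `-Apply` is given, and turns the divergent-partner setting back off once `/replsum` no longer reports 8614 so the tombstone quarantine is not left permanently disabled. The host names are placeholders; the "source DSA GUID" is taken from the healthy DC's NTDS Settings object, which is the GUID `repadmin /removelingeringobjects` expects. It assumes the ActiveDirectory module and an elevated Domain Admin session.

```powershell
# Added example: scripted version of the 8614 recovery sequence from the post.
# Placeholders: -BrokenDc (the DC reporting 8614) and -GoodDc (a healthy partner).
# Assumes the ActiveDirectory module, repadmin.exe on PATH, elevated Domain Admin.
param(
    [Parameter(Mandatory)][string]$BrokenDc,   # e.g. brokenDC.mydomain.suffix (placeholder)
    [Parameter(Mandatory)][string]$GoodDc,     # e.g. workingDC.mydomain.suffix (placeholder)
    [switch]$Apply                             # without -Apply only the advisory pass runs
)
Import-Module ActiveDirectory

# /removelingeringobjects wants the objectGUID of the source DC's NTDS Settings
# object (the "DSA GUID"), not the DC's invocation ID or computer object GUID.
$good          = Get-ADDomainController -Identity $GoodDc
$sourceDsaGuid = (Get-ADObject -Identity $good.NTDSSettingsObjectDN -Server $GoodDc).ObjectGUID
# Every partition the stale DC holds (domain, configuration, schema, DNS app partitions).
$partitions    = (Get-ADRootDSE -Server $BrokenDc).namingContexts

function Invoke-Repadmin([string[]]$Arguments) {
    # Thin wrapper so a non-zero exit from repadmin is visible instead of scrolling past.
    $out = & repadmin.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning "repadmin $($Arguments -join ' ') exited $LASTEXITCODE" }
    $out
}

# Step 1: advisory mode only reports; the Directory Service event log on the
# destination lists what would be removed. Review it before running with -Apply.
foreach ($nc in $partitions) {
    Write-Host "Advisory lingering-object check on $BrokenDc for $nc"
    Invoke-Repadmin @('/removelingeringobjects', $BrokenDc, $sourceDsaGuid, $nc, '/advisory_mode')
}
if (-not $Apply) {
    Write-Host "Advisory pass complete; re-run with -Apply after reviewing the event log."
    return
}

# Step 2: remove the lingering objects for real, partition by partition.
foreach ($nc in $partitions) {
    Invoke-Repadmin @('/removelingeringobjects', $BrokenDc, $sourceDsaGuid, $nc)
}

# Step 3: strict replication consistency so reanimated objects cannot come back
# (same key as "Strict Replication Consistency" = 1 in the post).
Invoke-Repadmin @('/regkey', $BrokenDc, '+strict')

# Step 4: lift the time-based 8614 quarantine on the stale DC only, not on "*".
Invoke-Repadmin @('/regkey', $BrokenDc, '+allowDivergent')

# Step 5: pull each partition from the healthy DC, then a full sync (/AdeP = all
# partitions, DN-identified servers, cross-site, push).
foreach ($nc in $partitions) {
    Invoke-Repadmin @('/replicate', $BrokenDc, $GoodDc, $nc, '/force')
}
Invoke-Repadmin @('/syncall', $BrokenDc, '/AdeP')

# Step 6: verify, and close the quarantine bypass again once 8614 is gone so the
# protection is back in place for the next time a DC goes stale.
$summary = Invoke-Repadmin @('/replsum', $BrokenDc)
$summary
if (($summary | Out-String) -match '8614') {
    Write-Warning "8614 still reported on $BrokenDc; allowDivergent left enabled while troubleshooting continues."
} else {
    Invoke-Repadmin @('/regkey', $BrokenDc, '-allowDivergent')
    Write-Host "Replication healthy; 'Allow replication with divergent and corrupt partner' reset on $BrokenDc."
}
```

Usage: `.\Repair-8614.ps1 -BrokenDc brokenDC.mydomain.suffix -GoodDc workingDC.mydomain.suffix` for the advisory pass, then the same with `-Apply`. Scoping `+allowDivergent` to the single stale DC rather than `*` keeps the rest of the forest's quarantine intact while the one partner is repaired.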