Tech Note: Tombstone Active Directory Domain Controllers

I have a number of test platforms which I use, and last week I started one which had been offline for a number of months. It consists of two Hyper-V virtual machines, each running Windows Server 2012 R2. These servers are configured as Active Directory Domain Controllers (AD DCs) in the same domain, and the last time I used them everything was working as expected. However, upon firing them up I noticed a few errors with Active Directory replication. The problem? My Active Directory Domain Controllers were tombstoned.

If an Active Directory Domain Controller has been offline for longer than the tombstone lifetime (180 days by default) it will have issues when it is brought back onto the network. Replication will fail, so things like users and groups will no longer synchronize. To confirm this is the case, run the following command on a good DC.

repadmin /showrepl

Also, a check of the replication status using the AD Replication Status Tool confirmed there were problems.

So, how do you fix this problem and force a tombstoned DC to replicate Active Directory? Well, a bit of googling turned up the following series of commands.

  • repadmin /replicate bad-dc.mydomain.intra good-dc.mydomain.intra DC=mydomain,DC=intra /force
  • repadmin /replicate bad-dc.mydomain.intra good-dc.mydomain.intra CN=configuration,DC=mydomain,DC=intra /force
  • repadmin /replicate bad-dc.mydomain.intra good-dc.mydomain.intra CN=schema,CN=configuration,DC=mydomain,DC=intra /force

As both my DCs report as tombstoned, I need to run the commands on each DC, so this is what I did.

On DC1 – CAM-DC1, run the following 5 commands from an administrative PowerShell prompt.

  • repadmin /replicate CAM-DC2.Cambridge.local CAM-DC1.Cambridge.local "DC=Cambridge, DC=local" /force
  • repadmin /replicate CAM-DC2.Cambridge.local CAM-DC1.Cambridge.local "CN=configuration, DC=Cambridge, DC=local" /force
  • repadmin /replicate CAM-DC2.Cambridge.local CAM-DC1.Cambridge.local "CN=schema, CN=configuration, DC=Cambridge, DC=local" /force
  • repadmin /replicate CAM-DC2.Cambridge.local CAM-DC1.Cambridge.local "DC=DomainDnsZones, DC=Cambridge, DC=local" /force
  • repadmin /replicate CAM-DC2.Cambridge.local CAM-DC1.Cambridge.local "DC=ForestDnsZones, DC=Cambridge, DC=local" /force

On DC2 – CAM-DC2, run the following 5 commands from an administrative PowerShell prompt.

  • repadmin /replicate CAM-DC1.Cambridge.local CAM-DC2.Cambridge.local "DC=Cambridge, DC=local" /force
  • repadmin /replicate CAM-DC1.Cambridge.local CAM-DC2.Cambridge.local "CN=configuration, DC=Cambridge, DC=local" /force
  • repadmin /replicate CAM-DC1.Cambridge.local CAM-DC2.Cambridge.local "CN=schema, CN=configuration, DC=Cambridge, DC=local" /force
  • repadmin /replicate CAM-DC1.Cambridge.local CAM-DC2.Cambridge.local "DC=DomainDnsZones, DC=Cambridge, DC=local" /force
  • repadmin /replicate CAM-DC1.Cambridge.local CAM-DC2.Cambridge.local "DC=ForestDnsZones, DC=Cambridge, DC=local" /force

All the commands should complete successfully. Then follow up with the following on each DC to fully sync AD.

repadmin /syncall /d /e
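Scripting the check and the repair above, as an added example that is not part of the original post: it assumes the RSAT ActiveDirectory module and repadmin.exe are available from an elevated PowerShell prompt, and it reuses the post's own hostnames (CAM-DC1 as the stale DC and CAM-DC2 as the good one; the variable names $GoodDC and $BadDC and the structure are mine). It reads the forest's tombstoneLifetime, reports how long each partition on the stale DC has gone without a successful inbound replication, enumerates the naming contexts from RootDSE instead of hand-typing the five DNs, and then runs the same repadmin /replicate, /syncall and /showrepl sequence with exit-code checks.

```powershell
# Added example (not from the original post): assess, then repair, replication on a DC
# that has been offline longer than the tombstone lifetime.
# Assumes: ActiveDirectory module (RSAT) and repadmin.exe present, elevated prompt,
# and the post's lab hostnames. Change $GoodDC / $BadDC for your own forest.

Import-Module ActiveDirectory

$GoodDC = 'CAM-DC2.Cambridge.local'   # source: the DC whose data is current
$BadDC  = 'CAM-DC1.Cambridge.local'   # destination: the DC to bring back in line

# --- 1. What is the tombstone lifetime in this forest? -------------------------
$rootDse = Get-ADRootDSE -Server $GoodDC
$dsObj   = Get-ADObject -Server $GoodDC `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
    -Properties tombstoneLifetime
# The attribute is unset on forests created before Windows Server 2003 SP1; AD then uses 60 days.
$tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
Write-Host "Tombstone lifetime: $tsl days"

# --- 2. When did each partition on the stale DC last replicate successfully? ---
# A LastReplicationSuccess older than the tombstone lifetime is the condition the post describes.
$meta = Get-ADReplicationPartnerMetadata -Target $BadDC -Partition *
foreach ($m in $meta) {
    $age  = (Get-Date) - $m.LastReplicationSuccess
    $flag = if ($age.TotalDays -gt $tsl) { 'EXCEEDS tombstone lifetime' } else { 'ok' }
    Write-Host ("{0,-45} {1,6:N0} days since last success  {2}" -f $m.Partition, $age.TotalDays, $flag)
}

# --- 3. Enumerate every naming context held by the forest --------------------
# namingContexts on RootDSE lists the domain, configuration and schema partitions
# plus the DomainDnsZones / ForestDnsZones application partitions.
$partitions = $rootDse.namingContexts
Write-Host "Partitions to replicate: $($partitions -join '; ')"

# --- 4. Force replication of each partition from the good DC to the stale DC ---
# Same argument order as the post: destination DC, then source DC, then the partition DN.
$failed = @()
foreach ($nc in $partitions) {
    Write-Host "repadmin /replicate $BadDC $GoodDC `"$nc`" /force"
    & repadmin.exe /replicate $BadDC $GoodDC $nc /force
    if ($LASTEXITCODE -ne 0) { $failed += $nc }
}

if ($failed) {
    Write-Warning "repadmin reported errors for: $($failed -join '; ')"
} else {
    # --- 5. Full sync of all partitions with all partners, then show the result -
    & repadmin.exe /syncall $BadDC /d /e
    & repadmin.exe /showrepl $BadDC
}
```

Run it once per DC, swapping $GoodDC and $BadDC just as the post runs the command set on each server. The age report in step 2 is worth keeping even if you do the repair by hand: a partner whose last successful replication exceeds the tombstone lifetime can still hold objects that were deleted and garbage-collected elsewhere in the forest, and forcing replication can bring those back as lingering objects. After the repair, repadmin /removelingeringobjects with the /advisory_mode switch reports any such objects without deleting them, which is the check to run on a real domain.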

Now, rerun repadmin /showrepl on each DC. The results are below.

CAM-DC2 (screenshot of repadmin /showrepl output)

CAM-DC1 (screenshot of repadmin /showrepl output)

And finally, using the AD Replication Status Tool, all looks fine.

So there it is. I really enjoy working with Active Directory, and I strongly recommend you set up a test environment and tinker with this stuff; you never know when something like this will come up in the wild. I have seen this happen!

Thanks for reading, enjoy.

TSP Admin