Hey everyone, I'm reaching out for some help with an Active Directory issue. I haven't worked much with AD lately as I've been focused more on Entra. My client has a problem where a domain controller (DC) lost communication with most of the other DCs after someone shut down some firewalls. They tried to fix it by creating their own replication links, but now it's a bit of a mess. The tombstone lifetime has expired, and this isolated DC can receive changes but can't send them back to the rest of AD. They've fixed the firewall issues and DCs can communicate now, but they need me to resolve the broken one. I'm thinking of moving the isolated DC's subnets to a different site first to avoid authentication problems, then forcing a demotion of the isolated DC, doing a metadata cleanup to remove it from AD, and recreating the site before re-promoting it. Does that sound like a solid plan? I could try to clean up the conflicting objects too, but I'm concerned it might be riskier and more complicated. Thanks for any insights!
5 Answers
You don’t need to recreate the site or any site links. Those are pretty much independent of the DC itself. Just focus on cleaning up the metadata.
Shut it down and delete it. Once you perform the metadata cleanup, you’ll get rid of the issues. Just be aware that some workstations might still think they can use that bad DC, so keep an eye on them.
Honestly, treating the isolated DC as a failed one and just rebuilding it from scratch is the simplest route. Just go straight to the metadata cleanup and remove it from AD.
Make sure to check that this DC isn’t holding any FSMO roles before you delete it. If it is, you’ll need to seize those roles to avoid issues.
Thankfully, it doesn’t hold any roles, so you're good to go!
I had a similar issue a while back with a DC affected by a bad battery. The easiest solution was to just delete it and do a cleanup manually. It took some time but was way smoother than trying to fix the existing dead DC. Then, just set up a new DC correctly without the hassle.

That's right, just keep in mind that may cause some temporary clutter until it's all sorted.
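
The checks the answers above call for (FSMO role holders before removal, leftovers after metadata cleanup) can be scripted. This is an added example, not code from any poster in the thread; it assumes the RSAT ActiveDirectory module, a session against a healthy DC, and `$TargetDc` is a placeholder for the isolated DC's host name.

```powershell
# Added example. Run from a healthy DC or an admin workstation with RSAT.
Import-Module ActiveDirectory
$TargetDc = 'DC-PLACEHOLDER'   # placeholder: host name of the DC being removed

$domain   = Get-ADDomain       # current domain only; repeat per domain in a multi-domain forest
$forest   = Get-ADForest
$configNc = (Get-ADRootDSE).configurationNamingContext

# 1. FSMO roles: list all five holders and flag any still on the target DC.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$held = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$TargetDc*" })
if ($held.Count -gt 0) {
    Write-Warning "$TargetDc still holds: $($held.Key -join ', '). Seize these roles first."
} else {
    Write-Output "$TargetDc holds no FSMO roles."
}

# 2. Tombstone lifetime configured for the forest (value is in days).
$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$tsl = (Get-ADObject $dsPath -Properties tombstoneLifetime).tombstoneLifetime
Write-Output "tombstoneLifetime: $tsl"

# 3. After metadata cleanup: anything below should come back empty.
# Server object left under Sites in the configuration partition.
$serverObj = Get-ADObject -SearchBase "CN=Sites,$configNc" `
    -LDAPFilter "(&(objectClass=server)(cn=$TargetDc))"
# Computer account left in the domain partition.
$computer = Get-ADComputer -Filter "Name -eq '$TargetDc'"
# Replication connections (including manually created ones) that still
# name the removed DC as their source.
$staleLinks = Get-ADReplicationConnection -Filter * |
    Where-Object { $_.ReplicateFromDirectoryServer -like "*CN=$TargetDc,*" }

[pscustomobject]@{
    ServerObjectRemaining   = [bool]$serverObj
    ComputerAccountRemaining = [bool]$computer
    StaleConnectionCount    = @($staleLinks).Count
}
```

Run sections 1 and 2 before taking the DC offline and section 3 once cleanup has replicated to the DC you are querying.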