How to Fix a Tombstoned Domain Controller


Read this guide to learn how to fix a tombstoned Active Directory Domain Controller: a DC that has not replicated with the other DCs for a period longer than the Tombstone Lifetime.

Step 0: Review Problem Background and Overview

When you run dcdiag, the other DCs in the domain report that the offending DC last synced on a date older than the tombstone lifetime, which is 180 days by default.

Here is a sample log entry I got when I ran dcdiag:

Last replication received from <domain controller name> at 2022-09-08 06:09:58. WARNING: This latency is over the Tombstone Lifetime of 180.

I ran the dcdiag command on April 10, 2025. This means the offending domain controller had not synced with the other DCs for over 2 years! When this happens, we say that the DC has been "tombstoned," which means that it holds data older than the AD forest's Tombstone Lifetime.

As part of the first steps to troubleshoot and fix the problem, I performed the following actions:

  1. Confirmed that all required firewall ports between the tombstoned DC and the FSMO role DC are open.
  2. Enabled DNS debug logging. Then, after 24 hours, verified that the server was only talking to itself and had not accepted any incoming client requests.
  3. Enabled Netlogon debug logging. After 24 hours, verified that the server had not responded to any logon or other event requests.

Once these tasks were done, I had solid evidence to confirm that the DC was broken. In this scenario, the only solution was to demote the DC, perform metadata cleanup and then re-promote the DC.

In the remaining sections of this guide, I have explained the detailed steps I used to accomplish these tasks.

Step 1: Remove the DNS Server Role from the DC

This must be done first. Otherwise, the DC demotion task (Step 2) fails.

#Open PowerShell as administrator

Uninstall-WindowsFeature -Name DNS

Restart the server to complete the removal of the DNS role.

Step 2: Remove the Global Catalog Role from the DC

If the server is badly broken, you must remove the Global Catalog role from the DC. Otherwise, the DC demotion will also fail.

  1. Open Active Directory Sites and Services from Server Manager.
  2. Then, navigate to the DC's site and expand it, then expand Servers and click the server name. In the details pane, right-click NTDS Settings and select Properties.
  3. After that, clear the Global Catalog check box, select Yes on the warning message, and finally, select OK.

Step 3: Demote the Server as a Domain Controller

#1. Save the password to use as the local Administrator password. At the credential prompt, enter Administrator as the username and then the password you want to use as the server's local Administrator password after its demotion as a DC

$password = Get-Credential

#2. Demote the server as a DC. -LocalAdministratorPassword expects a SecureString, which is what the .Password property of the credential object holds

Uninstall-ADDSDomainController -LocalAdministratorPassword $password.Password -Confirm:$false -NoRebootOnCompletion -ForceRemoval -SkipPreChecks

Restart the server to complete the demotion.

Demoting the server does not remove the Active Directory Domain Services (AD DS) role. So, we do not need to reinstall it.

Step 4: Perform Metadata Cleanup of the Demoted DC

After demoting the DC, and before re-promoting it, you must perform a metadata cleanup of the DC using ntdsutil.

Follow the steps below to complete this task.

  1. Determine the FSMO role holder by running the command below from any Domain Controller.
netdom query fsmo
  2. Sign in to the DC that holds the FSMO roles and open the command prompt as administrator. Then, run the following ntdsutil commands in the order provided.
#1. Type ntdsutil and press Enter. Then, at the ntdsutil prompt, type metadata cleanup and press Enter

ntdsutil: metadata cleanup

#2. At the metadata cleanup: prompt, execute the following commands. Note that the prompt changes to server connections: after the connections command

metadata cleanup: connections
server connections: connect to server <domain_fsmo-role-holder>
server connections: q

#3. Then, at the metadata cleanup: prompt, type select operation target and press the Enter key.

metadata cleanup: select operation target

#4. At the select operation target: prompt, run the following commands in order:

select operation target: list domains
select operation target: select domain <enter the number of the domain where the failed DC resides>
select operation target: list sites
select operation target: select site <enter the site number of the failed DC>
select operation target: list servers in site
select operation target: select server <enter the number of the server>
select operation target: q

#5. At the metadata cleanup: prompt, execute remove selected server

metadata cleanup: remove selected server

Then, in the Server Remove Confirmation dialog, confirm that the DC you want to remove is displayed, then select Yes.

#6. Quit metadata cleanup and ntdsutil by executing the q command at both prompts
  3. Log on to the FSMO role DC and force replication by running the command below from a command prompt opened as administrator.
repadmin /syncall <domain_fsmo-role-holder> /Aped

Quit the repadmin command by pressing any key.

  4. Then, monitor the progress of the replication by running the command below. Replace the placeholder with the Distinguished Name of the server whose metadata you are cleaning up.
repadmin /showobjmeta * "<enter the Distinguished Name of the server here>"

Do not proceed with the next steps until every DC reports that it cannot find the domain controller you have just removed from the domain. If all DCs report "Directory object not found," then you can proceed to Step 5 below.

For the avoidance of doubt, the above command should only return results that say "Directory object not found." If it returns a table, you must wait until the command no longer returns a table.
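The same convergence check, as an added example that is not part of the original post: instead of reading the repadmin /showobjmeta output by eye, it asks every DC in the domain over LDAP whether the removed server object still exists in its copy of the Configuration partition. The Distinguished Name in $removedServerDn is a constructed placeholder you must replace.

```powershell
# Added example (not the post's own code): confirm every DC has replicated the deletion of the
# demoted DC's server object before re-promoting it. Run on any DC after the metadata cleanup.
Import-Module ActiveDirectory

# Assumption: replace with the Distinguished Name of the server object you removed in the cleanup
$removedServerDn = "CN=DC99,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"

$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        # Query this specific DC's replica; a live object means it has not yet seen the deletion
        $null = Get-ADObject -Identity $removedServerDn -Server $dc.HostName -ErrorAction Stop
        [pscustomobject]@{ DC = $dc.HostName; State = 'ObjectStillPresent' }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Equivalent to repadmin reporting "Directory object not found" for this DC
        [pscustomobject]@{ DC = $dc.HostName; State = 'Converged' }
    }
    catch {
        # A DC that cannot be reached is also a blocker: it may be the one with closed ports
        [pscustomobject]@{ DC = $dc.HostName; State = "Unreachable: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize

if ($results | Where-Object { $_.State -ne 'Converged' }) {
    'Not every DC has converged yet; wait and re-run before proceeding to Step 5.'
}
else {
    'All DCs report the server object as gone; safe to proceed to Step 5.'
}
```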

Step 5: Reinstall the DNS Server Role on the Server

In Step 1, we removed the DNS Server role. Before promoting the server to a DC, you must reinstall this role with the following steps:

  1. Sign in to the server as the local administrator (enter .\administrator in the username field) and use the password you specified in Step 3 when you demoted the server as a DC.
  2. Execute the command below to reinstall the DNS Server role, including all sub-features and management tools, and restart the server if required.
#Open PowerShell as administrator

Install-WindowsFeature -Name DNS -IncludeAllSubFeature -IncludeManagementTools -Restart

Step 6: Re-promote the Server to a Domain Controller

While still signed in to the server with the local administrator account and PowerShell opened as administrator, execute these commands to promote the server to a DC.

I ran this command several times and it kept failing with the error, "An Active Directory domain controller for the domain "FQDN" could not be contacted." There was a problem with DNS name resolution.

#1. Gather the required parameters. When you run this command, PowerShell will prompt you for credentials - enter the domain username (domainname\username) and password of an account with permission to promote a server to a DC.
#The command also prompts you to "Enter the domain to promote into" - enter the FQDN of the domain

$HashArguments = @{
    Credential = (Get-Credential)
    DomainName = (Read-Host "Enter the domain to promote into")
    InstallDns = $true
}

#2. Promote the server to a DC and configure it as a DNS server. This command will prompt you to enter the SafeModeAdministratorPassword (the Directory Services Restore Mode, DSRM, password)

Install-ADDSDomainController @HashArguments

Step 7: Configure the DC in Sites and Services

  1. Log in to the server with your domain credentials and open Active Directory Sites and Services from the Server Manager Tools menu.
  2. In the Active Directory Sites and Services console, navigate to the server's site and expand it. Then, expand Servers > <the DC's server name> and left-click NTDS Settings.
  3. In the details pane, confirm that the replication connection was automatically generated. If it has not been generated, run the command below to generate it.
repadmin /kcc
  4. After that, verify that the server's subnet is associated with the site. To do this, right-click the site and choose Properties. The server's subnet should be displayed in the Subnets section of the General tab.

I compared the output of the ipconfig command against the subnet displayed in the site's Subnets section of the AD Sites and Services console to confirm they matched.

Step 8: Perform Manual Replication and Verify Success

  1. While still signed in to the server, open PowerShell or CMD as administrator and run the following command:
repadmin /syncall <enter the name of the FSMO DC here> /Aped

Wait for the replication command to complete, then press Q before proceeding to the next step.

In my case, my command returned an error, as one of the DCs could not be contacted. However, this did not stop me from proceeding to the next step.

  2. Verify that the repadmin command was successful by executing the PowerShell command below:
Get-ADReplicationPartnerMetadata -Target $env:userdnsdomain -Scope Domain | Select-Object Server, LastReplicationAttempt, LastReplicationSuccess, PartnerType

Depending on the number of DCs and sites in your environment, the command will take a while to complete.

In my case, the above command did not contact some DCs. Further troubleshooting confirmed that the AD ports required for replication were blocked from the DC where I ran the Get-ADReplicationPartnerMetadata command.

To fix the problem, I asked the SecOps team to open those ports. Once the ports were opened, I re-ran Get-ADReplicationPartnerMetadata, and there were no more failures.
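Building on the verification command above and the Step 0 symptom, here is an added example (not from the original post) that reads the forest's actual tombstoneLifetime attribute from the Configuration partition and flags every replication partner whose last successful inbound replication is older than it, so a DC can be caught before it reaches the state this guide repairs. It assumes the ActiveDirectory module is available and that an unset attribute means the 180-day default quoted in Step 0.

```powershell
# Added example (not the post's own code): report replication partners that have exceeded
# the forest's tombstone lifetime. Run from any DC or a machine with RSAT installed.
Import-Module ActiveDirectory

# The tombstone lifetime lives on the Directory Service object in the Configuration partition
$rootDse  = Get-ADRootDSE
$dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsObject = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime

# Assumption: when the attribute is not set, use the 180-day default the post quotes
$tombstoneLifetimeDays = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 180 }

$report = Get-ADReplicationPartnerMetadata -Target $env:USERDNSDOMAIN -Scope Domain |
    ForEach-Object {
        $daysSinceSuccess = ((Get-Date) - $_.LastReplicationSuccess).TotalDays
        [pscustomobject]@{
            Server                 = $_.Server
            Partner                = $_.Partner
            PartnerType            = $_.PartnerType
            LastReplicationSuccess = $_.LastReplicationSuccess
            DaysSinceSuccess       = [int]$daysSinceSuccess
            OverTombstoneLifetime  = $daysSinceSuccess -gt $tombstoneLifetimeDays
        }
    }

"Tombstone lifetime in this forest: $tombstoneLifetimeDays days"
$report | Sort-Object DaysSinceSuccess -Descending | Format-Table -AutoSize

# Any row flagged here is a candidate for the demote / metadata cleanup / re-promote procedure
$stale = $report | Where-Object OverTombstoneLifetime
if ($stale) {
    "WARNING: $($stale.Count) partner link(s) exceed the tombstone lifetime:"
    $stale | Format-Table Server, Partner, DaysSinceSuccess -AutoSize
}
else {
    'No partner link exceeds the tombstone lifetime.'
}
```

Partners that cannot be contacted at all will not appear in the output, so a short list is not proof of health; compare the Server column against Get-ADDomainController -Filter * if a DC is missing.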

Step 9: Rerun DCDIAG to Check for Replication Errors

Finally, rerun dcdiag on the DC you just fixed and on the FSMO role DC to check for replication errors.

Conclusion

Windows Active Directory Domain Controllers are designed to regularly replicate and update the AD database. However, in rare instances, one DC may stop replicating.

If this happens and you have confirmed that all required AD ports are open, the last step to fix the DC is to demote it, perform metadata cleanup of its objects from the AD database, and finally re-promote it to a DC.

In this guide, I outlined the detailed steps to fix a tombstoned AD DC by following the above procedure.
