Category Archives: Windows 2008

Forcing removal of tombstoned Domain Controller

I recently faced an issue where a Domain Controller at a remote site became tombstoned after not having replicated with Active Directory for 60 days.  Putting aside how I never noticed this, there was little I could do in this situation.  Its time had skewed out so far that it stopped participating in replication.  Whatever the cause, if a domain controller doesn’t communicate/replicate with AD within AD’s tombstone lifetime it will eventually become permanently tombstoned.

The default tombstone lifetime in Windows Server 2000 – 2003 is 60 days.  In Windows Server 2003 SP1 and above it’s 180 days.  Despite being Windows 2003 R2, the forest came from SBS 2003.  The original tombstone lifetime doesn’t change when you upgrade, so it stayed at 60 days.

The first part of fixing the issue was demoting the domain controller back to a standalone server.  Once that was done I could fix whatever issues the network had and re-promote it at a later stage.

Even though the network was up and the domain controller in question could connect to the other domain controllers, being tombstoned meant that it wouldn’t replicate with them.  Running dcpromo on the DC in question would fail when it attempted to communicate with the domain.

To work around the issue the command needed to be run with the /forceremoval switch.

Dcpromo /forceremoval

Below are the steps to perform a force removal.

1. Run dcpromo /forceremoval from the run box.

2. Click next to start the wizard.

3. Confirm the removal.

4. Set a new administrator password for when the server becomes a standalone server.

5. Confirm the removal of AD without cleaning up the metadata.  This is an important step to note.  Because we are forcing the removal of AD without cleaning up the metadata, the cleanup is a manual step we will have to perform later in our AD environment on a functioning DC.

6. Demotion will now start and remove the Domain Controller role from the server.

7. Click finish and reboot the server to complete the process.

With the server now successfully demoted it can be promoted back to a domain controller using the standard dcpromo command.  Before this can happen, though, we have to go back to step 5 above and perform a manual metadata cleanup of Active Directory to remove any references to this tombstoned DC.  I’ll be covering this step more in-depth in a later post.  Microsoft has a very thorough article on how to perform this process (see the Appendix below).

With the server demoted and a metadata cleanup performed I could happily promote this server back to a DC.  Preventing the issue from happening again would mean fixing my monitoring and sorting out any time sync issues… also a post for a later stage.
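As an added example (not part of the original post), here is a PowerShell check that reads the forest’s tombstone lifetime and flags replication partners whose last successful replication is getting close to it, which is the monitoring gap described above.  It parses the CSV output of repadmin /showrepl; the 75 % warning threshold, the DC names and the sample rows are constructed.

```powershell
# Added example, not from the original post. Assumes a domain-joined host with
# repadmin available; the sample rows below are constructed, not real output.
function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the
    # Configuration partition. If unset, the forest uses its creation-era default.
    $cfgNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ds    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
    $val   = $ds.Properties['tombstoneLifetime'].Value
    if ($val) { [int]$val } else { 60 }   # unset: 60 days for pre-2003 SP1 forests (the post's case)
}

function Get-ReplicationAge {
    param([string[]]$RepadminCsv, [int]$TombstoneDays, [double]$WarnFraction = 0.75)
    $RepadminCsv | ConvertFrom-Csv | ForEach-Object {
        # 'Last Success Time' is '0' when a partner has never replicated; treat that as infinite age.
        $last = [datetime]::MinValue
        $age  = if ([datetime]::TryParse($_.'Last Success Time', [ref]$last)) {
                    ((Get-Date) - $last).TotalDays } else { [double]::PositiveInfinity }
        $status = if ($age -ge $TombstoneDays) { 'TOMBSTONED' }
                  elseif ($age -ge $TombstoneDays * $WarnFraction) { 'WARN' } else { 'OK' }
        [pscustomobject]@{
            Destination = $_.'Destination DSA'
            Source      = $_.'Source DSA'
            Partition   = $_.'Naming Context'
            AgeDays     = [math]::Round($age, 1)
            Failures    = $_.'Number of Failures'
            Status      = $status
        }
    }
}

# Constructed sample in repadmin's CSV column layout. Live use: $csv = repadmin /showrepl * /csv
$fmt    = 'yyyy-MM-dd HH:mm:ss'
$sample = @(
  '"showrepl_COLUMNS","Destination DSA Site","Destination DSA","Naming Context","Source DSA Site","Source DSA","Transport Type","Number of Failures","Last Failure Time","Last Success Time","Last Failure Status"',
  ('"showrepl_INFO","HQ","DC01","DC=corp,DC=example","HQ","DC02","RPC","0","0","{0}","0"' -f (Get-Date).AddDays(-2).ToString($fmt)),
  ('"showrepl_INFO","HQ","DC01","DC=corp,DC=example","Remote","DC03","RPC","510","{0}","{1}","1722"' -f (Get-Date).AddDays(-1).ToString($fmt), (Get-Date).AddDays(-50).ToString($fmt))
)
# DC03 has not replicated for 50 days: against a 60-day lifetime it is flagged WARN before it tombstones.
Get-ReplicationAge -RepadminCsv $sample -TombstoneDays 60 | Format-Table -AutoSize
# Live: Get-ReplicationAge -RepadminCsv (repadmin /showrepl * /csv) -TombstoneDays (Get-TombstoneLifetimeDays)
```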

 

Appendix

Metadata cleanup
How to remove data in Active Directory after an unsuccessful domain controller demotion 

Redirecting name resolution of a single host for an external DNS zone

Redirecting, changing, forwarding, adding… all valid ways of describing the same goal.  You need to create an A host record for an external DNS zone without becoming authoritative for the whole zone.

A perfect scenario is you have a limited VPN connection between yourself and a partner company.  You need to access their Intranet server.  The partner company only publishes the Intranet address (http://intranet.company.com) to their Internal DNS server and not to the Internet.

One of the most obvious things you might try is to create a new zone within DNS called company.com and then create an A host record called intranet within it.  This will work, of course, but with a nasty side effect.  It makes you the authoritative name server for the zone, so any other records that this zone has published on the Internet will no longer resolve for your clients.  For example, if you tried http://www.company.com it wouldn’t resolve to the partner company’s website.  Sure, you could create one-to-one mappings of each A host record the partner company uses, assuming you know what they are, which you probably don’t.

A more appropriate way is to still create a zone, but to include the host within the full zone name.  In our scenario above the zone company.com becomes intranet.company.com.  We then create an A host record with a blank name that points to the Intranet server’s IP.  In essence we are still the authoritative name server, but only for this one specific host.

Below I run through the basic steps to create the zone, assuming some familiarity with zone creation.

Step 1.

Within DNS create a New Zone

Step 2.

Proceed through the wizard till you get to Zone Name.  Type the full DNS name of the record you want to create.  In this example we are creating intranet.company.com.

Step 3.

Continue through the wizard and complete the creation of the zone.  Select the zone and select New Host (A or AAAA).  Leave the Name blank, enter the IP address of the host you want to create/redirect and click Add Host.  In this case we are using a private IP of 10.10.10.1.

The end result within DNS is a zone named intranet.company.com containing a single A record with a blank name.  intranet.company.com will now resolve to 10.10.10.1 while all other published records for company.com will continue to resolve correctly to their respective external addresses.
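The same zone built from the command line with dnscmd, as an added example that is not part of the original post.  It refuses to continue if a zone for the whole parent domain already exists (the side effect described above), then confirms that the intranet host resolves to the private IP while a public record of the partner still resolves externally.  Assumptions: it runs on the DNS server itself, whose resolver points at the local DNS service, and the zone file name is arbitrary.

```powershell
# Added example, not from the original post. Creates the single-host zone with
# dnscmd (the CLI equivalent of the wizard steps above) and verifies the result.
# Assumptions: run on the DNS server itself, whose own resolver points at the
# local DNS service; the /file name is arbitrary.
$Zone   = 'intranet.company.com'
$Ip     = '10.10.10.1'
$Parent = 'company.com'

# Guard: a zone for the whole parent domain on this server would shadow every
# public record under company.com, the side effect the post warns about.
# dnscmd exits non-zero (DNS_ERROR_ZONE_DOES_NOT_EXIST) when the zone is absent.
& dnscmd /ZoneInfo $Parent | Out-Null
if ($LASTEXITCODE -eq 0) {
    throw "Zone '$Parent' exists on this server and would override the partner's public records."
}

# The zone name *is* the host name; '@' adds the record at the zone apex,
# which is the blank Name field in the New Host dialog.
& dnscmd /ZoneAdd $Zone /Primary /file "$Zone.dns"
& dnscmd /RecordAdd $Zone '@' A $Ip

function Test-SingleHostRedirect {
    param([string]$Name, [string]$Expected)
    try   { $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString } }
    catch { $addrs = @() }
    # With -Expected: the host must resolve to that address.
    # Without: the host must still resolve, and never to our private IP.
    $ok = if ($Expected) { @($addrs) -contains $Expected }
          else { @($addrs).Count -gt 0 -and @($addrs) -notcontains $Ip }
    [pscustomobject]@{ Name = $Name; Addresses = (@($addrs) -join ', '); Ok = $ok }
}

Test-SingleHostRedirect -Name $Zone -Expected $Ip   # the redirected host
Test-SingleHostRedirect -Name "www.$Parent"         # a public record of the parent domain
```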

Windows Server 2008 stops responding and hangs at the “Applying Computer Settings” stage of the logon process

I was recently faced with a Windows 2008 Server that became stuck on the “Applying Computer Settings…” screen of the logon process.  It would sit at this stage for close to an hour before it would finally reach the logon prompt.

Worse yet, once logged in the Event Log showed no errors.  A check of the services showed that Netlogon was in a stopping state and a handful of other services had not started:

  • Print Spooler
  • Terminal Services
  • Server service
  • Remote Registry
  • Windows Management Instrumentation (WMI)
  • Distributed Transaction Coordinator

Booting into Safe Mode seemed fine.  It would boot up fast and log straight in.  Of course most services are stopped in Safe Mode, so that didn’t shed much light.

I didn’t have much to work with.  I had been removing and applying new certificates for OCS 2007 just prior to removing the computer from the domain and putting it into a Workgroup.  A subsequent reboot led to the hung logon process.

After some digging around I finally came across an MS KB article which matched what I was experiencing.  The key point of the article was that this issue typically occurs after a server certificate is applied.

Microsoft provides a Hotfix and a Workaround for this issue.  The Hotfix updates 2 or 3 files depending on your OS version.  The Workaround is a registry change and was the solution I took.  The registry change makes HTTP.sys depend on the Cryptographic Services (CryptSvc) service being started first.  A quick backup of the key, the registry change and a reboot got me back up and running.

Appendix

Reg Fix

  1. Click Start, type regedit in the Start Search box, and then press ENTER.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP
  3. On the Edit menu, point to New, and then click Multi-String Value.
  4. Type DependOnService, and then press ENTER.
  5. Right-click DependOnService, and then click Modify.
  6. In the Value data box, type CRYPTSVC, and then click OK.
  7. Exit Registry Editor.
  8. Restart the computer.
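The same workaround scripted in PowerShell, as an added example that is not from the post or the KB.  It exports the key first so the change can be reverted, appends CRYPTSVC to any DependOnService entries that already exist rather than overwriting them, and reads the value back.  The backup location under %TEMP% is an assumption.

```powershell
# Added example, not from the original post or the KB. Key and value are the
# ones the post lists; the backup file location is an assumption.
$Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP'
$Backup = "$env:TEMP\HTTP-service-key.reg"

function Set-HttpDependsOnCryptSvc {
    param([string]$Path = $Key, [string]$BackupFile = $Backup)

    # 1. Export the key first so the change can be reverted with 'reg import'.
    $regPath = $Path -replace '^HKLM:\\', 'HKLM\'
    & reg.exe export $regPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; not touching the key." }

    # 2. Read any existing dependencies. The KB assumes the value does not exist,
    #    but if it does we append rather than replace so nothing else is lost.
    $existing = @()
    $item = Get-ItemProperty -Path $Path -Name DependOnService -ErrorAction SilentlyContinue
    if ($item) { $existing = @($item.DependOnService) }
    if ($existing -contains 'CRYPTSVC') {
        return "Already present: $($existing -join ', ')"
    }
    $new = $existing + 'CRYPTSVC'

    # 3. Write it as REG_MULTI_SZ: New-ItemProperty creates the value,
    #    Set-ItemProperty updates an existing one and keeps its type.
    if ($item) {
        Set-ItemProperty -Path $Path -Name DependOnService -Value $new
    } else {
        New-ItemProperty -Path $Path -Name DependOnService -PropertyType MultiString -Value $new | Out-Null
    }

    # 4. Read back before asking for the reboot the KB requires.
    $check = (Get-ItemProperty -Path $Path -Name DependOnService).DependOnService
    if ($check -notcontains 'CRYPTSVC') { throw 'Verification failed: CRYPTSVC not found in DependOnService.' }
    "DependOnService is now: $($check -join ', '). Restart the computer to apply."
}

Set-HttpDependsOnCryptSvc
# After the reboot, 'sc.exe qc http' lists CRYPTSVC under DEPENDENCIES.
```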

Microsoft KB Article

http://support.microsoft.com/kb/2379016