Domain Controller Tombstone Clean Up

Sometimes the worst happens: a Domain Controller breaks completely, with no way of fixing it. This happened to me recently with an old Domain Controller that was still on physical equipment, whereas most of our servers these days are on AWS and Azure.

Domain Controller Tombstone

However, the failure of this Domain Controller brought up a problem: it had not been demoted before it dropped out of the Domain, so every record the Domain held about it was left behind. If you work in IT, you will probably know this as Tombstoning. (Strictly, Active Directory uses "tombstone" for a deleted object that is kept for the tombstone lifetime before garbage collection; what is left here is the dead Domain Controller's metadata, which is what the ntdsutil metadata cleanup below removes.)

This means that your Domain still holds records for a Domain Controller it wants to use (DNS SRV records, replication links, possibly one or more FSMO roles), but the server is not there anymore. Left alone, this causes replication errors on the remaining Domain Controllers and clients being pointed at a logon server that never answers. So you will need to clean up the Domain manually, but only do this if the affected Domain Controller is absolutely unretrievable.

FSMO Roles

Note: If any FSMO roles were held by the affected Domain Controller, seize them onto another Domain Controller in your Domain first. It has to be a seizure, not a transfer: a transfer needs the current role holder online. Once a role has been seized, the old Domain Controller must never come back onto the network, or you will have two Domain Controllers claiming the same role.

There are plenty of guides out there on how to do this, but I'll add one to my site shortly. For now, here are a few YouTube videos on how to seize the roles on different Server Operating Systems.

Windows Server 2022 – Seize the FSMO Roles

Windows Server 2012 R2 – Seize the FSMO Roles

Transfer FSMO Roles to New Server

Tombstone Clean Up

When you are completely sure that you will have to take the plunge and manually remove the Domain Controller records from your Domain, follow these steps carefully and pay attention to whatever feedback you get on-screen.

First of all, open an elevated command prompt on a working Domain Controller (or on a machine with the AD DS RSAT tools installed, which include ntdsutil). Then run the following commands, in this exact order. Each q takes you back up one level in ntdsutil.

  • ntdsutil
  • metadata cleanup
  • connections
  • connect to server <Your Working DC Here>
  • q   (back up to metadata cleanup)
  • select operation target
  • list domains
  • select domain <number of domain>   (0 if there is only one)
  • list sites
  • select site <number of site>   (the site the broken Domain Controller was in)
  • list servers in site
  • select server <number of server>   (the broken Domain Controller)
  • q   (back up to metadata cleanup)
  • remove selected server   (confirm the dialog that pops up)
  • q
  • q   (exit ntdsutil)
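The same clean-up as the ntdsutil walkthrough above, run from PowerShell rather than typed interactively, is shown below. This is an added example, not a script from the original post; it assumes the ActiveDirectory and DnsServer RSAT modules, an elevated session with Enterprise Admin rights, AD-integrated DNS, and the placeholder names OLDDC01 (the dead Domain Controller) and DC02 (a healthy one). It seizes whichever FSMO roles the dead server still holds, hands ntdsutil the server object's DN so the whole "select operation target ... remove selected server" sequence becomes one command, then checks for and removes the objects and DNS records that metadata cleanup can leave behind.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
#Requires -RunAsAdministrator
# Added example, not the post's own script. Placeholder names below are
# assumptions; change them to match your Domain.
$DeadDC = 'OLDDC01'   # hostname of the unrecoverable DC (placeholder)
$GoodDC = 'DC02'      # healthy DC to run everything against (placeholder)

$domain   = Get-ADDomain -Server $GoodDC
$forest   = Get-ADForest -Server $GoodDC
$configNC = (Get-ADRootDSE -Server $GoodDC).configurationNamingContext

# Safety check: metadata cleanup is only for a DC that is really gone.
if (Test-Connection -ComputerName $DeadDC -Count 1 -Quiet) {
    throw "$DeadDC still answers on the network; demote it properly instead."
}

# 1. Seize any FSMO role the dead DC still holds. -Force seizes instead of
#    transferring (a transfer needs the current holder online).
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$toSeize = @($roles.GetEnumerator() |
    Where-Object { $_.Value -like "$DeadDC.*" } |
    ForEach-Object { $_.Key })
if ($toSeize.Count -gt 0) {
    Write-Host "Seizing $($toSeize -join ', ') onto $GoodDC"
    Move-ADDirectoryServerOperationMasterRole -Identity $GoodDC `
        -OperationMasterRole $toSeize -Force -Confirm:$false
}

# 2. Metadata cleanup. Passing the dead DC's server object DN replaces the
#    interactive "select operation target" steps. ntdsutil still shows its
#    confirmation dialog before deleting anything.
$serverFilter = "(&(objectClass=server)(cn=$DeadDC))"
$server = Get-ADObject -Server $GoodDC -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter $serverFilter
if (-not $server) { throw "No server object named $DeadDC under CN=Sites" }
& ntdsutil.exe 'metadata cleanup' `
    "remove selected server $($server.DistinguishedName) on $GoodDC" q q

# 3. Leftovers. Check each one and remove only what is actually still there.
#    a) the server object in Sites and Services (orphaned once NTDS Settings is gone)
$orphan = Get-ADObject -Server $GoodDC -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter $serverFilter
if ($orphan) {
    Remove-ADObject -Server $GoodDC -Identity $orphan -Recursive -Confirm:$false
}
#    b) the computer account in the Domain Controllers OU (it has child
#       objects, hence Remove-ADObject -Recursive rather than Remove-ADComputer)
$computer = Get-ADComputer -Server $GoodDC -Filter "Name -eq '$DeadDC'"
if ($computer) {
    Remove-ADObject -Server $GoodDC -Identity $computer -Recursive -Confirm:$false
}
#    c) DNS records that still point at the dead host: its A record, the NS
#       record on each zone, the SRV records clients use to find a DC, and the
#       <dsa-guid>._msdcs CNAME that replication partners resolve.
$deadFqdn = "$DeadDC.$($domain.DNSRoot)"
foreach ($zone in @($domain.DNSRoot, "_msdcs.$($forest.RootDomain)")) {
    Get-DnsServerResourceRecord -ComputerName $GoodDC -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.RecordType -eq 'A'     -and $_.HostName -eq $DeadDC) -or
            ($_.RecordType -eq 'NS'    -and $_.RecordData.NameServer    -like "$deadFqdn*") -or
            ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -like "$deadFqdn*") -or
            ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -like "$deadFqdn*")
        } |
        ForEach-Object {
            Write-Host "Removing $($_.RecordType) record $($_.HostName) from $zone"
            Remove-DnsServerResourceRecord -ComputerName $GoodDC -ZoneName $zone `
                -InputObject $_ -Force
        }
}
```

Run it once from the healthy Domain Controller and read the output: the reachability check at the top is deliberate, because metadata cleanup against a Domain Controller that is merely offline (rather than dead) leaves you with a server that will try to rejoin a Domain that has forgotten it. The DNS loop is the part most often skipped by hand; stale SRV records are what keep sending clients to the dead logon server long after the directory itself is clean.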

Once you have stepped through these commands, ntdsutil has deleted the broken Domain Controller's NTDS Settings object, so the Domain no longer treats it as a replication partner. Now check for, and delete, anything left behind in Active Directory: the server object under Active Directory Sites and Services (if it still exists once its NTDS Settings child is gone), the computer account in the Domain Controllers OU, and its DNS records (the A record, the NS record on the zone, and the SRV records under _tcp and _msdcs). On Windows Server 2008 and later, deleting the Domain Controller's computer object in Active Directory Users and Computers, or its NTDS Settings object in Sites and Services, runs the same metadata cleanup automatically, so that is an alternative to ntdsutil. Whichever way you do it, never bring the old Domain Controller back onto the network afterwards.

Final Steps

You should now run a health check on your remaining Domain Controllers to ensure that everything is working as it should.

In an elevated command prompt, run the following command:

repadmin /replsummary

This gives you a breakdown of replication status per Domain Controller, and the broken one should no longer appear as a source or destination. For a broader check, run dcdiag /q as well; it prints only failures, so no output means a clean result.
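Below is an added example, not from the original post, of turning that health check into something you can run repeatedly and act on: it parses repadmin /showrepl in CSV form instead of eyeballing the summary, counts dcdiag /q failures, and confirms the removed Domain Controller is gone from replication, from the directory and from the _ldap._tcp SRV records. It assumes the ActiveDirectory RSAT module, an elevated session on a healthy Domain Controller, and the placeholder name OLDDC01.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the post's own script. OLDDC01 is a placeholder.
function Test-DcCleanup {
    param([Parameter(Mandatory)][string]$RemovedDc)

    # repadmin /showrepl * /csv emits one row per (destination DC, partition,
    # source DC) replication link, with a 'Number of Failures' column.
    $links = repadmin /showrepl * /csv | ConvertFrom-Csv

    $failing = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })
    $stale   = @($links | Where-Object {
        $_.'Source DSA' -eq $RemovedDc -or $_.'Destination DSA' -eq $RemovedDc })

    # Still registered as a DC (its NTDS Settings object still exists)?
    $stillDc = @(Get-ADDomainController -Filter "Name -eq '$RemovedDc'")

    # Still advertised to clients as a logon server?
    $dnsRoot = (Get-ADDomain).DNSRoot
    $srv = @(Resolve-DnsName -Name "_ldap._tcp.$dnsRoot" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.NameTarget -like "$RemovedDc.*" })

    # dcdiag /q prints only failures, so any non-blank line is a problem.
    $dcdiag = @(dcdiag /q | Where-Object { $_.Trim() })

    [pscustomobject]@{
        ReplicationFailures = $failing.Count
        FailingLinks        = $failing
        StaleLinksToRemoved = $stale.Count
        StillListedAsDc     = $stillDc.Count -gt 0
        StillInDnsSrv       = $srv.Count -gt 0
        DcdiagProblems      = $dcdiag.Count
        Clean               = ($failing.Count -eq 0 -and $stale.Count -eq 0 -and
                               $stillDc.Count -eq 0 -and $srv.Count -eq 0 -and
                               $dcdiag.Count -eq 0)
    }
}

$result = Test-DcCleanup -RemovedDc 'OLDDC01'
$result | Select-Object -ExcludeProperty FailingLinks | Format-List
if ($result.ReplicationFailures -gt 0) {
    # Show exactly which links are unhappy so you can chase them with
    # repadmin /showrepl <dc> or dcdiag /test:replications.
    $result.FailingLinks |
        Format-Table 'Destination DSA', 'Naming Context', 'Source DSA',
                     'Number of Failures', 'Last Failure Status' -AutoSize
}
```

A replication link that still names the removed server as its source is the classic sign that metadata cleanup was run against one Domain Controller before that change replicated to the others; give replication a few minutes (or force it with repadmin /syncall) and run the check again before assuming anything is wrong.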

FAQ

What is a Domain Controller?

A Domain Controller (DC) is a server that responds to security authentication requests within a Windows Server domain. It manages user accounts, enforces security policies, and stores a directory database that includes user information and network resources.

What does it mean when a Domain Controller is Tombstoned?

In this guide, Tombstoning refers to a Domain Controller being removed from a domain without proper demotion. The domain still contains references to the now non-existent DC (replication links, DNS records, possibly FSMO roles), which can lead to various issues within the domain.

What are FSMO roles?

FSMO (Flexible Single Master Operations) roles are specialized domain controller tasks in a Windows Server environment that need to be handled by specific domain controllers. There are five FSMO roles: Schema Master, Domain Naming Master, RID Master, PDC Emulator, and Infrastructure Master.

How can I seize FSMO roles from a failed Domain Controller?

Seizing FSMO roles means forcibly assigning the roles to a functioning Domain Controller, using NTDSUtil or the PowerShell cmdlet Move-ADDirectoryServerOperationMasterRole with the -Force switch. A normal transfer is only possible while the current role holder is online, which is why a failed DC requires a seizure. There are many resources online, including YouTube tutorials, that provide step-by-step guides for different versions of Windows Server.

Why is it important to clean up a tombstoned Domain Controller?

Failing to clean up a tombstoned Domain Controller can lead to replication issues, authentication problems, and other inconsistencies within the domain, affecting network stability and security.

How do I manually remove a tombstoned Domain Controller from Active Directory?

You can use the NTDSUtil command-line tool to perform metadata cleanup. This process involves connecting to a working Domain Controller, selecting the affected domain and site, and then removing the references to the tombstoned Domain Controller.

Glossary

Active Directory (AD): A directory service developed by Microsoft for Windows domain networks. It stores information about objects on the network and makes this information easy for administrators and users to find and use.

Domain: A group of computers and devices on a network that are administered as a unit with common rules and procedures.

Domain Controller (DC): A server that handles security authentication requests within a Windows Server domain.

Flexible Single Master Operations (FSMO) Roles: Specialized domain controller tasks that are crucial for the smooth operation of an Active Directory domain. The five FSMO roles are Schema Master, Domain Naming Master, RID Master, PDC Emulator, and Infrastructure Master.

Metadata Cleanup: The process of removing data from Active Directory that references a failed or removed Domain Controller.

NTDSUtil: A command-line tool used for various Active Directory management tasks, including metadata cleanup and FSMO role management.

Tombstoning: As used in this guide, the state of a Domain Controller that has been removed improperly from a domain, leaving behind references in Active Directory that need to be manually cleaned up. (In Active Directory proper, a tombstone is a deleted object kept for the tombstone lifetime before garbage collection.)

Anthony Powell

Founder and Editor of AJGuides.com. IT Professional of 25 Years.