DC Tombstone lifetime on a 10 users Branch office, 30 users at HQ. Start scratch?


    Hello experts,

    we recently started working on a server consolidation project for a new customer. The customer's infrastructure we found is relatively small and is briefly described below.

    Headquarter in Europe
    ==================================================
    - About 30 users.
    - One physical server running Windows Server 2003 R2 Standard Edition acting as a file server.
    - One physical server running Windows Server 2003 R2 Standard Edition and Microsoft SQL Server 2005 for a line of business application.
    - One physical server running Windows Server 2003 R2 Standard Edition acting as a Domain Controller.
    - One physical server running Windows Server 2003 R2 Standard Edition acting as a Domain Controller and Global Catalog, holding the Five FSMO roles and running Microsoft Exchange Server 2003.
    ==================================================

    Branch office in Canada (connected to the corporate office by using a persistent site-to-site VPN)
    ==================================================
    - Less than 10 users.
    - One physical server running Windows Server 2003 R2 Standard Edition acting as a file server and a Domain Controller in a child domain.
    - Branch office users only access resources on the local server except for their Microsoft Exchange Server 2003 mailboxes on the Headquarter office.
    ==================================================

    The first problem we're dealing with is the Exchange 2003 database that has reached the 75GB limit. In order to immediately alleviate this problem and create free space to bring the logical size of the database below the limit, we have deleted any unwanted mailboxes and asked some very heavy email users to archive some mail or delete mail that is no longer required. This immediately brought the Exchange 2003 database below the logical limit, so we can now plan to migrate Exchange 2003 to Exchange 2007/2010 without hassle of the Exchange mailbox database being dismounted every morning.
    As a best practice before starting the actual migration to Exchange 2007/2010 running on a new Virtual Machine, we performed an overall Active Directory Assessment and Health Check using the Microsoft Active Directory Topology Diagrammer tool and the Active Directory Replication Status Tool.
    We found out the following:
    ==================================================
    - Replication between the DCs at the Headquarter shows no error messages.
    - Both DCs at the Headquarter are logging the 8614 error and fail to replicate directory partitions with the Branch office DC in Canada for tombstone lifetime. Last Successful Sync attempt occurred in January 2012.
    - When running DCDiag on the Branch office DC in Canada we also found out that besides unsuccessfully trying to replicate with the two live DCs at the Headquarter, the Branch office DC in Canada is trying to replicate to a third DC at the Headquarter that does not exist anymore.
    - The customer is completely unaware of the reasons why the Branch office DC in Canada failed to replicate directory partitions for such a long time causing tombstone lifetime.
    - Canadian Users do not connect to the Exchange 2003 server at the Headquarter using their corresponding domain users on the child domain. Someone created some additional user accounts on the parent domain in order to create their Exchange 2003 mailbox as if they were Headquarter users.
    ==================================================

    Based on the total number of users and Microsoft applications/platforms being used, I would prefer to plan for minimal downtime and start from scratch at the Headquarter. With regards to the Branch office DC in Canada, I am thinking about initially deploying an additional read-only domain controller (Replica DC) in the new domain at the Headquarter office, letting it replicate, making it a Global Catalog Server, then moving it to the remote branch office and finally changing its IP address.
    Otherwise:
    ==================================================
    - Would you try to resolve the tombstone lifetime issue with the Branch office DC in Canada before starting the migration to Exchange 2007/2010 at the Headquarter?
    - Would you temporarily ignore the tombstone lifetime issue with the Branch office DC in Canada, immediately start the migration to Exchange 2007/2010 at the Headquarter and take care of the tombstone lifetime issue with the Branch office DC in Canada at a later stage?
    ==================================================
    I would be very grateful if someone could kindly share some thoughts.
    Any help/information will be greatly appreciated.
    Regards,
    Massimiliano

  • #2
    Re: DC Tombstone lifetime on a 10 users Branch office, 30 users at HQ. Start scratch

    So are you putting a new Domain In and migrating objects across?

    Personally I would demote the Canada DC and run a metadata cleanup, then you have a nice small source domain to work from; then migrate to the new Domain or upgrade and install a new DC in the Branch Office.

    I hate re-ip addressing DC's so again personal preference I would build it in-situ.

    Are you installing an Exchange server in the Branch office? If so, remember:
    - Exchange doesn't support RODCs
    - In Exchange 2010 you will need a CAS in the same site.
    * Shamelessly mentioning "Don't forget to add reputation!"

    • #3
      Re: DC Tombstone lifetime on a 10 users Branch office, 30 users at HQ. Start scratch

      Straighten out AD before you do anything with Exchange. It sounds like you only have a single functioning DC at the moment. That's scary. Clean up the metadata for the missing DC. Disk wipe the Canada DC and rebuild it. You will need to clean up metadata there as well. Do yourself a favor by building a tertiary DC somewhere (HQ office is as good a place as any).

      Don't overlook your unary roles. In the off chance one of them was on either failed DC, you will need to seize them before doing anything else.

      I'm on a smartphone so excuse the brevity.
      Rules of life:
      1. Never do anything that requires thinking after 2:30 PM
      2. Simplicity is godliness
      3. Scale with extreme prejudice


      I occasionally post using a savantphone, so please don't laugh too hard at the typos...

      • #4
        Re: DC Tombstone lifetime on a 10 users Branch office, 30 users at HQ. Start scratch

        Since Exchange was on a DC, an authoritative restore might be in order since I believe you need to have the matching SID for installing Exchange in recovery mode.

        I agree that you need to get AD sorted first but you may need to restart the restore process to get AD working first and then restore Exchange.

        More info:
        http://msmvps.com/blogs/acefekay/arc...er-server.aspx

        http://blogs.technet.com/b/essential...er-in-ebs.aspx
        (this is about Exchange 2007 but it goes over the problem with the restore process)
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com

        • #5
          Re: DC Tombstone lifetime on a 10 users Branch office, 30 users at HQ. Start scratch

          To "untombstone" the DC Servers.

          Code:

          Windows Registry Editor Version 5.00

          ; Lets the DC accept inbound replication from a partner that has not
          ; replicated within the tombstone lifetime (1 = allow, 0 = refuse).
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
          "Allow Replication With Divergent and Corrupt Partner"=dword:00000001
          When replication has been restored, change the dword:00000001 back to dword:00000000
          1 1 was a racehorse.
          2 2 was 1 2.
          1 1 1 1 race 1 day,
          2 2 1 1 2

          • #6
            Re: DC Tombstone lifetime on a 10 users Branch office, 30 users at HQ. Start scratch

            Hello guys,

            first of all thank you for taking the time to reply to my question.

            Based on your replies, I understand that you would highly recommend fixing Active Directory replication before going ahead with the migration to Exchange 2007/2010 at the Headquarter, and I fully agree with you. That was my first thought too.

            Please note the following:
            ==================================================
            - The two DCs at the Headquarter (one physical server running Windows Server 2003 R2 Standard Edition acting as a Domain Controller and another physical server running Windows Server 2003 R2 Standard Edition acting as a Domain Controller and Global Catalog, holding the Five FSMO roles and running Microsoft Exchange Server 2003) are actually fully functioning at the moment. The Active Directory Replication Status Tool shows no replication error messages between these two DCs.
            - From the Branch office Canadian user's perspective the Domain Controller in the child domain is working correctly.
            - Although the overall network configuration is not well documented, I have realised that a third DC used to exist at the Headquarter and that it does not exist anymore. I have also realised that this DC had been successfully demoted at the Headquarter, but I believe that the successful demotion of this Domain controller took place when the Branch office DC in Canada was already failing to replicate with the DCs at the Headquarter. As a result, the Branch office DC in Canada is simply completely unaware of the successful demotion of the third DC that used to exist at the Headquarter.
            ==================================================

            If you need I can provide you with the Active Directory Replication Status Tool errors.

            Based on my understanding the domain partitions of the respective domains should be up-to-date, so it shouldn't be too hard to fix replication and eliminate any lingering objects, however I don’t have a clue how to find and remove lingering objects in Active Directory.

            I hope I have provided you with a better understanding of the current scenario.

            Thank you again for your support.
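The checks the thread circles around (the forest tombstone lifetime, partners whose last successful replication is older than it, and the "Allow Replication With Divergent and Corrupt Partner" value from #5 that must be reverted after repair), as an added audit script that is not code from any poster here. It assumes the ActiveDirectory module from Windows Server 2012 RSAT or later (for Get-ADReplicationPartnerMetadata) and read access to the NTDS\Parameters registry key on each DC; it only reports and changes nothing.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory PowerShell
# module from Server 2012 or later and remote registry read rights on each DC.
Import-Module ActiveDirectory

$regPath        = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$divergentValue = 'Allow Replication With Divergent and Corrupt Partner'
$strictValue    = 'Strict Replication Consistency'

# Tombstone lifetime is forest-wide, stored on the Directory Service object.
$rootDse = Get-ADRootDSE
$dsDn    = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsObj   = Get-ADObject $dsDn -Properties tombstoneLifetime
# Unset attribute means the legacy default of 60 days (forests created before 2003 SP1).
$tsl = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
Write-Host "Tombstone lifetime: $tsl days"

# Enumerate every DC in every domain of the forest (parent and child alike).
$dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

foreach ($dc in $dcs) {
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.HostName)
        $key  = $hive.OpenSubKey($regPath)
        $divergent = $key.GetValue($divergentValue)   # $null when the value is absent
        $strict    = $key.GetValue($strictValue)
        $hive.Close()
    } catch {
        Write-Warning "$($dc.HostName): could not read registry ($($_.Exception.Message))"
        continue
    }
    # 1 disables lingering-object protection; it is a temporary repair setting only.
    if ($divergent -eq 1) {
        Write-Warning "$($dc.HostName): '$divergentValue' is still 1; set it back to 0 once replication is healthy"
    }
    # 1 makes the DC refuse inbound replication of lingering objects.
    if ($strict -ne 1) {
        Write-Warning "$($dc.HostName): '$strictValue' is not 1; lingering objects could re-replicate"
    }
    # Partners not successfully replicated within the tombstone lifetime (the 8614 condition).
    $stale = Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
        Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddDays(-$tsl) }
    foreach ($p in $stale) {
        Write-Warning "$($dc.HostName): no successful inbound replication from $($p.Partner) for partition $($p.Partition) since $($p.LastReplicationSuccess)"
    }
}
```

Run it from a workstation or DC joined to the parent domain; each warning names the DC, the setting or partner, and the partition concerned.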
