Recover Tombstoned Domain Controller

These notes assume the tombstoned DC also came back with the wrong hostname.

http://projectrelated.com/?p=500
The first step is to allow the other domain controllers in your domain to replicate with the tombstoned DC. To do this, follow the steps below:

1. Click Start, click Run, type regedit, and then click OK.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
3. In the details pane, create or edit the entry Allow Replication With Divergent and Corrupt Partner:

If the entry already exists, right-click Allow Replication With Divergent and Corrupt Partner, click Modify, type 1 in the Value data box, and then click OK.

If the entry does not exist, right-click Parameters, click New, and then click DWORD Value. Type the name Allow Replication With Divergent and Corrupt Partner, press ENTER, double-click the new entry, type 1 in the Value data box, and then click OK.
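The same registry change done from PowerShell, as an added example that is not part of the original notes or the linked post. It sets the DWORD idempotently, reads it back to confirm, and, the part a defender cares about, turns it off again once the tombstoned DC has replicated, because a value of 1 left in place switches off the lingering-object protection that the tombstone lifetime exists to enforce. Run it elevated on the DC that must accept replication from the divergent partner.

```powershell
# Added example (not from the original notes): set, verify and later revert
# "Allow Replication With Divergent and Corrupt Partner" on a healthy DC.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$name = 'Allow Replication With Divergent and Corrupt Partner'

function Set-DivergentReplication {
    param([ValidateSet(0, 1)][int]$Value)

    # Create the value with an explicit DWORD type when it is missing,
    # otherwise just update it; either way the call is idempotent.
    $existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $key -Name $name -Value $Value
    }
    # Read back and return $true only if the DWORD holds the requested value
    return ((Get-ItemProperty -Path $key -Name $name).$name -eq $Value)
}

# 1. Open the window: let the divergent partner replicate with this DC
if (-not (Set-DivergentReplication -Value 1)) { throw "could not set $name" }

# 2. ...recover the tombstoned DC, run repadmin /syncall, verify replication...

# 3. Close the window again. Leaving this at 1 permanently disables the
#    lingering-object check, so revert it as soon as replication is healthy.
if (-not (Set-DivergentReplication -Value 0)) { throw "could not revert $name" }
```

The revert step is the one most often forgotten; putting both calls in the same script keeps the exception to the tombstone check scoped to the recovery itself.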

https://community.spiceworks.com/how_to/103538-properly-renaming-a-domain-controller-server-2012r2
# On the tombstoned DC: add the name the working DCs have for it as an alternate computer name, then make that name primary
netdom computername wrongname.domain.local /add:server.domain.local
netdom computername wrongname.domain.local /makeprimary:server.domain.local
# Restart the server
# Remove the wrong name
netdom computername server.domain.local /remove:wrongname.domain.local

https://www.itprotoday.com/active-directory/identifying-and-solving-active-directory-replication-problems
# Run both from the working DC; the second reads the bad DC's copy of the same object
repadmin /showobjmeta goodDC "cn=goodDC,ou=domain controllers,dc=usanmgmt,dc=net" > dc1objmeta1.txt
repadmin /showobjmeta badDC "cn=goodDC,ou=domain controllers,dc=usanmgmt,dc=net" > dc1objmeta2.txt

Afterward, open the dc1objmeta1.txt and dc1objmeta2.txt files and compare the version numbers for dBCSPwd, UnicodePWD, NtPwdHistory, PwdLastSet, and lmPwdHistory. In the article's example (DC1 corresponding to goodDC and DC2 to badDC above), dc1objmeta1.txt lists the version as 19, whereas dc1objmeta2.txt lists 11. Comparing the two files therefore reveals that DC2 has old password information for DC1. The Kerberos operation failed because DC1 was unable to decrypt the service ticket presented by DC2.
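Comparing the two files by eye works for one object, but the version columns are easy to misread. The following is an added example, not code from the original notes or the linked article: it parses repadmin /showobjmeta output into attribute-to-version maps and reports which password-related attributes disagree between the two DCs. goodDC, badDC and the example DN are placeholders; the sample output embedded at the end is constructed so the comparison can be seen offline, and only its version and attribute columns are meaningful.

```powershell
# Added example (not from the original notes or the linked article).

$PasswordAttributes = 'dBCSPwd', 'unicodePwd', 'ntPwdHistory', 'pwdLastSet', 'lmPwdHistory'

function ConvertFrom-ObjMeta {
    # Reduce repadmin /showobjmeta text to a hashtable of attribute -> version.
    # Each data row ends with "<Org.USN> <yyyy-MM-dd HH:mm:ss> <Ver> <Attribute>",
    # so rows are matched from the right-hand end and header lines fall through.
    param([string[]]$Lines)
    $meta = @{}   # PowerShell hashtable keys are case-insensitive (UnicodePWD == unicodePwd)
    foreach ($line in $Lines) {
        if ($line -match '\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+(?<ver>\d+)\s+(?<attr>\S+)\s*$') {
            $meta[$Matches.attr] = [int]$Matches.ver
        }
    }
    return $meta
}

function Compare-PasswordMeta {
    # One row per password attribute; Stale is $true where the two DCs disagree
    param([hashtable]$Good, [hashtable]$Bad)
    foreach ($attr in $PasswordAttributes) {
        [pscustomobject]@{
            Attribute   = $attr
            GoodVersion = $Good[$attr]
            BadVersion  = $Bad[$attr]
            Stale       = ($Good[$attr] -ne $Bad[$attr])
        }
    }
}

function Get-ObjMetaFromDC {
    # Live query: the same object DN is read from each DC in turn
    param([string]$DC, [string]$DN)
    ConvertFrom-ObjMeta -Lines (repadmin /showobjmeta $DC $DN)
}

# Live use (placeholders for your own names):
#   $dn   = 'cn=goodDC,ou=domain controllers,dc=example,dc=local'
#   $good = Get-ObjMetaFromDC -DC goodDC -DN $dn
#   $bad  = Get-ObjMetaFromDC -DC badDC  -DN $dn

# Constructed sample output; USNs and timestamps are made up and only the
# attributes of interest are included.
$goodSample = @'
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
   8292            Default-First-Site-Name\goodDC     8292 2019-03-01 09:15:02   19 unicodePwd
   8293            Default-First-Site-Name\goodDC     8293 2019-03-01 09:15:02   19 pwdLastSet
   8294            Default-First-Site-Name\goodDC     8294 2019-03-01 09:15:02   19 ntPwdHistory
'@ -split "`r?`n"

$badSample = @'
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
   5107            Default-First-Site-Name\goodDC     5107 2018-10-13 21:40:51   11 unicodePwd
   5108            Default-First-Site-Name\goodDC     5108 2018-10-13 21:40:51   11 pwdLastSet
   5109            Default-First-Site-Name\goodDC     5109 2018-10-13 21:40:51   11 ntPwdHistory
'@ -split "`r?`n"

$report = Compare-PasswordMeta -Good (ConvertFrom-ObjMeta $goodSample) -Bad (ConvertFrom-ObjMeta $badSample)
$report | Format-Table -AutoSize

if ($report | Where-Object Stale) {
    'badDC holds an older copy of the computer-account password; expect Kerberos decrypt failures until it is reset and resynced.'
}
```

Attributes missing from one side show up as an empty version and are flagged as stale, which is the right default: an absent password attribute on one replica is exactly the kind of divergence this check is meant to surface.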
https://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
1. Stop the Key Distribution Center (KDC) service on Server2. To do so, open
a Command Prompt, type net stop KDC, and press Enter.

2. Load Kerbtray.exe. You can do so by clicking Start, clicking Run, and
then typing c:\program files (x86)\windows resource kits\kerbtray.exe and pressing Enter.
You should see a little green ticket icon in your system tray in the lower
right corner of your desktop.

3. Purge the ticket cache on Server2, right-click the green ticket icon in
your system tray, and then click Purge Tickets. You should receive a
confirmation that your ticket cache was purged. Click OK.

4. Reset the Server2 domain controller account password on Server1 (the PDC
emulator).

To do so, open a command prompt and type: netdom resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password, and then press Enter.

5. Synchronize the domain. To do so, open a command prompt, type repadmin
/syncall, and then press Enter.

6. Start the KDC service on Server2. To do so, open a command prompt, type
net start KDC, and press Enter. This completes the process, and the domain
controllers should be replicating successfully now.
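The six steps above scripted end to end, as an added example that is not part of the original notes or the linked post. It swaps two tools: klist (built into current Windows) replaces the Resource Kit Kerbtray for purging tickets, and nltest gives a secure-channel check before and after. It runs on the DC whose secure channel is broken (Server2 in the text), following the netdom documentation, under which resetpwd resets the machine-account password of the computer it runs on and /server names another DC to authenticate against. PartnerDC and Domain are placeholders for your healthy DC and domain.

```powershell
# Added example (not from the original notes or the linked post). Run elevated
# on the DC being repaired.

$PartnerDC = 'server1.domain.local'   # healthy DC / PDC emulator to reset against
$Domain    = 'domain.local'

function Test-SecureChannel {
    # Coarse health check: nltest exits non-zero when the channel to the
    # domain cannot be verified
    nltest /sc_verify:$Domain 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

"Secure channel OK before repair: $(Test-SecureChannel)"

# 1. Stop the KDC so no tickets are issued under the stale machine key
Stop-Service -Name kdc

# 2./3. Purge cached tickets for the current logon session and for the SYSTEM
#       session (logon id 0x3e7), which holds the DC's machine-account tickets
klist purge | Out-Null
klist -li 0x3e7 purge | Out-Null

# 4. Reset this DC's machine-account password against the partner DC.
#    /passwordd:* prompts for the password instead of leaving it in the
#    command history.
netdom resetpwd /server:$PartnerDC /userd:$Domain\administrator /passwordd:*
if ($LASTEXITCODE -ne 0) {
    throw "netdom resetpwd failed (exit $LASTEXITCODE); KDC left stopped for inspection"
}

# 5. Replicate with all partners
repadmin /syncall

# 6. Bring the KDC back
Start-Service -Name kdc

"Secure channel OK after repair: $(Test-SecureChannel)"
```

The script deliberately leaves the KDC stopped if the password reset fails: restarting it at that point would resume issuing tickets under the key that is known to be out of sync, which is the condition being repaired.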
