Turn on that Scary DC



AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!


Stephen Mathews here; now tell me, do you have a domain controller you’re afraid to turn on? Maybe it lost power and nobody noticed for a couple months or you don’t trust your AD restore procedures; perhaps a troubled DC keeps deleting your DNS records – whatever happened, I’m going to show you how to power it on without allowing it to replicate.

The end goal is to disable replication on the troubled DC. This is done very simply by using the repadmin commands:

repadmin /options +DISABLE_INBOUND_REPL

repadmin /options +DISABLE_OUTBOUND_REPL

To disable replication on the troubled machine you must have either local or remote access. The local commands are above, to disable replication remotely use the same commands and add the server name. However, the server must be reachable via the network – the same network that replication runs over. You could try hammering the troubled DC with the commands during its startup and you may block replication before the DC starts, but let’s go with a more proactive method. We’ll block replication on its partners first.

The first step to finding the DC’s replication partners is to check the Connections tab inside NTDS Settings within Active Directory Sites and Services. In the below example my 2 “DFS” servers are indeed Domain Controllers, with SNY-DFS-VM02 is my troubled DC that needs replication blocked.

We have two connection fields: “Replicate From” and “Replicate To”; we also have two ways to block replication: Inbound and Outbound. We’re going to disable Outbound replication on the “Replicate From” servers and disable Inbound replication on the “Replicate To” servers. We can do this remotely using repadmin:

repadmin /options <Replicate From> +DISABLE_OUTBOUND_REPL

repadmin /options <Replicate To> +DISABLE_INBOUND_REPL

You can see this in the below screenshot that the “Current DSA Options” grow from 1 option “IS_GC” to 3 options “IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL”

Now that all the partners have their replication blocked, we can turn on the troubled DC and block its replication the same way. Once you’ve confirmed the troubled DC is blocked, go ahead and reverse your changes for the partners.

We’ll do one final check to verify the troubled DC is not replicating. Voila, it reports that “The destination server is currently rejecting replication requests.”

After walking you through the GUI, I’ll share with you how I did it with PowerShell. I use Get- ADReplicationConnection to check all the Replication Connections for any that match the troubled DC in the ReplicateFromDirectoryServer or ReplicateToDirectoryServer properties. Once I have those, I do some string parsing to pull out the server names. Then I write the repadmin command for both the source and target servers and store them in an array. After I get all the commands, I need to move the troubled DC repadmin commands to the end of the array (no easy way there, I ended up creating 3 arrays). Finally, I execute the commands with the output in the below screenshot. The script waits for the troubled DC to become reachable – this is when you turn on the troubled DC. Once it blocks the replication on the troubled DC, it reverses the changes on its replication partners.

$DCtoBlock = “sny-dfs-vm02″

$Commands = @()

Get-ADReplicationConnection -Filter * |

Where-Object {

($_.ReplicateFromDirectoryServer -match $DCtoBlock) -or

($_.ReplicateToDirectoryServer -match $DCtoBlock)

} |

ForEach-Object {

$Source = $_.ReplicateFromDirectoryServer.Split(‘,’)[1].Replace(‘CN=’,””)

$Target = $_.ReplicateToDirectoryServer.Split(‘,’)[0].Replace(‘CN=’,””)

$Commands += “repadmin /options $Source DISABLE_OUTBOUND_REPL

$Commands += “repadmin /options $Target DISABLE_INBOUND_REPL”


$Commands = $Commands | Select-Object -Unique | Sort-Object

$TailCmds = $Commands | Select-String -Pattern $DCtoBlock

$Commands = $Commands | Select-String -Pattern $DCtoBlock -NotMatch

$Commands += $TailCmds

foreach ($Action in @{‘+’=$true;’-‘=$null}.GetEnumerator()) {

foreach ($Command in $Commands) {

$Option = $Command.ToString().Split()[-1]

$CmdString = $Command.ToString().Replace($Option,”$($Action.Name)$Option”)

If (!(($CmdString -match $DCtoBlock) -and ($Action.Name -match ‘-‘))) {

do {


Invoke-Expression -Command $CmdString | Out-Null

$RepAdminOptions = Invoke-Expression -Command $Command.ToString().Replace($Option,””)

} while (($RepAdminOptions | Select-String -Pattern $Option -Quiet) -ne $Action.Value)




Thanks for reading and let’s keep those DCs on eh?