Jean-Marie
I have a forest with 4 domains (domain.com / child1.domain.com / child2.domain.com / child3.domain.com). The goal was to remove child3.domain.com.
The child3.domain.com domain only has 1 DC. I deleted the computer and user accounts which were not used anymore, waited for replication to the root DC and launched dcpromo on child3's DC to demote it (specifying it's the last DC in the domain), and it seemed to be successful:
[INFO] Request for demotion of domain controller
[INFO] Replicating off local changes to server <ROOT DC>
[INFO] This machine is no longer a domain controller
[INFO] The attempted domain controller operation has completed
The demotion was replicated to the root domain DC (Event Logs):
"The consistency checker deleted connection object CN=<DC>, CN=NTDS Settings .."
The problem is I did that more than 1 month ago and this child domain still appears in the Active Directory Domains and Trusts MMC:
- domain.com
- child1.domain.com
- child2.domain.com
- child3.domain.com
I found in the MS KB several articles close to my problem and tried this one first: HOW TO: Remove Orphaned Domains from Active Directory (230306).
It did not work because when I run the command "remove selected domain" with ntdsutil I receive this error: "DsRemoveDsDomainW error 0x20ab (The cross reference for the specified naming context could not be found)".
Then I tried this one: Removing Non-Existent Domain with ntdsutil.exe Generates DsRemoveDsDomainW Error. Error Message (235416).
The resolution proposed in this article is to use Ldp.exe or Adsiedit. When I try to remove child3 in CN=Partitions, I receive this error: A referral was returned from the server. I suppose it's because there is no child3 site anymore.
I also tried: HOW TO: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion (216498), but the demotion was correct and ntdsutil can't help me.
The article You Cannot Use ADSI Edit or Ldp.exe to Remove a Domain (274424) doesn't work because child3's DC is not a DC anymore, so I can't transfer the FSMO roles to the root domain DC.
The very strange thing is there is no remaining child3 data in Active Directory Sites and Services, but in Active Directory Users and Computers, if I manually search for child3's DC name choosing Entire Directory, I find it:
ntds://child3.domain.com/Domain Controllers/<DC NAME>
and another server in the deleted domain:
ntds://child3.domain.com/Computers/<SRV NAME>
If I try to delete these objects, I receive: A referral was returned from the server.
Last thing, I found that the Tombstone Lifetime is 60 days by default. I changed this setting to 30 but I still get my "Phantom DC". I do not want to wait 30 more days because we need to migrate to new Windows Server 2003 servers and want to avoid migrating "Phantom" or unwanted objects to the new servers.
Is there any solution for this weird situation???
Thanks a lot!
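An added read-only diagnostic (example code, not part of Jean-Marie's post and not from any of the cited KB articles) that checks the condition behind the "cross reference could not be found" and "referral was returned" errors above: it lists every domain crossRef in CN=Partitions and reports whether any DC's NTDS Settings object still claims to host that naming context. It assumes it runs as a forest-authenticated user on a machine that can reach a root-domain DC; attribute and container names are the standard AD schema ones.

```powershell
# Added example: find domain crossRef objects in the forest that no DC hosts anymore.
# Read-only. Assumes a forest-authenticated session with LDAP access to a root-domain DC.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext.Value   # e.g. CN=Configuration,DC=domain,DC=com

# 1. Collect every naming context some DC still hosts, from hasMasterNCs on nTDSDSA
#    (the "NTDS Settings") objects under CN=Sites.
$dsaSearch = New-Object System.DirectoryServices.DirectorySearcher
$dsaSearch.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
$dsaSearch.Filter     = "(objectClass=nTDSDSA)"
$dsaSearch.PageSize   = 500
[void]$dsaSearch.PropertiesToLoad.Add("hasMasterNCs")
[void]$dsaSearch.PropertiesToLoad.Add("distinguishedName")

$hostedNcs = @{}   # NC DN -> list of NTDS Settings DNs hosting it
foreach ($dsa in $dsaSearch.FindAll()) {
    $dsaDn = $dsa.Properties["distinguishedname"][0]
    foreach ($nc in $dsa.Properties["hasmasterncs"]) {
        if (-not $hostedNcs.ContainsKey($nc)) { $hostedNcs[$nc] = @() }
        $hostedNcs[$nc] += $dsaDn
    }
}

# 2. Walk the domain crossRefs in the Partitions container (systemFlags bit 0x2 marks a
#    domain NC) and compare each nCName against the hosted-NC table.
$crSearch = New-Object System.DirectoryServices.DirectorySearcher
$crSearch.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNc"
$crSearch.Filter     = "(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))"
foreach ($attr in "nCName", "dnsRoot", "nETBIOSName", "distinguishedName") {
    [void]$crSearch.PropertiesToLoad.Add($attr)
}

foreach ($cr in $crSearch.FindAll()) {
    $ncName = $cr.Properties["ncname"][0]
    $hosts  = $hostedNcs[$ncName]
    [pscustomobject]@{
        DnsRoot    = $cr.Properties["dnsroot"][0]
        NetBIOS    = $cr.Properties["netbiosname"][0]
        NcName     = $ncName
        HostingDCs = if ($hosts) { $hosts.Count } else { 0 }
        # A crossRef with zero hosting DCs is the "phantom" domain still listed in
        # Domains and Trusts; the directory can only return a referral for its objects.
        Status     = if ($hosts) { "hosted" } else { "ORPHANED crossRef: no DC hosts this NC" }
        CrossRefDn = $cr.Properties["distinguishedname"][0]
    }
}
```

A row whose Status is ORPHANED is the crossRef to remove (the object under CN=Partitions, not the referred-to domain objects), which is why deletes aimed at the child3 computer objects come back as referrals.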