Cannot delete child domain

Jean-Marie

I have a forest with 4 domains (domain.com /
child1.domain.com / child2.domain.com /
child3.domain.com). The goal was to remove
child3.domain.com.

The child3.domain.com only has 1 DC. I've deleted
computer and user accounts which were not used anymore,
waited for replication to the root DC and launched dcpromo on
child3's DC to demote it (specifying it's the last DC in
the domain), and it seemed to be successful:

[INFO] Request for demotion of domain controller
[INFO] Replicating off local changes to server <ROOT DC>
[INFO] This machine is no longer a domain controller
[INFO] The attempted domain controller operation has
completed

The demotion was replicated to the root domain DC (Event
Logs):

"The consistency checker deleted connection object
CN=<DC>, CN=NTDS Settings .."

The problem is I did that more than 1 month ago and this
child domain still appears in the Active Directory
Domains and Trusts MMC:

- domain.com
- child1.domain.com
- child2.domain.com
- child3.domain.com

I found in the MS KB several articles close to my problem
and tried first this one: HOW TO: Remove Orphaned Domains
from Active Directory (230306).

It did not work because when I run the command "remove
selected domain" with ntdsutil I receive this
error: "DsRemoveDsDomainW error 0x20ab (The cross
reference for the specified naming context could not be
found)".

Then I tried this one: Removing Non-Existent Domain with
ntdsutil.exe Generates DsRemoveDsDomainW Error. Error
Message (235416).

The resolution proposed in this article is to use Ldp.exe
or Adsiedit. When I try to remove child3 in
CN=Partitions, I receive this error: A referral was
returned from the server. I suppose it's because there is
no child3 site anymore.

I also tried: HOW TO: Remove Data in Active Directory
After an Unsuccessful Domain Controller Demotion (216498)
but the demotion was correct and ntdsutil can't help me.

The article: You Cannot Use ADSI Edit or Ldp.exe to
Remove a Domain (274424) doesn't work because the
child3's DC is not a DC anymore so I can't transfer FSMO
roles to the root domain DC.

The very strange thing is there is no child3 remaining
data in Active Directory Sites and Services but in Active
Directory Users and Computers, if I manually search
child3's DC name choosing Entire Directory, I find it:

ntds://child3.domain.com/Domain Controllers/<DC NAME>

and another server in the deleted domain:

ntds://child3.domain.com/Computers/<SRV NAME>

If I try to delete these objects, I receive: A referral
was returned from the server.

Last thing, I found that the Tombstone Lifetime is by
default 60 days. I changed this setting to 30 but I still
get my "Phantom DC". I do not want to wait 30 days more
because we need to migrate to new Windows Server 2003
machines and want to avoid migrating "Phantom" or unwanted
objects to the new servers.

Is there any solution for this weird situation???

Thanks a lot!
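The two errors above are the signature of an orphaned crossRef: the root DC does not host the child3 naming context, so a delete under DC=child3,DC=domain,DC=com is referred to the dnsRoot named in that crossRef (which no longer answers), and changes to crossRef objects in CN=Partitions are accepted only by the Domain Naming Master, so any other DC answers them with a referral too. The following read-only PowerShell audit is added here and is not part of the thread; it lists every domain crossRef and flags the ones no DC still claims, and it assumes the ActiveDirectory and DnsClient modules plus a Windows Server 2003 or later schema (msDS-HasDomainNCs on nTDSDSA objects).

```powershell
# Added example, not code from the thread: read-only audit of the domain
# crossRef objects in CN=Partitions. A crossRef that no DC still claims
# (no nTDSDSA lists its NC, no DC SRV record in DNS) is an orphaned domain.
# Assumes the ActiveDirectory and DnsClient modules and a 2003+ schema
# (msDS-HasDomainNCs on nTDSDSA objects).
Import-Module ActiveDirectory

$rootDse    = Get-ADRootDSE
$configNc   = $rootDse.configurationNamingContext
$partitions = "CN=Partitions,$configNc"
$sites      = "CN=Sites,$configNc"

# FLAG_CR_NTDS_DOMAIN (0x2) in systemFlags marks a crossRef for a domain NC,
# as opposed to the schema, configuration or an application partition.
$FLAG_CR_NTDS_DOMAIN = 0x2

# Every live DC advertises the domain NCs it hosts on its nTDSDSA object.
$hostedNcs = @(Get-ADObject -SearchBase $sites -LDAPFilter '(objectClass=nTDSDSA)' `
    -Properties 'msDS-HasDomainNCs' |
    ForEach-Object { $_.'msDS-HasDomainNCs' } | Sort-Object -Unique)

$crossRefs = Get-ADObject -SearchBase $partitions -LDAPFilter '(objectClass=crossRef)' `
    -Properties nCName, dnsRoot, nETBIOSName, systemFlags

$report = foreach ($cr in $crossRefs) {
    if (-not ([int]$cr.systemFlags -band $FLAG_CR_NTDS_DOMAIN)) { continue }
    $dnsRoot = @($cr.dnsRoot)[0]
    # A domain with any DC left still registers _ldap._tcp.dc._msdcs.<dnsRoot>.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$dnsRoot" -Type SRV `
        -ErrorAction SilentlyContinue
    $hosted = ($hostedNcs -contains ([string]$cr.nCName))
    [pscustomobject]@{
        Domain     = $dnsRoot
        NetBIOS    = $cr.nETBIOSName
        CrossRefDN = $cr.DistinguishedName
        DcInDns    = [bool]$srv
        NcHosted   = $hosted
        Orphaned   = (-not $srv) -and (-not $hosted)
    }
}
$report | Format-Table -AutoSize

# crossRef changes are accepted only by the Domain Naming Master; any other
# DC answers with a referral, which is the error quoted in the thread.
"Domain Naming Master: $((Get-ADForest).DomainNamingMaster)"
```

A row with Orphaned = True names the crossRef that KB 230306 has you remove on the Domain Naming Master; the script itself changes nothing.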

Diana Smith [MSFT]

Hello Jean-Marie,

Please take a look at the article listed below:
251307 HOW TO: Remove Orphaned Domains from Active Directory Without
Demoting
http://support.microsoft.com/?id=251307

230306 HOW TO: Remove Orphaned Domains from Active Directory
http://support.microsoft.com/?id=230306

Thank You.

Diana.


This posting is provided "AS IS" with no warranties, and confers no rights.

Jean-Marie

Hi Diana,

Thanks for your reply. I understand that I can't
completely remove the child domain without removing all
server and computer entries of the child domain. The
problem is I have no solution to remove these objects.
The only way to see these "phantom" objects is to search
for the child domain DC name in AD Users and
Computers in the root domain, choosing the search option
"Entire Directory". Then I find something like:
ntds://child3.domain.com/Domain Controllers/<DC NAME>

That's what I want to remove, but how???
The child3.domain.com does not exist anymore. If I try to
remove some entries using ADSIEDIT or LDP, I receive a
referral error.

Thank you


Guest

Regarding:
Please take a look at the article listed below:
251307 HOW TO: Remove Orphaned Domains from Active Directory Without
Demoting
http://support.microsoft.com/?id=251307

230306 HOW TO: Remove Orphaned Domains from Active Directory
http://support.microsoft.com/?id=230306

I find these KB articles inaccurate, elliptical and ineffective. For example, it is Sites and Services, not Sites and Servers. And where in that snap-in does one navigate to FSMO Holder? When I try to delete a computer in the snap-in I am either advised not to do it and it doesn't do it, or the snap-in refuses to do it. Since this is a prerequisite to NTDSUTIL actually performing the liquidation of the domain, NTDSUTIL is useless for the purpose. Someone should research and effectively treat of the matter of crowbar-ing Active Directory from an orphaned computer. Then publish it for all to see. Personally, I think DCPROMO should never refuse absolutely to demote a computer. It can advise against it and set off all sorts of alarm bells in the operator's head but ACT ON the inadvisable option nevertheless. Using NTDSUTIL is arcane and FOR WIZARDS' USE ONLY.

Guest

SYBEX publishes a wonderful and thick book on Windows 2003 Server that explains, as nobody else explains, how to crowbar Active Directory off a computer, plus many eye-opening things about Windows 2003 Server. I recommend to every interested person, who does not already own the book, to buy it and learn. I don't own shares in SYBEX and I didn't write the book.