There was a problem in Windows 2000 and in Windows Server 2003 prior to Service Pack 1 where the NTDS Settings object was not removed after the successful demotion of a domain controller until 14 days had passed. Until then, a new domain controller with the same name could not be introduced into Active Directory.
The same behaviour can be seen in newer versions of Active Directory Domain Services if the replTopologyStayOfExecution attribute has been set, so all domain administrators may benefit from this article.
Cause
The Active Directory object that represents a domain controller (the nTDSDSA object, shown as NTDS Settings) is not moved to the ‘Deleted Objects’ container until 14 days after demotion, and until then it retains all of its attributes fully populated.
Because the nTDSDSA object is not moved to the ‘Deleted Objects’ container but remains in its default location (Configuration container > Sites > sitename > Servers > servername > NTDS Settings) marked with isDeleted=TRUE, and is therefore invisible in the user interface, the name of a demoted or deleted domain controller must not be re-used until the nTDSDSA object has been moved to the ‘Deleted Objects’ container and that change has replicated to all domain controllers.
Resolution
WARNING: Incorrect use of ADSIEdit can have serious consequences for Active Directory.
1. Open AdsiEdit.msc and browse to Configuration Container > Services > Windows NT > Directory Service.
2. Right-click the Directory Service object and select Properties.
3. Change the attribute replTopologyStayOfExecution from <not set> to 1.
4. Allow the change to replicate to all domain controllers before re-using the name of a demoted domain controller.
Additionally, you can use LDP to check for the deleted objects. To do that you need to enable the “Return Deleted Objects” option (Options > Controls). You should then be able to see the demoted or deleted domain controllers in the ‘Deleted Objects’ container. A third option is to use the metadata cleanup procedure in Ntdsutil to remove failed domain controllers from Active Directory; a guide on how to do this can be found here: http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx.
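The ADSIEdit steps above and the LDP check can also be done from PowerShell. The script below is an added example, not part of the original article, and assumes the ActiveDirectory module (RSAT) is installed and that the account has Enterprise Admin rights on the Configuration partition. It reads and sets replTopologyStayOfExecution on the Directory Service object, then lists every nTDSDSA object in the forest, including tombstoned ones, so you can see which demoted domain controllers are still in place under Sites (isDeleted=TRUE but not yet moved) and which have already reached the ‘Deleted Objects’ container.

```powershell
# Added example (not from the original article). Requires the RSAT ActiveDirectory
# module and Enterprise Admin rights; run on a domain-joined machine that can reach a DC.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
# CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,... is the object
# that carries replTopologyStayOfExecution (step 3 of the ADSIEdit procedure).
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# Current value. An empty result means <not set>, i.e. the 14-day default applies.
Get-ADObject -Identity $dsObject -Properties replTopologyStayOfExecution |
    Select-Object DistinguishedName, replTopologyStayOfExecution

# Equivalent of changing the attribute to 1 in ADSIEdit. -Replace overwrites any
# existing value instead of failing if one is already present.
Set-ADObject -Identity $dsObject -Replace @{ replTopologyStayOfExecution = 1 }

# Verify the write before waiting for replication.
$after = (Get-ADObject -Identity $dsObject -Properties replTopologyStayOfExecution).replTopologyStayOfExecution
if ($after -ne 1) { throw "replTopologyStayOfExecution is $after, expected 1" }

# Equivalent of LDP with "Return Deleted Objects" enabled. Without
# -IncludeDeletedObjects the directory hides anything marked isDeleted=TRUE,
# which is exactly the state the article describes. The DistinguishedName
# shows whether the object is still under CN=Sites (not yet moved) or already
# under CN=Deleted Objects; lastKnownParent names the server it belonged to.
Get-ADObject -SearchBase $configNC -IncludeDeletedObjects `
    -LDAPFilter '(objectClass=nTDSDSA)' `
    -Properties isDeleted, lastKnownParent, whenChanged |
    Sort-Object isDeleted, whenChanged |
    Select-Object DistinguishedName, isDeleted, lastKnownParent, whenChanged |
    Format-Table -AutoSize
```

Any server whose NTDS Settings object still appears with isDeleted=TRUE under CN=Sites is not yet safe to re-use as a domain controller name; re-run the last query after the change has replicated and the Knowledge Consistency Checker has run. If an entry belongs to a domain controller that failed rather than one that was demoted cleanly, remove it with the Ntdsutil metadata cleanup procedure linked above rather than deleting it by hand.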