Why not to re-use DC names

There existed a problem in Windows 2000 and Windows Server 2003 prior to Service Pack 1 where the NTDS Settings container was not removed after successful demotion of a domain controller until after 14 days.  This would prevent a domain controller of the same name being introduced into Active Directory.

This problem can also be seen in newer versions of Active Directory Services if the replTopologyStayOfExecution setting has been set, so all domain administrators may benefit from this article.

Cause

Active Directory objects that are deleted are normally moved to the ‘Deleted Objects’ container.  Attributes that are not required for replication are removed.

The Active Directory object representing domain controllers (nTDSDSA object), however, is not moved to the ‘Deleted Objects’ container until after 14 days and retains all attributes fully populated.

Because the object that represents the domain controller (the nTDSDSA object) is not moved to the ‘Deleted Objects’ container but stays in its default location, Configuration container > Sites > sitename > Servers > {servername}, marked isDeleted=TRUE (and therefore invisible in the user interface), the name of a demoted or deleted domain controller must not be re-used until the nTDSDSA object has been moved to the ‘Deleted Objects’ container and that move has replicated to all domain controllers.

Resolution

It is possible to change the default value of the time before a demoted/deleted nTDSDSA object is moved to the ‘Deleted Objects’ container by doing the following:

WARNING: Incorrect use of ADSIEdit can have serious consequences for Active Directory.

1. Open AdsiEdit.msc and browse to:
2. Configuration Container > Services > Windows NT > Directory Services
3. Right-click the Directory Services object and select Properties.
4. Change the attribute replTopologyStayOfExecution from <not set> to 1.
With this change in place, a demoted/deleted domain controller's name can be reused after 1 day plus the time needed to replicate the move to the ‘Deleted Objects’ container to all DCs in the forest.

Additionally, you can use LDP to check for the deleted objects: enable the “Return Deleted Objects” option, and the demoted/deleted domain controllers should then be visible in the ‘Deleted Objects’ container. Yet another option is to use metadata cleanup to remove failed DCs from Active Directory; a guide on how to do this can be found here: http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx.
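The following PowerShell script is an added example, not code from the original article. It does the same checks the article describes with LDP and ADSIEdit from the command line: it reads the current replTopologyStayOfExecution value, lists nTDSDSA objects that are flagged isDeleted=TRUE but still sit under CN=Sites (the lingering objects that block name reuse), reports whether a given server name is safe to reuse, and applies the article's step 4 with -WhatIf support so the write can be rehearsed first. It assumes the ActiveDirectory RSAT module and an account that can read (and, for the Set function, write) the Configuration partition; the object the article calls "Directory Services" is addressed here by its DN CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC>, and the server name 'DC03' at the bottom is a placeholder.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DirectoryServiceDn {
    # DN of the object that holds replTopologyStayOfExecution.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
}

function Get-ReplTopologyStayOfExecution {
    # Returns $null when the attribute is <not set>, i.e. the 14-day default applies.
    (Get-ADObject -Identity (Get-DirectoryServiceDn) -Properties replTopologyStayOfExecution).replTopologyStayOfExecution
}

function Get-LingeringNtdsDsa {
    # nTDSDSA objects marked isDeleted=TRUE that are still under CN=Sites, not in
    # CN=Deleted Objects. Without -IncludeDeletedObjects LDAP hides them, which is
    # why they are invisible in ADSIEdit and LDP by default.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$configNc" -SearchScope Subtree `
        -LDAPFilter '(&(objectClass=nTDSDSA)(isDeleted=TRUE))' `
        -IncludeDeletedObjects -Properties isDeleted, whenChanged |
    ForEach-Object {
        # "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,..." -> parent RDNs
        $parts = $_.DistinguishedName -split '(?<!\\),'
        [pscustomobject]@{
            Server      = $parts[1] -replace '^CN=', ''
            Site        = $parts[3] -replace '^CN=', ''
            WhenChanged = $_.whenChanged
            DN          = $_.DistinguishedName
        }
    }
}

function Test-DcNameReusable {
    # Answers "can I promote a DC with this name yet?" for one server name.
    param([Parameter(Mandatory)][string]$ServerName)
    $soe  = Get-ReplTopologyStayOfExecution
    $days = if ($null -eq $soe) { 14 } else { [int]$soe }
    $hits = @(Get-LingeringNtdsDsa | Where-Object { $_.Server -ieq $ServerName })
    if ($hits.Count -eq 0) {
        return [pscustomobject]@{
            Server = $ServerName; Reusable = $true
            Detail = "no lingering nTDSDSA object; stay of execution is $days day(s)"
        }
    }
    # whenChanged is not replicated, so this estimate reflects only the DC queried.
    $earliest = ($hits | ForEach-Object { $_.WhenChanged.AddDays($days) } | Sort-Object)[-1]
    return [pscustomobject]@{
        Server = $ServerName; Reusable = $false
        Detail = "deleted nTDSDSA still under Sites in '$($hits[0].Site)'; expected move to " +
                 "Deleted Objects around $earliest, then allow time for replication"
    }
}

function Set-ReplTopologyStayOfExecution {
    # Applies the article's step 4. Supports -WhatIf / -Confirm.
    # Values are in days; AD caps the effective value at half the tombstone lifetime.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(1, 365)][int]$Days = 1)
    $dn = Get-DirectoryServiceDn
    if ($PSCmdlet.ShouldProcess($dn, "Set replTopologyStayOfExecution=$Days")) {
        Set-ADObject -Identity $dn -Replace @{ replTopologyStayOfExecution = $Days }
    }
}

# Usage ('DC03' is a placeholder server name):
Get-LingeringNtdsDsa | Format-Table Server, Site, WhenChanged
Test-DcNameReusable -ServerName 'DC03'
Set-ReplTopologyStayOfExecution -Days 1 -WhatIf
```

Run the read-only functions against more than one DC (Get-ADObject accepts -Server) before trusting a "Reusable" result: the move to ‘Deleted Objects’ must have replicated everywhere, and whenChanged is a local, non-replicated attribute, so the estimate above can differ between DCs. Drop -WhatIf only once the change has been agreed, since it alters forest-wide Configuration data.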
