How to Remove a DSfW server, Domain, and Forest

  • 7005431
  • 03-Mar-2010
  • 06-Sep-2018

Environment

Novell Open Enterprise Server 11 (OES11)
Novell Open Enterprise Server 11.1 (OES11SP1)
Novell Open Enterprise Server 2 SP2 (OES2SP2)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Novell Open Enterprise Server 2015.1 (OES2015.1)
Novell Open Enterprise Server 2018 (OES2018)
Domain Services for Windows
DSfW

Situation

Single DSfW domain.
The server crashed; the eDirectory tree now needs to be cleaned up to prepare for installing a new DSfW Forest and Domain.
How to remove a DSfW Domain Controller, Domain, and Forest and re-install a DSfW Forest, Domain and Domain Controller.

Resolution

Instructions on cleaning up eDirectory after a DSfW server is removed. This will prepare the tree so that a new DSfW server, Domain, and Forest can be installed on a new OES 2015.1 or 2018 server.

Do not use this TID to remove an Additional Domain Controller (ADC) or Child Domain. For an ADC only the DSfW objects directly related to the DSfW server need to be removed (NCP server, LDAP, certificate objects, etc.).
For the PDC in a Child Domain follow TID 7012738.

For OES 11 and older only: If the Domain Controller is functioning, use the script instead of the manual procedure. See the Additional Information section for details; the script can be downloaded from dsfwdude.com.
  1. Make an existing server the master of all partitions and remove the DSfW server from the rings. 
    See TID 7002415 to designate a new server as the master of a partition.

  2. Merge the child partitions into the domain partition.
    1. Merge the schema partition into the configuration partition.
    2. For OES 2015 and newer: Merge the <servername>.Servers.Site-One.Sites.Configuration.<domain>.<TLD> partition into the parent partition. Example: DSFW1.Servers.Site-One.Sites.Configuration.Provo-Lab.int
    3. Merge the configuration partition into the domain partition.
    4. After merging the partitions, delete the Schema and Configuration containers.
Note: Make sure that there is still a Master server for the domain partition.
  3. Shut down the DSfW server permanently.

  4. Delete the server object, SSL certificate objects, and LDAP objects.

  5. Delete all DSfW-created objects.
    Delete these objects and the child objects of these containers. The Users container might have additional users created by the administrator. If those users are to be retained, move them to another container outside the DSfW domain first! Users located in the domain, but not in one of the following containers, can be left in their existing container. The containers that are created by DSfW are as follows:

dn: ou=Domain Controllers,<DomainDN> 
dn: ou=OESSystemObjects,<DomainDN>
dn: ou=novell,<DomainDN> for OES2SP1 ONLY
dn: cn=Builtin,<DomainDN>
dn: cn=Configuration,<DomainDN>
dn: cn=Computers,<DomainDN>
dn: cn=DefaultMigrationContainer,<DomainDN>
dn: cn=Deleted Objects,<DomainDN>
dn: cn=ForeignSecurityPrincipals,<DomainDN>
dn: cn=NTDS Quotas,<DomainDN>
dn: cn=System,<DomainDN>
dn: cn=Users,<DomainDN>
dn: cn=Infrastructure,<DomainDN>
dn: cn=LostAndFound,<DomainDN>
dn: cn=Program Data,<DomainDN>
  6. Remove the aux classes "domainDNS" and "xadFlags" (depending on the patch level, "xad-Domain-Flag" might be present instead of "xadFlags") from the domain partition root. Since domainDNS and xadFlags are aux classes, remove them through the extensions of the object.
    For ConsoleOne, right-click the container, select Extensions of this Object, select the domainDNS aux class and click Remove Extension. Do the same for xadFlags.
    For iManager, click the Schema role, Object Extensions task, browse to the container, select the domainDNS aux class and click Remove. Do the same for xadFlags. Note: xadFlags is new starting with OES2SP3.

  7. Remove the following ACLs from the partition where DSfW is installed:
For ConsoleOne, right-click the container, select Trustees of this Object, select the assigned trustee, click Assigned Rights, and remove the property right. If you wish to remove a trustee completely, such as [Root], select the trustee and click Delete Trustee.
For iManager, click the Rights role, Modify Trustees task, browse to the container, check the box next to the trustee you wish to modify, click Assigned Rights, check the box next to the property right you wish to remove, and click Remove Selected.

ACL: 1#subtree#[Public]#cn
ACL: 4#subtree#[This]#dBCSPwd
ACL: 4#subtree#[This]#unicodePwd
ACL: 4#subtree#[This]#supplementalCredentials
ACL: 3#subtree#[Root]#[All Attributes Rights] (OES11SP3 ONLY - each attribute is listed: remove all attributes)
ACL: 3#subtree#[Root]#userCertificate;binary 
ACL: 3#subtree#[Root]#cACertificate;binary
  8. Check that the following attributes have been removed from the partition where DSfW is installed. If any of these attributes exist, remove them.
    In ConsoleOne, go to the properties of the container, Other tab, select the attribute you wish to remove and click Delete.
    In iManager, modify the container object, click the General tab, click Other underneath the General tab, select the attribute you wish to remove and click Delete.
gPlink
isCriticalSystemObject
modifiedCount
modifiedCountAtLastProm
ms-DS-MachineAccountQuota
msDS-AllUsersTrustQuota
msDS-PerUserTrustQuota
msDS-PerUserTrustTombstonesQuota
ms-DS-Behavior-Version
nTMixedDomain
rIDManagerReference
serverState
systemFlags
uASCompat
  9. These attributes should not cause an issue with OES11 re-installs, but will cause an issue with OES2SP3 and earlier.
    If re-installing OES2SP3 DSfW, call Novell Support to have these attributes removed. Since they are read-only, they cannot be removed with standard tools.
nextRid
objectSid
uniqueDomainID
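As an added verification aid that is not part of this TID, the following Python script checks an LDIF export of the partition root for the leftovers described above: the domainDNS/xadFlags aux classes, the [Public]/[This]/[Root] ACLs, and the listed attributes (the read-only ones reported separately). The container name in the constructed sample is hypothetical, and the ACL value layout privileges#scope#trustee#attribute is assumed from the ACL lines in this TID.

```python
import re
# Names below are the ones this TID lists; they are compared case-insensitively on the partition root.
DSFW_ATTRS = {"gplink", "iscriticalsystemobject", "modifiedcount", "modifiedcountatlastprom", "ms-ds-machineaccountquota",
              "msds-alluserstrustquota", "msds-perusertrustquota", "msds-perusertrusttombstonesquota",
              "ms-ds-behavior-version", "ntmixeddomain", "ridmanagerreference", "serverstate", "systemflags", "uascompat"}
READ_ONLY_ATTRS = {"nextrid", "objectsid", "uniquedomainid"}   # only Novell Support can remove these (OES2SP3 and earlier)
DSFW_AUX_CLASSES = {"domaindns", "xadflags", "xad-domain-flag"}
DSFW_ACL_TRUSTEES = {"[this]", "[root]"}   # assumed eDirectory ACL value format: privileges#scope#trustee#attribute
DSFW_PUBLIC_ACL = "1#subtree#[public]#cn"

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}; joins folded lines, skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        m = re.match(r"^([^:]+):(?::)? ?(.*)$", line)   # "attr: value" or "attr:: base64" (kept encoded)
        if m:
            entry.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return entry

def _is_dsfw_acl(value):
    parts = value.split("#")
    return value.lower() == DSFW_PUBLIC_ACL or (len(parts) == 4 and parts[2].lower() in DSFW_ACL_TRUSTEES)

def find_dsfw_residue(entry):
    """Return the DSfW leftovers on a partition-root entry, grouped by the TID's cleanup steps."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return {"aux_classes": sorted(classes & DSFW_AUX_CLASSES),
            "attributes": sorted(set(entry) & DSFW_ATTRS),
            "read_only_attributes": sorted(set(entry) & READ_ONLY_ATTRS),
            "acls": sorted(v for v in entry.get("acl", []) if _is_dsfw_acl(v))}

# Constructed sample: a partition root after a partial cleanup (the container name is hypothetical).
SAMPLE_LDIF = """# extended LDIF
dn: o=provo-lab
objectClass: domainDNS
objectClass: xadFlags
nTMixedDomain: 0
objectSid:: AQUAAAAA
 AAUVAAAA
ACL: 1#subtree#[Public]#cn
ACL: 4#subtree#[This]#unicodePwd
ACL: 3#subtree#[Root]#userCertificate;binary
ACL: 16#subtree#cn=admin,o=provo-lab#[All Attributes Rights]
"""
```

Feed it the base-scope ldapsearch output of the <DomainDN> object (request the ACL attribute explicitly if your server does not return it by default); every non-empty list in the result is something still to be removed.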

Additional Information

A removal script for OES2SP2 and OES2SP3 can be downloaded at dsfwdude.com.
A new removal script, ndsdcrmx.pl, has been created for all versions including OES11 and OES11SP1 and can also be downloaded at dsfwdude.com. The ndsdcrmx.pl script can be used on an ADC or PDC. Warning: if used on a PDC it will remove the DSfW domain. Transfer the FSMO roles before running it on a PDC if there is an ADC and the DSfW domain is to be retained in the eDirectory tree.

There is a -f switch that can be used in some partially configured situations, but depending on how far the install has gone it may or may not work.

The new removal script also requires the manual removal of some trustee assignments if removing the DSfW Domain, not just the server.
Start with the [This] trustee on the mapped container (usually the O).
It should only have three ACLs; verify that only these three attributes are listed. If that is the case, remove the entire [This] ACL:
ACL: 4#subtree#[This]#dBCSPwd
ACL: 4#subtree#[This]#unicodePwd
ACL: 4#subtree#[This]#supplementalCredentials
Note: If you see [Root] listed as a trustee for the mapped container, remove it.