Cannot delete AD object using ldp.exe. 'Not allowed on Non-leaf' error returned

Asked by PaudhlLambert:

Hello Experts,

I hope you can help with this annoying problem?
The background to this is as follows:

I have a Small Business Server 2003 Premium Edition and a Virtual 2003 Server Standard Edition setup in MS Virtual Server on the SBS, acting as a Terminal Server.

To cut a long story short, I was setting up a Group Policy for the Terminal Server, got it wrong and decided to start from scratch.
In the process of setting up the GP I moved the Terminal Server Computer Object into a new OU called Maslows Terminal Servers, which I was going to apply the policy to.

When I decided to start again, I deleted the Terminal Servers OU, BUT forgot to move the Terminal Server Computer Object out first.

I now have what appears to be an orphaned object called Terminal Servers in the My Business folder, which I can't delete.
It also means that I can't recreate the Terminal Server Computer Object as AD replies that the object already exists in the domain.

When I try to delete the object from the Users and Computers mmc I get the following error:

"Windows cannot delete object Terminal Servers because: The specified directory service attribute or value does not exist."

I have changed the owner of the object to the administrator account with full control which made no difference

I have run ldp.exe and can see the object in the LDAP tree and tried to delete it from there.
I get the following return:

deleting "OU=Maslows Terminal Servers,OU=MyBusiness,DC=Maslows,DC=local"...
Error <66>: failed to delete 'OU=Maslows Terminal Servers,OU=MyBusiness,DC=Maslows,DC=local'. {Not allowed on Non-leaf}.
Server error: 0000208C: UpdErr: DSID-030A0491, problem 6003 (CANT_ON_NON_LEAF), data 0

      deleted 0 entries

I am drawing a blank now when searching for anything relevant on 'Non-leaf'.

My questions are:

1.  Is there any way I can recreate the Terminal Server Computer Object with the issue I have outstanding?
2.  Should I be deleting the orphaned object anyway? If so, how do I do it?

Regards
Paul
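
The ldp.exe output quoted above carries two layers of error information: the LDAP result code that ldp.exe prints in angle brackets (66 is notAllowedOnNonLeaf in RFC 4511 terms) and the directory's extended error string (Win32 code, category, DSID, problem number and name). The following Python parser is an added example, not code from the original thread or from ldp.exe; its sample strings are the lines quoted in this thread (the "Not allowed on Non-leaf" block above and the "Insufficient Rights" block that appears later in the discussion), and its LDAP and Win32 name tables cover only the codes that occur here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the ldp.exe output quoted in this thread, verbatim.
NON_LEAF_OUTPUT = """\
deleting "OU=Maslows Terminal Servers,OU=MyBusiness,DC=Maslows,DC=local"...
Error <66>: failed to delete 'OU=Maslows Terminal Servers,OU=MyBusiness,DC=Maslows,DC=local'. {Not allowed on Non-leaf}.
Server error: 0000208C: UpdErr: DSID-030A0491, problem 6003 (CANT_ON_NON_LEAF), data 0
"""
ACCESS_OUTPUT = """\
ldap_delete_ext_s(ld, 'OU=Maslows Terminal Servers,OU=MyBusiness,DC=Maslows,DC=local', SvrCtrls, ClntCtrls);
Error: Delete: Insufficient Rights. <50>
Server error: 00000005: SecErr: DSID-03151D12, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
"""

# LDAP result codes (RFC 4511) and Win32 error names for the values seen in this thread.
LDAP_RESULT_NAMES = {50: "insufficientAccessRights", 66: "notAllowedOnNonLeaf"}
WIN32_ERROR_NAMES = {0x5: "ERROR_ACCESS_DENIED", 0x208C: "ERROR_DS_CANT_ON_NON_LEAF"}

# ldp.exe prints the LDAP result code in angle brackets on the "Error" line, in either
# the "Error <66>: ..." form or the "Error: Delete: ... <50>" form.
CLIENT_RE = re.compile(r"^Error\b.*<(\d+)>", re.MULTILINE)
# The directory's extended error: Win32 code, category (UpdErr/SecErr/...), DSID, problem, data.
SERVER_RE = re.compile(
    r"^Server error: ([0-9A-Fa-f]{8}): (\w+): DSID-([0-9A-Fa-f]+), "
    r"problem (\d+) \((\w+)\), data (\d+)",
    re.MULTILINE,
)
# The DN the operation targeted, quoted in single or double quotes on the first line.
DN_RE = re.compile(r"""['"]((?:OU|CN|DC)=[^'"]+)['"]""")


@dataclass
class LdpError:
    target_dn: Optional[str]
    ldap_code: Optional[int]
    ldap_name: Optional[str]
    win32_code: Optional[int]
    win32_name: Optional[str]
    category: Optional[str]
    dsid: Optional[str]
    problem: Optional[int]
    problem_name: Optional[str]
    data: Optional[int]


def parse_ldp_error(text: str) -> LdpError:
    """Parse one ldp.exe failure block into its client-side and server-side fields."""
    dn = DN_RE.search(text)
    client = CLIENT_RE.search(text)
    server = SERVER_RE.search(text)
    ldap_code = int(client.group(1)) if client else None
    win32 = int(server.group(1), 16) if server else None
    return LdpError(
        target_dn=dn.group(1) if dn else None,
        ldap_code=ldap_code,
        ldap_name=LDAP_RESULT_NAMES.get(ldap_code),
        win32_code=win32,
        win32_name=WIN32_ERROR_NAMES.get(win32),
        category=server.group(2) if server else None,
        dsid=server.group(3) if server else None,
        problem=int(server.group(4)) if server else None,
        problem_name=server.group(5) if server else None,
        data=int(server.group(6)) if server else None,
    )


if __name__ == "__main__":
    for sample in (NON_LEAF_OUTPUT, ACCESS_OUTPUT):
        print(parse_ldp_error(sample))
```

The problem name (CANT_ON_NON_LEAF versus INSUFF_ACCESS_RIGHTS) is the field worth keying on when triaging such failures, because it stays stable while the wording of the client-side "Error" line varies between the two forms ldp.exe prints; the DSID identifies the source location inside the directory service and is mainly useful when searching Microsoft's documentation for a given failure.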
ChiefIT:

I made a similar mistake a long time ago. My memory isn't good, so your best bet is to call Microsoft.

I found an active directory object called TSinternetuser. I didn't know what it was, so I deleted it. It is a built-in user account for terminal services. In your case, it may be easier for you to resolve this problem.

You have what is called a tombstone record left in Active directory. I have an article that explains the four stages of a deleted active directory object.

Please review the following information to understand the tombstone record.
1) Phantom, Tombstone, and the AD infrastructure master. (explains the four stages of a Deleted SID).
http://support.microsoft.com/kb/248047

To straighten this out, you will need two things. One is the ability to use DCDIAG and the second is the NTDSUTIL. Both utilities are found in the 2003 Server Support Tools.

DCDIAG will show you the tombstone record. The NTDSUTIL is a command prompt utility that will allow you to remove metadata from the AD database. Metadata is defined as data left over from an improperly deleted AD object.

2) How to remove metadata from AD:(Use of the NTDSUTIL)
 http://support.microsoft.com/kb/230306
or preferably,
http://www.petri.co.il/fix_unsuccessful_demotion.htm

Once the tombstone object is deleted, then you have to reregister the computer in AD. To do this, I think you will have to rejoin the domain. I can't remember how I reregistered TSinternetuser, because it was a user account. This is where we differ in the process to fix your problem. I had a user account, you have what appears to be a computer account for your terminal server.

I hope this information helps.

John

By The Way:

If your Terminal server is your DC or serves other purposes, you might want to relay this information first. I am going under the assumption that your terminal server is a separate entity. If not, we may need to take a more passive approach to this fix.

Also, the reason I say contact Microsoft is because of the differences between your problem and my past problem. Further, I don't remember how we got the TSinternetuser account back into AD.

PaudhlLambert (asker):

Hello ChiefIT

Sorry for the delay in replying, I've just got onto site.

Thanks for your comments and possible solutions.
I shall give these a go today and get back with the results.

The Terminal Server is a separate Virtual Server so, if worst comes to worst, I can delete the whole thing and start again, as I am just setting it up anyway now.

I will be back soon with results.

Thanks,
Paul

Hi ChiefIT,

Well, I've run NTDSUTIL without success.
The 'deleted' server is not listed, so there's nothing to remove there.

I have also tried repadmin /removelingeringobjects but get the following error:
DsRepicaVerifyObjectsW() failed with status 8440 (0x20f8):
Can't retrieve message string 8440 (0x20f8), error 1815

Also, the Terminal Server computer doesn't show in LDAP or LostandFound.

So I am out of ideas at this stage now.

Thanks for trying,
Paul

I was just researching your NON LEAF error and found this article:

http://support.microsoft.com/kb/244344

where it says:

"NOTE: You can delete only "leaf" objects in this manner. If you attempt to delete an object that is not empty, you receive an error message similar to the following message:
Error: Delete: Not allowed on non-leaf. <66>
Therefore, to delete a container object, you must delete all objects in the container."

Hmm, I see your dilemma.

Error <66>: failed to delete 'OU=Maslows Terminal Servers,OU=MyBusiness,DC=Maslows,DC=local'. {Not allowed on Non-leaf}.
Server error: 0000208C: UpdErr: DSID-030A0491, problem 6003 (CANT_ON_NON_LEAF), data 0

As you said, you are trying to delete an OU that was not empty. The error should have prevented you from deleting the OU. (Your error does say 0 entries deleted).

Correct me if I am wrong on any of this:
You have no GUI for either the server or the OU.
You can see the tombstone of the OU in LDP.exe
But, you can't see any instances of the server's GUI.

Let me rephrase this:

Correct me if I am wrong on any of this:
Under Active Directory Users and Computers snapin, you have no GUI for either the server or the OU.
You can see the tombstone of the OU in LDP.exe
But, you can't see anything of the server by using DCdiag, NTDSUTIL or LDP.exe meaning it may be in the phantom state.

To straighten this out, we need to get rid of the server metadata first. Then, we need to get rid of the OU metadata. You have two active directory objects that have the GUIs deleted, not one.

Once done, we will need to rejoin the domain. By rejoining, I mean we will need to Unjoin the domain and bring it to a workgroup, delete DNS records of the server, rejoin the domain.

You once mentioned blowing away the computer and coming up with a fresh VM image. The problem is in active directory, not on the terminal server. So, it won't do you much good.
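
KB244344, quoted in the post above, states the rule behind error 66: an LDAP delete succeeds only on a leaf, so a container must be emptied first, or deleted with the server's Tree Delete control (OID 1.2.840.113556.1.4.805, which ldp.exe exposes as a subtree delete). The following Python model is an added example, not code from the original thread; it keeps a toy in-memory tree built from the DNs quoted in this thread plus a constructed placeholder computer object (the terminal server's real name is not given here), and it models only the leaf rule and the control, not tombstone or phantom state.

```python
from typing import Iterable, List, Set

# LDAP result codes (RFC 4511) that appear in this thread's ldp.exe output.
SUCCESS = 0
NO_SUCH_OBJECT = 32
NOT_ALLOWED_ON_NON_LEAF = 66

# Microsoft's Tree Delete server control (LDAP_SERVER_TREE_DELETE_OID); when a client
# sends it, the server removes the descendants itself before removing the container.
TREE_DELETE_OID = "1.2.840.113556.1.4.805"


def split_rdns(dn: str) -> List[str]:
    """Split a DN into RDNs at unescaped commas (backslash escapes per RFC 4514)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep an escape pair intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return [r.strip() for r in rdns]


def normalize(dn: str) -> str:
    """Canonical form for comparison: trimmed RDNs, lower-cased (AD DNs are case-insensitive)."""
    return ",".join(split_rdns(dn)).lower()


class Directory:
    """Minimal in-memory stand-in for the directory tree, enforcing the leaf-only delete rule."""

    def __init__(self, dns: Iterable[str]):
        self.entries: Set[str] = {normalize(d) for d in dns}
        self.removed: List[str] = []          # removal order, deepest entries first

    def descendants(self, dn: str) -> List[str]:
        key = normalize(dn)
        return [e for e in self.entries if e.endswith("," + key)]

    def delete(self, dn: str, controls: Iterable[str] = ()) -> int:
        """Model of ldap_delete_ext_s: returns an LDAP result code."""
        key = normalize(dn)
        if key not in self.entries:
            return NO_SUCH_OBJECT
        below = self.descendants(key)
        if below and TREE_DELETE_OID not in set(controls):
            return NOT_ALLOWED_ON_NON_LEAF     # the <66> the question hit
        # A true leaf, or Tree Delete requested: remove deepest entries first, then the container.
        for entry in sorted(below, key=lambda e: len(split_rdns(e)), reverse=True):
            self.entries.remove(entry)
            self.removed.append(entry)
        self.entries.remove(key)
        self.removed.append(key)
        return SUCCESS


def manual_delete_order(directory: Directory, container: str) -> List[str]:
    """The KB244344 approach: everything under the container, deepest first, then the container."""
    below = directory.descendants(container)
    return sorted(below, key=lambda e: len(split_rdns(e)), reverse=True) + [normalize(container)]


# Constructed sample tree: the DNs quoted in the thread plus a placeholder computer object.
OU_DN = "OU=Maslows Terminal Servers,OU=MyBusiness,DC=Maslows,DC=local"
COMPUTER_DN = "CN=TERMSRV-PLACEHOLDER," + OU_DN
SAMPLE_DNS = ["DC=Maslows,DC=local", "OU=MyBusiness,DC=Maslows,DC=local", OU_DN, COMPUTER_DN]


def demo() -> dict:
    """Plain delete of the OU fails with 66; the same delete with Tree Delete succeeds."""
    d = Directory(SAMPLE_DNS)
    plain = d.delete(OU_DN)
    tree = d.delete(OU_DN, controls=[TREE_DELETE_OID])
    return {"plain": plain, "tree_delete": tree, "removed": d.removed}


if __name__ == "__main__":
    print(demo())
    print(manual_delete_order(Directory(SAMPLE_DNS), OU_DN))
```

The model makes the point of the error explicit: the OU is refused not because anything is wrong with the OU itself, but because the directory still holds an entry beneath it. That is why a plain delete keeps returning 66 even when the child is no longer visible in the usual snap-ins, and why either removing the child first or asking the server to delete the subtree is the only path to success.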

Hi ChiefIT

I'm sorry I haven't checked in over the weekend, but just seen your additional posts now.

I am back on site tomorrow so will have another look at this and get back again then.

Thanks again for persisting with this!

Paul

Hi ChiefIT,

Just checking ldp.exe again;

In ldp.exe:
There is an instance (phantom), but no GUID, of the OU.
There is no instance (or GUID) of the server itself.

In ADUC:
There is a tombstone of the OU in ADUC\MyBusiness, but no other instances of the server in ADUC.

However, the server is residual in AD somewhere as I cannot recreate the same server or OU without getting the following message:

Windows cannot create the object........ because: an attempt was made to add an object to the directory with a name that is already in use.

In DCdiag, no references.
In NTDSUTIL there is no instance of the server to remove.

As you say, the problem lies in the AD on the DC, and at the moment I too can only see one way of resolving this, which I am very reluctant to do.

Paul

See if removing your DNS records helps. If Active Directory DNS, it may be holding onto some cached version of the Active Directory object.

OK, I will give that a go on Tuesday - it's a Bank Holiday weekend here now.

Thanks again

Paul

Hi ChiefIT,

Well, I'm afraid that made no difference.
I removed the DNS server and reinstalled it and the object is still there.

Never mind, it was worth a try.

Thanks

Paul

Paul:

I am going to look into the alternatives to nuking AD. Give me a little bit.

John

Here is an explanation of your problem:

http://support.microsoft.com/kb/244344

The GUI:
You have deleted the GUI of a NON-Leaf object in AD. So, both GUIs have been deleted. One is for the machine. The second is for the OU. So, they can not be seen in ADUC snapin.

Tombstone:
The OU is in a tombstoned state.

Phantom:
The machine is in a phantom state.

Problem:
Since the machine is in the phantom state, it is considered an AD object. So, LDP.EXE can not be used to delete the OU because it is a NON-LEAF Object.

Provide this explanation to the blog below.
_____________________________________________________________________
I think you should post a question on this blog:
http://forums.devshed.com/ldap-programming-76/operation-not-allowed-on-non-leaf-226395.html

They are more experienced in programming AD using various means and could probably tell you exactly what to do. I see your predicament, but don't know EXACTLY how to fix it. I think they will.

ASKER CERTIFIED SOLUTION
ChiefIT:
Once done with the above, you will have to do the same on all AD servers within the domain.
Hi ChiefIT,

Gosh, thanks for your persistence with this!!
I have had a look at the link and as you say, that seems to be the answer to the problem here.
I am onsite tomorrow, so will give it a go then and report back with hopefully good news.

Paul

Hi ChiefIT,

I'm sorry it's taken so long to get back, but I have now tried deleting using the above method and got the following message in ldp.exe:

ldap_delete_ext_s(ld, 'OU=Maslows Terminal Servers,OU=MyBusiness,DC=Maslows,DC=local', SvrCtrls, ClntCtrls);
Error: Delete: Insufficient Rights. <50>
Server error: 00000005: SecErr: DSID-03151D12, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

The Administrator is a member of Enterprise Administrators and I am definitely binding as Administrator in ldp, but perhaps I need to add any special permissions to perform this?

It seems I am so close, but so far at the moment!

Thanks
Paul

I am researching. Sorry for the delay.

OK:
This is what I am thinking. You don't have the authority of writing to the schema. If the administrator is a member of the schema administrators group, you might have to enable writing to the schema in order for it to work.

http://windowsitpro.com/article/articleid/73965/jsi-tip-2645-schema-administrator-requires-new-registry-value-name-to-enable-a-write-operation-to-the-schema.html

Hi ChiefIT,

Thanks for that info.
I changed the registry settings as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Schema Update Allowed (1)
Schema Delete Allowed (1) (not mentioned in the article above but I thought it might be relevant here)

I then tried to delete the OU and got the following response:

ldap_delete_ext_s(ld, 'OU=Maslows Terminal Servers,OU=MyBusiness,DC=Maslows,DC=local', SvrCtrls, ClntCtrls);
Error: Delete: Insufficient Rights. <50>
Server error: 00000005: SecErr: DSID-03151D12, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0l

Slightly different to the last message in that there is a 0l rather than 0 at the end, the rest is identical.
I shall have a look around to see if anything relates to this error.

Paul

One more thing...

I have been having a think about this and looked at a Microsoft article relating to other INSUFF_ACCESS_RIGHTS issues which can be caused by incorrect name resolution and inheritable permission problems:

http://support.microsoft.com/kb/254030

As part of my security policy here I have renamed the Administrator account and am wondering if that might be a possible reason for these errors?

Paul

"As part of my security policy here I have renamed the Administrator account and am wondering if that might be a possible reason for these errors?"

Does this renamed account have access rights to edit the AD schema? I think there is a Schema admin group under ADUC.

Hi ChiefIT

Yes, the renamed Administrator account is a member of the Schema Admins group.

Well Paul:

I have searched high and low. I have come up with a few ideas, but need to know what computer is the SCHEMA MASTER. Is it this DC? If not, you may have to run this utility on the Schema Master and then replicate the change down to this DC.

Hi ChiefIT,

The schema master is the Small Business Server (DC).
The Terminal Server is on a virtual Windows 2003 Server which is a member server of the domain.

Look forward to hearing your ideas.
Paul

Paul, if this is a terminal server, and you have an AD problem, go to the PDCe with roles and run this utility to remove the AD objects. Then, replicate the AD changes down to all other Domain controllers. This terminal server, as a member server, doesn't hold the AD database. I think that's why we are getting an access denied error.

Hi ChiefIT,

I can confirm that all of the above instructions have been performed on the DC.
I haven't run any of the utilities on the terminal server.
To clarify there is one physical server, a 2003 Small Business Server with MS Virtual Server, and one virtual 2003 Server which is the terminal server hosted on the MS Virtual Server.
There are no other DCs.

Paul

Paul: I requested help, because I am as stuck as you are. Someone will hopefully bring you an answer. You could also make this a neglected question to bring more attention to it.

Hi ChiefIT,

Thanks for all your help and for going many extra miles than was expected!!
I shall wait for a couple of days and then elevate to a neglected question.
I do think that you have offered all the possible solutions that would usually work and that the only other solution is the inevitable start from scratch option.
If I don't hear anything in a week I am happy to allocate at least half points to you for all your efforts - is that acceptable to you?

Paul

You know I will continue to look:

I wonder if a restore would work to make these objects easier to get rid of.
http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx

And here is a GUI shell to view AD:
http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx

Hi ChiefIT,

I am sorry for not posting back before.
I am afraid this server is no longer available as the company involved has in fact closed down now.
I thought there was something strange going on!

What to do with the points?
I would like to close the question and have it available for others to view as I am sure that all your suggestions would solve 95% of issues related to this area of AD.
So I am more than happy to award you the points.

Thanks again
Paul

Thanks Paul for the update:

Thought we had it on a number of occasions.