Community Pick: Many members of our community have endorsed this article.

Why not to re-use DC names:

Published:
There existed a problem in Windows 2000 and Windows Server 2003 prior to Service Pack 1 where the NTDS Settings container was not removed after successful demotion of a domain controller until after 14 days.  This would prevent a domain controller of the same name being introduced into Active Directory.

This problem can also be seen in newer versions of Active Directory Services if the replTopologyStayOfExecution setting has been set, so all domain administrators may benefit from this article.


Cause

Active Directory objects that are deleted are normally moved to the 'Deleted Objects' container.  Attributes that are not required for replication are removed.

The Active Directory object representing domain controllers (nTDSDSA object), however, is not moved to the 'Deleted Objects' container until after 14 days and retains all attributes fully populated.

As the object in Active Directory that represents the domain controller (the nTDSDSA object) is not moved to the 'Deleted Objects' container, but remains in its default location Configuration container > Sites > sitename > Servers > {servername} marked as iSDelete3d=TRUE (and thereby invisible in the user interface) , the name of a demoted or deleted domain controller must not be re-used until the nTDSDSA objects have been moved to the 'Deleted Objects' container and replication to all domain controllers has completed.


Resolution

It is possible to change the default value of the time before a demoted/deleted nTDSDSA object is moved to the 'Deleted Objects' container by doing the following:

WARNING: Incorrect use of ADSIEdit can have serious consequences for Active Directory.

1.      Open AdsiEdit.msc and browse to:
2.      Configuration Container  > Services > Windows NT > Directory Services
3.      Right click on the Directory Services object and select properties
4.      Change the following attribute replTopologyStayOfExecution from <notset> to 1.
   
 replTopologyStayOfExecution

Now that this has been changed a demoted/deleted domain controllers name can be reused after 1 day + time to replicate the move to 'Deleted Objects' container to all DCs in the forest.


Additionally, you can use LDP to check for the deleted objects. To do that you need to "check" the "Return Deleted Objects" option.  Then, you should be able to see the demoted / deleted domain controllers in the 'Deleted Objects' container.  And yet another option would be to use the Metadata cleanup tool to delete failed DCs from Active Directory - a guide on how to do this can be found here: http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx.
6
8,933 Views

Comments (5)

AwinishSenior Solution Architect

Commented:
Great article..Nice info.

Author

Commented:
Thank you :)
AwinishSenior Solution Architect

Commented:
We will be looking more & esp on 2k8.
AwinishSenior Solution Architect

Commented:
Your article solved the problem of one of the user, i knew the answer,but didn't have document, so i pointed to your article & it worked.

https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26614850.html

Brilliant..:)

Author

Commented:
Super :)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.

Get access with a 7-day free trial.
You Belong in the World's Smartest IT Community