
Why not to re-use DC names:

There was a problem in Windows 2000 and Windows Server 2003 prior to Service Pack 1 where the NTDS Settings container was not removed after successful demotion of a domain controller until 14 days had passed. This prevented a domain controller of the same name from being introduced into Active Directory.

This problem can also be seen in newer versions of Active Directory Services if the replTopologyStayOfExecution setting has been set, so all domain administrators may benefit from this article.


Cause

Active Directory objects that are deleted are normally moved to the 'Deleted Objects' container.  Attributes that are not required for replication are removed.

The Active Directory object representing domain controllers (nTDSDSA object), however, is not moved to the 'Deleted Objects' container until after 14 days and retains all attributes fully populated.

Because the object that represents the domain controller (the nTDSDSA object) is not moved to the 'Deleted Objects' container but remains in its default location, Configuration container > Sites > sitename > Servers > {servername}, marked as isDeleted=TRUE (and thereby invisible in the user interface), the name of a demoted or deleted domain controller must not be re-used until the nTDSDSA object has been moved to the 'Deleted Objects' container and that move has replicated to all domain controllers.


Resolution

It is possible to change the default value of the time before a demoted/deleted nTDSDSA object is moved to the 'Deleted Objects' container by doing the following:

WARNING: Incorrect use of ADSIEdit can have serious consequences for Active Directory.

1.      Open AdsiEdit.msc and browse to Configuration Container > Services > Windows NT > Directory Services
2.      Right click on the Directory Services object and select Properties
3.      Change the attribute replTopologyStayOfExecution from <notset> to 1

Now that this has been changed, a demoted/deleted domain controller's name can be reused after 1 day plus the time it takes to replicate the move to the 'Deleted Objects' container to all DCs in the forest.


Additionally, you can use LDP to check for the deleted objects: tick the "Return Deleted Objects" option, and you should then be able to see the demoted/deleted domain controllers in the 'Deleted Objects' container. Yet another option is to use the Metadata cleanup tool to delete failed DCs from Active Directory; a guide on how to do this can be found here: http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx.
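As an added example (not part of the original article), the same check and change done with the ActiveDirectory PowerShell module instead of ADSIEdit and LDP. It assumes the RSAT ActiveDirectory module is installed, that the account running it may modify the Configuration partition, and that the lingering nTDSDSA object's parent is the server object, as the article describes.

```powershell
# Added example, not from the article: inspect lingering nTDSDSA objects and
# optionally set replTopologyStayOfExecution with the ActiveDirectory module.
# Assumes RSAT and rights to edit the Configuration naming context.
Import-Module ActiveDirectory

$rootDse    = Get-ADRootDSE
$configNc   = $rootDse.configurationNamingContext
# DN of the Directory Service object that carries replTopologyStayOfExecution
$dsSettings = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

# 1. Show the current stay-of-execution value (empty = default of 14 days)
$current = Get-ADObject -Identity $dsSettings -Properties replTopologyStayOfExecution
"Current replTopologyStayOfExecution: $($current.replTopologyStayOfExecution)"

# 2. List nTDSDSA objects that are already deleted (isDeleted=TRUE) but still
#    sit under their site's Servers container: these block re-use of the name.
$lingering = Get-ADObject -SearchBase "CN=Sites,$configNc" -IncludeDeletedObjects `
    -LDAPFilter "(&(objectClass=nTDSDSA)(isDeleted=TRUE))" `
    -Properties whenChanged, isDeleted

foreach ($obj in $lingering) {
    # Assumption: the server object is the parent of the NTDS Settings object,
    # so the second RDN of the DN is the former domain controller's name.
    $server = ($obj.DistinguishedName -split ',')[1] -replace '^CN=', ''
    "Still present under Sites: $server (last changed $($obj.whenChanged))"
}

# 3. Lower the stay of execution to 1 day, as the article describes.
#    Runs with -WhatIf first; remove it only after reviewing the output above.
Set-ADObject -Identity $dsSettings -Replace @{ replTopologyStayOfExecution = 1 } -WhatIf
```

Run step 2 again after the move has replicated; once the list is empty on every DC, the name can be re-used.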
LVL 24

Expert Comment

by:Awinish
Great article..Nice info.
0
 
LVL 7

Author Comment

by:ms-pro
Thank you :)
0
 
LVL 24

Expert Comment

by:Awinish
We will be looking more & esp on 2k8.
0
 
LVL 24

Expert Comment

by:Awinish
Your article solved the problem of one of the users. I knew the answer, but didn't have a document, so I pointed to your article & it worked.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26614850.html

Brilliant..:)
0
 
LVL 7

Author Comment

by:ms-pro
Super :)
0
