

Why not to re-use DC names:

There existed a problem in Windows 2000 and in Windows Server 2003 prior to Service Pack 1 where the NTDS Settings object (the nTDSDSA object) of a successfully demoted domain controller was not removed until 14 days after the demotion.  During that time a domain controller with the same name could not be introduced into Active Directory.

The same behaviour can also be seen in newer versions of Active Directory if the replTopologyStayOfExecution attribute has been set, so all domain administrators may benefit from this article.


Active Directory objects that are deleted are normally moved to the 'Deleted Objects' container immediately, and the attributes that are not required for replication are stripped from them.

The object that represents a domain controller (the nTDSDSA object), however, is not moved to the 'Deleted Objects' container until 14 days have passed, and it retains all of its attributes fully populated during that time.

Because the nTDSDSA object is not moved to the 'Deleted Objects' container but remains in its default location (Configuration container > Sites > sitename > Servers > {servername}) marked with isDeleted=TRUE (and is therefore invisible in the user interface), the name of a demoted or deleted domain controller must not be re-used until the nTDSDSA object has been moved to the 'Deleted Objects' container and that move has replicated to all domain controllers.


It is possible to change the default number of days before a demoted/deleted nTDSDSA object is moved to the 'Deleted Objects' container by doing the following:

WARNING: Incorrect use of ADSIEdit can have serious consequences for Active Directory.

1.      Open AdsiEdit.msc and browse to: Configuration Container > Services > Windows NT > Directory Service
2.      Right-click the Directory Service object and select Properties.
3.      Change the attribute replTopologyStayOfExecution from <not set> to 1 (the value is in days).

Once this has been changed, a demoted/deleted domain controller's name can be re-used after 1 day plus the time it takes to replicate the move to the 'Deleted Objects' container to all DCs in the forest.

Additionally, you can use LDP to check for the deleted objects: tick the "Return Deleted Objects" option and you should then be able to see the demoted/deleted domain controllers in the 'Deleted Objects' container.  Yet another option is to use the metadata cleanup procedure (ntdsutil) to remove failed DCs from Active Directory; a guide on how to do this can be found here: http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx.
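The following PowerShell is an added example, not code from the original article.  It does in one script what the article describes by hand: it reads and (optionally) sets replTopologyStayOfExecution on the Directory Service object, and it searches the Configuration partition, including deleted objects (the PowerShell equivalent of LDP's "Return Deleted Objects"), for every server and nTDSDSA object that represents a given DC name, reporting whether each one still blocks re-use of that name.  It assumes the RSAT ActiveDirectory module on a domain-joined host, rights to write the Configuration partition for the Set function, and the distinguished name CN=Directory Service,CN=Windows NT,CN=Services,<Configuration NC>; the function names are this example's own.

```powershell
# Added example (not from the original article).  Requires the ActiveDirectory
# module (RSAT).  Setting replTopologyStayOfExecution needs write access to the
# Configuration partition (Enterprise Admins by default).
Import-Module ActiveDirectory

$configNc  = (Get-ADRootDSE).configurationNamingContext
# Object that carries replTopologyStayOfExecution ("Directory Service" in ADSIEdit).
$dsSvcDn   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$deletedDn = "CN=Deleted Objects,$configNc"
$DefaultStayDays = 14   # behaviour when the attribute is <not set>

function Get-StayOfExecutionDays {
    # Configured stay of execution in days; 14 when the attribute is not set.
    $v = (Get-ADObject -Identity $dsSvcDn -Properties replTopologyStayOfExecution).replTopologyStayOfExecution
    if ($null -eq $v) { $DefaultStayDays } else { [int]$v }
}

function Set-StayOfExecutionDays {
    # Same change as the ADSIEdit steps above; supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$Days)
    if ($PSCmdlet.ShouldProcess($dsSvcDn, "set replTopologyStayOfExecution=$Days")) {
        Set-ADObject -Identity $dsSvcDn -Replace @{ replTopologyStayOfExecution = $Days }
    }
}

function Get-DcNameObjects {
    # Every server / nTDSDSA object in the Configuration NC that represents $DcName:
    # live, deleted-but-lingering (isDeleted=TRUE, still under Sites) or tombstoned.
    param([Parameter(Mandatory)][string]$DcName)
    # Objects moved to Deleted Objects get their RDN mangled to "<cn>\0ADEL:<guid>";
    # a tombstoned NTDS Settings object only remembers its DC through lastKnownParent.
    $rdn = "(^|,)CN=$([regex]::Escape($DcName))(\\0ADEL:[^,]+)?,"
    Get-ADObject -SearchBase $configNc -SearchScope Subtree -IncludeDeletedObjects `
        -LDAPFilter '(|(objectClass=server)(objectClass=nTDSDSA))' `
        -Properties isDeleted, lastKnownParent, whenChanged |
      Where-Object { $_.DistinguishedName -match $rdn -or $_.lastKnownParent -match $rdn }
}

function Test-DcNameReusable {
    # Prints each object found and returns $true only if none of them blocks the name.
    # Run it against more than one DC: the move to Deleted Objects must replicate.
    param([Parameter(Mandatory)][string]$DcName)
    $stay = Get-StayOfExecutionDays
    $rows = foreach ($o in Get-DcNameObjects -DcName $DcName) {
        $status = if (-not $o.isDeleted) {
                      'Live: DC still exists or metadata has not been cleaned'
                  } elseif ($o.DistinguishedName -notlike "*,$deletedDn") {
                      # Deleted but still in place: this is the stay-of-execution case.
                      # Expiry is estimated from the deletion timestamp plus the configured days.
                      'Deleted, lingering under Sites; blocked until about {0:yyyy-MM-dd}' -f $o.whenChanged.AddDays($stay)
                  } else {
                      'Tombstone in Deleted Objects: does not block the name'
                  }
        [pscustomobject]@{
            Name   = $o.Name
            Blocks = ($status -notlike 'Tombstone*')
            Status = $status
            DN     = $o.DistinguishedName
        }
    }
    $rows | Format-Table -AutoSize | Out-Host
    return -not ($rows | Where-Object Blocks)
}

# Usage (names are placeholders):
#   Get-StayOfExecutionDays
#   Set-StayOfExecutionDays -Days 1 -WhatIf
#   Test-DcNameReusable -DcName 'DC02'
```

The name is safe to re-use only when Test-DcNameReusable returns $true on every domain controller you can reach, which is the replication caveat the article makes; a lingering object with isDeleted=TRUE that has not yet been moved is exactly what the user interface hides and what a plain LDAP search without the deleted-objects control will not show.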

Expert Comment

Great article..Nice info.

Author Comment

Thank you :)

Expert Comment

We will be looking into this more, especially on 2k8.

Expert Comment

Your article solved the problem of one of the users. I knew the answer but didn't have documentation, so I pointed to your article and it worked.



Author Comment

Super :)
