Cool Solutions

Removing DSfW Domain Controllers


May 12, 2015 11:45 am






The ndsdcrm tool for removing a domain controller (DC) from a DSfW domain

1.0 Introduction

The purpose of this article is to help a DSfW administrator decommission a domain controller from the domain. This may be needed when the hardware has become very old, when the server has been affected by malware or a virus that has slowed it down, or when the domain simply no longer needs as many domain controllers.

A DSfW server has many eDirectory objects associated with it. These objects are organized to represent the organizational structure and are interconnected in various ways to support domain operations. Removing an existing server from the domain is therefore difficult, because it requires detailed knowledge of the server's existing configuration. Here, "decommissioning an existing server" means the complete removal from eDirectory of all objects associated with that server. We have written a script (attached to this Cool Solution) that is executed on the server to be decommissioned and takes care of removing all the objects associated with it.

The script applies to all types of domain controllers, whether the first domain controller in the domain or an additional one.

2.0 Prerequisites

Before removing an existing DSfW server from the domain, verify the following. Do not run the removal script until all three checks pass:

  • Time is synchronized correctly across all the DCs in the domain.

    – Run the following command to check time synchronization:

    # /opt/novell/eDirectory/bin/ndsrepair -T -Ad
  • The replica ring is healthy, with all replicas in sync, across all the servers in the domain.

    – Run the following command to check replica synchronization:

    # /opt/novell/eDirectory/bin/ndsstat -r
  • All services are up and running on the active DSfW servers.

    – Run the following command:

    # xadcntrl validate

3.0 How to execute the script on the server

The following steps explain how to run the script on the DSfW server that is to be removed:

  • Copy the script to a local directory on that DSfW server.
  • Check the permissions on the script; it must be executable. Use the following command to grant execute permission:

    # chmod +x
  • The script can then be executed as ./ from the command prompt.
  • The script is interactive: it prompts for the Tree administrator credentials, the Domain administrator credentials, and confirmation at various stages of the removal. Read each prompt before answering, because the confirmations cover deletions that cannot be undone. For example:

    >>> Enter cn=administrator,cn=users,dc=nnmsp,dc=com’s password:

    >>> Enter cn=Administrator,cn=Users,dc=cd,dc=nnmsp,dc=com’s password:

    2014-05-07 12:13:05 >>> WARNING: The domain has parent-child trust with its parent domain. The administrator of parent domain must remove this trust using the Microsoft Management Console (MMC).

    2014-05-07 12:13:05 >>> The server ‘cdc’ is the only domain controller residing in ‘’. Removing this server will remove the domain ‘’. Are you sure you want to remove it? [y/n]


    2014-05-07 12:13:13 >>> WARNING: All objects present in the cn=Users,DC=cd,DC=nnmsp,DC=com (cn=Users,DC=cd,DC=nnmsp,DC=com) container will be deleted. Do you wish to continue? [y/n]:


  • When the script completes, the server has been removed from the domain and the message "Domain Services for Windows server removed successfully" is displayed:

    2014-05-07 12:16:20 >>> Cleaning Domain Services objects

    2014-05-07 12:16:20 >>> Refreshing LDAP server

    2014-05-07 12:16:59 >>> Domain Services for Windows server removed successfully

  • The message "Domain Services for Windows server removal failed" is displayed when the server's objects were only partially removed from the domain. The administrator then needs to resolve the reported error to ensure that the server is removed completely. A log file, /var/log/ndsdcrm.log, is created and provides the details of the failure.
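As an added example (it is not part of the ndsdcrm tool or of the original article), the following Python script summarises a removal run from its logged output: the final status, every WARNING the tool raised (the trust that must be removed by hand in MMC, the container whose contents were deleted) and whether the domain itself went with the server. The line format "<date> <time> >>> <message>" and the WARNING, success and failure wording are taken from the output quoted above; the sample log embedded in the script is constructed, with the domain name (blank in the transcript above) filled in for illustration. Point it at /var/log/ndsdcrm.log on the decommissioned server to review what was actually done.

```python
#!/usr/bin/env python3
"""Summarise an ndsdcrm removal run from its logged output.

Added example; not part of the ndsdcrm tool. The line format
'<YYYY-MM-DD HH:MM:SS> >>> <message>' and the WARNING / success /
failure wording come from the console output quoted in this article.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) >>> (?P<msg>.*)$")
CONTAINER_RE = re.compile(r"All objects present in the (\S+) ")
SUCCESS_MSG = "Domain Services for Windows server removed successfully"
FAILURE_MSG = "Domain Services for Windows server removal failed"

# Constructed sample in the article's format. The domain name, which the
# article's transcript leaves blank, is filled in here for illustration only.
SAMPLE_LOG = """\
>>> Enter cn=administrator,cn=users,dc=nnmsp,dc=com's password:
>>> Enter cn=Administrator,cn=Users,dc=cd,dc=nnmsp,dc=com's password:
2014-05-07 12:13:05 >>> WARNING: The domain has parent-child trust with its parent domain. The administrator of parent domain must remove this trust using the Microsoft Management Console (MMC).
2014-05-07 12:13:05 >>> The server 'cdc' is the only domain controller residing in 'cd.nnmsp.com'. Removing this server will remove the domain 'cd.nnmsp.com'. Are you sure you want to remove it? [y/n]
2014-05-07 12:13:13 >>> WARNING: All objects present in the cn=Users,DC=cd,DC=nnmsp,DC=com (cn=Users,DC=cd,DC=nnmsp,DC=com) container will be deleted. Do you wish to continue? [y/n]:
2014-05-07 12:16:20 >>> Cleaning Domain Services objects
2014-05-07 12:16:20 >>> Refreshing LDAP server
2014-05-07 12:16:59 >>> Domain Services for Windows server removed successfully
"""


@dataclass
class RunSummary:
    status: str = "incomplete"      # "success", "failed", or "incomplete" (no final message logged)
    warnings: List[str] = field(default_factory=list)
    containers_deleted: List[str] = field(default_factory=list)
    domain_removed: bool = False    # server was the last DC, so the whole domain was removed
    first_ts: Optional[str] = None
    last_ts: Optional[str] = None


def parse_ndsdcrm_log(text: str) -> RunSummary:
    """Walk the log once and collect what an administrator should review afterwards."""
    summary = RunSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # password prompts and blank lines carry no timestamp
        ts, msg = m.group("ts"), m.group("msg")
        summary.first_ts = summary.first_ts or ts
        summary.last_ts = ts
        if msg.startswith("WARNING:"):
            summary.warnings.append(msg)
            c = CONTAINER_RE.search(msg)
            if c:
                summary.containers_deleted.append(c.group(1))
        if "Removing this server will remove the domain" in msg:
            summary.domain_removed = True
        if msg.startswith(SUCCESS_MSG):
            summary.status = "success"
        elif msg.startswith(FAILURE_MSG):
            summary.status = "failed"
    return summary


def exit_code(summary: RunSummary) -> int:
    """0 only for a logged success; an interrupted run counts as a failure too."""
    return 0 if summary.status == "success" else 1


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    s = parse_ndsdcrm_log(text)
    print(f"status: {s.status} ({s.first_ts} .. {s.last_ts})")
    print(f"domain removed with server: {s.domain_removed}")
    for w in s.warnings:
        print(f"warning: {w}")
    for dn in s.containers_deleted:
        print(f"container emptied: {dn}")
    return exit_code(s)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 ndsdcrm_summary.py /var/log/ndsdcrm.log`; with no argument it runs against the embedded sample. A non-zero exit for both "failed" and "incomplete" is deliberate: a run that stopped before the final message may have deleted objects without finishing, and should be investigated the same way as a logged failure.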

4.0 Merge option ( -m )

The script also merges the domain and other partitions that were created when the DSfW server was installed. These merge operations, called from the script, can take a long time in setups with many domain controllers. For such situations the script provides an option (-m) that lets the administrator merge the partitions outside the script using eDirectory operations.

5.0 Known Issues

  • Decommissioning a domain controller sometimes leaves "Unknown Objects" in the tree. Delete these objects to prevent errors when a domain controller is re-installed.
  • When re-installing DSfW on a decommissioned machine, make sure the following services are in the configure or reconfigure state:

    1. LDAP Configuration for Open Enterprise Server

    2. Linux User Management

    3. Novell DNS services

    4. Novell Storage Services

    5. Netware Core Protocol Server

    6. Storage Management Services

    Some DSfW objects associated with these services (LUM, for example) are not created unless the service is in the configure or reconfigure state, and the DSfW re-installation then fails. This failure is seen only when the server was decommissioned with the ndsdcrm tool.

6.0 Conclusion:

Until now, removing a DSfW domain controller has been a very tedious task. With this script we think administrators can speed up the process considerably.



Categories: Cool Tools, Open Enterprise Server, Technical

Disclaimer: This content is not supported by Micro Focus. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

1 Comment

  1. By:lpphiggp

    Right off the bat, the script is too vague, for an entry which has no mention on this page. The first step was:
    “Enter the IP address of the eDirectory server”.
    WHICH eDirectory server? The master of the partition? A separate LDAP server? Or the DSfW server? If the latter, why not simply specify “the DSfW server”? But since the script should be run on the DSfW server itself, it seems superfluous to ask for the IP when it could easily get that info itself.
    Well, that’s what I entered, I hope it works.
    Also, it seems to be merging partitions even though I didn’t specify the -m option.