ndsdcrm tool for removing a domain controller (DC) from a DSfW domain
The purpose of this tool is to help a DSfW administrator decommission a domain controller from the domain. This may be needed when the hardware has become very old, when the server has been slowed down by malware or a virus, or simply because fewer domain controllers are required.
A DSfW server has many eDirectory objects associated with it. These objects are organized to represent the organizational structure and are inter-connected in various ways to support domain operations, so removing an existing server from the domain is difficult and requires detailed knowledge of the server's existing configuration. Here "decommissioning an existing server" means the complete removal from eDirectory of all the objects associated with that server. We have written a script called ndsdcrmx.pl (attached to this cool solution) that is executed on the server to be decommissioned and takes care of removing all the objects associated with it.
The script applies to all types of domain controllers, whether the first domain controller or an additional one.
Before removing an existing DSfW server from the domain, verify the following:
- Time synchronization across all the DCs in the domain is correct.
– Run the following command to check time synchronization:
# /opt/novell/eDirectory/bin/ndsrepair -T -Ad
- The replica ring is active across all the servers in the domain.
– Run the following command to check replica synchronization:
# /opt/novell/eDirectory/bin/ndsstat -r
- All the services are up and running on the active DSfW servers.
– Run the following command to validate them:
# xadcntrl validate
3.0 How to execute the script on the server
The following steps describe how to execute the script on the DSfW server to be removed:
- Copy the script (ndsdcrmx.pl) to a local directory on the DSfW server.
Check the permissions on the script; it must be executable. Use the following command to make it executable:
# chmod +x ndsdcrmx.pl
- Run the script as ./ndsdcrmx.pl from the command prompt.
- The script is interactive: it asks for various inputs such as the Tree administrator credentials and the Domain administrator credentials, and asks for confirmation at various stages of the server removal. For example:
>>> Enter cn=administrator,cn=users,dc=nnmsp,dc=com’s password:
>>> Enter cn=Administrator,cn=Users,dc=cd,dc=nnmsp,dc=com’s password:
2014-05-07 12:13:05 >>> WARNING: The domain has parent-child trust with its parent domain. The administrator of parent domain must remove this trust using the Microsoft Management Console (MMC).
2014-05-07 12:13:05 >>> The server ‘cdc’ is the only domain controller residing in ‘cd.nnmsp.com’. Removing this server will remove the domain ‘cd.nnmsp.com’. Are you sure you want to remove it? [y/n]
2014-05-07 12:13:13 >>> WARNING: All objects present in the cn=Users,DC=cd,DC=nnmsp,DC=com (cn=Users,DC=cd,DC=nnmsp,DC=com) container will be deleted. Do you wish to continue? [y/n]:
- When the script completes, the server has been removed from the domain and the success message "Domain Services for Windows server removed successfully" is displayed on the screen:
2014-05-07 12:16:20 >>> Cleaning Domain Services objects
2014-05-07 12:16:20 >>> Refreshing LDAP server
2014-05-07 12:16:59 >>> Domain Services for Windows server removed successfully
- The failure message "Domain Services for Windows server removal failed" appears when the server objects were not completely removed from the domain. The administrator must then resolve the reported error to ensure that the server is removed completely from the domain. A log file, /var/log/ndsdcrm.log, is created and provides details of the failure.
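As an added example (not part of the article or of the ndsdcrmx.pl script), the Python below summarizes a captured run transcript in the timestamped ">>>" format shown above: it reports the outcome, the elapsed time, and the WARNING lines the administrator must follow up on, such as the parent-child trust that the script leaves for the parent-domain administrator. The sample transcripts are constructed from the lines quoted in this article, and it is an assumption that /var/log/ndsdcrm.log uses the same line format.

```python
import re
from datetime import datetime

# Constructed sample transcripts, modelled on the console lines quoted in the article.
SAMPLE_SUCCESS = """\
2014-05-07 12:13:05 >>> WARNING: The domain has parent-child trust with its parent domain. The administrator of parent domain must remove this trust using the Microsoft Management Console (MMC).
2014-05-07 12:13:13 >>> WARNING: All objects present in the cn=Users,DC=cd,DC=nnmsp,DC=com (cn=Users,DC=cd,DC=nnmsp,DC=com) container will be deleted. Do you wish to continue? [y/n]:
2014-05-07 12:16:20 >>> Cleaning Domain Services objects
2014-05-07 12:16:20 >>> Refreshing LDAP server
2014-05-07 12:16:59 >>> Domain Services for Windows server removed successfully
"""
SAMPLE_FAILURE = """\
2014-05-07 12:20:00 >>> Cleaning Domain Services objects
2014-05-07 12:20:41 >>> Domain Services for Windows server removal failed
"""

SUCCESS_MSG = "Domain Services for Windows server removed successfully"
FAILURE_MSG = "Domain Services for Windows server removal failed"
# Only timestamped '>>>' lines are events; untimestamped prompts (passwords) are ignored.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) >>> (.*)$")

def parse_events(text):
    """Return a list of (timestamp, is_warning, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2).strip()
        is_warning = msg.startswith("WARNING:")
        events.append((ts, is_warning, msg[len("WARNING:"):].strip() if is_warning else msg))
    return events

def summarize_run(text):
    """Classify the run and collect what the administrator must follow up on."""
    events = parse_events(text)
    messages = [msg for _, _, msg in events]
    if FAILURE_MSG in messages:
        outcome = "failed"      # consult /var/log/ndsdcrm.log and finish the cleanup by hand
    elif SUCCESS_MSG in messages:
        outcome = "success"
    else:
        outcome = "incomplete"  # no final message: the run was interrupted or is still going
    warnings = [msg for _, is_warning, msg in events if is_warning]
    elapsed = (events[-1][0] - events[0][0]).total_seconds() if events else 0.0
    # The script does not remove a parent-child trust; the parent-domain admin must do it in MMC.
    needs_trust_cleanup = any("parent-child trust" in w for w in warnings)
    return {"outcome": outcome, "warnings": warnings, "elapsed_s": elapsed, "needs_trust_cleanup": needs_trust_cleanup}
```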
4.0 Merge option (-m)
The script can also merge the domain partition and the other partitions created while installing the DSfW server. When these merge operations are run from the script they can take a long time in setups with many domain controllers, so for such situations the administrator is given the option of merging the partitions outside the script using eDirectory operations.
- Partitions can be merged manually using iManager.
- Use the -m option when the administrator wants the script to merge the partitions:
– # perl ndsdcrmx.pl -m (merge through the script)
5.0 Known Issues
- Sometimes decommissioning a domain controller results in "Unknown Objects" in the tree. Delete these objects to prevent errors when a domain controller is re-installed.
- When re-installing DSfW on a decommissioned machine, make sure that the following services are in the configure or reconfigure state:
1. LDAP Configuration for Open Enterprise Server
2. Linux User Management
3. Novell DNS services
4. Novell Storage Services
5. NetWare Core Protocol Server
6. Storage Management Services
Some of the DSfW objects associated with these services (for example LUM) are not created if the service is not in the configure or reconfigure state, and the DSfW re-installation then fails. This failure is seen only when the server was decommissioned with the ndsdcrm tool.
Until now, removing a DSfW domain controller was a very tedious task. With this script we believe administrators can speed up the process considerably.