Novell is now a part of Micro Focus

My Favorites


Please to see your favorites.

How to Remove a DSfW server, Domain, and Forest

This document (7005431) is provided subject to the disclaimer at the end of this document.


Novell Open Enterprise Server 11 (OES11)
Novell Open Enterprise Server 11.1 (OES11SP1)
Novell Open Enterprise Server 2 SP2 (OES2SP2)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows


Single DSFW domain.
Server crashed, now need to clean up eDirectory  tree to prepare to install new DSfW Forest and Domain.

How to remove DSFW Domain Controller, Domain, and Forest and re-install a DSFW Forest, Domain and Domain Controller. 


Instructions on cleaning up eDirectory after a DSfW server is removed.  This will prepare the tree so that a new DSfW server,Domain, and Forest can be installed on a new OES2 SP3 or OES11.x server. 

Do not use this TID to remove an Additional Domain Controller (ADC) or Child Domain.  For an ADC only the DSfW object directly related to the DSfW server need to be removed (ncp server, ldap, certificate objects, etc).
For the PDC in a Child Domain follow TID 7012738.

If the Domain Controller is functioning, please use the script in the Additional Information section that can be downloaded from
  1. Make an existing server the master of all partitions and remove the DSfW server from the rings.  See TID 7002415 to designate a new server as the master of a partition.

  1. Merge the child partitions into the domain partition.
        First merge the schema partition into the configuration partition.
        Then merge the configuration partition into the domain partition.
        After merging the partitions delete the Schema and Configuration containers.

    Note: Make sure that there's still a Master server for the domain partition.

  2. Delete the server object, ssl certificate objects, and ldap objects.

  3. Delete all DSfW created objects.
    Delete these objects and the child objects to these containers.  The Users container might have additional users created by the administrator.  If those users are to be retained, move them to another container outside the DSfW domain. Users located in the domain, but not in one of the following containers can me left in their existing contianer.
        The containers that are created by DSFW are as follows:
           dn: ou=Domain Controllers,<DomainDN> 
           dn: ou=OESSystemObjects,<DomainDN> for OES2SP2
           dn: ou=novell,<DomainDN> for OES2SP1
           dn: cn=Builtin,<DomainDN>
           dn: cn=Configuration,<DomainDN>
           dn: cn=Computers,<DomainDN>
           dn: cn=DefaultMigrationContainer,<DomainDN>
           dn: cn=Deleted Objects,<DomainDN>
           dn: cn=ForeignsSecurityPrincipals,<DomainDN>
           dn: cn=NTDS Quotas,<DomainDN>
           dn: cn=System,<DomainDN>
           dn: cn=Users,<DomainDN>
           dn: cn=Infrastructure,<DomainDN>
           dn: cn=LostAndFound,<DomainDN>
           dn: cn=Program Data,<DomainDN>

  1. Remove the aux class "domainDNS" and "xadFlags" (depending on the patch level "xad-Domain-Flag" might be present instead of "xadFlags") from the domain partition root.  Since domainDNS and xadFlags are aux classes, to remove them go to the extentions of the object.   
    For Console One right click on the container, select extensions of this object, select the domainDNS aux class and click remove Extension.  Do the same for xadFlags.
    For iManager click the Schema role, Object Extensions task, browse to the container, select the domainDNS aux class and click remove.  Do the same for xadFlags.  Note: xadFlags is new starting oes2sp3.

  1. Remove the following ACLs from the partition where DSfW is installed
    For Console One right click on the container, select Trustees of this object, select the assigned trustee, click Assigned Rights, and remove the property right.  If you wish to remove a trustee completely like [Root], select the trustee and click Delete Trustee.
    For iManager click the Rights role, Modify Trustees task, browse to the container, check the box next to the trustee you wish to modify, click assigned rights, check the box next to the property right you wish to remove, and click Remove Seletected.

     ACL: 1#subtree#[Public]#cn
     ACL: 3#subtree#[Root]#[All Attributes Rights] (SP3 will list each attribute, remove all attributes)
     ACL: 4#subtree#[This]#dBCSPwd
     ACL: 4#subtree#[This]#unicodePwd
     ACL: 4#subtree#[This]#supplementalCredentials
     ACL: 3#subtree#[Root]#userCertificate;binary
     ACL: 3#subtree#[Root]#cACertificate;binary

  2. Check that the following attributes have been removed from the partition where DSfW is installed.  If these attributes exist, remove them.
    In Console One go to the properties of the container, other tab, select the attribute you wish to remove and click Delete.
    In iManager Modify the container object, click the General tab, click 'other' underneath the General tab, select the attribute you wish to remove and click Delete.

  3. These attributes should not cause an issue with OES11 re-isintalls, but will cause and issue with OES2SP3 and earlier.
    If re-installing OES2SP3 DSfW call Novell Support to have these attributes removed.  Since they are Read Only they can not be removed with standard tools.

Additional Information

A removal script can be downloaded at for OES2SP2 and OES2SP3 at
A new removal script,, has been created for all versions including OES11 and OES11SP1 can also be downloaded at  The can be used on a ADC or PDC.  Warning, if used on a PDC it will remove the DSfW domain.  Transfer the FSMO roles before running on a PDC if there is an ADC and the DSfW domain is to be retained in the eDirectory tree.

There is a -f switch that can used in some partially configured situations, but it depending on how far the install has gone it may or may not work.

The new removal script also requires the manual removal of some trustee assignments if removing the DSfW Domain, not just the server.
Start with [This] trustees from the mapped container (usually the O)
It should only have three ACLs, you can verify only these three attributes are listed.  If that is the case then remove the entire [This] ACL
ACL: 4#subtree#[This]#dBCSPwd
ACL: 4#subtree#[This]#unicodePwd
ACL: 4#subtree#[This]#supplementalCredentials
If you see [Root] listed as a trustee for the mapped container, remove it.


This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7005431
  • Creation Date:03-MAR-10
  • Modified Date:02-JUN-16
    • NovellOpen Enterprise Server
    • NetIQeDirectory

Did this document solve your problem? Provide Feedback