How to Remove DSfW Server in Child Domain and the Child Domain

  • 7012738
  • 28-Jun-2013
  • 30-Oct-2013

Environment

Novell Open Enterprise Server 11.1 (OES11SP1)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSFW

Situation

How to Remove DSfW Server in Child Domain and the Child Domain

Resolution

This TID gives instructions on how to remove a DSfW child domain.
To remove a DSfW server, domain, and forest (removing DSfW from the eDirectory tree), follow TID 7005431.
To remove an ADC (Additional Domain Controller), only the DSfW objects directly related to the DSfW server need to be removed (ncp server, ldap, certificate objects, object in the Domain Controllers container, etc.).

If the Domain Controller is functioning, please use the script in the Additional Information section that can be downloaded at dsfwdude.com.

Delete the following objects in the child domains.  If an object has child objects, delete the child objects first.

Builtin
Computers
DefaultMigrationContainer
Deleted Objects
ForeignSecurityPrincipals
Program Data
System
Users
Infrastructure
LostAndFound
NTDS Quotas
Domain Controllers container
OESSystemObjects 

On the container where the domain was mapped, remove the extensions domainDNS and xadFlags.
DO NOT REMOVE THE PARTITION.

Delete the following attributes on the container where the domain was mapped.
rIDManagerReference
TrustPosixOffset
wellKnownObjects
xad-Domain-Flag

In the parent domain in the cn=users container an object with the name of the child domain will exist.  It will have a $ at the end of the name of the object.  This object represents the trust set up between the parent and child domain.  Delete this object.

Additional Information

A removal script for OES2SP2 and OES2SP3 can be downloaded at dsfwdude.com.
A new removal script, ndsdcrmx.pl, has been created for all versions, including OES11 and OES11SP1, and can also be downloaded at dsfwdude.com.  ndsdcrmx.pl can be used on an ADC or a PDC.  Warning: if used on a PDC it will remove the DSfW domain.  Transfer the FSMO roles before running it on a PDC if there is an ADC and the DSfW domain is to be retained in the eDirectory tree.

There is a -f switch that can be used in some partially configured situations, but depending on how far the install has gone it may or may not work.

The new removal script also requires the manual removal of some trustee assignments if removing the DSfW domain, not just the server.
Start with the [This] trustee on the mapped container (usually the O).
It should have only three ACLs; verify that only these three attributes are listed.  If that is the case, remove the entire [This] ACL.
ACL: 4#subtree#[This]#dBCSPwd
ACL: 4#subtree#[This]#unicodePwd
ACL: 4#subtree#[This]#supplementalCredentials
If you see [Root] listed as a trustee for the mapped container, remove it.
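
The verification described above (that [This] holds only the three listed ACLs, and whether [Root] is a trustee) can be scripted before anything is removed. The following is an added example, not part of this TID or of ndsdcrmx.pl; the function name audit_mapped_acl, the sample input and its admin DN are constructed, and it assumes the mapped container's ACL values have already been exported as unfolded "ACL: ..." lines.

```shell
#!/bin/bash
# Added example (not from the TID): audit a mapped container's ACL values
# before removing the [This] trustee.
# Input on stdin: unfolded LDIF lines such as "ACL: 4#subtree#[This]#dBCSPwd".
# Output: "this=<expected|unexpected|absent> root=<present|absent>".
audit_mapped_acl() {
    awk -F'#' '
        BEGIN {
            # The three attributes the TID says [This] should hold.
            want["dbcspwd"] = 1
            want["unicodepwd"] = 1
            want["supplementalcredentials"] = 1
        }
        /^ACL: / {
            trustee = tolower($3)
            attr = tolower($4)
            sub(/[ \t\r]+$/, "", attr)      # tolerate trailing blanks / CR
            if (trustee == "[root]") root = 1
            if (trustee != "[this]") next
            total++
            # Only the exact form shown in the TID counts as expected.
            if ($1 == "ACL: 4" && $2 == "subtree" && (attr in want)) seen[attr] = 1
            else extra = 1
        }
        END {
            for (a in want) if (!(a in seen)) missing = 1
            if (!total)                 this = "absent"
            else if (extra || missing)  this = "unexpected"
            else                        this = "expected"
            printf "this=%s root=%s\n", this, (root ? "present" : "absent")
        }
    '
}

# Constructed sample input; the [Root] and admin lines are invented for illustration.
sample_acl='ACL: 4#subtree#[This]#dBCSPwd
ACL: 4#subtree#[This]#unicodePwd
ACL: 4#subtree#[This]#supplementalCredentials
ACL: 2#entry#[Root]#[Entry Rights]
ACL: 31#subtree#cn=admin,o=example#[All Attributes Rights]'

printf '%s\n' "$sample_acl" | audit_mapped_acl
```

A result of this=unexpected means the [This] trustee carries something other than exactly the three listed ACLs, so review it by hand rather than removing the whole [This] ACL.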