Novell is now a part of Micro Focus

My Favorites


Please to see your favorites.

How to Remove DSfW Server in Child Domain and the Child Domain

This document (7012738) is provided subject to the disclaimer at the end of this document.


Novell Open Enterprise Server 11.1 (OES11SP1)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows


How to Remove  DSfW Server in Child Domain and the Child Domain


This TID gives instructions on how to remove a DSfW Child Domain.
For removing a DSfW server, Domain, and Forest (removing DSfW from the eDirectory Tree) then follow TID 7005431.
To remove an ADC (Additional Domain Controller), only the DSfW objects directly related to the DSfW server need to be removed (ncp server, ldap, certificate objects, object in the Domain Controllers container, etc).

If the Domain Controller is functioning, please use the script in the Additional Information section that can be downloaded at

Delete the following objects in the child domains.  If an object has child objects, delete the child objects first.

Deleted Objects
Program Data
NTDS Quotas
Domain Controllers container

On the container where the domain was mapped, remove the extentions domainDNS and xadFlags

Delete the following attributes on the container where the domain was mapped.

In the parent domain in the cn=users container an object with the name of the child domain will exist.  It will have a $ at the end of the name of the object.  This object represents the trust set up between the parent and child domain.  Delete this object.

Additional Information

A removal script can be downloaded at for OES2SP2 and OES2SP3 at
A new removal script,, has been created for all versions including OES11 and OES11SP1 can also be downloaded at  The can be used on a ADC or PDC.  Warning, if used on a PDC it will remove the DSfW domain.  Transfer the FSMO roles before running on a PDC if there is an ADC and the DSfW domain is to be retained in the eDirectory tree.

There is a -f switch that can used in some partially configured situations, but it depending on how far the install has gone it may or may not work.

The new removal script also requires the manual removal of some trustee assignments if removing the DSfW Domain, not just the server.
Start with [This] trustees from the mapped container (usually the O)
It should only have three ACLs, you can verify only these three attributes are listed.  If that is the case then remove the entire [This] ACL
ACL: 4#subtree#[This]#dBCSPwd
ACL: 4#subtree#[This]#unicodePwd
ACL: 4#subtree#[This]#supplementalCredentials
If you see [Root] listed as a trustee for the mapped container, remove it.


This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7012738
  • Creation Date:28-JUN-13
  • Modified Date:30-OCT-13
    • NovellOpen Enterprise Server
    • SUSESUSE Linux Enterprise Server
    • NetIQeDirectory

Did this document solve your problem? Provide Feedback