Removing DSfW Domain Controllers
ndsdcrm tool for removing a domain controller (DC) from a DSfW domain
The purpose of this tool is to help the DSfW administrator decommission a domain controller from the domain. This may be needed when the hardware has become very old, when the server has been impacted by malware or a virus that has slowed it down, or when the requirement for the server no longer exists.
A DSfW server has various eDirectory objects associated with it. These objects are organized in a complex manner to represent the organizational structure and are interconnected in various ways to satisfy the needs of domain operations. Removing an existing server from the domain is therefore difficult, as it requires detailed knowledge of the server's existing configuration. Here, “decommissioning an existing server” means the complete removal from eDirectory of all objects associated with the server. We have come up with a script called ndsdcrmx.pl (the attached ndsdcrm.zip contains ndsdcrmx_2015sp1.pl for OES2015SP1 servers and ndsdcrmx.pl for OES2018 servers and above), which is executed on the server to be decommissioned. This script takes care of removing all the objects associated with the server.
The script is applicable to all types of domain controllers, whether the first domain controller or an additional domain controller.
Before removing an existing DSfW server from the domain, verify the following:
- Time synchronization across all the DCs in the domain is correct. Run the following command to check time synchronization:
# /opt/novell/eDirectory/bin/ndsrepair -T -Ad
- The replica ring is active across all the servers in the domain. Run the following command to check replica synchronization:
# /opt/novell/eDirectory/bin/ndsstat -r
- All the services are up and running on the active DSfW servers. Run the following command to check them:
# xadcntrl validate
3.0 How to execute the script on the server
Below are the steps for executing the script on the DSfW server to be removed:
- If the server runs OES2015SP1, copy ndsdcrmx_2015sp1.pl to a local directory on the DSfW server. If it runs OES2018 or above, copy ndsdcrmx.pl instead.
- Check the permissions on the script; it must be executable. Use the following command to set the permission:
# chmod +x ndsdcrmx.pl
- Execute the script from the command prompt as (perl ndsdcrmx.pl -m).
- As the script is interactive, it asks for various inputs such as the Tree administrator credentials, the Domain administrator credentials, and confirmation at various stages of removing the server. For example:
>>> Enter cn=administrator,cn=users,dc=nnmsp,dc=com's password:
>>> Enter cn=Administrator,cn=Users,dc=cd,dc=nnmsp,dc=com's password:
2014-05-07 12:13:05 >>> WARNING: The domain has parent-child trust with its parent domain. The administrator of parent domain must remove this trust using the Microsoft Management Console (MMC).
2014-05-07 12:13:05 >>> The server 'cdc' is the only domain controller residing in 'cd.nnmsp.com'. Removing this server will remove the domain 'cd.nnmsp.com'. Are you sure you want to remove it? [y/n]
2014-05-07 12:13:13 >>> WARNING: All objects present in the cn=Users,DC=cd,DC=nnmsp,DC=com (cn=Users,DC=cd,DC=nnmsp,DC=com) container will be deleted. Do you wish to continue? [y/n]:
- Also, in OES2018 and OES2018SP1, if you are running the script on an Additional Domain Controller (ADC) server, the DNS configuration has to be modified for secure nsupdate to work. This modification takes effect only after novell-named is restarted, so the script prints a message on the console asking for an rcnovell-named restart when it modifies the DNS configuration. Once the ndsdcrmx script completes, the DNS configuration is reverted, and the script again prints a message asking for "rcnovell-named restart".
>>> Please restart novell-named <rcnovell-named restart>.
If novell-named is not running in this server, please restart novell-named in Primary Domain controller (PDC).
Once novell named restart is completed, press to continue:
>>> Please restart novell-named on Primary Domain Controller(PDC) and press to continue:
2019-04-09 15:02:51 Reverting the changes is done
2019-04-09 15:02:51 >>> Domain Services for Windows server removed successfully
- On completion of the script's execution, the server is removed from the domain and the message “Domain Services for Windows server removed successfully” is displayed on the screen.
2014-05-07 12:16:20 >>> Cleaning Domain Services objects
2014-05-07 12:16:20 >>> Refreshing LDAP server
2014-05-07 12:16:59 >>> Domain Services for Windows server removed successfully
- The failure message “Domain Services for Windows server removal failed” appears when the server objects were not completely removed from the domain. The administrator then needs to resolve the reported error to ensure that the server is removed completely from the domain. The log file /var/log/ndsdcrm.log, created by the script, provides details of the failure.
4.0 Merge option (-m)
The script also merges the domain and other partitions created while installing the DSfW server. These merge operations, called from the script, can take a long time in setups with many domain controllers. For such situations we have provided an option that lets the administrator merge the partitions outside the script using eDirectory operations.
- Partitions can be merged manually by using iManager.
- The -m option is used when the administrator wants the script to merge the partitions:
# perl ndsdcrmx.pl -m (merge through script)
Note: Currently, running the script with manual merge does not work on OES2018 and OES2018SP1, so on those versions the script must be run with the "-m" option.
5.0 Validating the Domain Controller is removed from the Tree
Use the ldapsearch commands below to validate that the objects corresponding to the Domain Controller have been removed from the eDirectory tree.
- For non-name-mapped setups, use the following ldapsearch command:
ldapsearch -Y EXTERNAL -b "<Domain Partition>" -s sub "(cn=*<Name of the server (hostname)>*)" dn -LLL
- For name-mapped setups, use the following ldapsearch command:
ldapsearch -D <Tree admin name> -w <Tree admin Password> -b "<Domain Partition>" -s sub "(cn=*<Name of the server (hostname)>*)" dn -LLL -Z
After running the above ldapsearch command, if any objects are left, remove them manually.
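An added helper, not part of the original article or the ndsdcrm tool, that wraps the non-name-mapped ldapsearch above and lists any objects that still mention the decommissioned server. The domain partition DN and hostname are placeholders supplied as arguments; the sample LDIF embedded in the script is constructed, not output from a real tree.

```shell
#!/bin/sh
# Added example (not from the article or the ndsdcrm tool): post-removal check that
# wraps the section 5.0 ldapsearch and reports objects left behind for manual removal.

# Print one DN per line from 'ldapsearch -LLL ... dn' output read on stdin.
# LDIF folds long values onto continuation lines that begin with a single space,
# so fold those back first; otherwise a long DN is cut in two and miscounted.
leftover_dns() {
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' | sed -n 's/^dn: //p'
}

# Run the article's non-name-mapped ldapsearch for domain partition $1 and
# hostname $2. Returns 0 when nothing remains, 1 (listing the DNs) when objects
# are left, 2 when ldapsearch itself failed.
check_removed() {
    out=$(ldapsearch -Y EXTERNAL -b "$1" -s sub "(cn=*$2*)" dn -LLL) || return 2
    dns=$(printf '%s\n' "$out" | leftover_dns)
    if [ -z "$dns" ]; then
        echo "OK: no objects matching *$2* remain under $1"
        return 0
    fi
    echo "WARNING: objects still reference $2; remove them manually (section 5.0):"
    printf '%s\n' "$dns"
    return 1
}

# Constructed sample of ldapsearch output with two leftover objects, the second
# one folded onto a continuation line. Used only when run without arguments.
SAMPLE_LDIF='dn: cn=cdc,cn=Computers,dc=cd,dc=nnmsp,dc=com

dn: cn=cdc-ldap,
 cn=Servers,dc=cd,dc=nnmsp,dc=com
'

if [ $# -eq 2 ]; then
    check_removed "$1" "$2"
elif [ $# -eq 0 ]; then
    printf '%s' "$SAMPLE_LDIF" | leftover_dns
else
    echo "usage: $0 <domain partition DN> <hostname>" >&2
    exit 64
fi
```

Run it as `sh check_removed.sh "dc=cd,dc=nnmsp,dc=com" cdc` on the server; with no arguments it only demonstrates the DN extraction on the constructed sample.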
6.0 Known Issues
- Sometimes decommissioning the domain controller results in “Unknown Objects” in the tree. Delete these objects to prevent errors during re-installation of the domain controller.
- If DSfW is re-installed on a decommissioned machine, make sure that the following services are enabled for configure or reconfigure:
1. LDAP Configuration for Open Enterprise Server
2. Linux User Management
3. Novell DNS services
4. Novell Storage Services
5. Netware Core Protocol Server
6. Storage Management Services
Some of the DSfW objects associated with these services (for example LUM) are not created if the service is not in the configure or reconfigure state, and the DSfW re-installation then fails. This failure is seen only when the server was decommissioned with the ndsdcrm tool.
So far, removing a DSfW domain controller has been a very tedious task. With this script we think that administrators can speed up the process of removing a DSfW domain controller.
Note: ndsdcrmx_2015sp1.pl should also work for lower versions, but we have not tested it.