Removing DSfW Domain Controllers

Removing DSfW Domain Controllers

ndsdcrm tool for removing domain controller(DC) in DSfW domain

1.0 Introduction

Purpose here is to help DSfW Administrator decommission domain controller from the domain. This may be needed when hardware becomes very old, or it is impacted by some malware or virus that has slowed the server. Or the requirement itself has reduced.

DSfW server has various eDirectory objects associated to it. All these objects are organized in a complex manner to represent the organizational structure, and are inter-connected in various ways to satisfy the needs of the domain operations. Therefore removing an existing server from the domain is also difficult, as it needs a lot of knowledge of the existing configuration of the server. Here the “decommissioning of an existing server” means the complete removal of all the objects associated with the server from the eDirectory. We have come up with a script called ( attached  file with this cool solution and this zip file contains for oes2015sp1 server and  for oes2018 server and above) , which can be executed on the server to be decommissioned. This script takes care of the removal of all the objects associated to the server.

Script is applicable for all types of domain controllers. Whether its first domain controller or additional domain controller.

2.0 Prerequisites

Before moving ahead to remove an existing DSfW server from the domain, following are the things that need to be verified:

    • Make sure the time synchronization across all the DC's in the domain is correct.

      - Run the following command to check time synchronization:

      # /opt/novell/eDirectory/bin/ndsrepair -T -Ad

    • Replica ring is active across all the servers in the domain.

      - Run the following command to check replica synchronization:

      # /opt/novell/eDirectory/bin/ndsstat -r


    • All the services are up and running on the active DSfW servers.

      - Run the following command:

      # xadcntrl validate

3.0 How to execute the script on the server

Below are the steps explaining the execution of the script on the DSfW server to be removed:

    • If it is OES2015sp1 server, then copy the script( to the local directory on the DSfW server. If it is OES2018 server or above , then copy the script( to the local directory on the DSfW server.

    • Check the permissions on the script, it should have executable permission on it . Use the following command to give permission.

      # chmod +x


    • Script can be executed as (perl -m) in the command prompt.


    • As the script is an interactive script, it will ask for various inputs like the Tree administrator credentials, Domain administrator credentials and confirmation on various stages of removal of the server. For e.g.

      >>> Enter cn=administrator,cn=users,dc=nnmsp,dc=com's password:

      >>> Enter cn=Administrator,cn=Users,dc=cd,dc=nnmsp,dc=com's password:

      2014-05-07 12:13:05 >>> WARNING: The domain has parent-child trust with its parent domain. The administrator of parent domain must remove this trust using the Microsoft Management Console (MMC).

      2014-05-07 12:13:05 >>> The server 'cdc' is the only domain controller residing in ''. Removing this server will remove the domain ''. Are you sure you want to remove it? [y/n]


      2014-05-07 12:13:13 >>> WARNING: All objects present in the cn=Users,DC=cd,DC=nnmsp,DC=com (cn=Users,DC=cd,DC=nnmsp,DC=com) container will be deleted. Do you wish to continue? [y/n]:


    • Also in OES2018 and OES2018SP1, if you are running the script in Additional Domain Controller(ADC) server, the dns configuration has to be modified for secure nsupdate to work. However this modification will reflect only after restart of novell dns. So there will be a message in console for rcnovell-named restart for modifying this dns configuration. Also once the ndsdcrmx script completes, this dns configuration will be reverted. For this again there will be a message for "rcnovell-named restart". 

      For e.g

      >>> Please restart novell-named <rcnovell-named restart>.
      If novell-named is not running in this server, please restart novell-named in Primary Domain controller (PDC).
      Once novell named restart is completed, press to continue:
      >>> Please restart novell-named on Primary Domain Controller(PDC) and press to continue:
      2019-04-09 15:02:51 Reverting the changes is done
      2019-04-09 15:02:51 >>> Domain Services for Windows server removed successfully


    • On completion of the script's execution, server is removed from the domain and a successful message is displayed on the screen “Domain Services for Windows server removed successfully”.

      2014-05-07 12:16:20 >>> Cleaning Domain Services objects

      2014-05-07 12:16:20 >>> Refreshing LDAP server

      2014-05-07 12:16:59 >>> Domain Services for Windows server removed successfully


    • A failure message “Domain Services for Windows server removal failed” comes when there is incomplete removal of the server objects from the domain. Further, administrator needs to take care of the resulted error to ensure that the server is removed completely from the domain. A log file /var/log/ndsdcrm.log gets created, provides details of the failure scenario.

4.0 Merge option ( -m )

The script also merges the domain and other partitions created while installing the DSfW server. These merge operations called from the script can take long time in setups having many domain controllers. For such situations we have provided option to the administrator for merging the partitions from outside using eDirectory operations.


    • -m option is used when administrator has to merge partitions through script.

      - #perl -m ( merge through script)

Note:  Currently running the script with manual merge is not working for OES2018 and OES2018SP1. So here we need to run the script with only "-m" option.

5.0 Validating the Domain Controller is removed from the Tree

Please use the below ldapsearch commands to vaildate that the objects corresponding to Domain Controller are removed from Edirectory Tree.

  • For Non-name mapped setups, use the below ldapsearch command:

                  export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
                  export SASL_PATH=/opt/novell/xad/lib64/sasl2/

                  ldapsearch -Y EXTERNAL -b "<Domain Partition>" -s sub "(cn=*<Name of the server (hostname)>*)" dn -LLL

  • For Name mapped setups, use the below ldapsearch command:

                  ldapsearch -D <Tree admin name> -w <Tree admin Password> -b "<Domain Partition>" -s sub "(cn=*<Name of the server (hostname)>*)" dn -LLL -Z


After running the above ldapsearch command, if any objects are left please remove them manually.


6.0 Known Issues

    • Sometimes decommissioning of the domain controller results to “Unknown Objects” in the tree. Please delete these objects to prevent errors during re-installation of domain controller.


    • In case of re-installation of DSfW on a decommissioned machine, make sure that the following services are enabled for configure or reconfigure:

      1. LDAP Configuration for Open Enterprise Server

      2. Linux User Management

      3. Novell DNS services

      4. Novell Storage Services

      5. Netware Core Protocol Server

      6. Storage Management Services

      Some of the DSfW objects associated with these services will not be created if state of the service is not in reconfigure or configure state (like LUM ). Otherwise there is a failure of DSfW re-installation. This failure is seen only when the server is decommissioned with ndsdcrm tool.

7.0 Conclusion:

So far removing DSfW domain was a very tedious task. Now with this script we think that Administrators can speed up the process of removing DSfW domain controller.

Note :  will work for lower versions also but we have not tested it.





Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Right off the bat, the script is too vague, for an entry which has no mention on this page. The first step was:
"Enter the IP address of the eDirectory server".
WHICH eDirectory server? The master of the partition? A separate LDAP server? or the DsfW server? If the latter, why not simply specify, "the DsfW Server?" But since the script should be run on the DsfW server itself, it seems superfluous to ask for the IP when it could easily get that info itself.
Well, that's what I entered, I hope it works.
Also, it seems to be merging partitions even though I didn't specify the -m option.
Top Contributors
Version history
Revision #:
11 of 11
Last update:
‎2019-06-12 06:20
Updated by:
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.