Removing Stubborn Orphaned Active Directory (Child) Domain

Say you’re using ntdsutil to remove an offline, orphaned domain as per KB230306 and you get an error like

DsRemoveDsDomainW error 0x2162(The requested domain could not be deleted because there exist domain controllers that still host this domain.)

There are a few things you can still try. Again, we’re assuming the last DC in the domain is dead/offline and we’re in a completely orphaned state.

NOTE: These steps were performed on a child domain, so mileage may vary.

Remove the Server Reference

Assuming you’ve already deleted the remaining traces of the dead DC (its AD objects, DNS references, etc.), try the following.

NOTE: You will need to know the Operations Master (e.g. ADUC in Advanced view > Operations Master)

Usually I just run the commands from the operations master as well.

  • Enter the ntdsutil prompt
  • metadata cleanup
  • connections
    • connect to server OPERATIONS_MASTER_SERVER
    • q
  • select operations target
    • list sites
      • note the number of the site you want to remove (be VERY CAREFUL)
    • select site #
    • list servers in site
      • Note the server # (usually the first/only)
    • select server #
    • q
  • remove selected server
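Before rerunning the removal it helps to see which NTDS Settings objects still claim the domain, since that is exactly what error 0x2162 complains about. The following PowerShell is an added example (not from the original post); the domain DN and the server name are placeholders for your environment, and it assumes the ActiveDirectory module is installed.

```powershell
# Added example, not part of the original post. Lists the DCs whose NTDS Settings
# object still claims a writable replica of a domain NC; any hit is what makes
# ntdsutil return DsRemoveDsDomainW error 0x2162. Requires the ActiveDirectory module.
param(
    # Placeholders: the orphaned child domain and a reachable DC (usually the operations master).
    [string]$NamingContext = 'DC=stage,DC=skynet,DC=com',
    [string]$Server        = 'OPERATIONS_MASTER_SERVER'
)
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE -Server $Server).configurationNamingContext

# 1. The crossRef object is the partition's entry in the enterprise; it is what
#    "remove selected domain" deletes. If it is already gone there is nothing to clean up.
$crossRef = Get-ADObject -Server $Server -SearchBase "CN=Partitions,$configNC" `
    -LDAPFilter "(&(objectClass=crossRef)(nCName=$NamingContext))" -Properties nCName, dnsRoot
if (-not $crossRef) {
    Write-Warning "No crossRef found for $NamingContext; the domain is already removed."
    return
}
"crossRef : $($crossRef.DistinguishedName)"
"dnsRoot  : $($crossRef.dnsRoot)"

# 2. One nTDSDSA ("NTDS Settings") object exists per DC under CN=Sites. A DC that hosts the
#    domain lists the NC in msDS-HasDomainNCs (Server 2003+) or the legacy hasMasterNCs.
#    Partial (GC) replicas are deliberately not matched: they are expected and drop off on their own.
$filter = "(&(objectClass=nTDSDSA)(|(msDS-HasDomainNCs=$NamingContext)(hasMasterNCs=$NamingContext)))"
$hosts = Get-ADObject -Server $Server -SearchBase "CN=Sites,$configNC" -LDAPFilter $filter

if (-not $hosts) {
    "No NTDS Settings object still references $NamingContext; retry the ntdsutil removal."
} else {
    "DCs still registered as hosting $NamingContext (candidates for 'remove selected server'):"
    foreach ($h in $hosts) {
        # The parent of "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,..." is the server object.
        $serverDn = ($h.DistinguishedName -split ',', 2)[1]
        "  $serverDn"
    }
}
```

Run it read-only first; it changes nothing, and each server it lists is either a DC you can still demote properly or a stale object for the metadata cleanup steps above.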

Remove the AD Partition

At this point, if you’re still getting an error, even after deleting the NTDS Settings object in Active Directory Sites and Services (ADSS), you can try removing the AD partition.

You may see an error like:

DsRemoveDsDomainW error 0x2015(The directory service can perform the requested operation only on a leaf object.)

KB887424 covers this issue, though it doesn’t mention that since Server 2003 the ntdsutil “domain management” menu has changed to “partition management”.

  • ntdsutil
  • partition management
  • connections
    • connect to server OPERATIONS_MASTER_SERVER
    • q
  • list

You’ll see something like this:

Note: Directory partition names with International/Unicode characters will only display correctly if appropriate fonts and language support are loaded
Found 9 Naming Context(s)
0 - CN=Configuration,DC=skynet,DC=com
1 - CN=Schema,CN=Configuration,DC=skynet,DC=com
2 - DC=skynet,DC=com
3 - DC=DomainDnsZones,DC=skynet,DC=com
4 - DC=ForestDnsZones,DC=skynet,DC=com
5 - DC=test,DC=skynet,DC=com
6 - DC=DomainDnsZones,DC=test,DC=skynet,DC=com
7 - DC=stage,DC=skynet,DC=com
8 - DC=DomainDnsZones,DC=stage,DC=skynet,DC=com

  • Let’s try deleting the DomainDnsZones partition of the errant domain by its LDAP distinguished name
  • delete nc DC=DomainDnsZones,DC=stage,DC=skynet,DC=com

You will see output like:

The operation was successful. The partition has been marked for removal from the enterprise. It will be removed over time in the background.

Note: Please do not create another partition with the same name until the servers which hold this partition have had an opportunity to remove it. This will occur when knowledge of the deletion of this partition has replicated throughout the forest, and the servers which held the partition have removed all the objects within that partition. Complete removal of the partition can be verified by consulting the Directory event log on each server.

  • q
  • q

Try to Remove Orphaned Domain (Again)

As per KB230306, try to remove the domain again.

Replicate Changes

  • repadmin /syncall: synchronise with all replication partners
  • /APed: /A(ll partitions) /P(ush) /e(nterprise, cross sites) /d(istinguished names)
