MORE INFORMATION
In Microsoft Windows NT version 4.0, a common troubleshooting procedure is to delete certain objects in Server Manager to force a backup domain controller (BDC) to resynchronize with the primary domain controller (PDC). Carrying that habit over to Windows 2000 and Windows Server 2003 is harmful: in Active Directory the corresponding objects are part of the replication topology and of domain controller authentication, and deleting them breaks both.
This article focuses on two objects in particular: the domain controller's machine account, which is used chiefly for authentication between domain controllers, and its NTDS Settings object, which other domain controllers use to locate it and from which the enterprise Active Directory replication topology is derived. These are the objects whose deletion most commonly causes problems, but other critical objects are just as susceptible: Dynamic Host Configuration Protocol (DHCP) authorization objects, File Replication service (FRS) subscription objects, trusted domain objects, anything in the System container (CN=System), and so on.
Unless the domain controller is permanently offline, do not manually delete its machine account (in Active Directory Users and Computers) or its NTDS Settings object (in Active Directory Sites and Services). If the computer is permanently offline, remove the NTDS Settings object with the Ntdsutil utility (metadata cleanup) by using the procedure in the following Microsoft Knowledge Base article:
216498 How to Remove Data in the Active Directory After an Unsuccessful Domain Controller Demotion
Only after the NTDS Settings object has been removed is it safe to delete the machine account; do the two steps in that order.
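The following script is an added example and is not part of the Knowledge Base article; it scripts the order of operations described above (confirm the computer is really offline, metadata cleanup, verify, then delete the machine account). All names are hypothetical: DC2 in site Default-First-Site-Name of example.com is the permanently offline domain controller, and dc1.example.com is a healthy domain controller on which the script is run. It assumes a Windows Server 2003 SP1 or later Ntdsutil, which accepts the server DN on the command line; the comment shows the interactive sequence that Windows 2000 and 2003 RTM require instead.

```powershell
# Added example, not from the KB article. Hypothetical names throughout.
# Run on the healthy DC (dc1) as a member of Domain Admins / Enterprise Admins.
$DeadDc     = 'DC2'
$DeadFqdn   = 'dc2.example.com'
$GoodDc     = 'dc1.example.com'
$ConfigNc   = 'CN=Configuration,DC=example,DC=com'
$ServerDn   = "CN=$DeadDc,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$ConfigNc"
$NtdsDn     = "CN=NTDS Settings,$ServerDn"
$ComputerDn = "CN=$DeadDc,OU=Domain Controllers,DC=example,DC=com"

function Test-LdapReachable([string]$Server) {
    # Binding to RootDSE succeeds only if the host is up and serving LDAP.
    # A dead host throws ("server is not operational"); map that to $false.
    try   { return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Server/RootDSE") }
    catch { return $false }
}

# 1. Guard: the rule is "permanently offline" only. A DC that still answers
#    must be demoted with Dcpromo, not cleaned out of the directory.
if ((Test-Connection -ComputerName $DeadFqdn -Count 2 -Quiet) -or (Test-LdapReachable $DeadFqdn)) {
    throw "$DeadFqdn is still reachable; demote it with dcpromo instead of deleting its objects."
}

# 2. Remove the NTDS Settings object (and its parent server object) with the
#    KB 216498 procedure, Ntdsutil metadata cleanup. Ntdsutil asks for
#    confirmation. On Windows 2000 / 2003 RTM the equivalent interactive
#    session is:
#      ntdsutil: metadata cleanup
#      metadata cleanup: connections
#      server connections: connect to server dc1.example.com
#      server connections: quit
#      metadata cleanup: select operation target
#      select operation target: list domains            (then: select domain N)
#      select operation target: list sites              (then: select site N)
#      select operation target: list servers in site    (then: select server N)
#      select operation target: quit
#      metadata cleanup: remove selected server
& ntdsutil.exe 'metadata cleanup' "remove selected server $ServerDn" quit quit

# 3. Verify on the good DC that the NTDS Settings object is gone before
#    touching the machine account; this is the order the article requires.
if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$GoodDc/$NtdsDn")) {
    throw "NTDS Settings object for $DeadDc still exists on $GoodDc; do not delete the machine account yet."
}

# 4. Now the machine account can be deleted. Check first, because some
#    Ntdsutil builds remove it during metadata cleanup. DeleteTree removes
#    child objects (for example the FRS subscription objects) with it.
if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$GoodDc/$ComputerDn")) {
    $computer = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$GoodDc/$ComputerDn")
    $computer.DeleteTree()
    $computer.Dispose()
    Write-Host "Deleted $ComputerDn"
}
```

After the script completes, confirm from a remaining domain controller that none of them still lists DC2 as a replication partner (`repadmin /showrepl` on Windows Server 2003, `repadmin /showreps` on Windows 2000), and remove the dead computer's DNS records and any FRS member object by hand, as KB 216498 describes.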
Impacts
If you delete critical objects, the affected domain controllers may be orphaned from the enterprise replication topology. Changes made on an orphaned domain controller (new accounts, password changes, group membership) never replicate out, and changes made elsewhere never reach it, so the directory diverges and clients that authenticate against it experience logon failures.
Note the following detail: if an administrator tries to delete the NTDS Settings object on the very domain controller that the object represents, that computer rejects the request and the administrator receives an error message. Any other domain controller allows the deletion. When the deletion then replicates to the domain controller that the object represents, that computer, if it is alive on the network, refuses to apply it; normally the deletion is reversed and the object is re-animated. However, the other domain controllers may never receive the re-animated object. The Knowledge Consistency Checker (KCC) on those domain controllers, which builds the replication topology from the NTDS Settings objects it can see, then leaves the computer out of the topology, and the computer is orphaned. For the machine account, the failures typically appear as authentication failures between domain controllers and between domain controllers and clients. The machine account holds the data used for mutual authentication (the account's secret and its service principal names), its DNS host name, and other domain-specific data, all of which is needed for operations such as Active Directory replication.
Short Term
If you delete the NTDS Settings object, use the procedure in the following Knowledge Base article to create a replication link between two domain controllers by hand and so reintroduce the orphaned domain controller into the topology:
232538 Unsuccessful Replication Without Partner Listed
The procedure manually establishes a replication link between the orphaned domain controller and a healthy domain controller. That link triggers replication, so the critical objects reach at least one other computer; from there the procedure relies on normal Active Directory replication to propagate the objects to the remaining domain controllers. After some time, the KCC on every other domain controller should detect the new server object and adjust the replication topology accordingly.
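The script below is an added example, not part of the Knowledge Base article, and serves both the failure mode described under Impacts and the short-term recovery above. It first asks every domain controller directly whether it still holds a given NTDS Settings object, which exposes the divergence (the owning domain controller re-animated the object, the others never received it), and then, if the object is present on its owner but missing elsewhere, creates the replication links by hand with `repadmin /add`, the KB 232538 procedure. Names are hypothetical: dc3.example.com is the domain controller whose NTDS Settings object was deleted, dc1.example.com is a healthy domain controller, and the site is Default-First-Site-Name. It assumes repadmin.exe from the Support Tools is on the path and the caller is a Domain Admin.

```powershell
# Added example, not from the KB article. Hypothetical names throughout.
$ConfigNc      = 'CN=Configuration,DC=example,DC=com'
$DomainNc      = 'DC=example,DC=com'
$GoodDc        = 'dc1.example.com'
$SuspectDc     = 'dc3.example.com'
$SuspectNtdsDn = "CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$ConfigNc"

function Get-KnownDomainControllers([string]$Via) {
    # Every DC is represented by an nTDSDSA object (the "NTDS Settings" object)
    # whose parent server object carries the DC's DNS name. Enumerate them as
    # seen from one DC; an orphaned DC is exactly one that is missing here.
    $base     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Via/CN=Sites,$ConfigNc")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, '(objectClass=nTDSDSA)')
    $searcher.PageSize = 500
    foreach ($result in $searcher.FindAll()) {
        $result.GetDirectoryEntry().Parent.Properties['dNSHostName'].Value
    }
}

function Get-NtdsSettingsView([string[]]$Dcs, [string]$Dn) {
    # Ask each DC directly (not through referrals) whether it still holds $Dn.
    # Differing answers are the signature of the orphaning described above.
    foreach ($dc in $Dcs) {
        try   { $state = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dc/$Dn") }
        catch { $state = 'unreachable' }
        New-Object PSObject -Property @{ DC = $dc; HasNtdsSettings = $state }
    }
}

# Include the suspect itself: the good DC may no longer know it exists.
$dcs  = @(Get-KnownDomainControllers $GoodDc) + $SuspectDc | Sort-Object -Unique
$view = Get-NtdsSettingsView $dcs $SuspectNtdsDn
$view | Format-Table DC, HasNtdsSettings -AutoSize

$ownerHasIt = ($view | Where-Object { $_.DC -eq $SuspectDc }).HasNtdsSettings -eq $true
$missing    = @($view | Where-Object { $_.HasNtdsSettings -eq $false })

if ($ownerHasIt -and $missing.Count -gt 0) {
    # KB 232538 recovery: build replication links by hand.
    #   repadmin /add <naming context> <destination DSA> <source DSA>
    # The healthy DC pulls from the orphan so the re-animated NTDS Settings
    # object reaches at least one other DC. Configuration first, because the
    # KCC derives the topology from that partition.
    repadmin /add $ConfigNc $GoodDc $SuspectDc
    # The orphan pulls from the healthy DC so it catches up on the changes it
    # missed while outside the topology.
    repadmin /add $ConfigNc $SuspectDc $GoodDc
    repadmin /add $DomainNc $SuspectDc $GoodDc
    # Run the KCC now rather than waiting for its next interval, then confirm
    # the inbound links exist and are not reporting errors
    # (/showrepl on Windows Server 2003; /showreps on Windows 2000).
    repadmin /kcc $GoodDc
    repadmin /kcc $SuspectDc
    repadmin /showrepl $GoodDc
}
elseif (-not $ownerHasIt) {
    Write-Warning "$SuspectDc does not hold its own NTDS Settings object; this is the deleted-object case, not an orphan. Restore from backup or demote and re-promote."
}
```

Run the enumeration part on its own first; if every reachable domain controller reports the same answer, the problem is not an orphaned NTDS Settings object and `repadmin /add` will not fix it. Once the links are in place, re-run the view after a replication cycle and expect every domain controller to report `True`.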
If a domain controller's machine account is deleted in Active Directory Users and Computers, the account cannot easily be recovered: authentication data is written to this object that cannot be recreated without restoring from backup. The following Knowledge Base article describes how to recover from a deleted machine account:
257288 How to Recover from a Deleted Domain Controller Machine Account in Windows 2000
However, in most cases the only reliable way to recover is to demote the server and promote it again, so that all of the data is written back to the account correctly.
If a backup is available, it may be preferable to perform an authoritative restore of only the object you need, rather than of the whole directory; restoring more than that rolls back every other change made since the backup. More information on performing an authoritative restore is available in the Windows 2000 Resource Kit, Distributed Systems Guide, Chapter 9, page 451.
Long Term
The administrative tools (Active Directory Users and Computers and Active Directory Sites and Services) are being modified so that an administrator is prompted when attempting to delete a machine account object that represents a domain controller, or the NTDS Settings object that represents the server as a domain controller to all other domain controllers. If the server is offline, the user interface will direct the administrator to the proper cleanup procedure; if the server is online and the administrator wants to remove it from the network, it will offer to demote the computer.
Note, however, that this modification does not restrict other administrative tools such as ADSI Edit and LDP, and it does not restrict programmatic removal of these objects (for example, through ADSI or LDAP scripts). Do not rely on the prompt as a control: limit who holds delete rights on these objects and audit deletions.