Article ID: 298450 - Last Review: December 3, 2007 - Revision: 5.4

Deletion of Critical Objects in Active Directory in Windows 2000 and Windows Server 2003

This article was previously published under Q298450.

SUMMARY

This article describes the issues that may occur if you delete critical objects in Active Directory, the impact of such a deletion, and what Microsoft is doing to resolve these issues. This issue affects all customers who use Active Directory on Windows 2000 and Windows Server 2003. Microsoft Product Support Services (PSS) has received many calls from customers who have either inadvertently or intentionally deleted critical objects in Active Directory.

MORE INFORMATION

In Microsoft Windows NT version 4.0, a common troubleshooting procedure is to delete certain objects in Server Manager to attempt to synchronize a backup domain controller (BDC) with the primary domain controller (PDC). However, this procedure has detrimental effects in Windows 2000 and Windows Server 2003.

This description focuses on two specific objects: the machine account, which is used mostly for authentication between two domain controllers, and the NTDS Settings object, which is used to locate other domain controllers and to determine the enterprise Active Directory replication topology. These are the objects that most commonly cause problems when they are deleted, but other critical objects are just as susceptible. These include Dynamic Host Configuration Protocol (DHCP) authorization objects, File Replication service (FRS) subscription objects, trusted domain objects, anything in the System organizational unit, and so on.

Unless the domain controller is permanently offline, do not manually delete the domain controller's machine account (in Active Directory Users and Computers) or the NTDS Settings object (in Active Directory Sites and Services) that is associated with the domain controller. If the computer is permanently offline, the following Microsoft Knowledge Base article describes how to remove the NTDS Settings object by using the Ntdsutil utility:

216498 (http://support.microsoft.com/kb/216498/EN-US/) How to Remove Data in the Active Directory After an Unsuccessful Domain Controller Demotion

After you remove the NTDS Settings object, you can safely delete the machine account.

Impacts

If you delete critical objects, domain controllers may be orphaned from the enterprise replication topology. Because of this, changes made to Active Directory on the orphaned domain controller are orphaned along with it, which causes client logon failures.

Note this technical detail: generally, if an administrator attempts to delete the NTDS Settings object on the domain controller to which that object applies, the local computer rejects the request and the administrator receives a message. However, other domain controllers allow the operation. If the server to which the NTDS Settings object applies is "alive" on the network when the change replicates to it, the server does not allow the object to be deleted; generally, the process should reverse itself and the object should be re-animated. However, other domain controllers may never pick up this reversal, which causes the Knowledge Consistency Checker (KCC) to leave the computer out of the topology and consequently to orphan it.

For the machine account, the failures are likely to appear as authentication failures between domain controllers and between domain controllers and clients. Mutual authentication, Domain Name System (DNS), and domain-specific data are kept in domain controller machine accounts. This data is necessary for operations such as Active Directory replication.

Short Term

If you delete the NTDS Settings object, you can use the procedure in the following Knowledge Base article to manually create a replication link between two domain controllers and reintroduce the domain controller into the topology:

232538 (http://support.microsoft.com/kb/232538/EN-US/) Unsuccessful Replication Without Partner Listed

The procedure in that article manually establishes a replication link between the orphaned domain controller and another domain controller, which triggers replication so that the critical objects are replicated to at least one other computer; the procedure then depends on Active Directory replication to propagate the object to the other domain controllers. After some time, the KCC on every other domain controller should determine that a new server object is present and adjust the replication topology accordingly.

If a machine account for a domain controller is deleted in Active Directory Users and Computers, the machine account cannot easily be recovered. Specific authentication data is written to this object that cannot be recovered without restoring from backup. The following Knowledge Base article describes how to recover from a deleted machine account:

257288 (http://support.microsoft.com/kb/257288/EN-US/) How to Recover from a Deleted Domain Controller Machine Account in Windows 2000

However, in most cases, to recover from a deleted machine account you must demote and re-promote the server to ensure that all of the data is correctly written back to the account. If a backup is available, it may be preferable to perform an authoritative restore of only the object that you need. For more information about authoritative restores, see the Windows 2000 Resource Kit, Distributed Systems Guide, Chapter 9, page 451.

Long Term

The administrative tools (Active Directory Users and Computers and Active Directory Sites and Services) are being modified so that an administrator is prompted when attempting to delete a machine account object that represents a domain controller, or the NTDS Settings object, which represents the server as a domain controller to all other domain controllers. In either case, the user interface will either direct the administrator to the proper procedure if the server is not offline, or demote the computer if the server is online and the administrator wants to remove the server from the network.

Note, however, that this modification does not restrict other administrative tools such as ADSI Edit and LDP, and it does not restrict you from programmatically removing these objects.
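Because the planned prompts do not cover ADSI Edit, LDP, or scripts, administrators who remove computer objects programmatically can perform the same check themselves. The following PowerShell function is an added example, not code from this article or from Microsoft; it assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the Configuration partition, and the function name Test-SafeToDeleteComputer is the author's own.

```powershell
# Added example, not from the Knowledge Base article. Assumes the ActiveDirectory
# module (RSAT) and read access to the Configuration naming context.
Import-Module ActiveDirectory

function Test-SafeToDeleteComputer {
    param([Parameter(Mandatory)][string]$ComputerName)

    # serverReferenceBL is the back-link from a DC's computer account to its server
    # object under CN=Sites,CN=Configuration; NTDS Settings is a child of that object.
    $computer = Get-ADComputer -Identity $ComputerName `
        -Properties userAccountControl, serverReferenceBL, dNSHostName

    # SERVER_TRUST_ACCOUNT (0x2000) in userAccountControl marks a domain controller account.
    $isDc = ($computer.userAccountControl -band 0x2000) -ne 0
    if (-not $isDc) {
        return [pscustomobject]@{
            Computer = $ComputerName; IsDomainController = $false
            NtdsSettingsPresent = $false; Online = $null
            SafeToDelete = $true; Reason = 'Not a domain controller account'
        }
    }

    $serverDn = @($computer.serverReferenceBL)[0]
    $ntds = $null
    if ($serverDn) {
        $ntds = Get-ADObject -Identity "CN=NTDS Settings,$serverDn" -ErrorAction SilentlyContinue
    }
    $online = Test-Connection -ComputerName $computer.dNSHostName -Count 1 -Quiet -ErrorAction SilentlyContinue

    if ($ntds) {
        # Still registered in the replication topology: the KB says demote it, or use
        # Ntdsutil metadata cleanup (KB 216498) only if it is permanently offline.
        $safe = $false
        $reason = 'NTDS Settings object still present; demote the DC or clean its metadata first'
    } elseif ($online) {
        # No NTDS Settings but the host answers: this is the orphaned-DC case the KB
        # describes, and deleting the account would compound the damage (see KB 232538).
        $safe = $false
        $reason = 'Host is alive but has no NTDS Settings object; treat it as an orphaned DC'
    } else {
        $safe = $true
        $reason = 'NTDS Settings object already removed and host is offline'
    }

    [pscustomobject]@{
        Computer = $ComputerName; IsDomainController = $true
        NtdsSettingsPresent = [bool]$ntds; Online = [bool]$online
        SafeToDelete = $safe; Reason = $reason
    }
}

# Usage (DC01 is a placeholder name): run the check and act only when SafeToDelete is true.
$check = Test-SafeToDeleteComputer -ComputerName 'DC01'
if (-not $check.SafeToDelete) { Write-Warning $check.Reason }
```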