Friday, September 7, 2012

The last token starts with 'd'


Problem:   I recently demoted a Certificate Authority server from Windows 2008.  While deleting the remaining CA objects from Active Directory per:  

     ldifde -i -f remainingCAobjects.ldf

     I received the following error:  

There is a syntax error in the input file failed on line 3.  The last token starts with 'd'  0 entries modified successfully.  An error occurred in the program.

Resolution:  Edit the the ldf file so that there is not any data/ text below the "changetype:  delete" line.  If we were adding or modifying AD entries additional directives are expected.  When deleting AD entries the LDIF file only needs the DN and the "changetype=delete" directive.  Working example:   

     dn: cn=Bill Gates,ou=people,dc=microsoft,dc=com  

     changetype: delete

 P.S.  This post has been surprisingly popular.   Please leave comments.  Thanks!  -SMJ
References:
http://docs.oracle.com/cd/B14099_19/idmanage.1012/b15883/ldif_appendix002.htm#CHDFECDI
http://support.microsoft.com/kb/889250 
at

11 comments:

  1. AnonymousNovember 21, 2012 at 9:52 AM

    Thank you! Thank you! Thank you! Thank you! Thank you!

    ReplyDelete
  2. AnonymousDecember 20, 2012 at 4:08 AM

    Thank you! works great.

    ReplyDelete
  3. AnonymousJanuary 15, 2013 at 7:33 AM

    Super thanks! And thanks to Google for leading me here!

    ReplyDelete
  4. AnonymousFebruary 13, 2013 at 10:40 AM

    thanks a million!

    ReplyDelete
  5. AnonymousJune 5, 2013 at 12:57 PM

    graci

    ReplyDelete
  6. AnonymousNovember 12, 2014 at 7:30 PM

    Thanks again! I'm working from this: http://support2.microsoft.com/kb/889250
    Seems there are quite a few gotchas - not the most reliable guide from MS :-|

    ReplyDelete
  7. AnonymousNovember 19, 2014 at 4:00 AM

    Thanks mate!!!!

    ReplyDelete
  8. AnonymousSeptember 16, 2015 at 4:28 AM

    Thank you! You'd think the official documentation would be better.

    ReplyDelete
  9. AnonymousNovember 3, 2015 at 8:26 PM

    Cheers

    ReplyDelete
  10. AnonymousMay 11, 2016 at 6:46 PM

    +1 Thanks!

    ReplyDelete
  11. AnonymousAugust 31, 2017 at 11:20 AM

    Great article and I had the same issue and your page helped. Thanks a bunch for posting.

    To provide some background, I was completing a full decommission of an Enterprise CA within my active directory. The article I followed is below

    https://support.microsoft.com/en-us/help/889250/how-to-decommission-a-windows-enterprise-certification-authority-and-r

    In step 12, under "Remove all Certification Services objects from Active Directory" Under line B, the article doesnt tell to delete all data under the changetype option. Also if you are copying and pasting from the article, it shows as "changetype: delete."

    The period after delete is not required.

    Thank you so much!!!!

    ReplyDelete