The last token starts with 'd'

Problem: I recently demoted a Certificate Authority server from Windows 2008. While deleting the remaining CA objects from Active Directory per:

     ldifde -i -f remainingCAobjects.ldf

I received the following error:

There is a syntax error in the input file failed on line 3.  The last token starts with 'd'  0 entries modified successfully.  An error occurred in the program.

Resolution: Edit the LDF file so that there is no data or text below the "changetype: delete" line. If we were adding or modifying AD entries, additional directives would be expected. When deleting AD entries, the LDIF file only needs the DN and the "changetype: delete" directive. Working example:

     dn: cn=Bill Gates,ou=people,dc=microsoft,dc=com
     changetype: delete

P.S.  This post has been surprisingly popular.   Please leave comments.  Thanks!  -SMJ
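
A pre-flight check for the rule above, as an added example that is not part of the original post or of Microsoft's tooling: the PowerShell function below scans LDIF lines and reports delete records that carry anything beyond the DN and `changetype: delete`, including the trailing period mentioned in the comments. The function name `Test-LdifDeleteRecord` and the sample DNs are made up for illustration.

```powershell
# Added example. Test-LdifDeleteRecord is a hypothetical helper, not part of ldifde.
function Test-LdifDeleteRecord {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)

    $dn = $null            # DN of the record being read; $null between records
    $deleteSeen = $false   # set once this record's "changetype: delete" was read
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        $problem = $null
        if ($line.Trim() -eq '') { $dn = $null; $deleteSeen = $false; continue }  # blank line ends the record
        if ($line.StartsWith('#')) { continue }                                   # LDIF comment
        if ($line -match '^dn::?\s*(.+)$') { $dn = $Matches[1]; $deleteSeen = $false; continue }
        if ($deleteSeen) {
            $problem = 'data after "changetype: delete"'
        }
        elseif ($line.StartsWith(' ')) { continue }                               # folded continuation line
        elseif ($line -match '^changetype:\s*(.*)$') {
            $value = $Matches[1].Trim()
            if (-not $dn) { $problem = 'changetype with no dn: line in the same record' }
            elseif ($value -eq 'delete') { $deleteSeen = $true }
            elseif ($value -like 'delete*') { $deleteSeen = $true; $problem = 'extra characters after "delete"' }
        }
        if ($problem) {
            [pscustomobject]@{ Line = $i + 1; Dn = $dn; Problem = $problem; Text = $line }
        }
    }
}

# Constructed sample input (DNs are placeholders, not real directory objects).
$sample = @'
dn: CN=OldCA,CN=Example Container,DC=example,DC=com
changetype: delete
displayName: OldCA

dn: CN=OldCA-CDP,CN=Example Container,DC=example,DC=com
changetype: delete.

dn: CN=OldCA-AIA,CN=Example Container,DC=example,DC=com
changetype: delete
'@ -split '\r?\n'

Test-LdifDeleteRecord -Lines $sample | Format-Table -AutoSize
# For a real file: Test-LdifDeleteRecord -Lines (Get-Content .\remainingCAobjects.ldf)
```

An empty result means every delete record consists of only its DN and the changetype line, so the file can be handed to `ldifde -i -f`.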



  1. Thank you! Thank you! Thank you! Thank you! Thank you!

  2. Thank you! works great.

  3. Super thanks! And thanks to Google for leading me here!

  4. Thanks again! I'm working from this:
    Seems there are quite a few gotchas - not the most reliable guide from MS :-|

  5. Thank you! You'd think the official documentation would be better.

  6. Great article and I had the same issue and your page helped. Thanks a bunch for posting.

    To provide some background, I was completing a full decommission of an Enterprise CA within my active directory. The article I followed is below

    In step 12, under "Remove all Certification Services objects from Active Directory", under line B, the article doesn't tell you to delete all data under the changetype option. Also, if you are copying and pasting from the article, it shows as "changetype: delete."

    The period after delete is not required.

    Thank you so much!!!!

