Problems when NT4 BDC removed from AD network

Posted on 2005-03-14
Last Modified: 2008-03-04
Here's our situation:
1 - Windows 2000 AD domain in mixed mode (first DC is SP2 and second DC is SP4)
2 - One NT4 (SP4) BDC (not running any network service such as WINS, DNS or DHCP)
3 - Exchange 5.5 (SP4) on Win2K SP4 machine
4 - Various Win2K member servers (including a Citrix MetaFrame 1.8 server)
5 - Various XP, Win2K and Win98 clients

I took the BDC offline by just removing it from service.  The next morning, anyone with a PC that was 1) Win98, 2) Win2K or 3) WinXP upgraded from Win2K would experience really long login times and actually never get a desktop that would function.  The machines would just hang.  The upgraded-to-WinXP machine showed nothing odd in the event logs (when I got in via safe mode).  When using Citrix (off the Win2K server), email would process slowly.  Also, all of the desktops that were built originally with WinXP were doing just fine.

So, putting 2 and 2 together, I brought the BDC back online and the problem went away.  I couldn't find anything in any event log on either DC to point to the problem.  
With the DC up again, I went to one of the clients and tried it as I shut down each available service that I could shut down on the BDC and it never caused any problems.  So, the server is running but with no user-configurable services running (netlogon, server, RPC locator, computer browser, etc.) and the problem doesn't come back.  It's only when the machine is completely off.

I also tried to remove the upgraded-to-XP machine from the domain and re-add it (with the BDC off) but the problem persisted.

Also, on the upgraded-to-XP machine, this slowdown or hesitation also seemed to be happening when I took the machine out of the domain completely and rebooted it as a workgroup member, which I didn't expect.  That leads me to believe that it's a computer browsing/network service sort of issue but, again, the BDC does not host any.  Maybe there's another network role that I'm missing?

My guess is that it has something to do with the browsing service or communication between the DCs (i.e. they still look for the BDC for some reason and hold up the login of the clients).  

Well, now I need to get this thing offline again at some point.  Is there a cleaner way to remove a BDC from AD, and is it just a matter of removing it and putting the domain in Native Mode to stop this from happening again?  Since you can't go back from Native mode, I want to make sure I get this right the first time.

Any thoughts would be appreciated.

Question by:goalie1

Expert Comment

ID: 13539612
Are your Windows clients configured to use WINS? Do they reference the BDC specifically in the IP configs? Do you use roaming profiles? Where are they kept?

What about making your Exchange 5.5 server a BDC before dropping the current BDC?

Author Comment

ID: 13539851
Yes, they all use WINS off of one of the Win2K DCs.  No, they don't reference the BDC at all in any config/file share/web site, etc.  but there is a reference in WINS to the BDC.   I'll try taking that static reference out and see what happens.  

No, we don't use roaming profiles.

No can do on making the Exchange 5.5 server a BDC since it's running on Win2K.


Expert Comment

ID: 13539857
Have you moved the PDC emulator role to an AD domain controller?  This role might not have properly transferred in your upgrade process.  Transfer this role over to your Win2K or 2K3 AD domain controller and repeat to see if the problem persists.


Expert Comment

ID: 13540952
I share divi2323's idea!

My guess is you are having a problem with the FSMO roles. After removing the BDC (the NT), check where your PDC FSMO role is located! If you can't find one, then that's definitely your problem. Try either to demote the NT BDC by transferring the BDC role to one of your W2K/W2K3 DCs or to switch to native mode. The last option is somewhat dangerous, however, as you can't switch it back! Additionally, it should be done only and only if there are no more NT Domain Controllers in the network.

Check these links:


Hope this helps ...


Expert Comment

ID: 13541257
I wouldn't switch over to native mode just yet.

First try to transfer the PDC emulator role to a DC.
If you can't, then take the BDC offline, and seize the role.

I wouldn't switch to native mode until you've got the issue resolved.

Expert Comment

ID: 13541638
Everybody is looking for the BDC that's not home anymore.

Packet traffic, ICMPs, broadcasts, ARPs, resolution.  Did you have another BDC replicating?

What are your DNS refresh and synch times?

Just sounds like the PDC still thinks the BDC is around, just can't find it, but it keeps trying, and so do all the other computers.  And since, above, you say the BDC was the DNS, everybody is lost!

Think about it.

Expert Comment

ID: 13570698
Any luck yet?  BDC replication?

Author Comment

ID: 13570762
Let's see if I can sum up my answers:

1 - there are no other BDCs
2 - the original PDC was upgraded to be the first DC in the Forest.
3 - The BDC was never the dns server so I'm not sure what you mean, GinEric.
4 - DNS refresh and sync times.  I assume you're talking about the refresh/retry/expire settings on Win2K DNS?  If so, refresh is 15 minutes, retry is 10 minutes and expire is 1 day.

Ok - I ran the following netdom command with the following results:
C:\>netdom query fsmo
Schema owner                rogers2.virtual.internal
Domain role owner           rogers2.virtual.internal
PDC role                    rogers2.virtual.internal
RID pool manager            rogers2.virtual.internal
Infrastructure owner        rogers2.virtual.internal
The command completed successfully.
Rogers2.virtual.internal is the original PDC that was upgraded to the first DC in the forest and it has all the roles.  So, that means that the troublesome BDC (also known as Rogers4) shouldn't cause any trouble if it's shut down - at least not as far as AD is concerned.  

I just removed any reference to Rogers4 (the BDC) in WINS (which is on Rogers2) and let's see what happens.  I think the oddest thing in this whole equation is that this problem affects newly installed Win2K machines and upgraded-to-XP machines, not just Windows 98 machines (which is what you might expect).  There's nothing inherently wrong with the network since all of my built-from-scratch XP Pro machines are acting just fine when this BDC goes offline.  Just some more food for thought.
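The two checks the thread keeps coming back to, whether the retiring BDC still holds any FSMO role and whether stale DNS records still name it, can be scripted. The Python below is an added example, not something posted in the thread or shipped with netdom or Windows DNS: it parses the `netdom query fsmo` output quoted above (embedded as a constructed sample) and a constructed BIND-style zone listing for the thread's `virtual.internal` zone, and reports what still points at the host being retired (`rogers4`). The 192.0.2.x addresses and the SRV records are assumptions made up for the sample, not the poster's real data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the `netdom query fsmo` output quoted in the thread.
NETDOM_OUTPUT = """\
Schema owner                rogers2.virtual.internal
Domain role owner           rogers2.virtual.internal
PDC role                    rogers2.virtual.internal
RID pool manager            rogers2.virtual.internal
Infrastructure owner        rogers2.virtual.internal
The command completed successfully.
"""

# Constructed sample zone (BIND-style text, not an export of the poster's DNS).
# rogers4 is the BDC; its A record is the leftover the author mentions.  The SRV
# records show which DC is actually advertised for LDAP/Kerberos.  192.0.2.x are
# documentation placeholder addresses.
ZONE_RECORDS = """\
rogers2.virtual.internal.               A   192.0.2.2
rogers4.virtual.internal.               A   192.0.2.4
_ldap._tcp.dc._msdcs.virtual.internal.  SRV 0 100 389 rogers2.virtual.internal.
_kerberos._tcp.virtual.internal.        SRV 0 100 88  rogers2.virtual.internal.
"""

# A role line is "<role name>  <two or more spaces>  <holder FQDN>"; the trailing
# "The command completed successfully." line has no double space and is skipped.
ROLE_RE = re.compile(r"^(?P<role>.+?)\s{2,}(?P<holder>\S+)$")


def parse_fsmo(output: str) -> Dict[str, str]:
    """Map each FSMO role name to the lower-cased FQDN of its holder."""
    roles: Dict[str, str] = {}
    for line in output.splitlines():
        m = ROLE_RE.match(line.rstrip())
        if m:
            roles[m.group("role")] = m.group("holder").lower()
    return roles


def short_name(fqdn: str) -> str:
    """First DNS label, lower-cased, so 'Rogers4.virtual.internal.' -> 'rogers4'."""
    return fqdn.lower().split(".")[0]


def roles_held_by(roles: Dict[str, str], host: str) -> List[str]:
    """Names of the FSMO roles whose holder is `host` (short name match)."""
    return [role for role, holder in roles.items() if short_name(holder) == host.lower()]


def records_referencing(zone: str, host: str) -> List[Tuple[str, str]]:
    """(owner, type) for every record whose owner or target names `host`."""
    hits: List[Tuple[str, str]] = []
    for line in zone.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        owner, rtype, target = fields[0], fields[1], fields[-1]
        if short_name(owner) == host.lower() or short_name(target) == host.lower():
            hits.append((owner, rtype))
    return hits


def decommission_report(netdom_output: str, zone: str, host: str) -> Dict[str, object]:
    """Summarise what still depends on `host` before it is powered off for good."""
    roles = parse_fsmo(netdom_output)
    held = roles_held_by(roles, host)
    return {
        "pdc_emulator": roles.get("PDC role"),
        "roles_on_host": held,            # must be empty: transfer (or seize) first
        "dns_records": records_referencing(zone, host),  # clean up, then bump the zone serial
        "holds_no_roles": not held,
    }


if __name__ == "__main__":
    report = decommission_report(NETDOM_OUTPUT, ZONE_RECORDS, "rogers4")
    for key, value in report.items():
        print(f"{key:15} {value}")
```

For the thread's data the script confirms what the author concluded: every role sits on rogers2, so from AD's point of view rogers4 holds nothing, and the only thing still naming it is a plain A record. The parser keys on the two-space column gap in netdom's output, so a holder name containing spaces would not be matched; that does not occur for FQDNs.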

Author Comment

ID: 13570779
Ok - removing any reference to the BDC from WINS didn't help.  Of course, there still is a reference in DNS to it (just an A record, no SRV records).  I should probably remove that, too, and see what happens.

Accepted Solution

GinEric earned 2000 total points
ID: 13578506
Replication was what I was talking about.

That and lag for DNS refresh.

The replicator doesn't really care about the DNS all that much, but it does care about finding its replicating partners.

Secondly, all the servers are aware of any of them going down.  They will try to reorganize.  A PDC down should result in an election, etc.  For the BDCs, a who's-who game begins in reorganizing who has second dibs on PDC, and so forth.

A BDC going offline has to announce that to all other controllers before going offline; otherwise, they're left in the lurch wondering if it's going to come back in 5 minutes or so, whether there was a temporary network failure, etc.

Bad serial numbers in DNS will fail to refresh.

When you remove a record, it must be followed by an update and synchronization of the domain.

You have to do the same for DHCP.

The easy answer is to begin capturing packets with something like Ethereal and see what's going on.  Also, in SMS you can use the Network Monitor [same as Ethereal].

I don't know if you have SMS.  It's a very good tool.

Lastly, why the names like "rogers2.virtual.internal"?  Just curiosity really.  I sometimes use .local, but am considering dropping that with Split Brain DNS, something hard to do without BIND.  Trying to use .com network-wide to cut down on forwarding, NAT, etc., and go more split network between private and public.


Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Make the most of your online learning experience.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question