Problems when NT4 BDC removed from AD network

Here's our situation:
1 - Windows 2000 AD domain in mixed mode (first DC is SP2 and second DC is SP4)
2 - One NT4 (SP4) BDC (not running any network service such as WINS or DNS or DHCP)
3 - Exchange 5.5 (SP4) on Win2K SP4 machine
4 - Various Win2K member servers (including a Citrix MetaFrame 1.8 server)
5 - Various XP, Win2K and Win98 clients

I took the BDC offline by just removing it from service.  The next morning, anyone with a PC that was 1)Win98 2)Win2K or 3)WinXP upgraded from Win2K would experience really long login times and actually never get a desktop that would function.  The machines would just hang.  The Upgraded to WinXP machine showed nothing odd in the event logs (when I got in via safe mode).   When using Citrix (off the Win2K server), email would process slowly.  Also, all of the desktops that were built originally with WinXP were doing just fine.  

So, putting 2 and 2 together, I brought the BDC back online and the problem went away.  I couldn't find anything in any event log on either DC to point to the problem.  
With the DC up again, I went to one of the clients and tried it as I shut down each available service that I could shut down on the BDC and it never caused any problems.  So, the server is running but with no user-configurable services running (netlogon, server, RPC locator, computer browser, etc.) and the problem doesn't come back.  It's only when the machine is completely off.

I also tried to remove the Upgraded to XP machine from the domain and re-add it (with the BDC off) but the problem persisted.

Also, on the Upgraded to XP machine, this slow down or hesitation also seemed to be happening when I took the machine out of the domain completely and rebooted it as a workgroup member - which I didn't expect.  That leads me to believe that it's a computer browsing/network service sort of issue but, again, the BDC does not host any.  Maybe there's another network role that I'm missing?

My guess is that it has something to do with the browsing service or communication between the DCs (i.e. they still look for the BDC for some reason and hold up the login of the clients).  

Well, now I need to get this thing offline again at some point.  Is there a cleaner way to remove a BDC from AD, and is it just a matter of removing it and putting the domain in Native Mode to stop this from happening again?  Since you can't go back from Native mode, I want to make sure I get this right the first time.  

Any thoughts would be appreciated.


Are your Windows clients configured to use WINS? Do they reference the BDC specifically in the IP configs? Do you use roaming profiles? Where are they kept?

What about making your Exchange 5.5 server a BDC before dropping the current BDC?
goalie1Author Commented:
Yes, they all use WINS off of one of the Win2K DCs.  No, they don't reference the BDC at all in any config/file share/web site, etc.  but there is a reference in WINS to the BDC.   I'll try taking that static reference out and see what happens.  

No, we don't use roaming profiles.

No can do on making the Exchange 5.5 server a BDC since it's running on Win2K.

Have you moved the PDC emulator role to an AD domain controller?  This role might not have properly transferred in your upgrade process.  Transfer this role over to your Win2K or 2K3 AD domain controller and repeat to see if the problem persists.

I share divi2323's idea!

My guess is you are having a problem with the FSMO roles. After removing the BDC (the NT), check where your PDC FSMO role is located! If you can't find one, then that's definitely your problem. Try either demoting the NT BDC by transferring the BDC role to one of your W2K/W2K3 DCs or switching to native mode. The last option is somewhat dangerous, however, as you can't switch it back! Additionally, it should be done only if there are no more NT Domain Controllers in the network.

Check these links:

Hope this helps ...

I wouldn't switch over to native mode just yet.

First, try to transfer the PDC emulator role to a DC.
If you can't, then take the BDC offline and seize the role.

I wouldn't switch to native mode until you've got the issue resolved.
Everybody is looking for the BDC that's not home anymore.

Packet traffic, ICMPs, broadcasts, ARPs, resolution.  Did you have another BDC replicating?

What are your DNS refresh and synch times?

Just sounds like the PDC still thinks the BDC is around, just can't find it, but it keeps trying, and so do all the other computers.  And since, above, you say the BDC was the DNS, everybody is lost!

Think about it.
Any luck yet?  BDC replication?
goalie1Author Commented:
Let's see if I can sum up my answers:

1 - there are no other BDCs
2 - the original PDC was upgraded to be the first DC in the Forest.
3 - The BDC was never the dns server so I'm not sure what you mean, GinEric.
4 - DNS refresh and sync times.  I assume you're talking about the refresh/retry/expire settings on Win2K DNS?  If so, refresh is 15 minutes, retry is 10 minutes and expires is 1 day.

Ok - I ran the following netdom command with the following results:
C:\>netdom query fsmo
Schema owner                rogers2.virtual.internal
Domain role owner           rogers2.virtual.internal
PDC role                    rogers2.virtual.internal
RID pool manager            rogers2.virtual.internal
Infrastructure owner        rogers2.virtual.internal
The command completed successfully.
Rogers2.virtual.internal is the original PDC that was upgraded to the first DC in the forest and it has all the roles.  So, that means that the troublesome BDC (also known as Rogers4) shouldn't cause any trouble if it's shut down - at least not as far as AD is concerned.  

I just removed any reference to Rogers4 (the BDC) in WINS (which is on Rogers2), and let's see what happens.  I think the oddest thing in this whole equation is that this problem affects newly installed Win2K machines and upgraded-to-XP machines -- not just Windows 98 machines (which is what you might expect).  There's nothing inherently wrong with the network since all of my built-from-scratch XP Pro machines are acting just fine when this BDC goes off-line.  Just some more food for thought.
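The `netdom query fsmo` check above is the right first step before powering off any domain controller, because a role whose owner is gone (or whose line is missing from the output) has to be seized rather than transferred. As an added example, not posted by anyone in this thread, the script below parses that command's output and reports which roles a retiring DC holds. The sample text is the output goalie1 posted, embedded as a string so the script runs offline; the second, truncated sample and the host names `rogers4`/`rogers9` used in the usage call are constructed for illustration. An NT4 BDC cannot hold FSMO roles at all, so this check only covers the AD side of the problem, which is what goalie1 concluded as well.

```python
"""Check `netdom query fsmo` output before taking a domain controller offline.

Parses the five FSMO role lines, then reports (a) roles whose line is missing
from the output and (b) roles held by the DC that is about to be retired.
"""

# Constructed sample: the output posted in the thread, copied verbatim.
SAMPLE_NETDOM_OUTPUT = """\
C:\\>netdom query fsmo
Schema owner                rogers2.virtual.internal
Domain role owner           rogers2.virtual.internal
PDC role                    rogers2.virtual.internal
RID pool manager            rogers2.virtual.internal
Infrastructure owner        rogers2.virtual.internal
The command completed successfully.
"""

# Constructed sample: output with the PDC role line absent, as you would see
# if the role owner could not be contacted or the output was cut short.
TRUNCATED_NETDOM_OUTPUT = """\
Schema owner                rogers2.virtual.internal
Domain role owner           rogers2.virtual.internal
RID pool manager            rogers2.virtual.internal
Infrastructure owner        rogers2.virtual.internal
"""

# Role labels exactly as netdom prints them (Win2K/2K3 era wording).
FSMO_ROLES = (
    "Schema owner",
    "Domain role owner",
    "PDC role",
    "RID pool manager",
    "Infrastructure owner",
)


def parse_fsmo(text):
    """Return {role_label: owner_fqdn_lowercase} for every role line found."""
    roles = {}
    for line in text.splitlines():
        for role in FSMO_ROLES:
            if line.startswith(role):
                owner = line[len(role):].strip()
                if owner:
                    roles[role] = owner.lower()
    return roles


def roles_held_by(roles, host):
    """Roles whose owner is `host`, given either as a short name or an FQDN."""
    host = host.lower()
    return [
        role for role, owner in roles.items()
        if owner == host or owner.startswith(host + ".")
    ]


def decommission_report(text, retiring_host):
    """Summarise whether `retiring_host` can go offline without orphaning a role.

    'safe' is True only when all five roles were parsed and none of them is
    held by the retiring host. Anything held by it must be transferred first
    (or seized afterwards, if the host is already unreachable).
    """
    roles = parse_fsmo(text)
    missing = [role for role in FSMO_ROLES if role not in roles]
    held = roles_held_by(roles, retiring_host)
    return {
        "roles": roles,
        "missing": missing,
        "held_by_retiring": held,
        "safe": not missing and not held,
    }


if __name__ == "__main__":
    # rogers4 is the BDC named in the thread; rogers9 is a constructed name.
    for output, host in ((SAMPLE_NETDOM_OUTPUT, "rogers4"),
                         (TRUNCATED_NETDOM_OUTPUT, "rogers9")):
        report = decommission_report(output, host)
        print(f"retiring {host}: safe={report['safe']}, "
              f"missing={report['missing']}, held={report['held_by_retiring']}")
```

On a live system you would feed the script the real output (for example `netdom query fsmo > fsmo.txt` and read the file) and refuse to shut the DC down unless `safe` is true; the `missing` list is the cue that a role owner is already unreachable and the role will need seizing with `ntdsutil` rather than a normal transfer.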
goalie1Author Commented:
Ok - removing any reference to the BDC from WINS didn't help.  Of course, there still is a reference in DNS to it (just an A record, no SRV records).  I should probably remove that, too, and see what happens.
Replication was what I was talking about.

That and lag for DNS refresh.

The replicator doesn't really care about the DNS all that much, but it does care about finding its replicating partners.

Secondly, all the servers are aware of any of them going down.  They will try to reorganize.  A PDC down should result in an election, etc.  For the BDCs, a who's who game begins in reorganizing who has second dibs on PDC, and so forth.

A BDC going offline has to announce that to all other controllers before going offline; otherwise, they're left in the lurch wondering if it's going to come back in 5 minutes or so, whether there was a temporary network failure, etc.

Bad serial numbers in DNS will fail to refresh.

When you remove a record, it must be followed by update and synchronize the domain.

You have to do the same for DHCP.

The easy answer is to begin capturing packets with something like Ethereal and see what's going on.  Also, in SMS you can use the Network Monitor [same as Ethereal].

I don't know if you have SMS.  It's a very good tool.

Lastly, why the names like "rogers2.virtual.internal"?  Just curiosity, really.  I sometimes use .local, but am considering dropping that with Split Brain DNS, something hard to do without Bind.  Trying to use .com network-wide to cut down on forwarding, NAT, etc., and go more split network between private and public.

