

Problems when NT4 BDC removed from AD network

Posted on 2005-03-14
Medium Priority
Last Modified: 2008-03-04
Here's our situation:
1 - Windows 2000 AD domain in mixed mode (first DC is SP2 and second DC is SP4)
2 - One NT4 (SP4) BDC (not running any network service such as WINS or DNS or DHCP)
3 - Exchange 5.5 (SP4) on Win2K SP4 machine
4 - Various Win2K member servers (including a Citrix MetaFrame 1.8 server)
5 - Various XP, Win2K and Win98 clients

I took the BDC offline by just removing it from service. The next morning, anyone with a PC that was 1) Win98, 2) Win2K or 3) WinXP upgraded from Win2K would experience really long login times and actually never get a desktop that would function. The machines would just hang. The upgraded-to-WinXP machine showed nothing odd in the event logs (when I got in via safe mode). When using Citrix (off the Win2K server), email would process slowly. Also, all of the desktops that were built originally with WinXP were doing just fine.

So, putting 2 and 2 together, I brought the BDC back online and the problem went away.  I couldn't find anything in any event log on either DC to point to the problem.  
With the DC up again, I went to one of the clients and tried it as I shut down each available service that I could shut down on the BDC and it never caused any problems.  So, the server is running but with no user-configurable services running (netlogon, server, RPC locator, computer browser, etc.) and the problem doesn't come back.  It's only when the machine is completely off.

I also tried to remove the Upgraded to XP machine from the domain and re-add it (with the BDC off) but the problem persisted.

Also, on the Upgraded to XP machine, this slow down or hesitation also seemed to be happening when I took the machine out of the domain completely and rebooted it as a workgroup member - which I didn't expect.  That leads me to believe that it's a computer browsing/network service sort of issue but, again, the BDC does not host any.  Maybe there's another network role that I'm missing?

My guess is that it has something to do with the browsing service or communication between the DCs (i.e. they still look for the BDC for some reason and hold up the login of the clients).  

Well, now I need to get this thing offline again at some point. Is there a cleaner way to remove a BDC from AD, and is it just a matter of removing it and putting the domain in Native Mode to stop this from happening again? Since you can't go back from Native mode, I want to make sure I get this right the first time.

Any thoughts would be appreciated.

Question by:goalie1

Expert Comment

ID: 13539612
Are your Windows clients configured to use WINS? Do they reference the BDC specifically in the IP configs? Do you use roaming profiles? Where are they kept?

What about making your Exchange 5.5 server a BDC before dropping the current BDC?

Author Comment

ID: 13539851
Yes, they all use WINS off of one of the Win2K DCs.  No, they don't reference the BDC at all in any config/file share/web site, etc.  but there is a reference in WINS to the BDC.   I'll try taking that static reference out and see what happens.  

No, we don't use roaming profiles.

No can do on making the Exchange 5.5 server a BDC since it's running on Win2K.


Expert Comment

ID: 13539857
Have you moved the PDC emulator role to an AD domain controller? This role might not have properly transferred in your upgrade process. Transfer this role over to your win2k or 2k3 AD domain controller and repeat to see if the problem persists.


Expert Comment

ID: 13540952
I share divi2323's idea!

My guess is you are having a problem with the FSMO roles. After removing the BDC (the NT), check where your PDC FSMO role is located! If you can't find one, then that's definitely your problem. Try either demoting the NT BDC by transferring the BDC role to one of your w2k/w2k3 DCs or switching to native mode. The last option is somewhat dangerous however, as you can't switch it back! Additionally, it should be done only if there are no more NT Domain Controllers in the network.

Check these links:


Hope this helps ...


Expert Comment

ID: 13541257
I wouldn't switch over to native mode just yet.

First, try to transfer the PDC emulator role to a DC.
If you can't, then take the BDC offline and seize the role.

I wouldn't switch to native mode until you've got the issue resolved.

Expert Comment

ID: 13541638
Everybody is looking for the BDC that's not home anymore.

Packet traffic, ICMPs, broadcasts, ARPs, resolution. Did you have another BDC replicating?

What are your DNS refresh and synch times?

Just sounds like the PDC still thinks the BDC is around, just can't find it, but it keeps trying, and so do all the other computers. And since, above, you say the BDC was the DNS, everybody is lost!

Think about it.

Expert Comment

ID: 13570698
Any luck yet?  BDC replication?

Author Comment

ID: 13570762
Let's see if I can sum up my answers:

1 - there are no other BDCs
2 - the original PDC was upgraded to be the first DC in the Forest.
3 - The BDC was never the dns server so I'm not sure what you mean, GinEric.
4 - DNS refresh and sync times.  I assume you're talking about the refresh/retry/expire settings on Win2K DNS?  If so, refresh is 15 minutes, retry is 10 minutes and expires is 1 day.

Ok - I ran the following netdom command with the following results:
C:\>netdom query fsmo
Schema owner                rogers2.virtual.internal
Domain role owner           rogers2.virtual.internal
PDC role                    rogers2.virtual.internal
RID pool manager            rogers2.virtual.internal
Infrastructure owner        rogers2.virtual.internal
The command completed successfully.
Rogers2.virtual.internal is the original PDC that was upgraded to the first DC in the forest and it has all the roles.  So, that means that the troublesome BDC (also known as Rogers4) shouldn't cause any trouble if it's shut down - at least not as far as AD is concerned.  

I just removed any reference to Rogers4 (the BDC) in WINS (which is on Rogers2) and let's see what happens. I think the oddest thing in this whole equation is that this problem affects newly installed Win2K machines and upgraded-to-XP machines -- not just Windows 98 machines (which is what you might expect). There's nothing inherently wrong with the network since all of my built-from-scratch XP Pro machines are acting just fine when this BDC goes off-line. Just some more food for thought.

Author Comment

ID: 13570779
Ok - removing any reference to the BDC from WINS didn't help.  Of course, there still is a reference in DNS to it (just an A record, no SRV records).  I should probably remove that, too, and see what happens.

Accepted Solution

GinEric earned 2000 total points
ID: 13578506
Replication was what I was talking about.

That and lag for DNS refresh.

The replicator doesn't really care about the DNS all that much, but it does care about finding its replicating partners.

Secondly, all the servers are aware of any of them going down. They will try to reorganize. A PDC down should result in an election, etc. For the BDCs, a who's who game begins in reorganizing who has second dibs on PDC, and so forth.

A BDC going offline has to announce that to all other controllers before going offline; otherwise, they're left in the lurch wondering if it's going to come back in 5 minutes or so, whether there was a temporary network failure, etc.

Bad serial numbers in DNS will fail to refresh.

When you remove a record, it must be followed by updating and synchronizing the domain.

You have to do the same for DHCP.

The easy answer is to begin capturing packets with something like Ethereal and see what's going on.  Also, in SMS you can use the Network Monitor [same as Ethereal].

I don't know if you have SMS.  It's a very good tool.

Lastly, why the names like "rogers2.virtual.internal"? Just curiosity really. I sometimes use .local, but am considering dropping that with Split Brain DNS, something hard to do without Bind. Trying to use .com network wide to cut down on forwarding, NAT, etc., and go more split network between private and public.
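A pre-shutdown check that covers the two things the thread converges on: the advice to confirm the PDC emulator and the other FSMO roles sit on a Windows 2000 DC before the BDC goes away, and GinEric's point that the remaining controllers keep looking for a replication partner and for stale DNS entries. This is an added example, not code from any poster; it assumes PowerShell 3 or later on a domain-joined Windows host with rights to read AD and DNS, the BDC name ROGERS4 comes from the thread, and the cleanup hints in the warnings are the usual ones rather than steps the thread spells out.

```powershell
# Added example, not from the thread. Checks whether an NT4 BDC can be taken offline
# without leaving the AD domain still looking for it: FSMO roles, DC accounts, DNS.
# Assumes PowerShell 3+ on a domain-joined host with read rights to AD and DNS.
param(
    [string]$RetiredBdc = 'ROGERS4'   # BDC named in the thread; replace with yours
)

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest   = $domain.Forest
$fqdn     = "$RetiredBdc.$($domain.Name)"
$problems = @()

# 1. Every FSMO role must be on an AD DC, never the NT4 box (same data as netdom query fsmo).
$roles = [ordered]@{
    'Schema owner'         = $forest.SchemaRoleOwner.Name
    'Domain role owner'    = $forest.NamingRoleOwner.Name
    'PDC role'             = $domain.PdcRoleOwner.Name
    'RID pool manager'     = $domain.RidRoleOwner.Name
    'Infrastructure owner' = $domain.InfrastructureRoleOwner.Name
}
foreach ($r in $roles.GetEnumerator()) {
    '{0,-22} {1}' -f $r.Key, $r.Value
    if ($r.Value -ieq $fqdn) {
        $problems += "$($r.Key) is still held by $RetiredBdc; transfer it (or seize it once the BDC is off) first."
    }
}

# 2. In mixed mode the PDC emulator still replicates to NT4 BDCs. A BDC has no NTDS settings
#    object, but it does have a computer account flagged SERVER_TRUST_ACCOUNT (0x2000), so
#    list those accounts: a leftover one keeps the PDC emulator hunting for the missing box.
$filter     = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$dcAccounts = ([adsisearcher]$filter).FindAll() | ForEach-Object { $_.Properties['name'][0] }
"DC accounts in AD: $($dcAccounts -join ', ')"
if ($dcAccounts -icontains $RetiredBdc) {
    $problems += "$RetiredBdc still has a DC computer account; demote it or delete the account (assumed cleanup)."
}

# 3. A stale A record keeps clients resolving and timing out against a machine that is gone.
try {
    $addr = ([System.Net.Dns]::GetHostEntry($fqdn)).AddressList[0].IPAddressToString
    $problems += "Stale A record: $fqdn still resolves to $addr; remove it from DNS."
} catch { "No DNS A record for $fqdn (good)." }

# 4. Report. Raising the domain to native mode is one-way; do it only once this list is empty.
"Domain mode: $($domain.DomainMode)"
if ($problems.Count -gt 0) { $problems | ForEach-Object { "WARNING: $_" } }
else { "No reference to $RetiredBdc found; safe to take it offline." }
```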

