Removing Servers from a domain without a DC? Or even an active Domain?

Posted on 2007-10-19
Last Modified: 2013-12-04
This is a strange thing that hopefully can be explained.

In a Win Server 2003 domain, I had to rebuild the servers. Everything was rebuilt from scratch, starting with the first DC in the new domain. Even though we used the same domain name (xyz.local), I knew that all servers had to be rebuilt and joined to the new domain, as the security identifiers on the new DCs were different from the old domain.

Here is the problem/question: There were two member servers from the old domain that I could not rebuild for specific reasons. I decided (after I created the new domain) to remove these two servers from the old domain, make them members of a workgroup, then have them rejoin the new domain.

In order to have these servers exit the old domain and become part of a workgroup, the server popped up a window asking for the credentials of a user with rights to let me perform this function (administrator rights). This was panic time, as the old domain did not exist any longer, and even though the name of the new domain was the same, it was logically a different domain.

After entering the username and password of the old domain's admin, the member server said "Welcome to the xxxxxx workgroup." It actually performed the function based on the credentials of the old domain.
I then did the same thing on the second server, while logged in locally instead of to the domain. This time I used the credentials of the local admin, and it also allowed for removal from the domain. Remember, the old domain no longer existed!

Is this working as designed? I thought that you could not perform domain functions, such as adds, moves, and changes, without having a functioning DC from the same domain. This sounds like a security issue, if these servers allow for domain joins/ removals such as this scenario.

Any insight will be invaluable for future rebuilds!

Question by:rickgiguere
    LVL 8

    Accepted Solution

"There were two member servers from the old domain that I could not rebuild for specific reasons."

Since these were just member servers and not actual DCs, the credentials from the last logons stayed on the computer. For example, you can take a computer off of the network and still be able to log on to the computer without being hooked up.
    LVL 30

    Assisted Solution

If you have local administrator credentials on the box, you can change its domain/workgroup membership with impunity. When you are prompted for domain credentials it is to attempt to connect to the domain in question and gracefully remove the computer account from the domain that it is being removed from. This operation isn't a show-stopper in terms of changing domain/workgroup membership, though; if it were unable to contact the domain in question you would simply get a pop-up to the effect of "Hi, couldn't contact domain, so you may need to go and do some manual cleanup. Now let's put you in that workgroup like you asked."

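Worked example, added here for the two answers above (cached logons on the member server, and the unjoin going through on local admin rights when no DC answers); it is not code from either answerer or from the original poster. It assumes a Windows Server 2012 or later member server with PowerShell 3.0+ (Server 2003 as in the question has no PowerShell; the System Properties dialog and netdom drive the same API), that it is run as a local administrator, and that the workgroup name and the function name Leave-DomainSafely are the author's choices. Whether Remove-Computer without -UnjoinDomainCredential performs a purely local unjoin, as assumed in the fallback branch, should be confirmed on the target OS before relying on it.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012+ / PowerShell 3.0+
# (Remove-Computer, Test-ComputerSecureChannel, Get-CimInstance) and local admin rights.
function Leave-DomainSafely {
    param(
        [string]$WorkgroupName = 'WORKGROUP',   # target workgroup (assumed name)
        [System.Management.Automation.PSCredential]$DomainCredential = $null   # optional
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning "$($cs.Name) is already in workgroup $($cs.Workgroup); nothing to do."
        return
    }
    $domain = $cs.Domain

    # Cached domain logons are why the old domain admin's password was still accepted
    # after its DCs were gone. The Winlogon value controls how many are kept (default 10).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
    Write-Host "Member of $domain; CachedLogonsCount = $cached"

    # Can this machine account still reach a DC of its domain over a valid secure channel?
    # In the rebuilt-domain scenario the new DCs share the name but not the SID, so the
    # channel is broken and this returns $false.
    $dcReachable = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    Write-Host "Secure channel to $domain usable: $dcReachable"

    if ($dcReachable -and $DomainCredential) {
        # Graceful path: the domain credential is used only to disable the computer
        # account in AD; local admin rights are what authorise the membership change.
        Remove-Computer -WorkgroupName $WorkgroupName -UnjoinDomainCredential $DomainCredential `
                        -Force -PassThru -Verbose
    } else {
        # No usable DC (or no domain credential): change membership locally only, which
        # is what the thread observed. If the domain still exists, the orphaned computer
        # object must be removed by hand (ADUC or Remove-ADComputer).
        Write-Warning "No usable DC for $domain; unjoining locally. Clean up the computer account manually."
        Remove-Computer -WorkgroupName $WorkgroupName -Force -PassThru -Verbose
    }
    # Reboot (Restart-Computer) before rejoining the rebuilt domain with Add-Computer.
}

# Usage: Leave-DomainSafely -WorkgroupName 'WORKGROUP' -DomainCredential (Get-Credential 'XYZ\Administrator')
```

Two points the check above makes visible. First, the old domain credential being accepted proves nothing about the old domain: it is validated against the locally cached verifier, and it authorises nothing beyond what the local admin could already do, so lowering CachedLogonsCount on servers is a hardening choice, not a fix for this behaviour. Second, in the poster's case the old domain no longer exists, so there is no computer object to clean up; when a domain is merely unreachable rather than gone, the leftover account is the thing to remember.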
    Author Comment

Holy cow, those answers were fast!
    And very complete! Many thanks to the both of you.
    This answers the mystery for me. Thanks again.
