Removing Servers from a domain without a DC? Or even an active Domain?

This is a strange thing that hopefully can be explained.

In a Win Server 2003 domain, I had to rebuild the servers. Everything was rebuilt from scratch, starting with the first DC in the new domain. Even though we used the same domain name (xyz.local), I knew that all servers had to be rebuilt and joined to the new domain, as the security identifiers on the new DC's were different from the old domain.

Here is the problem/question: There were two members servers from the old domain that I could not rebuild for specific reasons. I decided (after I created the new domain) to remove these two servers from the old domain, make them members of a workgroup, then have them rejoin the new domain.

In order to have these servers exit the old domain and become part of a workgroup, the server popped up a window  asking for the credentials of a user with rights to let me perform this function (administrator rights). This was panic time, as the old domain did not exist any longer, and even thought the name of the new domain was the same, it was logically a different domain.

After entering the username and password of the old domains admin, the member server said "Welcome to the "xxxxxx" workgroup. It actually performed the function based on the credentials of the old domain.
I then did the same thing on the second server, while logged in locally instead of to the domain. This time I used the credentials of the local admin, and it also allowed for removal from the domain. Remember, the old domain no longer existed!

Is this working as designed? I thought that you could not perform domain functions, such as adds, moves, and changes, without having a functioning DC from the same domain. This sounds like a security issue, if these servers allow for domain joins/ removals such as this scenario.

Any insight will be invaluable for future rebuilds!

Who is Participating?
There were two members servers from the old domain that I could not rebuild for specific reasons.<<<

Since these were just member servers and not actual dcs then the credentials from the last logons stayed on the computer. For example you can take a computer off of the network and still be able to logon to the computer without being hooked up.
If you have local administrator credentials on the box, you can change its domain/workgroup membership with impunity.  When you are prompted for domain credentials it is to attempt to connect to the domain in question and gracefully remove the computer account from the domain that it is being removed from.  This operation isn't a show-stopper in terms of changing domain/workgroup membership, though; if it were unable to contact the domain in question you would simply get a pop-up to the effect of "Hi, couldn't contact domain, so you may need to go and do some manual cleanup.  Now let's put you in that workgroup like you asked."
rickgiguereAuthor Commented:
Wholy Cow, those answers were fast!
And very complete! Many thanks to the both of you.
This answers the mystery for me. Thanks again.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.