Removing Servers from a domain without a DC? Or even an active Domain?
Posted on 2007-10-19
This is a strange thing that hopefully can be explained.
In a Win Server 2003 domain, I had to rebuild the servers. Everything was rebuilt from scratch, starting with the first DC in the new domain. Even though we used the same domain name (xyz.local), I knew that all servers had to be rebuilt and joined to the new domain, as the security identifiers on the new DC's were different from the old domain.
Here is the problem/question: There were two member servers from the old domain that I could not rebuild for specific reasons. I decided (after I created the new domain) to remove these two servers from the old domain, make them members of a workgroup, then have them rejoin the new domain.
In order to have these servers exit the old domain and become part of a workgroup, the server popped up a window asking for the credentials of a user with rights to let me perform this function (administrator rights). This was panic time, as the old domain did not exist any longer, and even though the name of the new domain was the same, it was logically a different domain.
After entering the username and password of the old domain's admin, the member server said "Welcome to the xxxxxx workgroup." It actually performed the function based on the credentials of the old domain.
I then did the same thing on the second server, while logged in locally instead of to the domain. This time I used the credentials of the local admin, and it also allowed for removal from the domain. Remember, the old domain no longer existed!
Is this working as designed? I thought that you could not perform domain functions, such as adds, moves, and changes, without having a functioning DC from the same domain. This sounds like a security issue, if these servers allow for domain joins/removals such as this scenario.
Any insight will be invaluable for future rebuilds!
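The leave-domain / join-workgroup / rejoin procedure described in the post, scripted as an added example (editor's own code, not from the original post). It uses the Win32_ComputerSystem WMI methods, which are present on Windows Server 2003 and later, and it makes the point behind the question visible: domain membership is local state (the machine-account password held by LSA), and the credential prompt at unjoin time is only needed when the server is also asked to disable its computer account in AD. With FUnjoinOptions = 0 no DC is contacted at all, so local Administrator rights are sufficient. The domain name "xyz.local" comes from the post; the workgroup name, the account name and the reboot between the two steps are assumptions. Run each function elevated on the member server itself.

```powershell
# Added example (editor's, not from the original post). Assumes Windows PowerShell
# on Windows Server 2003 or later; "WORKGROUP" and the account name are placeholders.

# Step 1 (run, then reboot): leave the old domain and join a workgroup.
function Leave-OldDomain {
    param([string]$WorkgroupName = "WORKGROUP")   # placeholder workgroup name

    $cs = Get-WmiObject -Class Win32_ComputerSystem
    # Membership is local state, so this answers without any DC being reachable.
    "Before: Name={0} PartOfDomain={1} Domain={2}" -f $cs.Name, $cs.PartOfDomain, $cs.Domain

    # FUnjoinOptions = 0: do NOT try to disable the computer account in AD, so no
    # DC is contacted and no domain credential is passed. NETSETUP_ACCT_DELETE (4)
    # would need a DC of the old domain, which no longer exists.
    $rc = $cs.UnjoinDomainOrWorkgroup($null, $null, 0).ReturnValue
    if ($rc -ne 0) { throw "UnjoinDomainOrWorkgroup failed with Win32 code $rc" }

    # FJoinOptions without NETSETUP_JOIN_DOMAIN (1) set means "join a workgroup".
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $rc = $cs.JoinDomainOrWorkgroup($WorkgroupName, $null, $null, $null, 0).ReturnValue
    if ($rc -ne 0) { throw "Joining workgroup $WorkgroupName failed with Win32 code $rc" }

    "Now a member of workgroup $WorkgroupName; reboot before rejoining the domain."
}

# Step 2 (after the reboot): join the rebuilt xyz.local.
function Join-NewDomain {
    param(
        [string]$DomainName = "xyz.local",                 # domain name from the post
        [string]$UserName   = "xyz.local\Administrator"    # placeholder; must exist in the NEW domain
    )

    $secure = Read-Host "Password for $UserName" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    # NETSETUP_JOIN_DOMAIN (1) + NETSETUP_ACCT_CREATE (2) = 3: a brand-new computer
    # object is created in the rebuilt AD. Only the new domain's DCs can answer,
    # so only an account from the new domain can succeed here; the old domain's
    # SIDs play no part.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $rc = $cs.JoinDomainOrWorkgroup($DomainName, $plain, $UserName, $null, 3).ReturnValue
    $plain = $null
    if ($rc -ne 0) { throw "Joining $DomainName failed with Win32 code $rc" }

    "Joined $DomainName; rebooting."
    shutdown /r /t 0
}
```

A non-zero ReturnValue is a plain Win32 error code (for example 1355 = ERROR_NO_SUCH_DOMAIN, 5 = ERROR_ACCESS_DENIED), which is the quickest way to tell "no DC could be found" apart from "wrong credentials" when a rejoin fails.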