
Win2003 dc & workstations freeze-ups

We used to have 2 Domain Controllers on the network: one is Win 2003 and another one is Win 2000. All the workstations are Windows XP. We replaced the Windows 2000 DC with a new Windows 2003 DC during xmas but had a problem when we tried to demote the W2K DC, so the Win2K DC was not demoted and my colleague just powered it off and unplugged it from the network. Since then we have had intermittent network problems: the workstations and servers often hang; the servers seem to recover after 10 - 20 minutes, but the workstations had to be rebooted; Internet Explorer often loads up with a Visio basic debug message, and if users click no, then Internet Explorer closes itself; it is very slow to access any documents saved on the server. We checked everything we could think of, but could not find out what's causing the problems. I had 3 consultants on-site and they could not find the problem either.

Your help is much appreciated


First thing to check is your DNS. Check the TCP/IP properties for the LAN connection: the DNS server should point to itself, then in DNS you should have a forwarder pointing to your ISP DNS server.
Also, when you brought the new server up, did you also make it a global catalog server? Did you run adprep and forest prep on the old box?
What happened when you tried to demote it?


Thank you very much for your reply. My colleague did not tell me how he did it even though I asked him many times, so I did not know the details. I checked the DNS; it is pointing to itself and another Win2003 DC (we have two DNS servers all the time). I found out a few problems with DNS and DHCP, but all have been fixed. But the 2 DCs and workstations seem to have the same problem. How can I check whether the new DC is a global catalog server?

Regarding the old Win2K DC, I do not think he has done anything to it. When I asked him why he did not demote the W2K DC, he said he could not because the old DC looked for the Win2003 DC (not the new one) and could not establish the connection. So he unplugged it from the network and powered the old Win2K DC off. I asked whether we could put the Win2K DC back on the network; he said that's impossible coz the AD is corrupted.

Global catalog -
Active Directory Sites and Services > Sites > Default First Site name > Servers > Servername > right click, and on the General tab there should be a check mark in Global catalog.
You can have both DCs as global catalogs.

Also, you should download and run dcdiag to see what issues it reports.

What issues did you fix for DNS/DHCP?
Also, it is best to have the DNS server point to itself with NO alternate DNS server in TCP/IP properties, then in the forwarder section of DNS set this up to go out to your ISP DNS.


Both DCs are global catalog servers. I tried that on the old DC & the new one. It passed the netdiag completely. With dcdiag I had one error message on both DCs:


An error event occured. Event ID: 0x00000457. Time generated:
01/23/2008 09:42:10
<Event String could not be retrived>
<DCname> failed test systemlog

But I thought this is just a report of a failure from the Event Logs, usually nothing too much to worry about. There are not any serious errors or warnings logged in the event logs when I checked on the two DCs except "Application Hang (101)"; all the workstations have the same error message in the event log.

When the issue occurs do you have any error logs?


Yes, the only error message I am getting is "Application Hang" for the DCs and workstations.

Here is how to remove the left over from the old DC



When I changed the forwarders to our ISP's DNS, the Microsoft website does not work. So I changed it back to the current ones, which I do not quite understand though.

Also found more error messages in Directory Service and I am attaching the file. It does say it may slow down the network.

Did you clean up AD by using the link above? It cleans up metadata when domain controllers are just taken off the network without demotion.
Also, in regards to the forwarder, what DNS server provides lookup to the clients now? Root hints?
Your ISP's DNS should work just fine unless they blacklist MS for some reason, but I doubt that's the case. After you changed the forwarders, did you do an ipconfig /flushdns on the client machine?


All the metadata has been cleaned up a while ago. Thanks.

I tried to demote the old win2k dc again.  I had the error message:

The operation failed because:

Failed finding a suitable domain controller for the domain <domainname>

"The security database on the server does not have a computer account for this workstation trust relationship"

Do you think the NTDS replication error causes the network to hang?

It's very possible that's what's causing the hang-up.
Can you nail down a time when the issue occurs? Do you have corresponding error logs (for replication) during the same time?

Here is another article on removing a dead domain controller


I cleared up all the metadata already. But the network still has exactly the same problem. When I noticed the replication error messages, I raised the domain and forest functional level to Windows 2003 because it used to be Windows 2000 native. It did not solve the problem.

When the network freezes you start getting those messages in AD replication right?


It is difficult to say coz workstations often freeze up around 12.00pm afterwards. It might be coincidence now as we had the same error messages before and the network worked perfectly. It's driving everybody mad.

Short of rebuilding the domain I am out of ideas.  Did you give MS a call?


I am thinking of giving MS a call. Thank you very much for all your help.

Anytime. Post back with steps taken and a resolution if one is found.
PAQed with points refunded (500)

EE Admin
