Can't completely remove Windows 2003 domain controller after demoting it using dcpromo

Posted on 2013-11-21
Medium Priority
Last Modified: 2013-11-24

I have successfully added a new Windows 2008 R2 domain controller to my existing domain/forest.

Before this DC was introduced, I had only one root Windows 2003 DC, and I have transferred all FSMO roles and waited 6 weeks before disjoining it from the domain and physically removing it.

I then upgraded my domain to the Windows 2008 R2 domain and forest functional level.

Okay, now I am having weird issues with Group Policy where my policies won't apply to groups but only single user accounts!

I have another thread opened called "Can't Get My Screen Saver to work right" and after much troubleshooting on that thread, I have come to the realization that my issue has greatly to do with the fact that my Windows 2003 DC has not been completely removed from AD or wherever it may still have a trace.

I need help.

I have done the following:

I have just recently gone through my DNS on my Win 2008 R2 DC and completely removed all traces of the old Win 2003 server from EVERYWHERE.

What else should I do?

I never ran ntdsutil to remove the metadata from the Win 2003 DC before physically removing it.  I hope there is still another way I can completely remove any and all traces of this damn server.

Please help.

Question by:JB Blanco

Expert Comment

by:Lee W, MVP
ID: 39667007
"I have come to the realization that my issue has greatly to do with the fact that my Windows 2003 DC has not been completely removed from AD or wherever it may still have a trace."

HOW?  HOW have you come to this realization?  What led you to believe this is because of the 2003 system and not because of another reason?  Were there event log entries?  Did something say it was having trouble reaching the 2003 DC?

Have you checked the health of the AD using DCDIAG?  Have you confirmed your clients aren't still using the IP address of the removed DC for DNS?  Did you remember to make the new DC(s) Global Catalog servers?
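
The checks asked about above, plus a look for the leftover metadata the question mentions, as an added read-only PowerShell example (not posted by anyone in this thread). `OLD-DC01` and `192.0.2.10` are placeholders for the removed server's name and former address, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: read-only checks for leftovers of a removed domain controller.
# Run on a current DC (or a machine with RSAT) as a domain user.
Import-Module ActiveDirectory

$OldDcName = 'OLD-DC01'      # placeholder: name of the removed server
$OldDcIp   = '192.0.2.10'    # placeholder: its former IP address

$domain   = Get-ADDomain
$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. FSMO role holders: none should still name the removed server.
$roles = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $flag = if ($r.Value -like "$OldDcName*") { 'STALE' } else { 'ok' }
    '{0,-21} {1,-40} {2}' -f $r.Key, $r.Value, $flag
}

# 2. Metadata: the old server object under Sites and anything beneath it.
#    An NTDS Settings (nTDSDSA) child is what ntdsutil metadata cleanup removes.
Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$OldDcName))" |
    ForEach-Object { Get-ADObject -SearchBase $_.DistinguishedName -LDAPFilter '(objectClass=*)' } |
    Select-Object ObjectClass, DistinguishedName

# 3. Leftover computer account for the old server.
Get-ADComputer -LDAPFilter "(cn=$OldDcName)" | Select-Object DistinguishedName

# 4. Every remaining DC and whether it is a Global Catalog.
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog

# 5. DNS: SRV records that still advertise the old server as a DC.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" |
    Select-String -SimpleMatch $OldDcName

# 6. On a client: adapters still pointing at the old server for DNS.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.DNSServerSearchOrder -contains $OldDcIp } |
    Select-Object Description, DNSServerSearchOrder

# 7. Overall AD health; /q prints only errors.
dcdiag /q
```

Any output from steps 2, 3, 5 or 6, or a STALE flag in step 1, is a remaining reference to the old server.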

Author Comment

by:JB Blanco
ID: 39667371
Sorry, please understand that in my other thread I did and explained all this, and that's why I don't feel like repeating myself.

Here, have a look


Author Comment

by:JB Blanco
ID: 39667397
To answer your question,

nothing is really telling me that it's having trouble reaching the 2003 DC; it's just that I can't think of what else might be causing the problem I'm having.

Right now I just added a new Win 2008 R2 DC into my existing domain.

Now I have 2 Win 2008 R2 DCs in my forest.

I'm gonna play around with Group Policy and see if I am still having the issues.


Author Comment

by:JB Blanco
ID: 39667434
Basically, my real issue is that my screen saver GPO is not applying to user groups, only single user accounts.

If you read my other thread

you will see all the troubleshooting that has been done.

Expert Comment

by:Esteban Blanco
ID: 39667698
Wow.  The response was not very nice in my opinion.  I spent days with him on this leew.  I asked for logs to see if we could find out why this was happening.  We looked at several avenues.  Read the thread and enlighten us please because I see you are very good at what you do and you have proven results.  So help us here.

I asked him if all of the FSMO roles had been moved.  I asked for logs.  I told him to use a test machine and rejoin it to the domain.  I asked him to create a separate OU and GPO for the specific screensaver.  I asked him to send me screenshots.  I showed him best practices articles used in my company when we set up clients.  I requested for others to chime in and another expert agreed that the 2003 server could be part of the issue.  I asked if the machines were hard coded to the other server.  So that is HOW he came to that conclusion.  I hope that clears it up.

Now, can you help him leew?  I would love to learn as well and put a new trick in my toolbox.

Accepted Solution

Esteban Blanco earned 2000 total points
ID: 39668998
The fix was to take the extra screen saver policy and apply it to the default domain policy instead. The environment is 10 computers. No need to have a specific GPO for it when you can do it at the top level.
