#1
About 3 weeks ago I replaced a Win2003 DC with a newer/faster machine. The old/slow one was shut down after transferring FSMO roles, DNS etc. The new server runs fine for about 3 weeks without the old one being online so I thought it is time to get rid of ALL entries in the DNS that point to the old/slow server.

What exactly does _msdcs folder do? I am NOT talking about the following folder:

Forward Lookup Zones
    _msdcs.my-domain.com

... but I'm talking about this one:

Forward Lookup Zones
    my-domain.com
        _msdcs

When I look at the properties, there was an entry "WS2003TEMP.my-domain.com" with IP address 192.168.1.236.

I deleted that entry and manually added New2003SRVR.my-domain.com at IP 192.168.1.20.

Now I can't see the Security tab entries. It shows "Unable to display security information." Why is that? Is it normal?

#2
Ron wrote:
> About 3 weeks ago I replaced a Win2003 DC with a newer/faster machine.
> The old/slow one was shut down after transferring FSMO roles, DNS etc.
> The new server runs fine for about 3 weeks without the old one being
> online so I thought it is time to get rid of ALL entries in the DNS
> that point to the old/slow server.
>
> What exactly does _msdcs folder do? I am NOT talking about the
> following folder:
>
> Forward Lookup Zones
>     _msdcs.my-domain.com
>
> ... but I'm talking about this one:
>
> Forward Lookup Zones
>     my-domain.com
>         _msdcs
>
> When I look at the properties, there was an entry
> "WS2003TEMP.my-domain.com" with IP address 192.168.1.236.
>
> I deleted that entry and manually added New2003SRVR.my-domain.com at
> IP 192.168.1.20.
>
> Now I can't see the Security tab entries. It shows "Unable to display
> security information." Why is that? Is it normal?

I take it that you just transferred the Roles, and turned the old DC off?

Did you run Dcpromo on it to demote it out of the domain as a Domain Controller? If not, reconnect it, turn it on and run DCpromo; that will remove it from Active Directory and it should de-register its records.

As far as the _msdcs subdomain, that is a delegation that has NS records for all DNS servers that have the full _msdcs.my-domain.com zone. Again, once you demote it out of AD as a DC it should remove its NS record from the delegation, too.

Also, did you make the new server a Global Catalog in AD Sites & Services?

All of these things must be done or the old DC will haunt you from now on until it is removed from Active Directory, because the new DC will try to replicate to it.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s
===================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue, to respond directly to me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix: It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders with OEBackup:
http://www.oe.com/OEBackup/Default.aspx
===================================

#3
Kevin D. Goodknecht Sr. [MVP] wrote:
> I take it that you just transferred the Roles, and turned the old DC off?

No. I transferred FSMO roles and demoted the old DC. Then turned it off.

> Did you run Dcpromo on it to demote it out of the domain as a Domain
> Controller?

Yes I did run dcpromo on the old server after transferring FSMO roles to the new server and making the new server a GC server.

> If not, reconnect it, turn it on and run DCpromo; that will remove it from
> Active Directory and it should de-register its records.

That's the problem. After demoting the old server, the old server records are still intact in the DNS. That is why I manually deleted the records.

> As far as the _msdcs subdomain, that is a delegation that has NS records for
> all DNS servers that have the full _msdcs.my-domain.com zone. Again, once
> you demote it out of AD as a DC it should remove its NS record from the
> delegation, too.

I would think so too but the old server record is intact in that folder. It shows:

Name: (same as parent folder)
Type: Name Server (NS)
Data: WS2003TEMP.my-domain.com

WS2003TEMP is the old server. I manually removed WS2003TEMP and added the new server into the list of Name Servers.

> Also, did you make the new server a Global Catalog in AD Sites & Services?

Yes I did make it a GC when the old DC was still online.

> All of these things must be done or the old DC will haunt you from now on
> until it is removed from Active Directory, because the new DC will try to
> replicate to it.

I don't see any errors or warnings in the event logs. I'm just curious why I can't see the security information under Security tab as I mentioned earlier.

#4
Ron wrote:
> I don't see any errors or warnings in the event logs. I'm just curious
> why I can't see the security information under Security tab as I
> mentioned earlier.

It is typically a DNS issue like incorrectly using an external DNS in TCP/IP properties.
Do the dcdiag and netdiag tests all pass?

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]

#5
Kevin D. Goodknecht Sr. [MVP] wrote:
> Ron wrote:
>
>> I don't see any errors or warnings in the event logs. I'm just curious
>> why I can't see the security information under Security tab as I
>> mentioned earlier.
>
> It is typically a DNS issue like incorrectly using an external DNS in TCP/IP
> properties.
> Do the dcdiag and netdiag tests all pass?

2 external DNS IP addresses (our ISP's DNS) are set in the Win2003 DNS Forwarders tab.

I did a dcdiag /v and dcdiag /test:dns, both passed. Netdiag /v also passed. No indication of errors, warnings, failures etc.

I haven't restarted the server since I removed old DNS records. If things work normally after rebooting the server, I guess I'll just ignore it.
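
An added example, not part of any post in this thread: a Python check that scans a text export of the my-domain.com zone for NS, SRV, CNAME and A records still pointing at the demoted DC, instead of hunting for them by hand in the DNS console. The zone text is a constructed sample in RFC 1035 master-file style, and `find_stale` and `fqdn` are names chosen for this example; only the host names and IP addresses come from the thread.

```python
import re

# Constructed sample zone text (assumption: master-file style export).
ZONE_TEXT = """\
$ORIGIN my-domain.com.
@            3600 IN NS   new2003srvr.my-domain.com.
_msdcs       3600 IN NS   ws2003temp.my-domain.com.   ; delegation NS
_msdcs       3600 IN NS   new2003srvr.my-domain.com.
_ldap._tcp   600  IN SRV  0 100 389 new2003srvr.my-domain.com.
             600  IN SRV  0 100 389 WS2003TEMP.my-domain.com.
new2003srvr  3600 IN A    192.168.1.20
ws2003temp   3600 IN A    192.168.1.236
"""

# owner (may be blank = same as previous), optional TTL, optional class, type, rdata
RR = re.compile(r"^(\S*)\s+(?:\d+\s+)?(?:IN\s+)?(NS|A|SRV|CNAME)\s+(.+?)\s*$", re.I)

def fqdn(name, origin):
    """Lower-case a name and make it absolute relative to the zone origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"

def find_stale(zone_text, old_host, old_ip):
    """Return (owner, type, rdata) for every record that targets the old DC."""
    origin, owner, hits = "", "", []
    old_host = old_host.lower().rstrip(".")
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].rstrip()          # drop comments
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].lower().rstrip(".")
            continue
        m = RR.match(line)
        if not m:
            continue                                   # SOA, blank lines, etc.
        owner = fqdn(m.group(1), origin) if m.group(1) else owner
        rtype, rdata = m.group(2).upper(), m.group(3)
        if rtype == "A":
            stale = rdata == old_ip
        else:                                          # NS/CNAME target, or last SRV field
            stale = fqdn(rdata.split()[-1], origin) == old_host
        if stale:
            hits.append((owner, rtype, rdata))
    return hits

if __name__ == "__main__":
    for hit in find_stale(ZONE_TEXT, "WS2003TEMP.my-domain.com", "192.168.1.236"):
        print(*hit)
```
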