We have a Server 2003 SP2 (not R2) box that we're trying to decommission. The guy originally assigned to do this is no longer with the company, so we don't know how far he got. It used to hold some licensing roles, and was a Domain Controller. It was cleanly (or so it seemed) dcpromo'd and demoted over a year ago, and the licensing roles have either been moved or determined to be redundant. It's not clear if this server was doing anything else, but as management are extremely risk-averse, just turning it off and seeing who screams is not an option. So I fired up Wireshark to see if anything was still talking to it, and found that some workstations are still trying to find the netlogon share on this server.
Trans2 Request, GET_DFS_REFERRAL, File: \serverFQDN\netlogon
Trans2 Response, GET_DFS_REFERRAL, Error STATUS_NO_SUCH_DEVICE
Tree Connect Andx Request, Path: \\serverFQDN\NETLOGON
Tree Connect Andx Response, Error: STATUS_BAD_NETWORK_NAME
I've confirmed that the share doesn't exist on this server. There are no lingering traces in DNS that point to this server as a DC. There are no DHCP options pointing to this server (it may have hosted DHCP at some time, this is unclear). I've run dcdiag across all of our DC's and can find no references to this server, and no errors. I've checked Sites and Services, no references to it there. I've looked at the event logs of a couple of the workstations at the time these packets are captured, and can see nothing out of the ordinary. I've investigated the DFS settings, via dfsgui.msc, dfsmgmt.msc, and adsiedit.msc, nothing I could see refers to this server. At this point, I have no idea what is referring these workstations to look at this server, does anyone have any ideas of what else I could look at?
Nigel Benfell B.Sc. MCSA