Trouble shooting on Dc when all FSMO roles transferred to new server and after shutting down the old server it search for the OLD DC

When you’ve transferred all FSMO (Flexible Single Master Operations) roles to a new Domain Controller (DC) and shut down the old DC, yet clients or other DCs are still searching for the old server, it usually means residual references to the old DC are lingering in Active Directory or DNS.

Here’s a deep troubleshooting checklist to resolve this:

---

🔍 1. Verify FSMO Role Transfer

Make sure FSMO roles are truly transferred and not just assumed.

bashCopyEditnetdom query fsmo

All roles should point to the new DC. If not, transfer using:

bash
ntdsutil
> roles
> connections
> connect to server <NewDC>
> quit
> transfer <role name>

---

🔍 2. Check Old DC References in DNS

• Open DNS Manager.
• Expand the zones (especially Forward Lookup Zones → your domain).
• Check for:
  • NS records (name server entries still pointing to the old DC)
  • A records for old DC
  • SRV records under:
    • _ldap._tcp.dc._msdcs.<domain>
    • _kerberos._tcp.dc._msdcs.<domain>

👉 Delete any references to the old server.

Then force a DNS replication:

bash

repadmin /syncall /AdeP

And flush the DNS cache:

bash

ipconfig /flushdns

---

🔍 3. Check AD Sites and Services

• Open Active Directory Sites and Services.
• Expand Sites > Default-First-Site-Name > Servers.
• Ensure the old server is removed.
• If it’s still there:
  • Right-click and delete the old DC.
  • Then go into NTDS Settings under that server and delete any remaining connections.

---

🔍 4. Remove Metadata of Old DC

If the old DC was shut down before proper demotion (dcpromo), you need to clean up metadata:

bashntdsutil
> metadata cleanup
> connections
> connect to server <NewDC>
> quit
> select operation target
> list domains
> select domain <number>
> list sites
> select site <number>
> list servers in site
> select server <number>
> quit
> remove selected server

---

🔍 5. Check SYSVOL/NETLOGON Replication

If any GPOs or scripts reference the old server (e.g., with UNC paths like \\oldserver\NETLOGON), clients will keep looking for it.

Check:

• Group Policies (gpmc.msc)
• Logon scripts
• Startup scripts
• Scheduled tasks
• Login profiles

---

🔍 6. Registry / Services Dependency

Some older software or services might store static references to the old DC (especially apps that store LDAP/DC info manually).

Search the registry on other servers and clients:

bash

reg query HKLM /f "oldservername" /s

---

🔍 7. Repadmin Diagnostics

Check if any DCs still reference the old DC in replication:

bash

repadmin /showrepl
repadmin /replsummary

Also look for lingering objects:

bashCopyEditrepadmin /removelingeringobjects <NewDC> <OldDC GUID> <NC>

---

🔍 8. DCDIAG for Final Sanity Check

bash

dcdiag /v /c /e /f:dcdiag.txt

Look in the output for any reference to the old DC. That’ll give clues to where it’s still being referenced.

---

🧼 Optional Cleanup – ADSIEdit

If anything still remains:

• Open ADSIEdit.msc
• Connect to Default Naming Context
• Navigate to: iniCopyEditCN=Sites > CN=Default-First-Site-Name > CN=Servers CN=Configuration > CN=Services > CN=Windows NT > CN=DCs
• Delete leftover objects pointing to the old DC with care.

---

✅ Final Checks

After cleanup:

bash

repadmin /syncall /AdeP
ipconfig /flushdns
dcdiag