Re-joining a computer to domain

236,156

Solution 1

It's only possible to add the PC when you have administrator rights on the PC and the right to change the DC.

Therefore it is necessary to reset the administrator password on the PC. One way to perform this task is to boot the installation DVD and use the repair console. This allows you to regain full control.

Solution 2

This trick comes to be via my Active Directory study group. I suggest that everyone join a usergroup and/or a study group. It’s not that we don’t know AD, it’s that we forget or miss new features. A refresher course is fun too.

Occasionally a computer will come “disjoined” from the domain. The symptoms can be that the computer can’t log in when connected to the network, a message that the computer account has expired, the domain certificate is invalid, etc. These all stem from the same problem and that is that the secure channel between the computer and domain is hosed. (that’s a technical term. Smile )

The classic way to fix this problem is to unjoin and rejoin the domain. Doing so is kind of a pain because it requires a couple of reboots and the user profile isn’t always reconnected. Ewe. Further if you had that computer in any groups or assigned specific permissions to it those are gone because now your computer has a new SID, so the AD doesn’t see it as the same machine anymore. You’ll have to recreate all of that stuff from the excellent documentation that you’ve been keeping. Uh, huh, your excellent documentation. Double Ewe.

Instead of doing that we can just reset the secure channel. There are a couple of ways to do this:

  1. In AD right-click the computer and select Reset Account.
    Then re-join without un-joining the computer to the domain.
    Reboot required.
  2. In an elevated command prompt type: dsmod computer "ComputerDN" -reset
    Then re-join without un-joining the computer to the domain.
    Reboot required.
  3. In an elevated command prompt type: netdom reset MachineName /domain:DomainName /usero:UserName /passwordo:Password
    The account whose credentials you provided must be a member of the Local Administrators group.
    No rejoin. No reboot.
  4. In an elevated command prompt type: nltest.exe /Server:ServerName /SC_Reset:DomainName\DomainController
    No rejoin. No reboot.

Solution 3

As of Server 2008 R2, the task is very simple. We may now use the Test-ComputerSecureChannel cmdlet.

Test-ComputerSecureChannel -Credential (Get-Credential) -Verbose


Add the -Repair parameter to perform the actual repair; use credentials for an account that's authorized to join computers to the domain.

Reference:

https://msdn.microsoft.com/en-us/powershell/reference/3.0/microsoft.powershell.management/test-computersecurechannel

http://windowsitpro.com/blog/quick-fix-computers-no-longer-domain-joined

-- EDIT--

If there aren't any local administrator accounts you can use for this, you can create one (or enable the disabled built-in Administrator account) with the well-known Sticky Keys hack.

To reset a forgotten administrator password, follow these steps:

  1. Boot from Windows PE or Windows RE and access the command prompt.
  2. Find the drive letter of the partition where Windows is installed. In Vista and Windows XP, it is usually C:, in Windows 7, it is D: in most cases because the first partition contains Startup Repair. To find the drive letter, type C: (or D:, respectively) and search for the Windows folder. Note that Windows PE (RE) usually resides on X:. For the purposes of this demonstration, we'll assume that Windows is installed on drive C:
  3. Type the following command: copy C:\Windows\System32\sethc.exe C:\ This creates a copy of sethc.exe to restore later.
  4. Type this command to replace sethc.exe with cmd.exe: copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe Reboot your computer and run the Windows instance for which you don't have the administrator password.
  5. After you see the logon screen, press the SHIFT key five times.
  6. You should see a command prompt where you can enter the following command to reset the Windows password: net user [username] [password] If you don't know your user name, just type net user to list the available user names.
  7. You can now log on with the new password.

If you wish to enable the disabled-by-default built-in Administrator account instead of resetting the password on an existing account, the command is:

  1. net user administrator /active:yes

If you wish to create a new account and add it to the local Administrators group, the command sequence is:

  1. net user /add [username] [password]
  2. net localgroup administrators [username] /add
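As an added example (not code from any of the answers above) that ties Solution 2's nltest check to Solution 3's cmdlet: check the secure channel first, repair it only when the check fails, and confirm the result independently. It assumes an elevated PowerShell on the affected workstation, a local administrator logon, and a placeholder domain name in $DomainName.

```powershell
# Added example, not from the original answers.
# Assumptions: elevated PowerShell on the workstation itself, logged on with a
# local administrator; $DomainName is a placeholder for the real AD domain.
param(
    [string]$DomainName = 'example.local'   # placeholder domain name
)

function Repair-WorkstationTrust {
    param([string]$Domain)

    # Step 1: read-only check of the secure channel; nothing is changed yet.
    $healthy = Test-ComputerSecureChannel -Verbose
    if ($healthy) {
        Write-Host "Secure channel with $Domain is intact; nothing to repair."
        return $true
    }

    # Step 2: as the comments suggest, capture the credential first, then repair.
    # The account needs the right to reset the computer's password in AD.
    $cred = Get-Credential -Message "Domain account allowed to reset this computer account in $Domain"
    $repaired = Test-ComputerSecureChannel -Repair -Credential $cred -Verbose
    if (-not $repaired) {
        Write-Warning "Repair failed. Check that the computer object still exists in AD and that the account may reset its password."
        return $false
    }

    # Step 3: independent confirmation with nltest, the tool Solution 2 relies on.
    nltest.exe /SC_VERIFY:$Domain | Out-Host
    return ($LASTEXITCODE -eq 0)
}

Repair-WorkstationTrust -Domain $DomainName
```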
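Added example (not from the original answer): a check to run once access is regained, because step 4 of the EDIT above leaves cmd.exe sitting in sethc.exe's place until someone puts the genuine file back. It assumes an elevated PowerShell and default Windows paths; the file names beyond sethc.exe are the other standard logon-screen accessibility helpers, which get the same check.

```powershell
# Added example, not from the original answer. Flags logon-screen accessibility
# binaries whose contents match cmd.exe, which is what the EDIT's step 4 leaves behind.
# Assumptions: elevated PowerShell on the machine; $env:SystemRoot is the usual C:\Windows.
function Test-AccessibilityBinaryTampering {
    param([string]$SystemRoot = $env:SystemRoot)

    $sys32   = Join-Path $SystemRoot 'System32'
    $cmdHash = (Get-FileHash -Path (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash
    $report  = @()

    # sethc.exe is the file the EDIT replaces; the others are the remaining helpers
    # Windows launches from the logon screen, so they are checked the same way.
    foreach ($name in 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe') {
        $path = Join-Path $sys32 $name
        if (-not (Test-Path -Path $path)) { continue }

        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $desc = (Get-Item -Path $path).VersionInfo.FileDescription

        $report += [pscustomobject]@{
            File        = $name
            MatchesCmd  = ($hash -eq $cmdHash)
            Description = $desc
            # The genuine helpers never describe themselves as the command processor.
            Tampered    = ($hash -eq $cmdHash) -or ($desc -like '*Command Processor*')
        }
    }

    # Step 3 of the procedure leaves a copy of the genuine sethc.exe in the root of
    # the system drive; finding it there is a strong hint the swap was done on this box.
    $backup = Join-Path (Split-Path -Qualifier $SystemRoot) 'sethc.exe'
    if (Test-Path -Path $backup) {
        Write-Warning "Backup copy found at $backup; copy it back over System32\sethc.exe to undo the swap."
    }
    return $report
}

Test-AccessibilityBinaryTampering | Format-Table -AutoSize
```

If the backup from step 3 is gone, sfc /scannow restores the genuine file from the component store.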

Solution 4

Stop fighting with this problem from the client side. If you can't log in to the domain, you're either going to have to log in with an enabled local account, or use a boot CD to enable one.

Try removing the machine from Active Directory Users and Computers. It should be in the Administrative Tools on your server. Open the OU (organizational unit) that contains the computer. Find the computer, right click on it, and hit delete.


It might not hurt to be patient and just let replication do its thing, depending on how many DCs you have. If your domain is pretty simple (no sites and just two DCs) you could use repadmin /replicate to force replication. Give this a read before doing so.

Now add the PC again using AD UC and either wait for replication or force it.

If it still whines at you, give netdom /remove a try (man page here) and see if that will get it off your domain. If you have trouble with that, take a look at this question. It's a different scenario but essentially the same concept: trying to remove a computer from a domain when it can't contact the DC.

Solution 5

You may have to log in using credentials that are local to that machine. When the OS was first installed, a local account was set up.

Log in with that account using the Computer Name as the domain (ex. MYCOMP\JSmith). Usually the local machine administrator account is present but disabled by default.

Once you are logged in as a local user, you should be able to leave and rejoin the domain.

Author: harper

Updated on September 18, 2022

Comments

  • harper
    harper over 1 year

    I have a problem with a Windows 7 PC that had been a member of the domain. When I try to logon to this PC with domain credentials I get a message similar to

    The trust relationship between this workstation and the primary domain could not be established.
    

    Now I need to reestablish the membership of the PC in the domain. But since I can't log on, I can change neither the computer name nor the domain membership.

    • How can I re-trust PC and domain?
    • Can I add or renew the membership from the domain controllers console?

    Edit:

    There are no active local accounts on the machine that I could use to logon.

    • rtf
      rtf about 11 years
      Do you have access to AD UC?
    • harper
      harper about 11 years
      Access to what? I assume: AD=active directory UC=?? But: Yes, I have administrative rights to the domain.
    • wisbucky
      wisbucky over 2 years
      Solution for Windows 10: superuser.com/questions/947750/…
  • Lee Harrison
    Lee Harrison about 11 years
    Leaving and re-entering the domain is the preferred fix to this. However, sometimes it just doesn't work and you'll also need to change your computer name if Active Directory doesn't understand the change for whatever reason.
  • harper
    harper about 11 years
    This will delete the PC from the domain, won't it? How do I use the domain authentication to logon at the PC when it is not a domain member anymore? Can't I add it with ADUC?
  • rtf
    rtf about 11 years
    You're right. Hadn't had my coffee yet...
  • harper
    harper over 9 years
    Please read before posting. The last sentence (after Edit) shows that I can't use local accounts.
  • user
    user almost 9 years
    Why? How does this fix the trust relationship between the client and the domain controller?
  • vapcguy
    vapcguy almost 7 years
    Excellent source of info here! $credential = Get-Credential, press Enter, type password on prompt, then Test-ComputerSecureChannel -Credential $credential -Repair -Verbose is what we did and worked for us (basically what you described but slightly nuanced for those that might find it hard to follow). Great trick on the sethc.exe and getting a hold of the local admin account again.
  • InteXX
    InteXX almost 7 years
    @vapcguy — All these years, and they still haven't fixed that. It's a bit disconcerting, knowing that a Windows installation can be so easily compromised.
  • vapcguy
    vapcguy almost 7 years
    InteXX - Yeah, but it's sort of nice when you lose the password for the local admin account, though - or never receive it because the outgoing contractors want to be @#&%!, lol
  • InteXX
    InteXX almost 7 years
    Every sword has two edges :-)
  • puravidaso
    puravidaso over 3 years
    Yes, Test-ComputerSecureChannel works as summarized in the comment. If the client computer has been deleted from the domain controller, simply create it before running Test-ComputerSecureChannel and details (OS for example) will be automatically populated.