
I am in the process of trying to clean up after a domain rename gone bad. The rename was from xxx.com to hq.xxx.com

My current problem is that I cannot log in to the DC (the only DC on the network). Logging into other computers is not a problem. The error is "The security database on the server does not have a computer account for this workstation trust relationship." The good news is that all other computers on the network allow logins fine.

I have a VM on the same physical machine with Windows 2012 as a member server that I installed Remote Management on. I can run Active Users & Computers, and when I look under Domain Controllers I see the DC, but the "DNS Name:" is set to server.xxx.com instead of server.hq.xxx.com. There appears to be no way to either:

a) Change the DNS Name:, or b) Manually add another server with the right name.

Hence my question: how can I change the DNS Name on a Windows 2012 domain controller?

Additionally, am I barking up the wrong tree? Is there something else I should look at?

I guess someone got their shorts in a bunch because I did not specify all of the things that I have researched and tried.

I spent a number of hours manually changing the DNS, removing LDAP and Kerberos entries linking the DC to the old (xxx.com) domain. After restarting the servers, when I couldn't get logged in to the DC I searched for other examples of that problem; I couldn't find any relevant examples. I then searched for, found & installed the remote management tools for 2012 domains on the VM containing a member server. That is when I found that the DNS Name described above was incorrect. I searched for this issue, to no avail. I specifically looked at all of the items on ServerFault that might be related, and found nothing useful.

Paul Stearns
  • You could look into the steps at this link. You would obviously perform them from the member server that you set up. Likely you are in for a directory rebuild, though. http://virtualcurtis.wordpress.com/2011/03/02/fix-the-security-database-on-the-server-does-not-have-a-computer-account-for-this-workstation-trust-relationship/ – DanBig Dec 19 '13 at 16:25

2 Answers


Domain Controllers retain their original FQDN after a domain rename. There is a specific procedure that you must follow to correct this after a domain rename; it's outlined in this TechNet article: http://technet.microsoft.com/en-us/library/cc794925(v=ws.10).aspx

You can use this procedure to rename domain controllers after a domain rename operation. The Domain Name System (DNS) host names of the domain controllers in the renamed domains do not change automatically as a result of the domain rename operation. In other words, the DNS suffix in the fully qualified DNS host name of a domain controller in the renamed domain continues to reflect the old domain name. You can change the DNS host name of domain controllers in a renamed domain at a later time by using a special procedure.

Modification of the computer name causes updates to the DNS and Active Directory databases. The computer performs these updates automatically. After the updated data propagates to the DNS servers and Active Directory domain controllers that a client computer uses, the client computer can locate and authenticate to the renamed domain controller computer. However, DNS and Active Directory replication latency (the time that it takes for the name change to replicate throughout the databases) might cause a temporary inability of clients to locate or authenticate the renamed domain controller. Therefore, renaming a mission-critical server, such as a domain controller, requires that you follow a computer rename preparation procedure before you rename the domain controller. This preparation procedure ensures that there will be no interruption in the ability of client computers to locate or authenticate the renamed domain controller. For more information about how to rename a domain controller, see Renaming a Domain Controller.

MDMarra
  • Prior to rebooting the servers, I tried the netdom approach. It would not work. I can no longer log in to the domain controller, but I have tried the netdom commands from the member server, and it gives the following errors: C:\Windows\system32>netdom computername server.xxx.com /add:server.hq.xxx.com Unable to add server.hq.xxx.com as an alternate name for the computer. The error is: The network path was not found. The command failed to complete successfully. – Paul Stearns Dec 19 '13 at 17:49
  • Did you change the netbios name of the AD domain as part of the rename? If so, are you trying to log in to the DC with the new netbios name prefixing your user account? – MDMarra Dec 19 '13 at 18:14
  • Yes, and yes I am using the correct netbios name, which works on all the other computers in the domain. The original netbios name was xxx\login-name the new netbios name is hqxxx\login-name. The old netbios name no longer works. I truly believe that it has to do with the "DNS Name:" listed in active users and computers for the DC, it is server.xxx.com, instead of server.hq.xxx.com. – Paul Stearns Dec 19 '13 at 18:50
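The DC-rename procedure the answer points to, written out as commands with a verification step between each. This is an added example, not code from the answer author or the TechNet article; it assumes the names from the question (server.xxx.com becoming server.hq.xxx.com), that the DC's account name is SERVER, that the RSAT ActiveDirectory module is installed, and an elevated session on a machine that can actually reach the DC over SMB/RPC (the "network path was not found" error in the comments is a reachability failure, so that is checked first).

```powershell
# Added example: rename a DC after a domain rename (netdom /add, /makeprimary,
# restart, /remove) with a check of the attributes the rename must keep in sync.
# Names are assumptions taken from the question; "SERVER" is the assumed
# sAMAccountName of the DC (without the trailing $).
$OldFqdn = 'server.xxx.com'
$NewFqdn = 'server.hq.xxx.com'
$DcName  = 'SERVER'
$Domain  = 'hq.xxx.com'

function Show-DcNames {
    # dNSHostName, the alternate names registered by /add, and the SPN count.
    # A mismatch between dNSHostName and the SPNs is what the 0x214D error
    # in the comments below refers to, so we look at all three each time.
    Get-ADComputer -Identity $DcName -Server $Domain `
        -Properties dNSHostName, 'msDS-AdditionalDnsHostName', servicePrincipalName |
        Select-Object Name, dNSHostName,
            @{ n = 'AltDnsNames'; e = { $_.'msDS-AdditionalDnsHostName' -join ', ' } },
            @{ n = 'SpnCount';    e = { @($_.servicePrincipalName).Count } }
}

# 0. Baseline: the DC must be reachable, and the locator must still find it.
Test-NetConnection -ComputerName $OldFqdn -Port 445
nltest /dsgetdc:$Domain
Show-DcNames

# 1. Register the new FQDN as an alternate computer name. This writes
#    msDS-AdditionalDnsHostName and the matching SPNs on the DC account.
netdom computername $OldFqdn /add:$NewFqdn
repadmin /syncall $OldFqdn /APed     # push the change to all replication partners
Show-DcNames                          # expect $NewFqdn listed under AltDnsNames

# 2. Promote the new name to primary; this is the step that changes dNSHostName.
#    Only proceed once step 1 has replicated everywhere (single-DC domains
#    like the one in the question have nothing to wait for).
netdom computername $OldFqdn /makeprimary:$NewFqdn
Restart-Computer -ComputerName $OldFqdn -Force -Wait

# 3. After the restart, confirm the primary name and drop the old one.
Show-DcNames                          # expect dNSHostName = server.hq.xxx.com
netdom computername $NewFqdn /remove:$OldFqdn
Show-DcNames                          # expect AltDnsNames empty, SpnCount unchanged
```

If step 0 fails with the same "network path was not found" error as in the comment above, fix name resolution and SMB/RPC reachability to the DC before attempting any netdom step; netdom has to contact the DC to write these attributes.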

Well, it sounds like your domain is still working and logons are processing, so you need to get a working DC. I believe the fastest way would be to build a new DC to replace this broken one.

  1. Create a new VM
  2. dcpromo it to get a working DC again
  3. then rebuild the current DC
  4. demote the temp VM
  5. Do any name cleanup needed after that.
SpiderIce
  • I was hoping there would be a better way. We are actually going to use another computer, but the same principle. Is it possible to demote a server to a member server remotely? My thought was to create a new temp DC, if possible demote the existing DC, then promote it, which should fix the issue, then get rid of the temp DC. – Paul Stearns Dec 20 '13 at 14:29
  • Well, if you can't log in to the server I don't think it's going to demote correctly. I think the safest way would be to take it offline and rebuild it, then clean up the records in AD. Normally you could demote a DC to a member server again via RDP or other remote control, but you would need to have login access to that system. – SpiderIce Dec 20 '13 at 15:29
  • I am able to run Active Users and Directories from my VM. I can get to advanced properties, which should allow me to edit the dNSHostName under Attribute Editor; it is "server.xxx.com". When I change it to server.hq.xxx.com and click Apply, I get the error: Operation failed. Error code: 0x214d, which I can't find any useful information on. The full error goes on with "While processing a change to the DNS Host Name for an object, the Service Principal Name values could not be kept in sync. 0000214D: SvcErr: DSID-033E0F61, problem 5001 (BUSY), data 87." Any ideas on this? – Paul Stearns Dec 20 '13 at 16:09
  • @PaulStearns the only thing I could find on that error is https://social.technet.microsoft.com/Forums/en-US/fe33a5aa-b9ce-425b-8467-ffee71649036/while-processing-a-change-to-the-dns-host-name-for-an-object-the-service-principal-name-values?forum=smallbusinessserver I have not seen that error before, but at the end it seems to be related to missing permissions based on this URL. Your domain name change might not have updated all the AD permissions to the new hq.xxx.com from the old xxx.com. – SpiderIce Dec 20 '13 at 16:24