We cannot log in as domain admin on one server but can on others. When I looked at Active Directory, I can see that the computer object doesn't exist for the server we can't log in to. There is, however, a DNS record with the proper computer name.

I don't know if this was deleted but I checked ldp.exe's deleted objects and didn't see it. It must have existed before if it is on the domain.

I have now re-created this computer object with its computer name but still cannot log in and get the same error. Shouldn't I be able to log in now that the computer exists, or would that object have a different SID that doesn't correspond to the machine?

Also, I tried adding this server to the server group in Server 2012, but it is not found in Active Directory yet for some reason. I did, however, find it by DNS in "add servers" but get a Kerberos error of "kerberos target resolution error." The details show "Cannot find the computer xxxxxx.domain.local" even though it found it by DNS when adding.

So the question I have is... why would this machine not be able to authenticate if I have re-created it in Active Directory?

mirkaim
  • Did you rejoin the affected server to the domain yet? Creating the object manually won't matter much since the SIDs won't match. Local logon should still work. – Nathan C Apr 25 '14 at 17:54

1 Answer

why would this machine not be able to authenticate if I have re-created it in Active Directory?

Well, because you haven't actually created it in Active Directory. No, really, not properly. You just created a different Active Directory object with the same name that isn't actually linked or related to the computer in question.

In order to properly join it to your domain, you need to log on (probably with local credentials at this point) and, well, actually join it to the domain.

HopelessN00b
  • I guess it was completely necessary that you spice this up with your attitude. Thanks for that because it really helps me. – mirkaim Apr 25 '14 at 19:07
  • @mirk There's no attitude - there are multiple, advanced ways to join a computer to a domain besides going through the GUI wizard, including ways to do it manually, to varying degrees of completeness and... proper-ness. For your case, you need to use the proper, complete join method. Since the original object doesn't exist in any fashion in Active Directory, you can't get away with a manual method that alters part of the object to get the machine "rejoined." – HopelessN00b Apr 25 '14 at 19:11
  • Sorry if I was so sensitive. :( – mirkaim Apr 25 '14 at 19:26
  • Let me ask you this though, if you are locked out of the computer and can't login because of kerberos/domain issues, then it seems that re-joining the domain is a catch 22. Am I right? – mirkaim Apr 25 '14 at 19:26
  • @mirk Well, it depends/sort of. You need to log on with a local administrator account in order to correct the issues that are preventing you from authenticating to the domain (get the time in sync with the domain, remove the computer from the domain on the computer itself, whatever the case is). Once the issues are resolved, you can authenticate with domain credentials again, and join the computer to the domain. Sometimes it's an issue you can resolve by making changes to the Active Directory object for the computer account, but not very frequently. – HopelessN00b Apr 25 '14 at 19:30
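The check-then-rejoin sequence that the answer and the follow-up comments describe, written out as an added PowerShell example. This is not code posted by anyone in the thread. It assumes the domain name `domain.local` from the question, a placeholder domain controller `DC01.domain.local`, a placeholder computer name `SERVER01`, and that you are logged on to the affected server with a local administrator account, as the last comment says you must be.

```powershell
# Added example, not from the original question or answer.
# Run in an elevated PowerShell session on the affected server while logged on
# with a LOCAL administrator account (domain logon is the thing that is broken).
# Assumed values: 'domain.local' comes from the question; the DC name and the
# computer name are placeholders.
$Domain       = 'domain.local'
$DomainDC     = 'DC01.domain.local'   # placeholder: any writable DC in the domain
$ComputerName = 'SERVER01'            # placeholder for the xxxxxx host in the question
$DomainCred   = Get-Credential "$Domain\Administrator"   # prompts for a domain admin

# ---- 1. Diagnose: does the machine still trust its own domain membership? ----
# The machine stores the password of the computer account it was joined with.
# A manually re-created object with the same name is a brand new account with a
# new SID and a password this machine does not know, so the secure channel test
# fails even though the name now exists in AD.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"PartOfDomain: $($cs.PartOfDomain)   Domain: $($cs.Domain)"

$channelOk = Test-ComputerSecureChannel -Verbose
"Secure channel to $Domain is healthy: $channelOk"

# nltest shows which DC the machine last reached and the trust status code.
nltest /sc_query:$Domain

# ---- 2. (Optional, from a DC or a box with RSAT) confirm the object is new ----
# whenCreated stamped today and a fresh RID in the SID confirm that the object
# in AD is the re-created one, not the account this server was joined with.
# Get-ADComputer -Identity $ComputerName -Properties SID, whenCreated -Server $DomainDC |
#     Select-Object Name, SID, whenCreated

# ---- 3. Clear the things that block domain authentication before rejoining ----
# Kerberos rejects tickets when the clock drifts more than 5 minutes from the DC.
w32tm /config /syncfromflags:domhier /update
w32tm /resync /force

# ---- 4. Rejoin properly: leave the domain, reboot, then join with domain creds ----
# Leaving and rejoining is what actually re-links this machine to an AD object:
# the join writes a shared computer-account password on both sides. Run the
# Remove-Computer step, let the box reboot, log on locally again, then run the
# Add-Computer step.
if (-not $channelOk) {
    # Step 4a: drop to a workgroup. The -Restart is required; a join attempted
    # before the reboot runs against the old membership state.
    Remove-Computer -UnjoinDomainCredential $DomainCred `
                    -WorkgroupName 'WORKGROUP' -Force -Restart
}

# Step 4b (after the reboot, logged on locally): join the domain. This either
# takes ownership of the existing computer object of that name or creates one,
# and sets the machine password that the secure channel will use from now on.
# Add-Computer -DomainName $Domain -Credential $DomainCred -Server $DomainDC `
#              -Force -Restart
```

`Test-ComputerSecureChannel` returning `False` (or `nltest` reporting a trust failure) is the concrete symptom behind "can't log in as domain admin": domain credentials are never evaluated because the server cannot authenticate itself to a DC first. Step 4b is left commented so the script does not attempt a join before the unjoin reboot has completed; run it as the second half of the procedure.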