Re-joining a computer to domain

18

4

I have a problem with a Windows 7 PC that had been a member of the domain. When I try to logon to this PC with domain credentials I get a message similar to

The trust relationship between this workstation and the primary domain could not be established.

Now I need to reestablish the membership of the PC in the domain. But since I can't log on, I can change neither the computer name nor the domain membership.

  • How can I re-trust PC and domain?
  • Can I add or renew the membership from the domain controllers console?

Edit:

There are no active local accounts on the machine that I could use to logon.

harper

Posted 2013-02-21T13:51:57.763

Reputation: 860

Do you have access to AD UC? – Tanner Faulkner – 2013-02-21T15:23:08.687

Access to what? I assume: AD=active directory UC=?? But: Yes, I have administrative rights to the domain. – harper – 2013-02-21T15:33:31.280

Answers

2

It's only possible to add the PC when you have administrator rights on the PC and the right to change the DC.

Therefore it is necessary to reset the administrator password on the PC. One way to perform this task is to boot from the installation DVD and use the repair console. This allows you to regain full control.

harper

Posted 2013-02-21T13:51:57.763

Reputation: 860

9

This trick comes to be via my Active Directory study group. I suggest that everyone join a usergroup and/or a study group. It’s not that we don’t know AD, it’s that we forget or miss new features. A refresher course is fun too.

Occasionally a computer will come “disjoined” from the domain. The symptoms can be that the computer can’t log in when connected to the network, a message that the computer account has expired, the domain certificate is invalid, etc. These all stem from the same problem, which is that the secure channel between the computer and the domain is hosed (that’s a technical term :-)).

The classic way to fix this problem is to unjoin and rejoin the domain. Doing so is kind of a pain because it requires a couple of reboots and the user profile isn’t always reconnected. Ew. Further, if you had that computer in any groups or assigned specific permissions to it, those are gone because your computer now has a new SID, so AD doesn’t see it as the same machine anymore. You’ll have to recreate all of that stuff from the excellent documentation that you’ve been keeping. Uh huh, your excellent documentation. Double ew.

Instead of doing that we can just reset the secure channel. There are a couple of ways do this:

  1. In AD right-click the computer and select Reset Account.
    Then re-join without un-joining the computer to the domain.
    Reboot required.
  2. In an elevated command prompt type: dsmod computer "ComputerDN" -reset
    Then re-join without un-joining the computer to the domain.
    Reboot required.
  3. In an elevated command prompt type: netdom reset MachineName /domain:DomainName /usero:UserName /passwordo:Password
    The account whose credentials you provided must be a member of the Local Administrators group.
    No rejoin. No reboot.
  4. In an elevated command prompt type: nltest.exe /Server:ServerName /SC_Reset:DomainName\DomainController
    No rejoin. No reboot.

Ahmed Raza

Posted 2013-02-21T13:51:57.763

Reputation: 91
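
Before picking one of the four methods above it is worth looking at the computer object from the DC side, because a disabled or missing account, or a machine password that AD rotated after the client's disk was restored from a snapshot, produces exactly this error and is fixed on the DC rather than the client. The script below is an added example, not part of this answer: it reports the account's state and then performs method 2 (the console-side reset). It needs the ActiveDirectory PowerShell module (a DC or a machine with RSAT), and the computer name 'PC01' is a placeholder.

```powershell
# Added example (not from the original answer). Requires the ActiveDirectory
# module; run as a user who may enable and reset computer accounts.
Import-Module ActiveDirectory

function Get-ComputerAccountHealth {
    param([Parameter(Mandatory)] [string] $ComputerName)

    # Throws if the object does not exist at all, which is also an answer:
    # a deleted computer object cannot be "re-trusted", only re-created/joined.
    $c = Get-ADComputer -Identity $ComputerName -Properties PasswordLastSet, LastLogonDate -ErrorAction Stop

    # Members change their machine password every 30 days by default. If
    # PasswordLastSet is newer than the last time this disk image actually
    # booted (snapshot revert, restored backup), AD holds a secret the client
    # never saw, and the secure channel fails.
    $ageDays = if ($c.PasswordLastSet) { [int]((Get-Date) - $c.PasswordLastSet).TotalDays } else { $null }

    [pscustomobject]@{
        Name              = $c.Name
        DistinguishedName = $c.DistinguishedName
        Enabled           = $c.Enabled
        PasswordLastSet   = $c.PasswordLastSet
        PasswordAgeDays   = $ageDays
        LastLogonDate     = $c.LastLogonDate
    }
}

function Reset-ComputerAccountFromDC {
    param([Parameter(Mandatory)] [string] $ComputerName)

    $health = Get-ComputerAccountHealth -ComputerName $ComputerName
    if (-not $health.Enabled) {
        # A disabled account looks identical to a broken trust from the client.
        Enable-ADAccount -Identity $health.DistinguishedName
        Write-Host "Enabled computer account $($health.Name)"
    }

    # Method 2 from the answer above. After this the client's copy of the
    # secret no longer matches, so the client must rejoin (without unjoining)
    # and reboot, as the answer states.
    & dsmod.exe computer $health.DistinguishedName -reset
    if ($LASTEXITCODE -ne 0) {
        throw "dsmod computer -reset failed with exit code $LASTEXITCODE"
    }
}

# Usage ('PC01' is a placeholder):
# Get-ComputerAccountHealth -ComputerName 'PC01' | Format-List
# Reset-ComputerAccountFromDC -ComputerName 'PC01'
```

Run the health check first: if the object is enabled and PasswordLastSet is older than the client's last known good state, methods 3 or 4 (no rejoin, no reboot) are the cheaper fix; the console-side reset above is the fallback when nobody can log on to the client at all.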

5

Stop fighting with this problem from the client side. If you can't log in to the domain, you're either going to have to log in with an enabled local account, or use a boot CD to enable one.

Try removing the machine from Active Directory Users and Computers. It should be in the Administrative Tools on your server. Open the OU (organizational unit) that contains the computer. Find the computer, right click on it, and hit delete.


It might not hurt to be patient and just let replication do its thing, depending on how many DCs you have. If your domain is pretty simple (no sites and just two DCs) you could use repadmin /replicate to force replication. Give this a read before doing so.

Now add the PC again using AD UC and either wait for replication or force it.

If it still whines at you, give netdom /remove a try (man page here) and see if that will get it off your domain. If you have trouble with that, take a look at this question. It's a different scenario but essentially the same concept: trying to remove a computer from a domain when it can't contact the DC.

Tanner Faulkner

Posted 2013-02-21T13:51:57.763

Reputation: 11 948

This will delete the PC from the domain, won't it? How do I use the domain authentication to logon at the PC when it is not a domain member anymore? Can't I add it with ADUC? – harper – 2013-02-21T17:00:50.190

You're right. Hadn't had my coffee yet... – Tanner Faulkner – 2013-02-21T17:08:47.890

4

As of Server 2008 R2, the task is very simple. We may now use the Test-ComputerSecureChannel cmdlet.

Test-ComputerSecureChannel -Credential (Get-Credential) -Verbose


Add the -Repair parameter to perform the actual repair; use credentials for an account that's authorized to join computers to the domain.

Reference:

https://msdn.microsoft.com/en-us/powershell/reference/3.0/microsoft.powershell.management/test-computersecurechannel

http://windowsitpro.com/blog/quick-fix-computers-no-longer-domain-joined

-- EDIT--

If there aren't any local administrator accounts you can use for this, you can create one (or enable the disabled built-in Administrator account) with the well-known Sticky Keys hack.

To reset a forgotten administrator password, follow these steps:

  1. Boot from Windows PE or Windows RE and access the command prompt.
  2. Find the drive letter of the partition where Windows is installed. In Vista and Windows XP, it is usually C:, in Windows 7, it is D: in most cases because the first partition contains Startup Repair. To find the drive letter, type C: (or D:, respectively) and search for the Windows folder. Note that Windows PE (RE) usually resides on X:. For the purposes of this demonstration, we'll assume that Windows is installed on drive C:
  3. Type the following command: copy C:\Windows\System32\sethc.exe C:\ This creates a copy of sethc.exe to restore later.
  4. Type this command to replace sethc.exe with cmd.exe: copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe Reboot your computer and run the Windows instance for which you don't have the administrator password.
  5. After you see the logon screen, press the SHIFT key five times.
  6. You should see a command prompt where you can enter the following command to reset the Windows password: net user [username] [password] If you don't know your user name, just type net user to list the available user names.
  7. You can now log on with the new password.

If you wish to enable the disabled-by-default built-in Administrator account instead of resetting the password on an existing account, the command is:

  1. net user administrator /active:yes

If you wish to create a new account and add it to the local Administrators group, the command sequence is:

  1. net user /add [username] [password]
  2. net localgroup administrators [username] /add

InteXX

Posted 2013-02-21T13:51:57.763

Reputation: 300

Excellent source of info here! $credential = Get-Credential, press Enter, type password on prompt, then Test-ComputerSecureChannel -Credential $credential -Repair -Verbose is what we did and worked for us (basically what you described but slightly nuanced for those that might find it hard to follow). Great trick on the sethc.exe and getting a hold of the local admin account again. – vapcguy – 2017-08-03T21:11:31.067

@vapcguy — All these years, and they still haven't fixed that. It's a bit disconcerting, knowing that a Windows installation can be so easily compromised. – InteXX – 2017-08-03T21:45:53.707

InteXX - Yeah, but it's sort of nice when you lose the password for the local admin account, though - or never receive it because the outgoing contractors want to be @#&%!, lol – vapcguy – 2017-08-03T22:00:00.183

Every sword has two edges :-) – InteXX – 2017-08-04T02:05:47.963
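
The sethc.exe swap described in the answer's edit is also the first thing an attacker with a boot disk does, and it survives the trust repair. The script below is an added example, not part of the answer above: it audits the binaries Windows will start from the logon screen before any credential is entered, flags one that is really a renamed cmd.exe or is hijacked through an Image File Execution Options "Debugger" value (the registry-only variant of the same trick), and restores it. It needs PowerShell 4.0 or later for Get-FileHash (Windows 7 ships 2.0; WMF 4.0 or 5.1 upgrades it) and an elevated prompt; the list of binaries is mine, not the answer's.

```powershell
# Added example (not from the original answer). Run from an elevated
# PowerShell 4.0+ session on the machine being checked.
$System32 = Join-Path $env:WINDIR 'System32'
$IfeoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Binaries reachable from the logon screen without credentials (the choice of
# list is an assumption; add any others your build exposes).
$LogonScreenBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'Narrator.exe', 'Magnify.exe', 'DisplaySwitch.exe'

function Get-LogonBinaryStatus {
    $cmdHash = (Get-FileHash -Path (Join-Path $System32 'cmd.exe') -Algorithm SHA256).Hash

    foreach ($name in $LogonScreenBinaries) {
        $path = Join-Path $System32 $name
        if (-not (Test-Path -Path $path)) { continue }

        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash

        # The PE version resource still names the file it was built as; a copied
        # cmd.exe reports 'Cmd.Exe' no matter what it is called on disk. String
        # comparison in PowerShell is case-insensitive, which is what we want.
        $original     = (Get-Item -Path $path).VersionInfo.OriginalFilename
        $nameMismatch = [bool]$original -and ($original -ne $name)

        # IFEO variant: a Debugger value makes Windows launch that program
        # instead of the target, with the target's (SYSTEM) privileges.
        $debugger = (Get-ItemProperty -Path (Join-Path $IfeoKey $name) -Name Debugger -ErrorAction SilentlyContinue).Debugger

        [pscustomobject]@{
            Binary           = $name
            SameHashAsCmd    = ($hash -eq $cmdHash)
            OriginalFilename = $original
            NameMismatch     = $nameMismatch
            IfeoDebugger     = $debugger
            Suspicious       = ($hash -eq $cmdHash) -or $nameMismatch -or [bool]$debugger
        }
    }
}

function Repair-LogonBinary {
    param([Parameter(Mandatory)] [string] $Name)

    # Undo a debugger hijack if one is set.
    $key = Join-Path $IfeoKey $Name
    if (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $key -Name Debugger
        Write-Host "Removed IFEO Debugger value for $Name"
    }

    # Let Windows restore the protected file from the component store. This
    # replaces a swapped binary with the genuine one; read sfc's own output,
    # and if it cannot repair the file, copy back the backup made in step 3
    # of the procedure above.
    & sfc.exe "/scanfile=$(Join-Path $System32 $Name)"
}

$status = Get-LogonBinaryStatus
$status | Format-Table -AutoSize
$status | Where-Object { $_.Suspicious } | ForEach-Object { Repair-LogonBinary -Name $_.Binary }
```

The hash comparison catches the exact procedure on this page; the OriginalFilename check also catches a copy of any other console binary, and the IFEO check catches the variant that never touches the file at all. None of this helps against an attacker who can boot the machine from their own media, which is why full-disk encryption (BitLocker with TPM) is the actual fix for the weakness the comments below complain about.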

4

You may have to log in using credentials that are local to that machine. When the OS was first installed, there is a local account that is set up.

Log in with that account using the Computer Name as the domain (ex. MYCOMP\JSmith). Usually the local machine administrator account is present but disabled by default.

Once you are logged in as a local user, you should be able to leave and rejoin the domain.

Rich G

Posted 2013-02-21T13:51:57.763

Reputation: 191

Leaving and re-entering the domain is the preferred fix to this. However, sometimes it just doesn't work and you'll also need to change your computer name if Active Directory doesn't understand the change for whatever reason. – Lee Harrison – 2013-02-21T14:28:26.887

1

The only solution to a PC/server trust issue (after reset, recreate on DC, etc.) that resolves it without any restore!

Disable all NICs so the PC can't verify the trust relationship with the logon DC. Then log in with an administrator-level domain account (it must be in the local PC Administrators group) that had previously logged in, i.e. leverage the cached credentials. My problem was that I moved a W7 VM from prod to a test lab and anticipated that the trust would be broken, but not that I would be unable to log in with local admin/user accounts or even with the "old domain's" cached credentials.

Disabling the NICs and using cached credentials works; then you can rejoin the domain with netdom join.

If you run out of cached credential tries (depends on local OS policies/GPO, up to 50), do a system restore to a previous day; this will work too.

reg one

Posted 2013-02-21T13:51:57.763

Reputation: 11

0

First try to log in as Administrator (Computer name\Administrator), then unjoin the domain to a workgroup and reboot. Now your PC is in a workgroup with a local account. Now try to join the domain again (right-click My Computer -> Properties -> Change -> Domain -> e.g. Fu-com.com). It will then ask for the administrator password for the server; enter the user name administrator and the password, then reboot your computer. Now your computer is in the domain; try to log in with your user ID and password.

Ahmed Raza

Posted 2013-02-21T13:51:57.763

Reputation: 91

Please read before posting. The last sentence (after Edit) shows that I can't use local accounts. – harper – 2015-01-18T13:26:50.200

0

  1. Disconnect the network cable and log in to the affected workstation (cached credentials will allow this.) After doing this, reconnect the network cable.

  2. Download the Remote Server Administration Tools (RSAT) package from Microsoft here: http://www.microsoft.com/en-us/download/details.aspx?id=7887 (select the proper 32-bit or 64-bit version according to the workstation’s operating system, not the server’s.)

  3. Install the downloaded package. We had trouble with this until we used clean boot mode, so you may have to restart the workstation after configuring for clean boot, which can be undone after this process.

  4. Installing RSAT doesn’t automatically make it available to use. Go to Control Panel -> Programs -> Add/Remove Windows Features and look for Remote Server Administrator Tools. Expand this and drill down to AD/AS / Command line and enable that.

  5. Open a command window as Administrator and enter this command:

NETDOM.EXE resetpwd /s:(server) /ud:(username) /pd:*

Where (server) is the Netbios name of the domain server and (username) is the login account of the affected workstation in the format DOMAIN\Username

That’s it. After doing this, everything returned to normal on the workstation.

user473120

Posted 2013-02-21T13:51:57.763

Reputation: 9
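
The netdom resetpwd step above, the netdom reset and nltest /sc_reset options in Ahmed Raza's answer, and the Test-ComputerSecureChannel -Repair call in InteXX's answer are all client-side ways to re-key the secure channel without unjoining. The function below is an added example, not code from any of those answers: it tries them in order of intrusiveness (verify, in-place repair, machine password reset, independent re-verification with nltest) and stops at the first that succeeds. It needs an elevated PowerShell 3.0+ session on the affected workstation, started from a local administrator logon (or the cached-credentials trick elsewhere in this thread), and requires no RSAT install. 'CORP' and 'DC01' are placeholder names.

```powershell
# Added example (not from the original answers). Elevated PowerShell 3.0+ on
# the affected workstation; the cmdlets used ship with the OS.
function Repair-DomainSecureChannel {
    param(
        [Parameter(Mandatory)] [string] $Domain,           # NetBIOS or DNS name of the domain
        [string] $Server,                                   # optional: a specific DC to use
        [Parameter(Mandatory)] [pscredential] $Credential   # account allowed to reset this computer's account
    )

    # Splat the optional DC so every call below targets the same one.
    $dc = @{}
    if ($Server) { $dc.Server = $Server }

    # 1. Only test. $true means the client's secret still matches what AD holds.
    if (Test-ComputerSecureChannel @dc -Verbose) {
        Write-Host "Secure channel to $Domain is already healthy."
        return $true
    }

    # 2. In-place repair, the cmdlet form of 'netdom reset'. No rejoin, no reboot.
    if (Test-ComputerSecureChannel @dc -Repair -Credential $Credential -Verbose) {
        Write-Host 'Secure channel repaired in place.'
        return $true
    }

    # 3. Set a brand-new machine account password on both sides, the cmdlet
    #    form of 'netdom resetpwd'. Still no reboot, but $Credential must be
    #    permitted to reset the computer object's password (a domain admin or
    #    the account that originally joined the machine).
    try {
        Reset-ComputerMachinePassword @dc -Credential $Credential -ErrorAction Stop
    }
    catch {
        Write-Warning "Machine password reset failed: $($_.Exception.Message)"
        return $false
    }

    # 4. Confirm with nltest, the tool behind option 4 in the answer above.
    #    A healthy channel reports NERR_Success for the trust verification.
    $output  = & nltest.exe "/sc_verify:$Domain" 2>&1
    $healthy = ($LASTEXITCODE -eq 0) -and ($output -match 'NERR_Success')
    if (-not $healthy) { Write-Warning ($output -join "`n") }
    return $healthy
}

# Usage: the password is prompted for, never typed on the command line
# (which is where 'netdom ... /passwordo:Password' leaves it in history).
# $cred = Get-Credential -UserName 'CORP\admin' -Message 'Account allowed to reset the computer account'
# Repair-DomainSecureChannel -Domain 'CORP' -Server 'DC01' -Credential $cred
```

Step 2 fails rather than repairs when the computer object is disabled or gone, so if the function returns $false on a machine that is otherwise reachable, check the object on the DC before trying anything further on the client.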

-3

I have had this happen, and what worked for me is to log in with the admin account and re-add the PC to a workgroup, then re-add it to the domain after that.

Chris

Posted 2013-02-21T13:51:57.763

Reputation: 1

There are no active local accounts on the machine that I could use to logon. This answer is also similar to the accepted answer. – Rsya Studios – 2014-11-28T23:43:31.140

-3

If you have antivirus software installed, do the following...

Start ==> run ==> ncpa.cpl ==> press Alt + N ==> Advanced Settings ==> tab Provider Order ==> press the up button to get Microsoft Windows Network to the top.

Do this on client and domain controller (DC).

khalid khan

Posted 2013-02-21T13:51:57.763

Reputation: 1

Why? How does this fix the trust relationship between the client and the domain controller? – a CVn – 2015-05-23T12:57:45.517