Re-joining a computer to domain

This trick comes to be via my Active Directory study group. I suggest that everyone join a usergroup and/or a study group. It’s not that we don’t know AD, it’s that we forget or miss new features. A refresher course is fun too.

Occasionally a computer will come “disjoined” from the domain. The symptoms can be that the computer can’t login when connected to the network, message that the computer account has expired, the domain certificate is invalid, etc. These all stem from the same problem and that is that the secure channel between the computer and domain is hosed. (that’s a technical term. Smile )

The classic way to fix this problem is to unjoin and rejoin the domain. Doing so is kind of a pain because it requires a couple of reboots and the user profile isn’t always reconnected. Ewe. Further if you had that computer in any groups or assigned specific permissions to it those are gone because now your computer has a new SID, so the AD doesn’t see it as the same machine anymore. You’ll have to recreate all of that stuff from the excellent documentation that you’ve been keeping. Uh, huh, your excellent documentation. Double Ewe.

Instead of doing that we can just reset the secure channel. There are a couple of ways do this:

1. In AD right-click the computer and select Reset Account.
   Then re-join without un-joining the computer to the domain.
   Reboot required.
2. In an elevated command prompt type: dsmod computer "ComputerDN" -reset
   Then re-join without un-joining the computer to the domain.
   Reboot required.
   
3. In an elevated command prompt type: netdom reset MachineName /domain:DomainName /usero:UserName /passwordo:Password
   The account whose credentials you provided must be a member of the Local Administrators group.
   No rejoin. No reboot.
4. In an elevate command prompt type: nltest.exe /Server:ServerName /SC_Reset:DomainDomainController
   No rejoin. No reboot.

As of Server 2008 R2, the task is very simple. We may now use the Test-ComputerSecureChannel cmdlet.

Test-ComputerSecureChannel -Credential (Get-Credential) -Verbose

Add the -Repair parameter to perform the actual repair; use credentials for an account that's authorized to join computers to the domain.

Reference:

https://msdn.microsoft.com/en-us/powershell/reference/3.0/microsoft.powershell.management/test-computersecurechannel

http://windowsitpro.com/blog/quick-fix-computers-no-longer-domain-joined

-- EDIT--

If there aren't any local administrator accounts you can use for this, you can create one (or enable the disabled built-in Administrator account) with the well-known Sticky Keys hack.

To reset a forgotten administrator password, follow these steps: ^

1. Boot from Windows PE or Windows RE and access the command prompt.
2. Find the drive letter of the partition where Windows is installed. In Vista and Windows XP, it is usually C:, in Windows 7, it is D: in most cases because the first partition contains Startup Repair. To find the drive letter, type C: (or D:, respectively) and search for the Windows folder. Note that Windows PE (RE) usually resides on X:. For the purposes of this demonstration, we'll assume that Windows is installed on drive C:
3. Type the following command: copy C:\Windows\System32\sethc.exe C:\ This creates a copy of sethc.exe to restore later.
4. Type this command to replace sethc.exe with cmd.exe: copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe Reboot your computer and run the Windows instance for which you don't have the administrator password.
5. After you see the logon screen, press the SHIFT key five times.
6. You should see a command prompt where you can enter the following command to reset the Windows password: net user [username] [password] If you don't know your user name, just type net user to list the available user names.
7. You can now log on with the new password.

If you wish to enable the disabled-by-default built-in Administrator account instead of resetting the password on an existing account, the command is:

1. net user administrator /active:yes.

If you wish to create a new account and add it to the local Administrators group, the command sequence is:

1. net user /add [username] [password]
2. net localgroup administrators [username] /add

Stop fighting with this problem from the client side. If you can't log in to the domain, you're either going to have to log in with an enabled local account, or use a boot CD to enable one.

Try removing the machine from Active Directory Users and Computers. It should be in the Administrative Tools on your server. Open the OU (organizational unit) that contains the computer. Find the computer, right click on it, and hit delete.

It might not hurt to be patient and just let replication do its thing, depending on how many DCs you have. If your domain is pretty simple (no sites and just two DCs) you could use repadmin /replicate to force replication. Give this a read before doing so.

Now add the PC again using AD UC and either wait for replication or force it.

If it still whines at you, give netdom /remove a try (man page here) and see if that will get it off your domain. If you have trouble with that, take a look at this question. It's a different scenario but essentially the same concept: trying to remove a computer from a domain when it can't contact the DC.