joem

Cannot Connect Computer to the Server. Help!

59 posts in this topic

Go into AD, find the computer object, right click and reset. That should solve the issue if you are using the same hostname for the client.


Cool! I'll try that and run another test to disjoin and rejoin. Give me a little time to do this and I'll report back. Thanks.


That action will clear the SID within AD.


That action will clear the SID within AD.

 

When you say "clear the SID" do you mean it will set the SID to "0000......00"?


jmwills: I want to get this AD reset in the right order when I do this test. At what point should I do the reset on that computer? Before I disjoin? After disjoining? It seems the computer object would be gone from AD after disjoining though. Anyway please advise. Thanks.


Not to 0's.

 

1. A domain computer account synchronizes with the Domain Controller (DC) on a regular basis. This means that the computer checks with the DC or the DC checks for the computer on the network at a set interval. If for some reason synchronization does not take place, then the computer account can become invalid due to failed authentication. Group policy may also fail to take effect.

Each domain computer maintains a machine account password history containing the current and previous passwords used for the account. When the computer attempts to authenticate with the DC and a change to the current password has not yet been received, Windows then relies on the previous password. If this authentication fails (due to the failed sync of the password), the two computers may not communicate. Hence, you have to reset the computer password. You can't set the password directly, but you can perform a computer account reset in the "Active Directory Users and Computers" console or with "netdom reset" on a DC.

After you have reset the computer account, you won't be able to log in to the affected computer using domain-based accounts. You have to re-join the computer to the domain so that the AD re-sync can take place. Log in to the affected computer with the local administrator account.

2. When a secure channel fails, i.e. the trust with the domain has been lost, you must reset it. Most people simply remove the computer from the domain by joining a workgroup, and then re-joining the domain. This is a bad idea because the computer account SID is lost, along with any group memberships.

Type the command netdom reset MachineName /Domain:DomainName /UserO:UserName /PasswordO:{Password | *} where the credentials belong to the local Administrators group of the computer. This resets the secure channel by attempting to reset the password on both the computer and the domain, and does not require rejoining or rebooting.

You could also try the following from the computer that has lost its trust: nltest /server:ServerName /sc_reset:DOMAIN\DomainController. This also tries to reset the secure channel by resetting the password both on the computer and in the domain, and does not require rejoining or rebooting.
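The same repair the quoted article does with netdom and nltest can be driven from PowerShell on the affected client; this is an added example, not code from the thread or the article. It assumes Windows PowerShell 3.0 or later, an elevated session started from a local administrator logon, and that $Server and $Credential are placeholders you supply for your own DC and an account allowed to reset the computer's password.

```powershell
# Added example: repair a lost secure channel in place, so the existing
# computer object (its SID and group memberships) is kept instead of
# disjoining/rejoining. Assumes Windows PowerShell 3.0+, run elevated while
# logged on as a local administrator. $Server and $Credential are placeholders.
param(
    [string]$Server = $null,    # optional: a specific DC, e.g. "DC01.corp.example"
    [System.Management.Automation.PSCredential]$Credential = $null
)

$dcArgs = @{}
if ($Server) { $dcArgs.Server = $Server }

# Step 1: query only. Returns $false when the machine account password held
# on the client no longer matches the one the DC holds (the "trust lost" state).
if (Test-ComputerSecureChannel @dcArgs) {
    Write-Host "Secure channel OK; nothing to do."
    return
}

# Step 2: the client can no longer authenticate itself, so the reset needs a
# domain account that is allowed to reset this computer's password.
if (-not $Credential) {
    $Credential = Get-Credential -Message "Domain account allowed to reset this computer's password"
}

# -Repair resets the password on both the client and the DC, like "netdom
# reset", with no rejoin and no reboot. The computer object is untouched.
$repaired = Test-ComputerSecureChannel -Repair -Credential $Credential @dcArgs
if (-not $repaired) {
    # Fallback: generate a new machine account password and push it to the DC.
    Reset-ComputerMachinePassword -Credential $Credential @dcArgs
    $repaired = Test-ComputerSecureChannel @dcArgs
}

if ($repaired) {
    Write-Host "Secure channel repaired; domain logons should work after a logoff."
    # Independent confirmation with the built-in tool; the domain name is read
    # from WMI because a local logon does not populate USERDNSDOMAIN.
    $domain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
    nltest /sc_verify:$domain
} else {
    Write-Warning "Repair failed; fall back to the reset-in-AD and rejoin sequence."
}
```

To confirm the point about group memberships, running Get-ADComputer -Identity <name> -Properties MemberOf from an admin workstation (assumes the Active Directory module is installed) before and after the repair should show the same SID and MemberOf values, which a disjoin/rejoin against a deleted object would not.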


Thinking a little bit more about this I am thinking that the reset would be done before I disjoin it from the domain?


Yes. Remove from the Domain first, but since you are past that point, you could log on locally with the Admin account and place back into a workgroup.


No. I still have the computer I am going to test on the domain. So I can reset and then disjoin?


Thanks for the article jmwills. Very interesting info. I haven't seen it before. I agree, most people do resolve these issues by joining the client computer to a workgroup and then back to the domain. As the article says, "bad idea". Now I see why, and have a way of not having to do that.


No. I still have the computer I am going to test on the domain. So I can reset and then disjoin?

 

That's the way I read it. In fact, with a Reset, you may not even have to Disjoin because the Reset requires you to login to the client computer using a local admin account and you have to Rejoin the computer to the network anyway.


For sure, I would remove it just to be safe.


For sure, I would remove it just to be safe.

 

With the caveat that Disjoining will remove any SID associations, I agree. Although, it might be interesting to try it without Disjoining, just as an experiment. :)


I know what will happen. The secure channel comms will be lost and the client cannot connect to a DC.


I have a guy coming in soon that I will have to blow away his Windows 7 Pro and reinstall. I will test that first by joining to the domain and the reset trick. Then try to join it again. I'll get back to you on the results. If there is anything else you want me to test let me know.


I know what will happen. The secure channel comms will be lost and the client cannot connect to a DC.

 

Well, yes, of course. But, will it be able to rejoin the domain, since that is his main issue? IOW, will a Reset be enough to allow it to rejoin the domain, or will it actually have to be deleted from the domain and get an entirely new SID?


You should be able to join, but if you try to remote to it, you will not be able to.


I have a guy coming in soon that I will have to blow away his Windows 7 Pro and reinstall. I will test that first by joining to the domain and the reset trick. Then try to join it again. I'll get back to you on the results. If there is anything else you want me to test let me know.

 

Fantastic. Looking forward to reading the results.


Blowing away the install would be the same as removing it from the domain, as far as a DC is concerned.


Blowing away the install would be the same as removing it from the domain, as far as a DC is concerned.

 

Yeah, but he's going to do a fresh install, then join the network, then disjoin the network, then try to rejoin again.


I would go with this sequence which I know works:

  • Remove client from Domain
  • Reset Computer Object in AD
  • Rejoin Client to Domain


I would go with this sequence which I know works:

  • Remove client from Domain
  • Reset Computer Object in AD
  • Rejoin Client to Domain

 

Yep. That's exactly the scenario we're wondering about. He has done everything except the Reset.

 

I think, like you, that it will work just fine, but the variable is that this is WS2012 Essentials. It seems to be behaving differently than WHS2011 in that, with WHS2011, he was able to disjoin and rejoin with no issues, but with WSE2012 it doesn't seem to work. Hopefully, the Reset will be the fix.


It has to behave differently, it's a Domain. Try this in WHS2011 and you should/would get an error stating a computer with this name already exists, but it allows you to continue by archiving the backups. I know, I did this recently.


I did a reset on the computer I joined to the domain. I restarted and it was still on the domain. Same user name and password. I thought it would have popped it off the domain and made me log on with a local admin account?

 

Next step. If I remove the computer from the domain, would there still be a computer object to reset for that computer I removed?

 

I will find out with that 3 step process you provided.

  • Remove client from Domain
  • Reset Computer Object in AD
  • Rejoin Client to Domain


Resetting the account will not kick the client off the domain, so to speak, if by that you mean unjoin it. It will only break the secure channel comms with the DC.

