A very interesting problem was posted recently concerning the inability to rejoin a client computer to a WSE 2012 Domain. A Home Server Show forum member had successfully joined the client computer to the domain at one point and then removed the client from the domain but left the computer object in the domain. Here is where the problem starts.
The NETBIOS name of the client computer was left the same, and the client could communicate with the server in order to download the connector software, but the connector installation would fail with the error message, “Cannot connect this computer to the network: An unexpected error has occurred. For more information, See troubleshoot connecting computers to the server”, which is not very helpful when trying to troubleshoot. For each workstation or server that is a member of a domain, there is a secure channel with a domain controller. The secure channel’s password is stored along with the computer account on all domain controllers. If, for some reason, the computer account’s password and the LSA secret are not synchronized, the Netlogon service will log an error.
The issue lies in the fact that the server still sees an Active Directory (AD) object named “Test01” (for the sake of illustration). Test01 knows how to communicate with the Domain Controller (DC) and vice versa through the “Secure Channel Communications” process. These two are using two-factor authentication, that is, who you are and what you know. The “who” part is the DC and Test01, and the “what you know” part is the Secure Channel password. That password is as critical as the password for any user. When a computer object is created in AD, an associated SID (System Identifier) is also created which uniquely identifies the AD object within the domain. You cannot have duplicate SIDs without major issues, mainly those associated with the hostnames of clients. When the forum member removed the client from the domain, the AD object remained on the DC, as did the relationship between the computer object and the DC, in this case the Server 2012 Essentials install. So how do we fix this?
A couple of ways are available to us and we need to look at those. The first one is an easy fix, which would involve removing the client computer from the domain and deleting the AD object for the client. We would also need to unjoin the client computer from the domain. While easy enough to do, this process could create some issues for you depending on the complexity of your setup. Once you delete the AD object, all of its properties are removed from such things as Group Policies, Group Memberships, and placement within any special OU (Organizational Unit) structure. If you have a plain vanilla sort of setup, this would not be hard to remedy. If your AD structure is a little more complex, the fix could be a little more time consuming. The following method is just as easy to implement and has no adverse effects within AD.
Log on to the client computer and remove it from the domain using elevated credentials. Be sure at this point that you know the local Admin password, because once the client reboots the local Admin account will be your only way to log on.
Log on to the server, open the Server Manager Console, go to Tools and select Active Directory Users and Computers.
Expand the domain, select the Computers OU and then select the client computer in question. Right-click and select “Reset”. Nothing will appear to have happened, but what you have in fact just done is reset the Secure Channel password between the client computer and the DC (the WSE 2012 Server).
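For admins who would rather script the reset, or who want to confirm that the computer object really is intact before and after, the following PowerShell is an added example and not code from the original post. The computer name Test01 and the domain name ESSENTIALS are placeholders; substitute your own. The server-side part runs on the WSE 2012 server and does the same thing as the right-click reset in ADUC, and the client-side part is run on the client after the Connector has rejoined it.

```powershell
# Added example (not from the original post). Placeholders: Test01, ESSENTIALS.

# ---------- Run on the WSE 2012 server (the domain controller) ----------
Import-Module ActiveDirectory

$ComputerName = 'Test01'

# Confirm the stale object still exists and record its memberships and SID.
# This is what deleting the object would throw away and what the reset preserves.
$Computer = Get-ADComputer -Identity $ComputerName `
    -Properties PasswordLastSet, LastLogonDate, MemberOf

$Computer | Select-Object Name, DistinguishedName, SID, PasswordLastSet, LastLogonDate,
    @{ Name = 'Groups'; Expression = { $_.MemberOf -join '; ' } }

# Same effect as right-click > Reset in Active Directory Users and Computers:
# the computer account password is reset, so the client can re-establish the
# secure channel with its existing object (and existing SID) on the next join.
dsmod computer $Computer.DistinguishedName -reset

# PasswordLastSet should now show the current time.
(Get-ADComputer -Identity $ComputerName -Properties PasswordLastSet).PasswordLastSet

# ---------- Run on the client after the Connector has rejoined it ----------
# Returns $true when the client's LSA secret and the AD computer account password agree,
# i.e. the secure channel is healthy; $false is the condition that made the join fail.
Test-ComputerSecureChannel -Verbose

# Shows which DC the secure channel is held with and its current status.
nltest /sc_query:ESSENTIALS
```

If Test-ComputerSecureChannel later reports $false on a client that is still joined (a machine password drifted out of sync, for example after restoring an old image), Test-ComputerSecureChannel -Repair with domain admin credentials re-syncs the password from the client side without unjoining, which keeps the computer object and its memberships intact in exactly the same way as the reset described above.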
The big advantage of this method is that the computer object remains within AD and all associated memberships and policies remain intact. You can now run the Client Connector software and should not have any issues. The “new client” will now be given the secure channel password and you can work as you did before.