Error when Attempting to Remove Windows Server 2008 Server Core from Domain
A few days ago I played around with some of my virtual machines and encountered an issue when attempting to remove a Windows Server 2008 R2 Server Core machine from a domain. Because both the core machine and the Domain Controller (DC) machine were virtual machines, when I reverted the DC back to a previous snapshot, the core machine could no longer access resources on the DC, and I couldn't log on to the machine by using the domain admin user account.
"The security database on the server does not have a computer account for this workstation trust relationship."
To fix this, I tried to remove the server core machine from the domain. In core, this can be done in one of 2 ways:
- By using SCONFIG
- By using NETDOM
I then attempted to remove the machine from the domain in order to later re-join it.
I entered the right local credentials:
But no matter what I did, I got an error:
"Failed to join domain." (Actually, I tried to get out of a domain, but no matter...)
netdom remove %computername% /domain:petri-labs.local /userd:administrator /passwordd:************
I got an error:
"No mapping between account names and security IDs was done.
The command failed to complete successfully."
I also tried a variation of the username I used:
netdom remove %computername% /domain:petri-labs.local /userd:petri-labs\administrator /passwordd:************
Still, same error.
And then it hit me. The error I got when attempting to log on by using a domain user account had a clue in it. There was no computer account for the server core machine in Active Directory Users and Computers!
So I went to the DC, opened the Active Directory Users and Computers snap-in, and bingo, indeed the computer account was missing.
I created the server core computer account by clicking on the "Computers" container > New > Computer.
I created the new computer object with a name that matches the name of the server core machine.
Attempting to leave the domain again resulted in success, and I was asked to reboot the machine.
Back in Active Directory Users and Computers, the computer account's object was disabled.
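The check and the account creation done above in Active Directory Users and Computers can also be scripted on the DC. The following is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module is available, uses the default Computers container of petri-labs.local, and uses CORE01 as a placeholder for the server core machine's name. The function name is hypothetical.

```powershell
# Added example: run on the DC (or a host with the AD tools installed).
Import-Module ActiveDirectory

function Repair-MissingComputerAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Placeholder: pass the real name of the server core machine.
        [Parameter(Mandatory = $true)][string]$ComputerName,
        # Assumption: the default Computers container of the domain from the post.
        [string]$Container = 'CN=Computers,DC=petri-labs,DC=local'
    )

    # -Filter returns nothing (instead of throwing) when no account matches.
    $account = Get-ADComputer -Filter "Name -eq '$ComputerName'" -Properties whenCreated

    if ($account) {
        # The account exists, so a missing object is not the cause; change nothing
        # and report its state (a disabled account also blocks the trust).
        return $account | Select-Object Name, Enabled, whenCreated, DistinguishedName
    }

    # Account is missing, e.g. the DC was reverted to a snapshot taken before the join.
    # Recreate an object whose name matches the machine so it can leave the domain cleanly.
    if ($PSCmdlet.ShouldProcess($ComputerName, "Create computer account in $Container")) {
        New-ADComputer -Name $ComputerName -SamAccountName $ComputerName `
            -Path $Container -Enabled $true -PassThru |
            Select-Object Name, Enabled, DistinguishedName
    }
}

# Dry run first: -WhatIf shows what would be created without changing the directory.
Repair-MissingComputerAccount -ComputerName 'CORE01' -WhatIf
```

Drop `-WhatIf` to create the account, then repeat the domain removal on the server core machine.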