Monday 26 March 2012

Error when Attempting to Remove Windows Server 2008 Server Core from Domain


Error when Attempting to Remove Windows Server 2008 Server Core from Domain


A few days ago I played around with some of my virtual machines and encountered an issue when attempting to remove a Windows Server 2008 R2 Server Core machine from a domain. Because both the core machine and the Domain Controller (DC) machine were virtual machines, when I reverted the DC back to a previous snapshot, the core machine could no longer access resources on the DC, and I couldn't log on to the machine by using the domain admin user account.

This is the error I got while attempting to log on by using a domain user account:
"The security database on the server does not have a computer account for this workstation trust relationship."
The security database on the server does not have a computer account for this workstation trust relationship
To fix this, I tried to remove the server core machine from the domain. In core, this can be done in one of 2 ways:
  • By using SCONFIG
  • By using NETDOM
Since SCONFIG is easier, I used it. I typed SCONFIG in the Command Prompt window, and when SCONFIG opened, I pressed on the "1" key.
Resolving server core error, SCONFIG
I then attempted to remove the machine from the domain in order to later re-join it.
Remove machine from domain
I entered the right local credentials:
Enter local credentials
But no matter what I did, I got an error:
"Failed to join domain."
(Actually, I tried to get out of a domain, but no matter...)
Failed to join domain





So I tried using NETDOM. In the Command Prompt window I typed the following command:
netdom /remove %computername% /domain:petri-labs.local /userd:administrator /passwordd:************
I got an error:
"No mapping between account names and security IDs was done."
The command failed to complete successfully.
I also tried a variation of the username I used:
netdom /remove %computername% /domain:petri-labs.local /userd:petri-labs\administrator /passwordd:************
Still, same error.
No mapping between account names and security IDs was done
Rats!
And then it hit me. The error I got when attempting to log on by using a domain user account had a clue in it. There was no computer account for the server core machine in Active Directory Users and Computers!
So I went to the DC, opened the Active Directory Users and Computers snap-in, and bingo, indeed the computer account was missing.
I created the server core computer account by clicking on the "Computers" container > New > Computer.
Active Directory Users and Computers
I created the new computer object with a name that matches the name of the server core machine.
Create new computer object
Match name of server core machine
Attempting to leave the domain again resulted with a success, and I was asked to reboot the machine.
Create computer account object
Back in Active Directory Users and Computers, the computer account's object was disabled.
Create computer account object
It's OK

No comments:

Post a Comment