Printer Friendly Version
A few days ago I played around with some of my virtual machines and encountered an issue when attempting to remove a Windows Server 2008 R2 Server Core machine from a domain. Because both the core machine and the Domain Controller (DC) machine were virtual machines, when I reverted the DC back to a previous snapshot, the core machine could no longer access resources on the DC, and I couldn't log on to the machine by using the domain admin user account.
SolarWinds Network Performance Monitor (NPM) automatically discovers new devices from any vendor and quickly identifies the slowest-performing devices on your network.
Drag and drop network devices onto custom network maps to automatically view connections between devices and real-time performance statistics. Use SolarWinds NPM to configure alerts to notify you when network performance drops below key thresholds and to keep an eye on wired and wireless device performance from a single pane of glass. Download SolarWinds NPM today and be monitoring your network in under an hour!
This is the error I got while attempting to log on by using a domain user account:
"The security database on the server does not have a computer account for this workstation trust relationship."
To fix this, I tried to remove the server core machine from the domain. In core, this can be done in one of 2 ways:
- By using SCONFIG
- By using NETDOM
Since SCONFIG is easier, I used it. I typed SCONFIG in the Command Prompt window, and when SCONFIG opened, I pressed on the "1" key.
I then attempted to remove the machine from the domain in order to later re-join it.
I entered the right local credentials:
But no matter what I did, I got an error:
"Failed to join domain."
(Actually, I tried to get out of a domain, but no matter...)
So I tried using NETDOM. In the Command Prompt window I typed the following command:
netdom /remove %computername% /domain:petri-labs.local /userd:administrator /passwordd:************
I got an error:
"No mapping between account names and security IDs was done."
The command failed to complete successfully.
I also tried a variation of the username I used:
netdom /remove %computername% /domain:petri-labs.local /userd:petri-labs\administrator /passwordd:************
Still, same error.
Rats!
And then it hit me. The error I got when attempting to log on by using a domain user account had a clue in it. There was no computer account for the server core machine in Active Directory Users and Computers!
So I went to the DC, opened the Active Directory Users and Computers snap-in, and bingo, indeed the computer account was missing.
I created the server core computer account by clicking on the "Computers" container > New > Computer.
I created the new computer object with a name that matches the name of the server core machine.
Attempting to leave the domain again resulted with a success, and I was asked to reboot the machine.
Back in Active Directory Users and Computers, the computer account's object was disabled.
It's worth noting that I only encountered this specific issue on server core machines, and while it's possible that it could happen in GUI-based operating systems such as Windows XP/Vista/7 etc., these will usually let you complete the action even if the computer account was missing.
