A few days ago I played around with some of my virtual machines and encountered an issue when attempting to remove a Windows Server 2008 R2 Server Core machine from a domain. Because both the core machine and the Domain Controller (DC) machine were virtual machines, when I reverted the DC back to a previous snapshot, the core machine could no longer access resources on the DC, and I couldn't log on to the machine by using the domain admin user account.
This is the error I got while attempting to log on by using a domain user account:
"The security database on the server does not have a computer account for this workstation trust relationship."
To fix this, I tried to remove the Server Core machine from the domain. On Server Core, this can be done in one of two ways:
- By using SCONFIG
- By using NETDOM
Since SCONFIG is easier, I used it. I typed SCONFIG in the Command Prompt window, and when SCONFIG opened, I pressed the "1" key.
I then attempted to remove the machine from the domain in order to later re-join it.
I entered the right local credentials:
But no matter what I did, I got an error:
"Failed to join domain."
(Actually, I tried to get out of a domain, but no matter...)
So I tried using NETDOM. In the Command Prompt window I typed the following command:
netdom remove %computername% /domain:petri-labs.local /userd:administrator /passwordd:************
I got an error:
"No mapping between account names and security IDs was done."
The command failed to complete successfully.
I also tried a variation of the username I used:
netdom remove %computername% /domain:petri-labs.local /userd:petri-labs\administrator /passwordd:************
Still, same error.
And then it hit me. The error I got when attempting to log on by using a domain user account had a clue in it. There was no computer account for the server core machine in Active Directory Users and Computers!
So I went to the DC, opened the Active Directory Users and Computers snap-in, and bingo, indeed the computer account was missing.
I created the server core computer account by clicking on the "Computers" container > New > Computer.
I created the new computer object with a name that matches the name of the server core machine.
Attempting to leave the domain again succeeded, and I was asked to reboot the machine.
Back in Active Directory Users and Computers, the computer account's object was disabled.
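The same fix, scripted with the ActiveDirectory PowerShell module on the DC, as an added example that is not part of the original post. It checks whether the Server Core machine has a computer object, recreates it in the Computers container if not, and then verifies the object's state after the machine has left the domain. The computer name CORE01 is a placeholder; the domain name is the one used in the post. The netdom step is shown as a comment because it is typed into the Command Prompt on the Server Core machine itself, not on the DC.

```powershell
# Added example (not from the original post). Run on the DC as a domain admin.
Import-Module ActiveDirectory

$coreName = 'CORE01'            # placeholder: name of the Server Core machine
$domain   = 'petri-labs.local'  # domain used in the post

# Step 1: look for a computer object matching the Server Core machine's name.
# Get-ADComputer with -Filter returns $null (no error) when nothing matches.
$existing = Get-ADComputer -Filter "Name -eq '$coreName'"

if (-not $existing) {
    # This is the situation in the post: the logon error and the netdom
    # "No mapping between account names and security IDs" error both point
    # at a missing computer account.
    $computersDn = 'CN=Computers,' + (Get-ADDomain -Identity $domain).DistinguishedName
    Write-Host "No computer account for $coreName; creating it in $computersDn"
    New-ADComputer -Name $coreName -SamAccountName "$coreName`$" -Enabled $true -Path $computersDn
}
else {
    Write-Host "Computer account for $coreName already exists: $($existing.DistinguishedName)"
}

# Step 2 (on the Server Core machine, in the Command Prompt): leave the domain.
# Note the verb form 'netdom remove'; '/passwordd:*' prompts for the password
# instead of putting it on the command line.
#   netdom remove %computername% /domain:petri-labs.local /userd:petri-labs\administrator /passwordd:*

# Step 3 (back on the DC, after the reboot): the object should now be disabled,
# which is what the post observed in Active Directory Users and Computers.
Get-ADComputer -Identity $coreName -Properties Enabled |
    Select-Object Name, Enabled, DistinguishedName
```

The check in step 1 is worth running before reaching for netdom at all: a snapshot rollback of a DC silently loses any computer accounts created after the snapshot, and the symptom on the member is a trust-relationship logon error rather than anything that names the missing object.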
It's worth noting that I only encountered this specific issue on server core machines, and while it's possible that it could happen in GUI-based operating systems such as Windows XP/Vista/7 etc., these will usually let you complete the action even if the computer account was missing.