Windows Server 2003 Cannot Logon to Domain after Computer Account Reset in ADUC

    Question

  • Hello,
    I performed a 'Reset Account' for a Windows 2003 Server in ADUC, and now I cannot logon to the server.  I receive a message that states "Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your account was not found."  The computer account is still listed in ADUC.  Doug
    Tuesday, March 09, 2010 8:24 PM


All replies

  • Hello,
    I performed a 'Reset Account' for a Windows 2003 Server in ADUC, and now I cannot logon to the server.  I receive a message that states "Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your account was not found."  The computer account is still listed in ADUC.  Doug

    That error is expected after you reset a computer account in AD :)
    To solve that you need to re-add the computer to the domain again. You don't need to move the computer to workgroup mode, just re-add it to the domain.


    I hope that the information above helps you. This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
    Tuesday, March 09, 2010 8:26 PM
  • Hi Jorge,
    Thanks for the reply.  I performed the following to re-add the server to the domain:  'netdom add /d:devgroup.example.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com'.  I used the server's computer name and OU location of the server.  I'm still not able to logon to the domain.  Did I use the correct utility to re-add this server to the domain?  Thanks, Doug
    Tuesday, March 09, 2010 9:26 PM
  • Hi Jorge,
    Thanks for the reply.  I performed the following to re-add the server to the domain:  'netdom add /d:devgroup.example.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com'.  I used the server's computer name and OU location of the server.  I'm still not able to logon to the domain.  Did I use the correct utility to re-add this server to the domain?  Thanks, Doug

    - Okay, I assume that the Windows 2003 server is a member server, correct?
    - Confirm that you're resetting the Active Directory account that corresponds to that server; after that you can re-add the server to Active Directory.

    The command is:
    NETDOM JOIN %computername% /Domain:yourdomain /UserD:domainuser /PasswordD:*

    Notes:
    - Since you already have a computer account in Active Directory in the correct OU, you shouldn't need to specify the OU path.
    - You must have permissions to join computers into your Active Directory domain.
    - Make sure that your server has the correct INTERNAL AD DNS configured under TCP/IP settings.
    - Rather than using the Netdom command, you can re-add your member server using the GUI; to do so follow:
    1. On the member server, right-click the computer icon on your desktop and choose Properties.
    2. Select the Computer tab and click the "Change" button.
    3. Select the Domain check box, enter your NetBIOS domain name, then click OK.
    4. Enter your domain credentials "Domain\Username" and your "password", then click OK.
    If the computer was successfully added to the domain you should get a confirmation screen saying that your computer was added to the domain successfully and that you need to reboot it. After the reboot you should be able to logon without any problem.

    - There's another scenario that may be causing that error. Assuming that your domain has a trust with other domains (external domains or internal child domains, etc.), make sure that you're using the correct domain to logon.

    - If all the procedures explained here fail, please post the results of ipconfig /all (for that member server and your domain controller). Also try to explain your current domain scenario in a little more detail, including configurations and the EXACT error messages that you're getting and when you get them.

    I hope that the information above helps you. This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
    • Proposed as answer by Wilson Jia Wednesday, March 10, 2010 1:45 AM
    Wednesday, March 10, 2010 12:14 AM
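The procedure in the answer above, written out as a script. This is an added example and not part of the original thread or any Microsoft tool: it first checks that the server's DNS actually returns the DC locator SRV record (the "INTERNAL AD DNS" point), then runs netdom with the verb first and the machine name second, which is the argument order the later "parameter ... was unexpected" error turns on. It assumes an elevated PowerShell on the member server with netdom.exe and nltest.exe on the PATH (Support Tools on Windows Server 2003, inbox or RSAT on later versions); Resolve-DnsName needs Windows 8 / Server 2012 or later, so on 2003 replace that check with nslookup -type=SRV. The parameter names $Domain and $JoinUser are this example's own.

```powershell
# Added example (not from the original thread): re-join a member server whose
# AD computer account was reset in ADUC, without touching the OU, using the
# netdom argument order from the answer above.
param(
    [Parameter(Mandatory)] [string]$Domain,    # AD DNS name, e.g. mis.gov (not the NetBIOS name)
    [Parameter(Mandatory)] [string]$JoinUser   # account allowed to join computers, e.g. MIS\svc-join
)

function Test-DcLocator {
    # 1. The client's configured DNS must serve the DC locator record; if it does
    #    not, netdom fails before it ever reaches a domain controller.
    $srv = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        $records = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
                   Where-Object { $_.QueryType -eq 'SRV' }
    } catch {
        Write-Warning "No SRV records for $srv. Point the TCP/IP DNS servers at internal AD DNS."
        return $false
    }
    foreach ($r in $records) {
        Write-Host ("DC advertised in DNS: {0}:{1}" -f $r.NameTarget, $r.Port)
    }

    # 2. Ask the DC locator itself; this is what the join will use.
    $out = & nltest.exe "/dsgetdc:$Domain" 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "nltest /dsgetdc failed:`n$($out -join "`n")"
        return $false
    }
    return $true
}

function Invoke-NetdomJoin {
    if (-not (Test-DcLocator)) {
        throw "DC locator checks failed; not attempting the join."
    }

    # Order matters: verb, then the computer name, then the switches.
    # "netdom <computer> join" is what yields "The parameter <computer> was unexpected."
    $netdomArgs = @(
        'join', $env:COMPUTERNAME,
        "/Domain:$Domain",
        "/UserD:$JoinUser",
        '/PasswordD:*'   # prompt; keeps the password out of the command history
    )
    Write-Host "Running: netdom $($netdomArgs -join ' ')"
    & netdom.exe @netdomArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netdom join returned exit code $LASTEXITCODE"
    }
    Write-Host "Join succeeded. Reboot the server to complete it."
}

Invoke-NetdomJoin
```

Because the existing computer object is reused, no /OU switch is passed; if netdom reports that the computer is already in the domain, the account has to be removed or reset first, which is the case the next answer in the thread covers.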
  • Hi Jorge,
    Thanks for your help.

    The Windows 2003 server is a member server.

    I performed the
    'NETDOM JOIN %computername% /Domain:yourdomain /UserD:domainuser /PasswordD:*' on the server using the logon credentials of an Enterprise and Domain Admin account, and I receive the following message: "The parameter PSMS02 was unexpected."  Unfortunately, I am unable to join the server via the GUI, as the "Change" button is grayed out because the server is running as a CA. 


    We are running a single Active Directory domain with no external trusts.


    Here is the 'IPConfig /all' from the member server.

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : PSMS02
       Primary Dns Suffix  . . . . . . . : MIS.GOV
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : MIS.GOV

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
     VBD Client)
       Physical Address. . . . . . . . . : 00-19-B9-C9-4F-80
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 10.30.1.45
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.30.1.1
       DNS Servers . . . . . . . . . . . : 10.30.1.8
                                           10.20.1.209
       Primary WINS Server . . . . . . . : 10.30.1.8

    Ethernet adapter Local Area Connection 2:

       Media State . . . . . . . . . . . : Media disconnected
       Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
     VBD Client) #2
       Physical Address. . . . . . . . . : 00-19-B9-C9-4F-82




    Here is an 'IPConfig /all' from the DC in the server's AD Site.

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : dc4
       Primary Dns Suffix  . . . . . . . : MIS.GOV
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : MIS.GOV

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
     VBD Client) #2
       Physical Address. . . . . . . . . : 00-13-72-62-F2-5A
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 10.30.1.8
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.30.1.1
       DNS Servers . . . . . . . . . . . : 10.30.1.8
                                           10.20.1.209
       Primary WINS Server . . . . . . . : 10.30.1.8
       Secondary WINS Server . . . . . . : 10.20.1.209



    Thank you,
    Doug


    Wednesday, March 10, 2010 2:35 PM
  • You need to reset the secure channel of that 2003 member server with the DC. To reset the secure channel use the netdom utility; if the command fails on the member server, you can try resetting the secure channel from the DC.

    http://technet.microsoft.com/en-us/library/cc776879(WS.10).aspx


    Wednesday, March 10, 2010 5:13 PM
  • Ok,
    You should have mentioned before that we were talking about a certification authority; that is important.
    Since in your first thread you mentioned that you performed a Reset on the computer object, there's no turning back now, unless you restore the object from backup.
    IMO, the correct way to perform this on a CA was to reset the computer account password with netdom, without the need to re-add or reset the computer account.

    Okay, the error that you're seeing (The parameter PSMS02 was unexpected) is generally caused by incorrect command-line syntax. Check that; the example that I provided before works fine in my environment. For example: Netdom Join %computername% IS DIFFERENT from Netdom %computername% Join. If the error says that the parameter PSMS02 was unexpected, that generally means that the variable %computername% is before or after something that it SHOULDN'T be.

    It's likely that you need to remove it before doing the Join to the domain, or you may get an error like "The computer is already in the specified domain" (or something like that). Normally this is corrected by using the GUI to re-add the server to the domain, but doing it with netdom is different. If that is the case, you should do netdom remove %computername% ...., then enable the computer account in AD, and then do netdom Join %computername%....

    Obs:
    I see in your IP configuration that you have dual NICs in the member server and in the DC. On the member server, disable the unused NIC. For the DC I don't see the other IP address, but if you have more than one NIC in your domain controller it's likely that you'll have problems; multihomed DCs are not recommended and may cause issues. There are lots of identified issues related to multihomed domain controllers. Do a search on the web and you will find lots of them.


    I hope that the information above helps you. This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
    • Marked as answer by Wilson Jia Friday, March 12, 2010 9:01 AM
    Wednesday, March 10, 2010 5:45 PM
  • I removed the CA from the server and then re-joined the server via the GUI.  I then re-installed the CA and everything is okay now. 

    I apologize for not mentioning that the server was a CA.  Thanks for all your help.  Doug

    • Marked as answer by Wilson Jia Friday, March 12, 2010 9:03 AM
    Wednesday, March 10, 2010 6:58 PM
  • Great, that's another valid option when CAs are new and don't have any certs issued; otherwise you would need to recover the CA from backup rather than removing the CA role and re-installing it....
    In future, with the same kind of errors, you may reset the server's account password without having to reset it in AD.
    When performing resets on AD computer objects you have to re-add them (using the GUI or Netdom) because they lose the "affinity" with the AD object. For most scenarios the fastest way is to do a reset for that computer object and then re-add it to the domain, but for CAs, DCs and other critical server roles, normally, it is better (from my perspective) to solve the problem without having to remove them from the domain.


    I hope that the information above helps you. This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
    Wednesday, March 10, 2010 8:03 PM
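The "reset the secure channel instead of the AD object" approach that two of the replies above recommend for a CA, written out as a script. This is an added example, not part of the original thread or of any Microsoft product: it checks the secure channel from two angles, then re-negotiates the machine account password in place with Test-ComputerSecureChannel -Repair, falling back to netdom reset, and verifies the result with nltest /sc_verify. It assumes an elevated PowerShell 3.0 or later on the member server (the cmdlet is inbox from Windows 7 / Server 2008 R2; on Windows Server 2003 itself only the netdom fallback applies) and a credential that is allowed to reset the password on the computer object. The parameter names $Domain and $Server are this example's own.

```powershell
# Added example (not from the original thread): repair a member server's secure
# channel in place after its machine account password got out of sync, with no
# domain leave/rejoin and therefore no need to remove a CA role first.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # AD DNS name of the domain the server belongs to
    [string]$Server = $null                 # optional: a specific DC to talk to
)

function Get-SecureChannelState {
    # Two independent views: the cmdlet's own check and NetLogon's cached state.
    $healthy = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    $nl = & nltest.exe "/sc_query:$Domain" 2>&1
    [pscustomobject]@{
        Healthy      = [bool]$healthy
        NltestOutput = ($nl -join "`n")
    }
}

function Repair-SecureChannel {
    param([Parameter(Mandatory)] [pscredential]$Credential)

    $state = Get-SecureChannelState
    if ($state.Healthy) {
        Write-Host "Secure channel to $Domain is healthy; nothing to do."
        return $true
    }
    Write-Warning "Secure channel broken:`n$($state.NltestOutput)"

    # Preferred path: -Repair sets a new machine password on both sides using the
    # supplied credential, so it works even though the machine's own account can
    # no longer authenticate. A reset of the object in ADUC is not required.
    $params = @{ Repair = $true; Credential = $Credential; ErrorAction = 'Stop' }
    if ($Server) { $params['Server'] = $Server }
    try {
        $repaired = Test-ComputerSecureChannel @params
    } catch {
        Write-Warning "Test-ComputerSecureChannel -Repair failed: $_"
        $repaired = $false
    }

    if (-not $repaired) {
        # Fallback that also exists on Server 2003 (Support Tools). Note the
        # switches are /UserO and /PasswordO for reset, not /UserD and /PasswordD.
        Write-Host "Falling back to netdom reset ..."
        & netdom.exe reset $env:COMPUTERNAME "/Domain:$Domain" "/UserO:$($Credential.UserName)" '/PasswordO:*'
        $repaired = ($LASTEXITCODE -eq 0)
    }

    # /sc_verify forces a fresh secure-channel setup instead of reporting cached state.
    & nltest.exe "/sc_verify:$Domain" | Out-Null
    return ($repaired -and [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue))
}

$cred = Get-Credential -Message "Account allowed to reset this computer's account password"
if (Repair-SecureChannel -Credential $cred) {
    Write-Host "Secure channel restored; no rejoin, reboot or CA removal needed."
} else {
    Write-Warning "Repair failed. Check DNS, clock skew against the DC, and that the computer object is enabled."
}
```

The distinction the thread draws is visible in the script: a Reset Account in ADUC changes only the AD side of the password, which is why the member then needs a rejoin, whereas the repair path above changes both sides together and leaves the computer object, its SID and anything bound to it (such as a CA) untouched.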