How to restore a deleted computer account in Active Directory

  • Question

  • Hi,

    How do I restore a deleted computer account in Active Directory from a system state backup?

    OS: Windows 2003 R2

    Thanks

    • Type changed pbbergs [MSFT] Wednesday, 1 August 2012 11:58 Not a discussion, this is to solve a problem
    Wednesday, 1 August 2012 09:21

All replies

  • Hi Kezhil,

    Yes, you can restore AD from backup, or restore the deleted account with LDP.exe by showing the Deleted Objects container, if the garbage collection / tombstone lifetime has not passed. You can use LDP or ADRESTORE to restore the computer account from the previous backup.

    Have a look at the articles below.

    http://edmckinzie.wordpress.com/2008/02/06/how-to-restore-deleted-machine-accountsactive-directory-adrestoreunicode-pwdsearchflag/

    Recovering Deleted Items in Active Directory
    www.petri.co.il/recovering-deleted-items-active-directory.htm

    Regards,
    Rafic

    If you found this post helpful, please give it a "Helpful" vote.
    If it answered your question, remember to mark it as an "Answer".
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

    • Edited iamrafic Wednesday, 1 August 2012 09:41 typo
    Wednesday, 1 August 2012 09:38
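    The LDP.exe / ADRESTORE reanimation mentioned in the reply above, as an added PowerShell example that is not part of the original thread. It performs the same single LDAP operation those tools perform against a Windows Server 2003 domain (no Recycle Bin): search the Deleted Objects container with the ShowDeleted control, then remove isDeleted and replace distinguishedName in one modify request. The DC name, domain DN, computer name and target OU are placeholders.

```powershell
# Added example (not from the thread): reanimate a tombstoned computer object
# on Windows Server 2003 AD. Run as a user with rights to reanimate tombstones
# (Domain Admins by default). All names below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc       = 'dc01.example.com'      # assumed DC to talk to
$domainDn = 'DC=example,DC=com'     # assumed domain naming context
$computer = 'DSER4006'              # sAMAccountName without the trailing $
$targetOu = "OU=Servers,$domainDn"  # assumed OU for the restored object

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()   # current Windows credentials

# ShowDeleted control (OID 1.2.840.113556.1.4.417) makes tombstones visible to
# the search and is also required on the modify that reanimates one.
$showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

$filter = "(&(isDeleted=TRUE)(objectClass=computer)(sAMAccountName=$computer`$))"
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    "CN=Deleted Objects,$domainDn",
    $filter,
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
    [string[]]@('distinguishedName', 'lastKnownParent', 'objectSid', 'whenChanged'))
[void]$search.Controls.Add($showDeleted)

$result = $conn.SendRequest($search)
if ($result.Entries.Count -ne 1) {
    throw "Expected exactly one tombstone for $computer, found $($result.Entries.Count)"
}
$oldDn = $result.Entries[0].DistinguishedName
Write-Host "Found tombstone: $oldDn"

# Reanimation is one modify: delete isDeleted and replace distinguishedName.
$newDn = "CN=$computer,$targetOu"
$modify = New-Object System.DirectoryServices.Protocols.ModifyRequest
$modify.DistinguishedName = $oldDn
[void]$modify.Controls.Add($showDeleted)

$delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$delIsDeleted.Name = 'isDeleted'
$delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$setDn.Name = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
[void]$setDn.Add($newDn)

[void]$modify.Modifications.Add($delIsDeleted)
[void]$modify.Modifications.Add($setDn)

[void]$conn.SendRequest($modify)
Write-Host "Reanimated as $newDn"
```

    Only the attributes a tombstone preserves come back (objectSid, sAMAccountName and userAccountControl among them). The machine password (unicodePwd) is not preserved unless searchFlags on that attribute was changed before the deletion, so the restored account still needs its secure channel reset (netdom resetpwd or a rejoin) before the computer can log on again. The script insists on exactly one matching tombstone; if the same name was deleted and re-created more than once, select the tombstone by objectSid instead.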
  • Hello,

    see details in http://technet.microsoft.com/en-us/library/cc779573.aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, 1 August 2012 10:09
  • Hi,

    Thanks for your reply.

    1. My actual problem is that I am able to add two computers with the same name; this is my first problem.

          For example, first I added comp1 on 31 July 2012, and this comp1 is working fine.

          Next I added another computer with the same name comp1 on 1 Aug 2012. AD also accepted this. Then I checked the Computers folder in AD; it shows comp1 with created date 31 July 2012 and modified date 1 Aug 2012.

    2. The second time I added comp1 it overwrote the old computer with the same name in AD, so I can't log on to the first added computer comp1,

         and I get the following error message: "the security database on the server does not have a computer account for this workstation trust relationship".

    3. If I remove the newly added comp1 from AD, after that I still can't log on to the old computer comp1 and I get the following error message:

              trust relationship between workstation and primary domain controller failed

     How do I solve this issue?

    Wednesday, 1 August 2012 11:10
  • Even though you restore the deleted computer account, you need to reset the secure channel, either by disjoining & rejoining or by using Joe's tool. If you have set the searchFlags attribute for the unicodePwd attribute prior to deletion, then there is no option other than resetting the secure channel.

    http://www.joeware.net/freetools/tools/machinepwd/index.htm

    To me the simplest option is to rejoin those systems to the domain, considering the number is not too large, because it will be much simpler than performing an authoritative restore by taking one of the DCs into DSRM mode & then allowing the change to be replicated to all other DCs in the domain/forest.

    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, 1 August 2012 11:24
  • Hi,

    In my case the SQL Server database server name is overwritten.

    Now I can't log in to that server, and some domain accounts point to SQL Server services; the application support provider's team doesn't accept disjoin/rejoin.

    Please give the best solution to solve this issue.

    I disjoined the newly added computer with the same name; after that I still can't log in to the server, and I am getting the following error message

    • Edited kezhils Wednesday, 1 August 2012 11:42
    Wednesday, 1 August 2012 11:38
  • Hi,

    In my case the SQL Server database server name is overwritten.

    Now I can't log in to that server, and some domain accounts point to SQL Server services; the application support provider's team doesn't accept disjoin/rejoin.

    Please give the best solution to solve this issue.

    Post this thread to the SQL Server forum & they might help you better on this. Their SQL & AD experts are both there, so you might get a better suggestion.

    http://social.technet.microsoft.com/Forums/en-us/category/sqlserver

    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, 1 August 2012 11:42
  • Hi Awinish,

    I don't want to add two computers with the same name in AD.

    How do I solve this issue, and how did it happen?

    Wednesday, 1 August 2012 11:52
  • Did you remove all the related computer objects, host records etc. from AD before re-adding the SQL server with the same hostname? If not, the error is expected. Either use a new name or clean all the references before re-using the old hostname.

    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, 1 August 2012 12:02
  • You can't have two computers with the same name in your domain.  There is no way to do this.  Once you joined the newer computer to the domain, the older machine's trust relationship was destroyed by the new relationship object.  Unless you rename one of these there is nothing that can be done.

    Rejoin the SQL Server machine to the domain; this will recreate the trust relationship.  If you had any SPNs associated with the domain you will have to rebuild those if need be.
    http://technet.microsoft.com/en-us/library/bb735885.aspx

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, 1 August 2012 12:05
  • No, I didn't re-add the SQL server machine.

    I only removed the newly added computer with the same SQL server name.

    • Edited kezhils Wednesday, 1 August 2012 12:39
    Wednesday, 1 August 2012 12:10
  • Hi,

    But I am able to add two machines with the same name.

    How is it possible? Is there any other problem in our ADS or.............

    And I'm getting the following error message at computer join time; please tell me why I'm getting this error message.

    Wednesday, 1 August 2012 12:47
  • Considering the machine has the same IP, clean up all the references, especially from DNS & AD, use the new name & join the machine to the domain & it should work without any issue.

    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, 1 August 2012 12:51
  • OK Awinish,

    why does it accept the same name for two different computers?

    • Edited kezhils Wednesday, 1 August 2012 13:36
    Wednesday, 1 August 2012 13:26
  • OK Awinish,

    why does it accept the same name for two different computers?

    It might have contacted another DC where this record doesn't exist, because when you try to join a machine to the domain, it is not necessarily a single DC in the same site that will be contacted; it can be any DC due to the round-robin behavior of the DCs. Also, when a machine is disjoined or removed from the domain, the computer object remains in AD marked as disabled until it is deleted explicitly. Also, records in DNS are not removed immediately, but their dnsTombstoned attribute is marked true for later deletion.

    So, use a new name instead of the old name & rejoin the machine to the domain. Also, if you are using the same IP, make sure its references are removed from DNS & allowed to replicate to the other DCs, so that it doesn't give you any error during rejoining of the machine.

    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, 1 August 2012 13:37
  • OK, in my case the object is updated on all servers, and after that I am able to join with the same name.

    Wednesday, 1 August 2012 13:48
  • OK, in my case the object is updated on all servers, and after that I am able to join with the same name.

    Absolutely, there is no issue in reusing the same hostname or IP as long as they are cleaned from AD.

    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, 1 August 2012 13:54
  • OK, the host name and IP show in AD and DNS.

    In my case the SQL server (name: dser4006) was added in 2011 and is working fine; day to day they are monitoring it and taking backups; its entry is updated on all domain controllers.

    The day before yesterday we added one Windows 2008 R2 with the same name dser4006; our AD accepted the same computer name dser4006,

    but the newly added dser4006 (2012) overwrote the old one; now our AD shows dser4006 with created date 30/9/2012 and the current date as modified date.

    We have system state backups from 29 & 30 Aug 2012.

    Is it possible to restore the dser4006 computer account only? I think restoring that computer object is a better solution.

    Please advise on the correct way to solve this issue.

    • Edited kezhils Thursday, 2 August 2012 03:52
    Thursday, 2 August 2012 03:52
  • In this case I would recommend disjoining the server (Win2008 R2) from the domain, assuming it is not a DC, and deleting the DNS record of the server from the DNS console. Rename the Win2008 R2 server hostname to a new one and join the server to the domain. Also change the IP address if the same IP address is used.

    There may be a case where, if the SQL machine is rebooted, the secure channel is broken and you need to disjoin the machine from the domain and join it again. Ensure that the local admin credentials of the SQL PC are working, or reset them, before you reboot the SQL machine.

    Hope this helps

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thursday, 2 August 2012 07:15
  • OK, thank you, I will try that.

    Today I tried two computers with the same name: testcomp

    1st PC added after 10am to the domain (computer name: testcomp) and it replicated to all servers

                           this testcomp computer object was created in AD today after 10am

    2nd PC added with the same name testcomp at 1pm

                           I was able to add it without any notification or error message; after adding this computer, I can't log in to the 1st added PC and

                           AD shows the testcomp object modified time 1pm, so the computer object was modified in AD without any alert. It is very difficult for me; I am facing a lot of problems at management level.

                           Please tell me how AD accepts two different PCs with the same name, why it doesn't give an alert message and how it is possible; please guide me, I want to submit a report.

                           Is it possible via script? If possible, how do I check?

    • Edited kezhils Thursday, 2 August 2012 09:35
    Thursday, 2 August 2012 09:33
  • You can't add two different machines with the same name; the second one steps on top of the first one.  There is no way around this; they have to have different names.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    • Proposed as answer Ace Fekay [MCT] Thursday, 2 August 2012 16:38
    Thursday, 2 August 2012 11:48
  • kezhils,

    I don't understand why you're trying to add a duplicate computer name? Can you explain the reason behind that?

    And if it's just for testing purposes to prove you can or can't do it, I understand, but in a production environment? Maybe I'm missing something.

    .

    FYI, normally you can't add a duplicate computer name, group name, user name, etc., and it will show an error when you try to do it. However, the reason you may be able to add a duplicate computer is that there may possibly be a replication problem between your DCs, and the DC you are trying to add it on is no longer replicating and doesn't see the current computer name in AD. To better help with this possibility, post the following to help diagnose this, if it exists:

    • How many AD Sites do you have?
    • Unedited ipconfig /all from your DCs
    • Event log errors: Check all Event log errors including the Windows Logs - the App & System logs, and under Application and Services Logs, if applicable - the AD Web services, DFS Replication, Directory Services, DNS Server & File Replication Server logs. Post the Event ID# and Source name in the event, and the server name it came from.
    • repadmin /showreps > c:\rep-showreps.txt                            (From each DC - This switch shows if the partitions have replicated or not)
    • repadmin /replsum > c:\rep-replsummary.txt                        (From each DC - View replication summary. You can also use the output to create a report)

    .

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, 2 August 2012 16:44
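    One way to gather per-DC evidence for the replication theory in the reply above with a script, added here and not part of the original thread: ask every domain controller directly for the same computer account and compare objectSid, whenCreated, whenChanged and pwdLastSet side by side. On a healthy domain every DC returns one row with the same SID and the same creation time. If all rows agree, whenCreated still shows the first join and pwdLastSet has moved to the time of the second join, the second join re-used the existing account and reset its password, which is what breaks the first machine's secure channel; a SID that differs between DCs means one DC deleted and re-created the object without the others having replicated it. The computer name is a placeholder. It uses System.DirectoryServices only, so it runs from PowerShell 2.0 against Windows Server 2003 DCs without the AD module.

```powershell
# Added example (not from the thread). The computer name is a placeholder.
$computer = 'testcomp'   # sAMAccountName without the trailing $

# Enumerate the DCs of the current domain; each is queried directly so that
# replication lag or a non-replicating DC shows up as a difference.
$dcs = @([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
         ForEach-Object { $_.Name })

function New-Row($Dc, $Status, $Dn, $Sid, $Created, $Changed, $PwdLastSet) {
    New-Object PSObject -Property @{
        DC = $Dc; Status = $Status; DN = $Dn; Sid = $Sid
        Created = $Created; Changed = $Changed; PwdLastSet = $PwdLastSet
    }
}

function Get-ComputerStateFromDc([string]$Dc, [string]$Name) {
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc/RootDSE")
    $nc = $rootDse.Properties['defaultNamingContext'][0]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc/$nc")
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$Name`$))"
    foreach ($a in 'distinguishedName', 'objectSid', 'whenCreated', 'whenChanged', 'pwdLastSet') {
        [void]$searcher.PropertiesToLoad.Add($a)
    }
    $hits = $searcher.FindAll()
    if ($hits.Count -eq 0) {
        return New-Row $Dc 'MISSING' '' '' '' '' ''
    }
    foreach ($h in $hits) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($h.Properties['objectsid'][0], 0)
        # pwdLastSet is a FILETIME; it moves every time the machine password is (re)set.
        $pwd = [DateTime]::FromFileTimeUtc([int64]$h.Properties['pwdlastset'][0])
        New-Row $Dc 'OK' $h.Properties['distinguishedname'][0] $sid.Value `
                $h.Properties['whencreated'][0] $h.Properties['whenchanged'][0] $pwd
    }
}

$rows = foreach ($dc in $dcs) {
    try   { Get-ComputerStateFromDc $dc $computer }
    catch { New-Row $dc "ERROR: $($_.Exception.Message)" '' '' '' '' '' }
}

$rows | Format-Table DC, Status, Sid, Created, Changed, PwdLastSet -AutoSize

# Interpretation of the per-DC rows.
$ok   = @($rows | Where-Object { $_.Status -eq 'OK' })
$sids = @($ok | Select-Object -ExpandProperty Sid -Unique)
if ($sids.Count -gt 1) {
    Write-Warning 'objectSid differs between DCs: the account was deleted and re-created on a DC that had not replicated the first object.'
}
if ($ok.Count -lt $dcs.Count) {
    Write-Warning 'Some DCs are missing the object or could not be reached; run repadmin /replsum and repadmin /showrepl there.'
}
if ($sids.Count -eq 1 -and $ok.Count -eq $dcs.Count) {
    Write-Host 'Same object on every DC. Compare Created with the first join and PwdLastSet with the second: an unchanged Created plus a PwdLastSet at the second join means the existing account was re-used and its password reset.'
}
```

    Running it once before the second test join and once after gives the timeline kezhils was asked for: the whenCreated / pwdLastSet pair on each DC tells whether the object was re-used or replaced, and any DC that returns MISSING or a different SID is the one to run repadmin against.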
  • OK, thank you, I will try that.

    Today I tried two computers with the same name: testcomp

    1st PC added after 10am to the domain (computer name: testcomp) and it replicated to all servers

                           this testcomp computer object was created in AD today after 10am

    2nd PC added with the same name testcomp at 1pm

                           I was able to add it without any notification or error message; after adding this computer, I can't log in to the 1st added PC and

                           AD shows the testcomp object modified time 1pm, so the computer object was modified in AD without any alert. It is very difficult for me; I am facing a lot of problems at management level.

                           Please tell me how AD accepts two different PCs with the same name, why it doesn't give an alert message and how it is possible; please guide me, I want to submit a report.

                           Is it possible via script? If possible, how do I check?

    Are you using images that haven't been Sysprepped to create computers?

    You should be prompted with an error when adding a duplicate-named computer account while joining a machine to the domain. From your description, it sure seems like the computers are un-Sysprepped images.

    And getting the error below is also one of the symptoms of duplicate SIDs:

    .

    Can you elaborate exactly how you are adding a computer account (joining a machine to the domain, or manually creating it in ADUC), and are you using imaging?

    .

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, 3 August 2012 01:55
  • No, I'm not using imaging.

    Friday, 3 August 2012 11:37
  • Why is this thread continuing?  I don't see any additional issues.  You can't have duplicate names in a domain.

    Is there something else that hasn't been answered?

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, 3 August 2012 12:05
  • Hi pbbergs,

     We are able to add two PCs with the same name and different IPs; the second added PC overwrote the first added PC.

    My issue still continues (I have checked more than 5 times).

    It's not possible in an AD environment, but it happened to us.

    We are looking for the solution to solve this issue.

    Thanks to all

    Sunday, 5 August 2012 12:00
  • Hi,

    In my case the SQL Server database server name is overwritten.

    Now I can't log in to that server, and some domain accounts point to SQL Server services; the application support provider's team doesn't accept disjoin/rejoin.

    Please give the best solution to solve this issue.

    I disjoined the newly added computer with the same name; after that I still can't log in to the server, and I am getting the following error message

    Hi all,

    This morning I found the solution for the above-mentioned issue "the trust relationship between this workstation and the primary domain failed".

    I got the solution from the following web sites

    http://www.cievo.sk/2012/02/21/reset-computer-accounts-in-active-directory-domain/

    and

    http://www.networknet.nl/apps/wp/archives/1938

    I executed the netdom.exe resetpwd /server:domaincontroller /userD:domain\administrator /passwordD:password command, then restarted the server.

    After restarting the server, the error message ("the trust relationship between this workstation and the primary domain failed") is gone. I am able to log on to the server with domain credentials.

    But our AD accepting duplicate names issue still continues........................................................

    Thanks for all your support

    Monday, 6 August 2012 05:13
  • Exactly who is creating these duplicate names? Are they Domain Administrators, or someone delegated the task?

    • If they are domain admins, instruct them to put in a service ticket requesting the creation of a computer name; then you can evaluate the request and approve it or not, depending on whether it's legit.
    • If someone was delegated the task, then my suggestion is to remove that part of their permissions, and instruct them to put in a service ticket requesting the creation.

    .

    I also recommend reducing the ability of a regular domain user to add a machine account to the domain by reducing the "ms-DS-Machine-Account-Quota" attribute value from the default 10 to 0:

    Windows Server 2008: Changing The Default ms-DS-Machine-Account-Quota Attribute
    http://www.korabtech.com/2010/05/windows-server-2008-changing-default-ms.html

    Default limit to number of workstations a user can join to the domain
    http://support.microsoft.com/kb/243327

    .

    .

    If you feel our responses and the above info were not helpful:

    You need to resolve whatever the issue is in your domain that is causing it. My feeling is you have a replication issue among the DCs.

    To help you with this, we need the config and other info we had asked you to post, but you haven't posted that info, other than posting symptoms.

    I can understand if you can't post it due to your company's security policy; therefore the best recommendation to fix this is to contact Microsoft Support, and they can remote into your system and resolve this whole thing for one small fee. Here's a list of phone numbers if you choose this option:

    http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

    .

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer kezhils Monday, 6 August 2012 06:27
    Monday, 6 August 2012 05:44
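    The quota change recommended in the reply above, together with a check for machine accounts that were already created under that quota, as an added PowerShell example that is not part of the original thread. ms-DS-MachineAccountQuota is an attribute of the domain naming context; mS-DS-CreatorSID is stamped on a computer object only when a user without explicit create rights consumed the quota to join it, so it identifies which non-admins have joined machines and which computer objects they still own. Runs as a Domain Admin from PowerShell 2.0 with System.DirectoryServices; no AD module needed.

```powershell
# Added example (not from the thread): lower ms-DS-MachineAccountQuota to 0 and
# list computer accounts that non-admins created under the old quota.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.Properties['defaultNamingContext'][0]
$domain   = [ADSI]"LDAP://$domainDn"

$current = $domain.Properties['ms-DS-MachineAccountQuota'][0]
Write-Host "Current ms-DS-MachineAccountQuota: $current"

# 0 means only principals with an explicit 'Create Computer objects' permission
# (or Domain Admins) can join machines; Authenticated Users lose the default 10.
$domain.Put('ms-DS-MachineAccountQuota', 0)
$domain.SetInfo()
Write-Host 'ms-DS-MachineAccountQuota set to 0'

# Audit: which existing computer accounts were created by quota users, and by whom?
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = '(&(objectClass=computer)(mS-DS-CreatorSID=*))'
$searcher.PageSize = 500
foreach ($a in 'name', 'mS-DS-CreatorSID', 'whenCreated', 'operatingSystem') {
    [void]$searcher.PropertiesToLoad.Add($a)
}

function Get-PropOrEmpty($Result, [string]$Attr) {
    if ($Result.Properties.Contains($Attr)) { $Result.Properties[$Attr][0] } else { '' }
}

$report = foreach ($r in $searcher.FindAll()) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($r.Properties['ms-ds-creatorsid'][0], 0)
    # Translate the SID to DOMAIN\user; fall back to the raw SID if the account is gone.
    $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    New-Object PSObject -Property @{
        Computer    = Get-PropOrEmpty $r 'name'
        CreatedBy   = $creator
        WhenCreated = Get-PropOrEmpty $r 'whencreated'
        OS          = Get-PropOrEmpty $r 'operatingsystem'
    }
}

$report | Sort-Object CreatedBy, WhenCreated | Format-Table Computer, CreatedBy, WhenCreated, OS -AutoSize
```

    Setting the quota to 0 stops future quota-based joins but changes nothing about accounts that already exist: the user who created a machine under the quota keeps the rights the directory granted them on that object (it is their creation), so the second half of the script is what tells you which computer objects to review, re-own or delete. Permissions delegated explicitly through the OU ACL are unaffected by the quota and must be reviewed separately, as the reply above also says.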
  • Ace Fekay,

    You are correct, there is a replication issue; I am going to resolve this issue, and one more hang issue was found on our PDC:

    if I try to ping any IP or machine from our PDC it hangs or gives a blue dump.

    I am searching for the solution to this hang issue; this is an operating-system-related issue, I thoroughly checked.

    Thank you

    Monday, 6 August 2012 06:27