can't login after renaming domain controller

    Question

  • Instead of using DCpromo to demote a domain controller I decided to rename it instead.  I then removed the Domain Controller from AD and then rebooted it.  I am now getting "The security database on the server does not have a computer account for this workstation trust relationship".  I then proceeded to login locally and that does not work as well; it says the password is incorrect, but it is the only password I use right now for both of my servers from when I set them up.  Looking at the event logs in the other domain controller I get Kerberos errors such as this:

    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server SERVERNAME$"

    Is there any way I can get this to work without restoring the server?  This is not a production box and I tried this way to see if it would work.  I'd prefer not to restore this if there is a way to get this fixed.

    Monday, January 16, 2012 3:36 PM

All replies

  • The server is Windows 2008 R2 Enterprise.
    Monday, January 16, 2012 3:36 PM
  • Since you have renamed the DC you are not able to login to the DC; you need to restore the backup to get it working.

    Renaming the DC will not demote the DC. You need to run dcpromo to do a graceful demotion, or dcpromo /forceremoval to demote the DC forcefully if graceful demotion is not possible.

    If you have multiple DCs in the environment, reload the OS on the problematic DC and promote the server back as a DC.

    You need to run metadata cleanup to remove the instances of the failed DC and then promote the server back as a DC.
    http://www.petri.co.il/delete_failed_dcs_from_ad.htm

    If the current DC was an FSMO role holder you need to seize the roles on another DC.
    http://www.petri.co.il/seizing_fsmo_roles.htm

    Alternately you can restore the DC if you have valid systemstate backup.

    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.
    Monday, January 16, 2012 3:50 PM
  • When a server is promoted to domain controller, local accounts become domain accounts. You should have demoted it; during the wizard it gives an option to set up a password for the local admin which can be used to login post AD removal. If you have the DSRM mode password, you can login with that password, else options are bleak. You can refer to this article to see if it works; otherwise there is no other option apart from restoring from the backup.

    http://blogs.technet.com/b/meacoex/archive/2011/08/15/reset-your-windows-sever-2008-r2-domain-controller-administrator-password.aspx

    If you can't login to the server, then you can login even to perform restoration. You only have the option to install everything fresh if the above posted link doesn't work.

    Regards

    Awinish Vishwakarma

    MY BLOG: awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Monday, January 16, 2012 3:58 PM
    Moderator
  • Since this box is not in production, you want to login to this server somehow.

    Is that your requirement? Is this server a physical box or a VM?

    If it's a physical box you can use a live CD to get in and also reset the admin password (hoping your demote thing completely finished).

    Then it's just a server.

    Microsoft TechNet Forum Bandara
    Monday, January 16, 2012 4:50 PM
  • Hello,

    renaming a DC isn't a problem if done correctly, even without demoting.

    But if you remove a DC from ADUC, which sounds like what you have done, deleting it without demoting, then you have to restore from an AD-aware backup or start fresh with that machine, and if the domain has other DCs a metadata cleanup is also required.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Monday, January 16, 2012 6:08 PM
  • Hello,

    "Instead of using DCpromo to demote a domain controller I decided to rename it instead.  I then removed the Domain Controller from AD and then rebooted it.  I am now getting "The security database on the server does not have a computer account for this workstation trust relationship""

    That is perfectly normal, as the DC no longer has an account in your AD database.

    "I then proceeded to login locally and that does not work as well, it says the password is incorrect but it is the only password I use right now for both of my servers from when I set them up.  Looking at the event logs in the other domain controller I get Kerberos errors such as this"

    Here you need the DSRM password if you want to logon using DSRM mode.

    If you have a healthy DC / DNS / GC server that is left in your domain, you can just proceed like that:

    • Perform a metadata cleanup
    • Re-install the deleted server
    • Clean the left DNS records of the old DC
    • Promote the new server as a DC and make it a DNS and GC server

    You can also solve your problem by restoring your DCs using an AD-aware backup that dates before the appearance of your problem.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Monday, January 16, 2012 8:12 PM
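One way to check the state the four steps above leave behind (roles, replication metadata, computer account, DNS), as an added PowerShell example that is not part of the thread or of any Microsoft tool. It assumes it is run as Domain Admin on a surviving 2008 R2 DC with the ActiveDirectory module, that `SERVERNAME` is a placeholder for the deleted DC's NetBIOS name, and that the `_msdcs` zone is delegated as a separate zone as it is in a default forest.

```powershell
# Added example: pre-flight checks before/after the metadata cleanup of a DC that was
# deleted without demotion. $OldDc is a placeholder; replace with the real DC name.
Import-Module ActiveDirectory
$OldDc = 'SERVERNAME'

$forest = Get-ADForest
$domain = Get-ADDomain
$cfgNC  = (Get-ADRootDSE).configurationNamingContext

# 1. FSMO roles: a role still assigned to the dead DC must be seized before anything else.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $fsmo.GetEnumerator()) {
    if ($role.Value -match "^$OldDc(\.|$)") {
        Write-Warning "Role $($role.Key) still points at $($role.Value): seize it on a healthy DC first"
    }
}

# 2. Replication metadata: a server object under CN=Sites that still has an
#    NTDS Settings (nTDSDSA) child is what 'metadata cleanup' removes.
$serverObj = Get-ADObject -SearchBase "CN=Sites,$cfgNC" -LDAPFilter "(&(objectClass=server)(cn=$OldDc))"
if ($serverObj) {
    $ntds = Get-ADObject -SearchBase $serverObj.DistinguishedName -LDAPFilter '(objectClass=nTDSDSA)'
    if ($ntds) {
        Write-Warning "NTDS Settings still present: $($ntds.DistinguishedName)"
        Write-Output  "Cleanup: ntdsutil `"metadata cleanup`" `"remove selected server $($serverObj.DistinguishedName)`" q q"
    } else {
        Write-Output "Server object remains without NTDS Settings; remove it: Remove-ADObject '$($serverObj.DistinguishedName)' -Recursive"
    }
} else {
    Write-Output "No server object for $OldDc under CN=Sites; replication metadata looks clean."
}

# 3. Computer account and DNS: no account plus stale records for the old name is the
#    combination behind ERROR_NO_TRUST_SAM_ACCOUNT seen after the restore.
$computer = Get-ADComputer -Filter "Name -eq '$OldDc'" -ErrorAction SilentlyContinue
Write-Output "Computer account present: $([bool]$computer)"
$zone = $domain.DNSRoot
Write-Output "--- host records for $OldDc in $zone ---"
dnscmd /enumrecords $zone $OldDc
Write-Output "--- SRV/CNAME records in _msdcs.$zone still naming $OldDc ---"
dnscmd /enumrecords "_msdcs.$zone" '@' /child /detail | Select-String -Pattern $OldDc
```

Any record the last two commands still list for the old name should be deleted before the machine is promoted again; otherwise clients resolve the old name to a host whose account password no longer matches, which is the KRB_AP_ERR_MODIFIED pattern quoted in the question.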
  • Ok, I restored the virtual server using a backup chain, a third-party program that does backups for virtual servers.  I can now login but I'm still having errors; here is one:   Windows Error Code 1787: 'ERROR_NO_TRUST_SAM_ACCOUNT'.  This is one of a few.  It looks like it's still not completely back in the domain.  Any ideas on this?
    Tuesday, January 17, 2012 7:58 PM
  • Hello,

    "A third party program that does backups for virtual servers"

    Which program is it, and was it an AD-aware backup, so no snapshot or file copy of the VM?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Tuesday, January 17, 2012 8:02 PM