Hijacked DC Name


  • One of our (now ex) technicians mistakenly renamed a workstation to the exact same name as our DC that holds the FSMO roles.  Then, realizing his mistake, he renamed the PC.  The result is that our DC was renamed in AD Users and Computers, but the DC itself still has the old name.  When we try to log into the DC we predictably get the message "The security database on the server does not have a computer account for this workstation trust relationship".  I read through many articles about the error, but this exact situation seems unique to us.

    So far, to remedy the situation, we have taken these steps: changed the renamed DC's attributes in AD back to the old name (GUIDs still won't match); logged on to another DC and seized the FSMO roles; powered down the renamed DC; removed all DNS entries; added the IP address to a spare NIC in the new FSMO role holder; altered the settings in DNS to allow DNS queries on the new FSMO holder (so machines looking for a DNS server would be routed to one able to handle the request).

    My question is threefold: (1) Did we shoot ourselves in the foot by having another DC seize the FSMO roles? (2) Is there any way to salvage the renamed DC without a complete rebuild? (3) If we do need to rebuild the server, what steps, outside of deleting the orphaned DC attributes from AD, do we need to take?

    Any insight will be appreciated.

    Saturday, May 04, 2013 6:01 AM


All replies

  • Hi AFI,

    I think discussion on this topic can give us a solution; just let me know. Technicians can make mistakes, but a DC cannot make the mistake of allowing a duplicate account name in the same domain. Kindly explain.


    Anup Kumar

    Saturday, May 04, 2013 11:42 AM
  • Hello,

    Strange that you were able to rename a domain machine without getting an error during the rename process. Or was this done WITHOUT a connection to the domain?

    Anyway, as you have seized the FSMO roles to another DC and removed all entries for the "problem" DC, you also have to run metadata cleanup to remove it from the AD database, and then I would start new with the server from scratch to avoid any kind of problems.

    If you don't like to do it, then at least run dcpromo /forceremoval, WITHOUT BEING CONNECTED TO THE DOMAIN, and then bring the machine to a workgroup. AGAIN, you have to run metadata cleanup PRIOR to bringing the machine back to the domain.

    NOW add it again to the domain.

    Best regards

    Meinolf Weber
    Microsoft MVP - Directory Services
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Saturday, May 04, 2013 4:08 PM
  • You need to proceed like the following:

    1. Do a metadata cleanup: run dsa.msc and remove the old DC computer account. Also run dssite.msc, remove its NTDS Settings object and then the DC's server reference there.
    2. Re-install the old DC, or isolate it and then run dcpromo /forceremoval to force its demotion.

    Once done, you can promote it again and transfer back the FSMO roles to it.

    There is no need to alter any DNS settings, as the new FSMO holder will register its DNS records by itself. Please remove the manually set records and then proceed like the following on the DCs you have:

    1. Run ipconfig /registerdns
    2. Restart netlogon service

    Like that, DCs should be registered automatically in your DNS system.

    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Sunday, May 05, 2013 3:22 PM
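    A way to verify that the metadata cleanup and DNS steps in the answer above actually took effect, as an added PowerShell check that is not from any poster in this thread. It assumes the ActiveDirectory and DnsServer RSAT modules are installed on the surviving DC, and `$OldDcName` / `$DnsZone` are placeholders for the orphaned DC's name and the AD-integrated zone.

```powershell
# Added verification script (not from the thread). Run on, or against, the
# surviving DC after seizing FSMO roles and doing metadata cleanup.
param(
    [string]$OldDcName = 'OLD-DC-NAME',      # placeholder: renamed/orphaned DC
    [string]$DnsZone   = 'corp.example.com'  # placeholder: AD-integrated zone
)
Import-Module ActiveDirectory
Import-Module DnsServer

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Every seized FSMO role must now name a live DC, not the orphaned one.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $stale = $r.Value -like "$OldDcName.*"
    '{0,-22} {1}  {2}' -f $r.Key, $r.Value,
        $(if ($stale) { '<-- still held by orphaned DC' } else { 'ok' })
}

# 2. Leftover computer account (the dsa.msc step).
$acct = Get-ADComputer -Filter "Name -eq '$OldDcName'" -ErrorAction SilentlyContinue
'Computer account still present: {0}' -f [bool]$acct

# 3. Leftover server / NTDS Settings object under Sites (the dssite.msc step).
$cfgNc   = (Get-ADRootDSE).configurationNamingContext
$server  = Get-ADObject -SearchBase "CN=Sites,$cfgNc" `
    -LDAPFilter "(&(objectClass=server)(cn=$OldDcName))" -ErrorAction SilentlyContinue
'Server object under Sites still present: {0}' -f [bool]$server

# 4. Stale DNS records: A records named after the old DC, and SRV records whose
#    target still points at it (these are what clients use to locate a DC).
$recs = Get-DnsServerResourceRecord -ZoneName $DnsZone -ErrorAction SilentlyContinue |
    Where-Object {
        $_.HostName -eq $OldDcName -or
        $_.RecordData.DomainName -like "$OldDcName.*"
    }
'DNS records still referencing the old DC: {0}' -f @($recs).Count
```

All four checks should report "ok", "False" and 0 before the machine is promoted again; any leftover object or SRV record is a sign the cleanup was incomplete.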
  • The DC functionality is broken due to the rename, and there is no option to get it back without correcting the FRS object, which doesn't get updated on rename, so the option left, demoting and promoting it back, is the better suited solution for you. A DC is different from a member server: there are a number of places where the DC hostname is registered that don't get updated if it's not renamed properly. In your case it happened by mistake, so the only option left is to transfer all the FSMO roles, demote the DC (if it's a forced removal, perform metadata cleanup), reinstall a clean OS and, if desired, promote it back as a DC.

    Remove References of a Failed DC/Domain Or Perform Metadata Cleanup  

    Awinish Vishwakarma - MVP

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, May 06, 2013 6:40 AM
  • Hi,
    As this thread has been quiet for a while, we will mark it as 'Answered', as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
    Best Regards
    Thursday, May 09, 2013 5:48 AM