  1. #1


    Locked out of DC

    I've been a silly boy. Luckily this is in a test environment so it's not too much of an issue, but I would like to learn how to repair if possible:

    We have a fresh R2 server set up with AD services, replicating with a main DC. We had another test machine, a client, set up with the SAME computer name on the domain. Was set up a few weeks ago and forgotten about. I renamed the client box to avoid the duplicate name, which has obviously taken the name out of AD, so the replicating AD server can no longer log in as the "security database on the server does not have a computer account on the domain". D'oh.

    I cannot log in locally, either as the domain admin, or .\admin. Cannot log in under safe mode with networking. I can log in with straight safe mode, but cannot do much as networking is not loaded.

    What is the correct way to fix this stupid mistake?

  2. #2
    mmoseley
    Is the DC doing anything other than AD Controller? (The one you can't log in to?)

  3. #3

    No, just AD / DNS replica

  4. #4
    mmoseley
    I would probably (there might be a better way but this is how I would do it)

    Remove DC from AD using ntdsutil (Delete Failed DCs from Active Directory)
    Build new server and DCPromo it.

    As I say, there might be a much better way but that's what springs to mind!

    Edit: oooo 600th Post!
    Last edited by mmoseley; 25th February 2013 at 10:52 AM. Reason: 600th Post

  5. #5
    detjo
    Can't you just create a new computer account for it in AD?

  6. #6
    mmoseley
    Originally posted by detjo:
    Can't you just create a new computer account for it in AD?
    I don't think that would work (IMO, again, could be wrong). AD computers are special ones, I think, and can't just be Right Clicked > New Computer...

  7. #7
    detjo
    Originally posted by mmoseley:
    I don't think that would work (IMO, again, could be wrong). AD computers are special ones, I think, and can't just be Right Clicked > New Computer...
    Yea, wouldn't surprise me. Was looking for an easy way out really. I'd still give it a go, just in case.

  8. #8


    What server version is the other DC? You may be able to retrieve the computer account from the AD Recycle Bin. Failing that, I assume that, being a test, it's not backed up, so you can't roll back to a previous version of AD?

  9. #9

    The other DC is straight 2008 (not R2). Making a new computer account does not work FYI.

    Not to worry - was a test box so will re-do it.

  10. #10

    Michael
    I'm surprised you were able to add a workstation with the same name as a DC... if it's that easy to break a domain, I'm surprised no students have thought of this before.

    When removing from the domain, the computer object is disabled and not removed as such. I'm not sure if there's something you can run in PowerShell or a CD you can boot from. I think this is more so for resetting passwords rather than re-enabling computer objects - especially for a DC.

    Also for your reference, you can't log in locally to a DC. Only member servers or workstations.
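
An added example, not part of any post in this thread: a read-only LDAP check, run from a working domain-joined machine, that shows whether the computer account for a given name still exists, whether it is disabled, and whether it is a domain controller account (SERVER_TRUST_ACCOUNT, primary group 516) or an ordinary workstation account (WORKSTATION_TRUST_ACCOUNT, primary group 515). The function name and the name `DC02` are placeholders assumed for illustration.

```powershell
# Added example: inspect the computer account behind a DC name via LDAP.
# Uses [adsisearcher] so it does not depend on the ActiveDirectory module.
# 'DC02' is a placeholder; the name is assumed to contain no LDAP filter metacharacters.
function Get-ComputerAccountState {
    param([Parameter(Mandatory)][string]$Name)

    # Computer accounts have a sAMAccountName of "<name>$"
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    $searcher.PropertiesToLoad.AddRange(
        [string[]]@('distinguishedName', 'userAccountControl', 'primaryGroupID', 'whenChanged'))

    $hit = $searcher.FindOne()
    if (-not $hit) {
        # No object at all: the account was deleted or renamed, not merely disabled
        return [pscustomobject]@{ Name = $Name; Exists = $false }
    }

    # Result property names are returned in lowercase
    $uac = [int]$hit.Properties['useraccountcontrol'][0]

    [pscustomobject]@{
        Name             = $Name
        Exists           = $true
        DN               = $hit.Properties['distinguishedname'][0]
        Disabled         = [bool]($uac -band 0x0002)  # ACCOUNTDISABLE
        WorkstationTrust = [bool]($uac -band 0x1000)  # WORKSTATION_TRUST_ACCOUNT
        ServerTrust      = [bool]($uac -band 0x2000)  # SERVER_TRUST_ACCOUNT (domain controller)
        PrimaryGroupID   = $hit.Properties['primarygroupid'][0]  # 516 = Domain Controllers, 515 = Domain Computers
        WhenChanged      = $hit.Properties['whenchanged'][0]
    }
}

Get-ComputerAccountState -Name 'DC02'
```

An account recreated with New > Computer shows up here with `WorkstationTrust` set and primary group 515 rather than the values a domain controller account carries.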
