Locked out of DC
I've been a silly boy. Luckily this is in a test environment so it's not too much of an issue, but I would like to learn how to repair if possible:
We have a fresh R2 server set up with AD services, replicating with a main DC. We had another test machine, a client, set up with the SAME computer name on the domain. It was set up a few weeks ago and forgotten about. I renamed the client box to avoid the duplicate name, which has obviously taken the name out of AD, so the replicating AD server can no longer log in as the "security database on the server does not have a computer account on the domain". D'oh.
I cannot log in locally, either as the domain admin, or .\admin. Cannot log in under safe mode with networking. I can log in with straight safe mode, but cannot do much as networking is not loaded.
What is the correct way to fix this stupid mistake?
Is the DC doing anything other than AD Controller? (The one you can't log in to?)
No, just AD / DNS replica
I would probably (there might be a better way but this is how I would do it)
Remove DC from AD using ntdsutil (Delete Failed DCs from Active Directory)
Build new server and DCPromo it. :)
As I say, there might be a much better way, but that's what springs to mind! :)
Edit: oooo 600th Post! :D
Can't you just create a new computer account for it in AD?
I don't think that would work (IMO, again, could be wrong). AD computers are special ones, I think, and can't just be Right Clicked > New Computer...
Originally Posted by detjo
Yea, wouldn't surprise me. Was looking for an easy way out really. I'd still give it a go, just in case.
Originally Posted by mmoseley
What server version is the other DC? You may be able to retrieve the computer account from the AD Recycle Bin. Failing that, I assume, being a test, it's not backed up, so you can't roll back to a previous version of AD?
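The recovery the replies above sketch, namely check whether the deleted computer account can be restored from the AD Recycle Bin first and otherwise clean the dead DC's metadata out with ntdsutil before rebuilding it, as an added PowerShell example that is not from this thread. The names are hypothetical: the locked-out DC is TESTDC01 in site Default-First-Site-Name of domain lab.local. It assumes an elevated session as a Domain Admin on the surviving DC (or a management host with RSAT; the ActiveDirectory module needs Active Directory Web Services on a 2008 R2 DC, or the Active Directory Management Gateway Service on a plain 2008 DC).

```powershell
# Added example, not from the original thread. Hypothetical names throughout.
$StaleDc  = 'TESTDC01'
$Site     = 'Default-First-Site-Name'
$DomainDn = 'DC=lab,DC=local'
$ServerDn = "CN=$StaleDc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDn"

Import-Module ActiveDirectory

# --- Step 1: can the deleted computer account simply be restored? -----------
# AD Recycle Bin requires the Windows Server 2008 R2 forest functional level,
# so a forest that still contains a plain 2008 DC cannot have it enabled.
$forestMode = (Get-ADForest).ForestMode
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
$binEnabled = [bool]($recycleBin -and $recycleBin.EnabledScopes.Count -gt 0)
Write-Host "Forest mode: $forestMode; Recycle Bin enabled: $binEnabled"

if ($binEnabled) {
    # With the Recycle Bin, a deleted object keeps its attributes and can be
    # restored in place. Without it, Restore-ADObject only reanimates a
    # tombstone stripped of most attributes, which is useless for a DC account.
    $pattern   = "$StaleDc*"
    $tombstone = Get-ADObject -Filter { isDeleted -eq $true -and Name -like $pattern } `
                              -IncludeDeletedObjects -Properties LastKnownParent
    if ($tombstone) {
        Write-Host "Restoring $($tombstone.DistinguishedName) to $($tombstone.LastKnownParent)"
        Restore-ADObject -Identity $tombstone.ObjectGUID
        # Reboot the locked-out DC afterwards so it re-establishes its secure channel.
        return
    }
}

# --- Step 2: otherwise remove the dead DC's metadata and rebuild it ---------
# Never run this against a DC you intend to keep: it deletes its NTDS Settings,
# its server object, its replication links, its FRS/DFSR subscription and its
# computer account.
$ntds = Get-ADObject -Identity "CN=NTDS Settings,$ServerDn" -ErrorAction SilentlyContinue
if (-not $ntds) {
    Write-Host "No NTDS Settings object under $ServerDn; metadata already gone."
} else {
    # Make sure the DC being removed holds no FSMO roles; seize them first if it does
    # (ntdsutil "roles"), because cleanup refuses to proceed otherwise.
    netdom query fsmo
    # Single-line ntdsutil syntax (Server 2008 and later); it raises a confirmation dialog.
    ntdsutil "metadata cleanup" "remove selected server $ServerDn" quit quit
}

# --- Step 3: verify nothing still references the removed DC -----------------
repadmin /showrepl                                   # no partner named TESTDC01
Get-ADObject -Filter { Name -eq $StaleDc } `
             -SearchBase "CN=Sites,CN=Configuration,$DomainDn"   # server object gone
# Stale DNS records (A, CNAME under _msdcs, SRV) are NOT removed by the cleanup
# and must be deleted by hand. List them on the DNS server:
dnscmd /zoneprint lab.local        | Select-String -Pattern $StaleDc
dnscmd /zoneprint _msdcs.lab.local | Select-String -Pattern $StaleDc

# --- Step 4: rebuild the box under a clean name and promote it again --------
# e.g. dcpromo, or unattended:  dcpromo /unattend:C:\promote.txt
```

Run it once on the surviving DC; the ntdsutil, repadmin, netdom and dnscmd calls are console tools whose output is shown rather than captured, so read each before moving to the next step. The step-1 check is what settles the Recycle Bin question raised above: if the forest mode is not Windows2008R2Forest the feature cannot be on, and the only path left is cleanup and rebuild.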
The other DC is straight 2008 (not R2). Making a new computer account does not work FYI.
Not to worry - was a test box so will re-do it.
I'm surprised you were able to add a workstation with the same name as a DC... if it's that easy to break a domain, I'm surprised no students have thought of this before.
When removing from the domain, the computer object is disabled and not removed as such. I'm not sure if there's something you can run in PowerShell or a CD you can boot from. I think this is more so for resetting passwords rather than re-enabling computer objects - especially for a DC.
Also for your reference, you can't log in locally to a DC. Only member servers or workstations.