How to Rejoin a Computer to the Domain without Losing its SID



This trick came to me via my Active Directory study group. I suggest that everyone join a user group and/or a study group. It’s not that we don’t know AD, it’s that we forget or miss new features. A refresher course is fun too.

Occasionally a computer will become “disjoined” from the domain. The symptoms can be that the computer can’t log in when connected to the network, a message that the computer account has expired, the domain certificate is invalid, etc. These all stem from the same problem: the secure channel between the computer and the domain is hosed. (That’s a technical term.)

The classic way to fix this problem is to unjoin and rejoin the domain. Doing so is kind of a pain because it requires a couple of reboots and the user profile isn’t always reconnected. Ewe. Further, if you had that computer in any groups or assigned specific permissions to it, those are gone, because your computer now has a new SID and AD no longer sees it as the same machine. You’ll have to recreate all of that from the excellent documentation that you’ve been keeping. Uh huh, your excellent documentation. Double Ewe.

Instead of doing that we can just reset the secure channel. There are a couple of ways to do this:

  1. In AD, right-click the computer and select Reset Account. Then re-join without un-joining the computer from the domain. Reboot required.
  2. In an elevated command prompt type: `dsmod computer "Computer DN" -reset`. Then re-join without un-joining the computer from the domain. Reboot required.
  3. In an elevated command prompt type: `netdom reset MachineName /domain:DomainName /UserO:UserName /PasswordO:{Password | *}`. The account whose credentials you provide must be a member of the local administrators group. No rejoin. No reboot.
  4. In an elevated command prompt type: `nltest /Server:ServerName /SC_Reset:Domain\DomainController`. No rejoin. No reboot.
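The same “reset the secure channel, don’t rejoin” idea in PowerShell, as an added example (this is not code from the original post). It runs on the affected client in an elevated session, uses the built-in Test-ComputerSecureChannel and Reset-ComputerMachinePassword cmdlets (the PowerShell counterparts of the netdom/nltest resets in options 3 and 4), and reads the computer account’s SID from the DC before and after so you can prove the account was reused rather than recreated. The domain, DC and admin account names are placeholders, not values from the post.

```powershell
# Added example, not code from the original post. Repairs a client's secure
# channel in place and confirms the computer account (and so its SID) survived.
# Run in an elevated PowerShell session on the affected client, logged on as a
# local administrator. Placeholders (assumed, not from the post):
$Domain = 'contoso.local'                 # assumed domain
$Server = 'dc01.contoso.local'            # assumed DC to repair against
$Cred   = Get-Credential -UserName 'CONTOSO\admin' `
            -Message 'Domain account allowed to reset the computer account'

# Read the computer account's objectSid from the DC with explicit credentials
# (plain ADSI, no RSAT needed). Called before and after the repair.
function Get-ComputerAccountSid {
    param([string]$LdapServer, [pscredential]$Credential, [string]$ComputerName)
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$LdapServer",
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.Add('objectSid')
    $result = $searcher.FindOne()
    if (-not $result) { throw "No computer account named $ComputerName on $LdapServer" }
    $bytes = $result.Properties['objectsid'][0]
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

$sidBefore = Get-ComputerAccountSid -LdapServer $Server -Credential $Cred -ComputerName $env:COMPUTERNAME
Write-Host "Computer account SID before repair: $sidBefore"

# Step 1: is the secure channel actually broken? Returns $true when healthy
# (same check as 'nltest /sc_query:<domain>').
if (Test-ComputerSecureChannel -Server $Server) {
    Write-Host 'Secure channel is healthy; nothing to repair.'
    return
}

# Step 2: repair in place. -Repair resets the machine account password on the
# client and on the DC. No unjoin, no new computer object, so the SID, group
# memberships and permissions assigned to the computer are kept.
$repaired = Test-ComputerSecureChannel -Server $Server -Credential $Cred -Repair
if (-not $repaired) {
    # Fallback: force a fresh machine account password against the named DC, then re-test.
    Reset-ComputerMachinePassword -Server $Server -Credential $Cred
    $repaired = Test-ComputerSecureChannel -Server $Server
}

# Step 3: verify, and prove the account on the DC is the same object as before.
$sidAfter = Get-ComputerAccountSid -LdapServer $Server -Credential $Cred -ComputerName $env:COMPUTERNAME
if ($repaired -and $sidAfter -eq $sidBefore) {
    Write-Host "Secure channel repaired; computer account SID unchanged ($sidAfter)."
} elseif ($sidAfter -ne $sidBefore) {
    Write-Warning "SID changed ($sidBefore -> $sidAfter): the account was recreated, expect group memberships and ACLs on it to be lost."
} else {
    Write-Warning 'Repair failed. Check DNS, time skew against the DC and whether the computer object is disabled, then fall back to the manual unjoin/rejoin.'
}
```

If the domain logon itself is failing, log on with a local administrator account rather than a cached domain profile; the cmdlets only need the supplied domain credential, not a working domain logon on the client. The before/after SID comparison is the quick way to tell whether a fix you applied really kept the account, which is the whole point of resetting the channel instead of rejoining.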


28 thoughts on “How to Rejoin a Computer to the Domain without Losing its SID”

  • Tobi

    Hi there, nice tip!
    But what exactly do you mean with “re-join without un-joining the computer to the domain”? This doesn’t really make sense to me. Once a computer is part of a domain, you can only leave the domain by joining a workgroup, or am I wrong here? I might be able to directly re-join the domain from the temporary workgroup without a reboot in between… is that what we are talking about here?

    kind regards,

    tobi

    • Jason

      You can rejoin the domain easily by using the “wizard” (System Properties –> Computer Name tab and clicking “Network ID…”).

      This will give you the option to rejoin the domain without actually disjoining.

  • MikeJ

    Hi, I just want to make sure the above will resolve my issue.
    I lost a Server 2003 domain and had to reinstall from scratch and recreate users and shares, and I added the computer names manually to the AD.
    Obviously I am getting Event ID 5513 on the server because the SID on my XP systems is not recognized. I’ve tried right-clicking the computer in AD and selecting the Reset option, but it’s not working.
    Now, unjoining and rejoining the computers does work, but I lose the profile and it is time consuming.

    Will suggestion #3 above work for me?

    Thanks

  • Todor

    @MikeJ

    Reinstalling the machine means you LOST your SID; there is no way to apply the solution above.

    It works only for a broken connection between the computer and the AD.

    As you mentioned, only disjoin and re-join work in such situations if you have a fresh install on the machine which crashed.

    Cheers mate!

  • Andy

    Hey Amy,

    I have a similar situation but slightly different. My AD crashed and I am building a new one. The client machines are all happy and have not noticed the change. I am thinking about starting to re-add them, but I do not want them to lose their user data that is attached to their logins to the old domain of the same name. If I re-add them, would it make a new GUID and thus make new user folders for them?

    Please feel free to email me if this is too confusing for a comment board.

    Thanks,
    Andy

    • Third Tier

      Joining to a new domain is a completely different story. I would recommend WET, Windows Easy Transfer. Be sure to download the latest one from Microsoft.com/downloads; it will make this process a lot less painful.

  • Pingback: Our Top 10 Most Popular Blog Posts |

  • kerwin

    Hi, I am new in this field. I need to add a new Windows 7 workstation to the domain group. The original user, using XP, is already in the domain group; now how can I move documents, desktop and settings to Windows 7 without losing the SID? We use SBS 2008 with Exchange.

  • brett williams

    What I do is remote into the machine as local admin and then run PowerShell on the non-domain-joined machine and then use:

    Test-ComputerSecureChannel -Credential Domain\adm.william -Repair

    It will return “true” if it is successful. Sometimes I need to run the command a couple of times.

    If it fails, I use the local admin account to demote the PC to a workgroup, and once it has dropped to a workgroup I use my Domain Admin account to immediately rejoin it to the domain. Upon a reboot it has rejoined the domain.

    We get a lot of these with Windows 7 PCs not talking to our 2003 server. Once we change to Server 2012 we expect this issue to go away.

  • Linas

    Sorry, trying to figure out your instructions.
    Step one is in AD, right-click.
    Not sure what you are clicking on and on what computer,
    the domain controller or the disconnected domain controller.
    I try on the active domain controller in Active Directory Users and Computers under Domain Controllers.
    I see the disconnected domain controller and I try the right-click and I get an error:
    “Sever Atlas-DC02 is a domain controller. You cannot reset the password on this object”
    Everything is grayed out under Computer Name Changes, so I cannot rejoin the domain.
    Not sure what to try next?

  • Jesus Barrera

    Hi,
    I have an issue with a laptop losing its “Trust Relationship” with the server.
    I’ve un-joined and re-joined, only to have the user’s profile reset and start fresh; no files were lost, but the bosses are picky and they did not like that.
    Will the first solution allow me to rejoin the domain without getting a completely new user profile?
    –Thank You,

    • Third Tier

      No new profile should be required. Sometimes, though, if a laptop is going to be out of the office regularly for more than 30 days, it is best not to join it to the domain.

  • Shin Onoda

    Option 1 is easy enough and it worked for me in the past, a couple of times. I tried to do 3 and 4 so it can be easier and quicker. Are they supposed to be run on a PC which has a broken trust, or run on a domain controller? Perhaps you could provide more clarification for those who are less technical? Thanks.

    Shin

  • Pingback: Rejoin a Single Domain Controller to It’s Domain |

  • Carlos Diaz

    If you don’t want to lose the machine SID, try:
    1.- On the AD computer account, right button, reset account

    On the client machine (with administrator logged in):
    2.-netdom remove machineName /domain:YourDomain /userd:YourAdminUser /passwordd:*
    3.-netdom join machineName /domain:YourDomain /userd:YourDomainAdmin /passwordd:*

    • Aldrin Satsatin

      hi Carlos,

      What do you mean by the above comment?

      Just to clarify the procedure:
      1.- On the AD computer account, right button, reset account

      Comment: (Question: is there anything that I need to do with my client for this to take effect, or only reboot my client?)

      On the client machine (with administrator logged in):
      2.-netdom remove machineName /domain:YourDomain /userd:YourAdminUser /passwordd:*

      Comment: (this is for the client only, right? No need to do anything on the AD?)

      3.-netdom join machineName /domain:YourDomain /userd:YourDomainAdmin /passwordd:*

      Comment: (this is for the client only, right? No need to do anything on the AD?)

  • Shawn G

    Hello — Thanks so much for all the interesting and helpful content provided here. I have a situation on my network where my workstations are in a frozen state. Each time the machine is rebooted it loads a fresh image of Windows 7. These machines are on a Windows Server 2003 domain. The problem I’m having is that over a period of time (30 days or more) the domain controller will lose contact with the workstation, because I believe it updates the SIDs as a security measure. And since the workstation image is in a frozen state and read only, the SIDs contained within that image are out of date/sync.

    Is there a possible solution so that I can change the update frequency for the DC so that it doesn’t keep modifying the SIDs so much (change the update frequency to xxx days, minutes, hours, seconds) so it doesn’t lose contact with the workstation? Or maybe run a command at startup that would buy it another xxx amount of time in the future? I hope this makes sense… I have only a few weeks left and have had no solution for almost 3 months. Any help would be appreciated.

    Thanks for your time

    Shawn G

  • Florisz

    I tried all the above and the 2 options mentioned in the comments, but none work for my Windows Server 2012 R2 server in Azure that lost its domain connection to the DC, which is also a Windows Server 2012 R2 in Azure.
    No firewall in place (for the test).
    It lost its connection after I did a ‘stop’ for the server in the Azure Dashboard and later a ‘start’.

    • Third Tier

      It shouldn’t matter that those VMs are in Azure. If you aren’t getting an error, then that leaves you with the manual unjoin/rejoin.

      You might want to also make sure that your IP address on the server didn’t change. When you stop a server in Azure it releases the IP.

  • Michael Duvall

    You have a great site, very helpful! In the above article on rejoining a PC to a domain, you suggest to just reset the secure channel, which sounds very logical to me. My question is: in solution #1 you say a reboot is required; do you mean a reboot of the PC or the server? I assume it is the PC, but just checking.
    Thanks for all your hard work.

  • Michael Duvall

    Hello again,
    Regarding rejoining Win7 PCs to the domain without losing the SID: is there anything that could have been done prior to moving Win7 PCs to different offices within the building that would allow reconnecting to the domain without the necessity to rejoin the domain? We just changed the location of many of our staff, and upon booting computers at new desks, several of the PCs would not connect to the network (Win Server 2003), mostly Win7 machines. The WinXP machines seemed to connect no problem. Any light you can shed on this problem will surely help the next time we move offices (hopefully not again in this millennium)!
    Thanks,
    Michael