Rejoin a Single Domain Controller to It’s Domain


Post to Twitter Post to Facebook Post to StumbleUpon

Yes really it can be done. I found recently that I needed to do this and it worked.

I came into an environment where there were two domain controllers; actually 2 whole servers in the domain period. One of them was a 2012 R2 server Core running two incompatible roles: Hyper-V and they were Domain controllers with AD-FS. The other was a domain controller and file server. On both the firewalls were turned off. This combination on things resulted in a non-functional domain. Each server was operating in a bubble unable to communicate with the other.

This can happen in small businesses where an under qualified person learns about some new ideas and deploys them without understanding the impact that each role has on the other. With the advent of roles in Windows Server, you are now allowed to build a frankenserver but there’s nothing that says it will work. Microsoft just won’t stop you from doing something destructive. The onus is on you to obtain the knowledge before you deploy.

In this case, the Core server became unresponsive. All powershell commands resulted in error. Remote management tools were unable to connect. Since it wasn’t actually hosting any virtual machines yet we made the decision to abandon it and reload as a proper hyper-v server. Done with that server. On to the next. On the remaining server we seized the FSMO roles which it turned out where all held by the Core server which had stopped responding.

To seize roles follow this: https://support.microsoft.com/en-us/kb/255504/ You’ll see that this is old documentation but the process has not changed over the years. You can also use the GUI to accomplish the same.

The server had been and continued to throw a vast number of SChannel errors, DNS errors and AD Web Services Errors into the event logs. DcDiag /q detailed out a whole lot of failures as did dcdiag /test:DNS. The only thing that we had going for us was that although we were unable to open and manage the DNS server it did respond to queries. This was a glimmer of hope. I enabled and reset the Windows firewall so that AD would be able to communicate with the rest of the computers in the domain. As an aside, Windows Firewall should never be disabled. It’s actually too smart for that and will instead go into lockdown mode preventing the communications you were probably hoping would open up. Here’s a great article on managing the firewall.

http://social.technet.microsoft.com/wiki/contents/articles/13894.troubleshooting-windows-firewall-with-advanced-security-in-windows-server-2012/revision/51.aspx

Since DNS management was saying that the administrator didn’t have permission to open it and the schannel errors were rampant it became obvious that the server was out of sync with its Active Directory. But it’s the one and only domain controller! Turns out this can still happen. So it was time to refresh it with the domain. Referring to an old blog post of ours (http://www.thirdtier.net/2012/02/how-do-rejoin-a-computer-to-the-domain-without-losing-its-sid/), I used the NetDom command. In an elevated command prompt type: netdom reset MachineName /domain DomainName /User0 UserName /Password0 {Password | *} The account whose credentials you provided must be a member of the local administrators group. No rejoin. No reboot

Immediately after running this command, the server came to life again and I was able to run all of the management tools and start to work getting this server back within acceptable standards.

_____

Not a Third Tier customer yet? Let me introduce:  We’re Third Tier. We provide advanced Third Tier support for IT Professionals and MicroStaffing for IT consulting firms. Come on over, create an account (no charge) and follow our social media locations. Attend our next chat or webinar: http://www.thirdtier.net/events

Third Tier Get Support BlogFeed Blog Twitter Twitter Facebook Facebook LinkedIn LinkedIN

Leave a comment

Your email address will not be published. Required fields are marked *

This blog is kept spam free by WP-SpamFree.