Cannot join domain as member server "Specified user already exists"??

Hello!
Have a 2003 server which was an AD server and was demoted and was still a member of the domain.  After some time, was unable to log in to the domain, so have been logging in locally.  For some reason, the server cannot see the rest of the domain.  DNS on this server wasn't pointed to itself and has since been corrected.  (Does a DNS server have to be an AD controller? Does this have to "propagate"?)  I saw somewhere with a similar problem that it should be unjoined and rejoined, however, I get this error, that the "user already exists".  I am assuming it's not the "user" but the computer name in AD, so I located it in AD and deleted it.  Then went to re-join, and received the same error.  Is there anywhere else I need to delete or tell the system / AD this server is no longer part of the domain so it can rejoin?  Am I missing something else?

 Thanks!
Asked by: Lorenzo Cricchio (President)
LauraEHunterMVP commented:
Confirm that all metadata associated with this server's domain controller account has been successfully removed, as follows: http://support.microsoft.com/kb/216498
chikenhead commented:
When you add a server as a DC there are routes created by the KCC (Knowledge Consistency Checker) for replication that are not removed when you demote or remove the server.
You have to use ntdsutil to clean this up.
wingatesl commented:
If the KB shown above does not work, you can always change the name of the server, join it back to the domain and then change the name back after it has been joined. This cleans things up pretty well.
Lorenzo Cricchio (Author) commented:
I tried the link http://support.microsoft.com/kb/216498, and didn't see the server in step 12, which, if I understand correctly, means it was demoted successfully. I don't know where else to look for data regarding this server (named server3).
WINGATESL: I don't know if it's a good idea to change the name to something else, join the domain, then change it back to its original name.  Is that wise, changing a computer name (server or workstation) once it is added to the domain?  When I try to rename it back to server3, won't I just get the same problem?

 Thanks!
wingatesl commented:
It is perfectly fine to rename a machine after it is joined to the domain. It can fix a lot of SID-related issues (which is what you have here). I have done this many times with demoted domain controllers that Metadata Cleanup would not get rid of. The idea of this came from Microsoft while on a support call.
Lorenzo Cricchio (Author) commented:
Apparently I did not get rid of all references to Server3.  I was able to rename it, then re-join the domain; however, when I went back to name it Server3, it came up with the same error: "The following error occurred while trying to rename the computer to "Server3": The account already exists." (which is what I assumed may be a problem in my response)
Beyond removing it from Active Directory Users and Computers, where else would I need to remove it?
LauraEHunterMVP commented:
See if it is still listed in AD Sites & Services. I often need to delete a DC from this console even after it has been demoted and/or metadata cleanup has been run.
Lorenzo Cricchio (Author) commented:
Server3 is listed in there.  When I go to delete it, it states "Server3 is a container and contains other objects...."  I deleted the two references to server1 and server4 (two ADCs). I go to delete it again, it says are you sure, I click yes, then it states "Do not delete Server3 container object.  Server3 contains objects representing domain controller Server3 and possibly other domain controllers.  To delete these objects, demote the domain controllers using DCPROMO.."  It goes on to say that if I want to delete those items, I will need to demote all of them, then delete them one at a time.

Ok.. So I don't want to a) get rid of the domain completely (which is what I think it's telling me I need to do), and b) remove any of the other domain controllers.
I deleted the objects in the server3 container, but still cannot delete it.  When I go through DCPROMO on server3 to demote it, it looks as if it is going to install rather than remove AD.  There were no error messages when I demoted it, which seemed to have gone smoothly some time ago.
Some additional background:  The server was a DC and Exchange was installed on it.  Exchange was uninstalled successfully, it was then demoted, then Exchange reinstalled (it's a hot server).

Thanks for your help.
Lorenzo Cricchio (Author) commented:
I had gone through the steps that Laura had suggested; however, it wasn't specified that these steps need to be done not only on the server having the issue, but on the server(s) it's trying to connect to.  I had to (reluctantly) employ MS to correct it.  Sure enough, the secure channel was broken between sites.
This is from the tech:
"  Stopped the KDC service on server4 disabled it. Ran Klist and purged the machine and user tickets. Ran the command “netdom resetpwd /server:server2 /userd:picomfgsales.com\administrator /passwordd:*” to reset the secure channel."
Server4 is a domain controller at a different site where server3 is a member server.  They are connected via VPN tunnel to server1 and server2 (both AD).  The steps above were done on server3.  Note NTFRS also needs to be running on the AD servers to replicate the data (which I thought was only necessary if DFS was employed across several servers).
Will give partial credit to Laura for her step in the right direction.
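The thread shows a former DC's name surviving in several places (the computer account, the server object under Sites & Services, FRS membership) and, once those are gone, the remaining failure being a broken secure channel. The following PowerShell script is an added example, not something posted in the thread or supplied by Microsoft: it audits where a given host name still appears in Active Directory before a re-join is attempted, and tells you what to check next when nothing is found. It assumes the ActiveDirectory module (RSAT, on a newer OS than the 2003 box discussed here) is available where you run it and that you have read access to the domain and Configuration partitions; the host name "server3" is the one used in the thread.

```powershell
# Added example (not from the thread): locate lingering references to a
# demoted DC before re-joining it as a member server.
# Assumes: ActiveDirectory PowerShell module (RSAT) is installed, and the
# caller can read the domain and Configuration naming contexts.
param(
    [string]$ServerName = "server3"   # host name from the thread; change as needed
)

Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$configDN = (Get-ADRootDSE).configurationNamingContext
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Where, [string]$DN) {
    $findings.Add([pscustomobject]@{ Where = $Where; DistinguishedName = $DN })
}

# 1. The computer account in the domain partition. This is the object the
#    "account already exists" error is complaining about.
$computer = Get-ADComputer -Filter "Name -eq '$ServerName'" -ErrorAction SilentlyContinue
if ($computer) { Add-Finding "Computer account (ADUC)" $computer.DistinguishedName }

# 2. The server object under CN=Sites in the Configuration partition. This is
#    what AD Sites & Services displays. If it still has an NTDS Settings child
#    (class nTDSDSA), AD still considers the machine a domain controller, which
#    is exactly the "Server3 contains objects representing domain controller"
#    message seen in the thread; that child is what metadata cleanup removes.
Get-ADObject -SearchBase "CN=Sites,$configDN" -SearchScope Subtree `
             -Filter "objectClass -eq 'server' -and Name -eq '$ServerName'" |
    ForEach-Object {
        Add-Finding "Sites & Services: server object" $_.DistinguishedName
        Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                     -Filter "objectClass -eq 'nTDSDSA'" |
            ForEach-Object { Add-Finding "Sites & Services: NTDS Settings (still a DC)" $_.DistinguishedName }
    }

# 3. FRS member objects for the SYSVOL replica set (the NTFRS service the
#    thread mentions). Stale members keep replication partners trying to
#    talk to a server that no longer replies.
Get-ADObject -SearchBase "CN=File Replication Service,CN=System,$domainDN" -SearchScope Subtree `
             -Filter "objectClass -eq 'nTFRSMember' -and Name -eq '$ServerName'" -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding "FRS member object" $_.DistinguishedName }

# 4. Does the directory still enumerate it as a DC at all?
$dc = Get-ADDomainController -Filter "Name -eq '$ServerName'" -ErrorAction SilentlyContinue
if ($dc) { Add-Finding "Enumerated as a domain controller" $dc.ComputerObjectDN }

if ($findings.Count -eq 0) {
    Write-Output "No objects named '$ServerName' remain in the domain or Configuration partitions."
    Write-Output "If the join still fails, the problem is likely the secure channel, not a stale object."
    Write-Output "On the affected machine run:  Test-ComputerSecureChannel -Verbose"
    Write-Output "  (or on 2003:  nltest /sc_query:<domain>), then repair with"
    Write-Output "  Test-ComputerSecureChannel -Repair -Credential (Get-Credential)"
    Write-Output "  or the netdom resetpwd command quoted in the thread."
} else {
    Write-Output "Objects still referencing '$ServerName':"
    $findings | Format-Table -AutoSize
}
```

Run the audit against every DC that the broken server needs to reach, not only the one you happen to be logged on to: the thread's eventual fix was that the cleanup and secure-channel reset had to happen on the partner DC across the VPN as well. Deleting the NTDS Settings object by hand is what KB 216498's ntdsutil metadata cleanup does in a supported way; the script only reports, it does not delete anything.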
Windows Server 2003