Solved

Cannot find Computer Account after Domain Change

Posted on 2010-11-26
Last Modified: 2012-05-10
Hello,

I have a Windows 2008 SP2 x86 Server named 'Server1' in Domain A.

The Server is joined to Domain B, reboots, and Domain B authentication works successfully (as well as nltest indicates a secure channel connection to a DC in Domain B).

When I use ADUC to find the Computer Account for Server1 I get no results.

What is the best way to troubleshoot this?

Is there a way to check the default location for Domain Joins in Domain B and/or better tools I should be using to try and find the Account?  

Thank you!
Question by:CodexK2
17 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34220634
When you are conducting the search are you searching the entire directory? (a GC)  

I'm guessing if you connect to a DC in domain B you can find it...just want to verify.

Thanks

Mike
0
 

Author Comment

by:CodexK2
ID: 34220638
Hi Mike,

Yes - Domain B has two DC's (I've tried connecting to both thinking it might be a replication issue but neither DC sees the Computer Account).

I'm searching from the Parent Level of Domain B as well.

Thanks.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34221724
Have you verified the computer name and domain?
Run the following commands from the command prompt.
nltest /parentdomain
hostname

Also try to download ADFind from joeware.net
run this command from server1
adfind -default -f "&(objectcategory=computer)(name=server1)"
0
 

Author Comment

by:CodexK2
ID: 34222866
Hi Ken,

'nltest /parentdomain' returns the proper Domain Name
'hostname' returns the expected Server Name

The adfind query returns:

'0 Objects Returned'

If I manually create the computer account the same adfind query is able to find the object and specifies the DN in the OU location that I created.

Very puzzled as to why Domain Join isn't creating a Computer Account that I can find.

I have tried multiple Administrative Accounts as well with no luck -- the Accounts that I tried using to join the Domain in question are Domain Admins.

Is there something specific about the accounts I am using that I can check to see properties relative to joining Domains...?

Any other way to triage this?

Thank you.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34222889
Do you get any errors when joining the server to the domain? Are there any errors in the event log?

Try to join the server from the command line using netdom to see if that helps.

http://www.windowsitpro.com/article/domains2/how-can-i-join-a-domain-from-the-command-line-.aspx
0
 

Author Comment

by:CodexK2
ID: 34222965
Hi Ken,

After using netdom from the cmd line I am able to see the Computer Account (in the Computer OU via ADUC).

What is different about netdom vs. using the GUI to join a Domain - any logical reason why the GUI method doesn't create the Computer Account?

Some sort of Group Policy in effect here?

One thing to note (when using netdom) is that I also passed in the local Server Administrator creds:

netdom join %computername% /Domain:domain.com /Userd:domain\adminuser /Password:password /User0:administrator /Password0:password

Thank you.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34222991
CodexK2, I am really not sure why it worked with netdom and not through the GUI. Were there any errors when adding through the GUI or in the event log on the server?  Maybe Mike will have an idea or explanation. Were you using the same domain account to add through the GUI?
0
 

Author Comment

by:CodexK2
ID: 34223423
Hmmm...looks like the netdom join domain wasn't 100% successful -- Although I can login to the domain on the Server in question I cannot map to it via UNC, etc.

When I test the domain connection with nltest I get:

C:\Documents and Settings\Administrator>nltest /sc_verify:domain.com
Flags: 80
Trusted DC Name
Trusted DC Connection Status Status = 1787 0x6fb ERROR_NO_TRUST_SAM_ACCOUNT
Trust Verification Status = 1787 0x6fb ERROR_NO_TRUST_SAM_ACCOUNT
The command completed successfully
0

 
LVL 27

Expert Comment

by:KenMcF
ID: 34223654
How many Domain Controllers do you have in Domain B?

Can you post DCDiag and  repadmin /showrepl

Post IPConfig /all from each DC and Server1
0
 

Author Comment

by:CodexK2
ID: 34225615
Hi Ken,

There are (3) DC's in Domain B (originally I thought there were only (2)).

At this time I am unable to run a DCDiag or repadmin on any of the DC's.

Is there any other way to triage this issue?

Thank you.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34225745
Why are you unable to run DCDiag or Repadmin?

Running DCDiag and Repadmin are needed to troubleshoot this. The problem could be replication between the domain controllers.
0
 

Author Comment

by:CodexK2
ID: 34225765
I need to coordinate with our AD team in order to accomplish this -- if it were a replication issue wouldn't connecting directly to each of the DC's and doing a Search point this out (or is there another method)?
0
 
LVL 27

Accepted Solution

by:KenMcF earned 500 total points
ID: 34225887
You could use ADFind

adfind -h DCNAME -default -f "&(objectcategory=computer)(name=server1)"

Have you had one of the AD admins search for the computer object?
0
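
The per-DC lookup suggested in the accepted answer, extended to loop over every domain controller and compare the results. This is an added example, not code from the thread. It uses .NET System.DirectoryServices instead of ADFind and assumes it is run from a domain-joined machine by an account that can read the directory; the default name 'server1' is taken from the question.

```powershell
# Added example: ask each DC in the current domain whether it holds the computer object.
param(
    [string]$ComputerName = 'server1'   # name from the thread; change as needed
)

# Reject anything that is not a plain NetBIOS-style name before it goes into an LDAP filter.
if ($ComputerName -notmatch '^[A-Za-z0-9-]{1,15}$') {
    throw "Unexpected computer name: $ComputerName"
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$baseDn = "$($domain.GetDirectoryEntry().distinguishedName)"

$results = foreach ($dc in $domain.DomainControllers) {
    $row = New-Object PSObject -Property @{
        DC = $dc.Name; Found = $false; DN = $null; WhenCreated = $null; Error = $null
    }
    try {
        # Binding to LDAP://<dc>/<base DN> pins the search to that one DC,
        # which is what "adfind -h DCNAME" does.
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/$baseDn")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = "(&(objectCategory=computer)(name=$ComputerName))"
        $searcher.SearchScope = 'Subtree'
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')
        [void]$searcher.PropertiesToLoad.Add('whenCreated')
        $hit = $searcher.FindOne()
        if ($hit) {
            $row.Found = $true
            $row.DN = $hit.Properties['distinguishedname'][0]
            $row.WhenCreated = $hit.Properties['whencreated'][0]
        }
    } catch {
        # A DC that cannot be reached (for example, blocked by a firewall) is reported, not skipped.
        $row.Error = $_.Exception.Message
    }
    $row
}

$results | Select-Object DC, Found, DN, WhenCreated, Error | Format-Table -AutoSize

# The object present on some DCs but not all is the replication symptom seen in this thread.
$holders = @($results | Where-Object { $_.Found })
if ($holders.Count -gt 0 -and $holders.Count -lt @($results).Count) {
    Write-Warning "Only $($holders.Count) of $(@($results).Count) DCs hold $ComputerName; check replication."
}
```

A row with Found = False and an empty Error means the DC answered but does not have the object; a populated Error means the DC could not be queried at all.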
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34230853
Thanks for taking over on this one: I was out of pocket for a few days during the holidays.

Thanks

Mike
0
 

Author Comment

by:CodexK2
ID: 34231790
Hi Ken,

Looks like there might be a replication issue happening -- turns out there are 3 DC's and only one of them is holding the new Computer Account record.

Thanks for all of your help -- points awarded...
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34231998
Let us know if you open a new question about the replication issue...or Ken and I will most likely see it anyway :)
0
 

Author Comment

by:CodexK2
ID: 34232992
Thank you again - appreciate the help!

Looks like replication is configured properly but we have a Firewall restricting traffic...
0
