• Status: Solved

Cannot find Computer Account after Domain Change

Hello,

I have a Windows 2008 SP2 x86 Server named 'Server1' in Domain A.

The Server is joined to Domain B, reboots, and Domain B authentication works successfully (and nltest indicates a secure channel connection to a DC in Domain B).

When I use ADUC to find the Computer Account for Server1 I get no results.

What is the best way to troubleshoot this?

Is there a way to check the default location for Domain Joins in Domain B and/or better tools I should be using to try and find the Account?  

Thank you!
CodexK2
Asked:
1 Solution
 
Mike Kline Commented:
When you are conducting the search are you searching the entire directory? (a GC)  

I'm guessing if you connect to a DC in domain B you can find it...just want to verify.

Thanks

Mike
 
CodexK2 (Author) Commented:
Hi Mike,

Yes - Domain B has two DC's (I've tried connecting to both thinking it might be a replication issue but neither DC sees the Computer Account).

I'm searching from the Parent Level of Domain B as well.

Thanks.
 
KenMcF Commented:
Have you verified the computer name and domain?
Run the following commands from the command prompt.
nltest /parentdomain
hostname

Also try to download ADFind from joeware.net
run this command from server1
adfind -default -f "&(objectcategory=computer)(name=server1)"
 
CodexK2 (Author) Commented:
Hi Ken,

'nltest /parentdomain' returns the proper Domain Name
'hostname' returns the expected Server Name

The adfind query returns:

'0 Objects Returned'

If I manually create the computer account the same adfind query is able to find the object and specifies the DN in the OU location that I created.

Very puzzled as to why Domain Join isn't creating a Computer Account that I can find.

I have tried multiple Administrative Accounts as well with no luck -- the Accounts that I tried using to join the Domain in question are Domain Admins.

Is there something specific about the accounts I am using that I can check to see properties relative to joining Domains...?

Any other way to triage this?

Thank you.
 
KenMcF Commented:
Do you get any errors when joining the server to the domain? Are there any errors in the event log?

Try to join the server from the command line using netdom to see if that helps.

http://www.windowsitpro.com/article/domains2/how-can-i-join-a-domain-from-the-command-line-.aspx
 
CodexK2 (Author) Commented:
Hi Ken,

After using netdom from the cmd line I am able to see the Computer Account (in the Computer OU via ADUC).

What is different about netdom vs. using the GUI to join a Domain - any logical reason why the GUI method doesn't create the Computer Account?

Some sort of Group Policy in effect here?

One thing to note (when using netdom) is that I also passed in the local Server Administrator creds:

netdom join %computername% /Domain:domain.com /Userd:domain\adminuser /Password:password /User0:administrator /Password0:password

Thank you.
 
KenMcF Commented:
CodexK2, I am really not sure why it worked with netdom and not through the GUI. Were there any errors when adding through the GUI or in the event log on the server? Maybe Mike will have an idea or explanation. Were you using the same domain account to add through the GUI?
 
CodexK2 (Author) Commented:
Hmmm...looks like the netdom join domain wasn't 100% successful -- Although I can login to the domain on the Server in question I cannot map to it via UNC, etc.

When I test the domain connection with nltest I get:

C:\Documents and Settings\Administrator>nltest /sc_verify:domain.com
Flags: 80
Trusted DC Name
Trusted DC Connection Status Status = 1787 0x6fb ERROR_NO_TRUST_SAM_ACCOUNT
Trust Verification Status = 1787 0x6fb ERROR_NO_TRUST_SAM_ACCOUNT
The command completed successfully
 
KenMcF Commented:
How many Domain Controllers do you have in Domain B?

Can you post DCDiag and repadmin /showrepl?

Post IPConfig /all from each DC and Server1
 
CodexK2 (Author) Commented:
Hi Ken,

There are (3) DC's in Domain B (originally I thought there were only (2)).

At this time I am unable to run a DCDiag or repadmin on any of the DC's.

Is there any other way to triage this issue?

Thank you.
 
KenMcF Commented:
Why are you unable to run DCDiag or Repadmin?

Running DCDiag and Repadmin are needed to troubleshoot this. The problem could be replication between the domain controllers.
 
CodexK2 (Author) Commented:
I need to coordinate with our AD team in order to accomplish this -- if it were a replication issue wouldn't connecting directly to each of the DC's and doing a Search point this out (or is there another method)?
 
KenMcF Commented:
You could use ADFind

adfind -h DCNAME -default -f "&(objectcategory=computer)(name=server1)"

Have you had one of the AD admins search for the computer object?
 
Mike Kline Commented:
Thanks for taking over on this one: I was out of pocket for a few days during the holidays.

Thanks

Mike
 
CodexK2 (Author) Commented:
Hi Ken,

Looks like there might be a replication issue happening -- turns out there are 3 DC's and only one of them is holding the new Computer Account record.

Thanks for all of your help -- points awarded...
 
Mike Kline Commented:
Let us know if you open a new question about the replication issue...or Ken and I will most likely see it anyway :)
 
CodexK2 (Author) Commented:
Thank you again - appreciate the help!

Looks like replication is configured properly but we have a Firewall restricting traffic...
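
The per-DC lookup suggested earlier in the thread (adfind -h DCNAME), extended here to every domain controller in the domain so that a computer account present on only some replicas shows up at a glance. This is an added example, not part of the original thread; 'domain.com' and 'server1' are the placeholder names used in the thread, and the script assumes it runs as a domain user on a machine that can reach each DC over LDAP.

```powershell
# Added example: ask every DC in the domain for the same computer object.
# 'domain.com' and 'server1' are placeholders taken from the thread.
param(
    [string]$DomainName   = 'domain.com',
    [string]$ComputerName = 'server1'
)

# Refuse names that could alter the LDAP filter (NetBIOS names are 1-15 chars).
if ($ComputerName -notmatch '^[A-Za-z0-9-]{1,15}$') {
    throw "Unexpected computer name: $ComputerName"
}

$ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)

$results = foreach ($dc in $domain.DomainControllers) {
    $row = New-Object PSObject -Property @{
        DC = $dc.Name; Found = $false; DN = $null; WhenCreated = $null; Error = $null
    }
    try {
        # Bind to this specific DC so the answer reflects its local replica only.
        $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = "(&(objectCategory=computer)(name=$ComputerName))"
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')
        [void]$searcher.PropertiesToLoad.Add('whenCreated')
        $hit = $searcher.FindOne()
        if ($hit) {
            $row.Found       = $true
            $row.DN          = $hit.Properties['distinguishedname'][0]
            $row.WhenCreated = $hit.Properties['whencreated'][0]
        }
    } catch {
        # An unreachable DC (for example, LDAP blocked by a firewall) lands here.
        $row.Error = $_.Exception.Message
    }
    $row
}

$results | Select-Object DC, Found, DN, WhenCreated, Error | Format-Table -AutoSize

# Object present on some DCs but absent on others: the replication symptom.
$found   = @($results | Where-Object { $_.Found })
$missing = @($results | Where-Object { -not $_.Found -and -not $_.Error })
if ($found.Count -gt 0 -and $missing.Count -gt 0) {
    $names = ($missing | ForEach-Object { $_.DC }) -join ', '
    Write-Warning "$ComputerName exists on $($found.Count) DC(s) but not on: $names"
}
```

A DC that returns an error rather than "not found" is reported separately, which helps tell a missing replica apart from a DC the querying host cannot reach.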