Lost trust on a domain controller

I renamed a DC using netdom. The command completed successfully, but after I rebooted and tried to login, I get:

The security database on the server does not have a computer account for this workstation trust relationship

I know that this can be resolved by removing the server from the domain and re-adding it, but how do I fix the error on a domain controller?
CorinneSpears asked:
Felicia King commented:
Why not just demote the server and then repromote it using DCPromo.exe?
I know it sounds extreme, but what will you lose in the process if you do it off hours?
netdom.exe doesn't always work, but if you haven't tried that, then please do.
Brian Pierce commented:
CorinneSpears (author) commented:
Yes, I'm at step 4 and it failed. I renamed 3 DC's over the last week allowing 24 hours between each rename. This is the last DC, and of course, the problematic one.
CorinneSpears (author) commented:
The problem is I can't log onto the server anymore. Since it lost its trust, domain accounts don't work, and by default Server 2008 disables the local admin account.
Felicia King commented:
If the server is a domain controller, it doesn't require trust to log on. You should be able to pull the network cable and log on with any of the domain admin accounts. Remember that domain accounts on a domain controller ARE local accounts as far as the server is concerned. The AD database on a DC is just like the local SAM database on a member server or workstation. It may be checking with the other DCs if the network cable is in, though. If you pull the network cable, you might be able to trick it into letting you log on with cached credentials.
CorinneSpears (author) commented:
With the cable unplugged, if I try to login with a domain account (one that has logged in before or not) I get:

The security database on the server does not have a computer account for this workstation trust relationship.

If I try to login with the administrator account and the password from before I dcpromo'd it, I get:

Your account has been disabled. Please see your system administrator.
Felicia King commented:
I regularly use Active Boot Pro to reset and/or enable local admin accounts.
http://www.ntfs.com/bootdisk_quest_proversions.htm
However, I have never tried it on a server with RAID. It very well might not be able to see the drives that are attached to the RAID controller as it might not have the RAID drivers necessary. Otherwise, the product works like a champ.
Is there any possibility of booting into DS Restore Mode and trying a non-authoritative restore of AD? Not sure if that would do anything, but I would try it before rebuilding the server from scratch.
CorinneSpears (author) commented:
To gain access to the server, I logged into another domain controller and manually created a computer account with the same name as the new name I had added to the server, the one I was trying to change to. I had to wait 4 hours for replication, but then I was able to log into the domain controller. Then, I dcpromo'd it, removed all the additional netbios names, and re-promoted it.
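The accepted fix above boils down to three checks that can be scripted from a healthy DC rather than done by hand: confirm that a computer object exists for the DC's new name, create one if it is missing, and force replication instead of waiting for the interval. The following PowerShell is an added example, not code from the thread or from any participant; the names DC-NEW, DC-OTHER and the domain DN DC=corp,DC=example are assumptions, and it uses the standard ActiveDirectory module cmdlets and repadmin.

```powershell
# Added example (not from the thread). Run from a healthy, writable DC with the
# ActiveDirectory module installed. All names below are assumed placeholders.
Import-Module ActiveDirectory

$NewName   = 'DC-NEW'     # assumed: the new NetBIOS name given to the renamed DC
$HealthyDC = 'DC-OTHER'   # assumed: another writable DC to query and replicate from
$DcOuDn    = 'OU=Domain Controllers,DC=corp,DC=example'   # assumed domain DN

# 1. Is there a computer object for the new name? A missing object is exactly
#    the condition behind "no computer account for this workstation trust".
$acct = Get-ADComputer -Filter "Name -eq '$NewName'" -Server $HealthyDC `
                       -Properties servicePrincipalName -ErrorAction SilentlyContinue

if (-not $acct) {
    # 2. Create the account the renamed DC is looking for (the manual step the
    #    author performed on another DC). The sAMAccountName of a machine
    #    account always ends in '$'.
    Write-Warning "No computer account for $NewName; creating one in $DcOuDn"
    New-ADComputer -Name $NewName -SAMAccountName "$NewName`$" `
                   -Path $DcOuDn -Server $HealthyDC
}
else {
    Write-Host "Computer account found: $($acct.DistinguishedName)"
    Write-Host "SPNs registered: $($acct.servicePrincipalName.Count)"
}

# 3. Push the change to every DC now rather than waiting hours for replication.
#    /A = all partitions, /d = identify servers by DN, /e = cross sites, /P = push.
repadmin /syncall $HealthyDC /AdeP

# 4. Once the renamed DC is reachable again, verify its secure channel against
#    a known-good DC before demoting/re-promoting it.
Test-ComputerSecureChannel -Server $HealthyDC -Verbose
```

Running step 1 against each alternate name before `netdom computername /makeprimary` is the cheapest way to avoid the situation in the question: if the lookup returns nothing, the rename has not yet replicated and the DC should not be rebooted.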