Server Computer Account has been deleted in AD - How do I recreate if I can no longer login to the domain?

dcrone
The most important server in my network (the one that has my Dispatching Database on it) computer account has been deleted from Active Directory Computers and Users. Since I now cannot login to the domain how can I unjoin (or whatever) the domain and then rejoin the domain? Or what is my best course of action?
Thanks in advance,
Darren
Distinguished Expert 2018

Commented:
If you set it up, AD has a recycle bin.

If you didn't set up and enable the recycle bin, even domain joined machines have local (non-domain) admin accounts. If you don't have local admin accounts documented....things get dicey. Should be part of your disaster recovery plan....
Tom Cieslik (IT Engineer)
Distinguished Expert 2017

Commented:
You can use Domain Administrator to log in to your computer. You've said the computer account was deleted, but I assume it wasn't domain admin.
You can log on as domain admin.
If the domain admin account still exists on the DC, then log in to AD Users and Computers and recreate the user you've just lost.
dcrone (IT Guy)

Author

Commented:
Cliff, how do I check if there is an AD recycle bin? There probably isn't because I set up this server 10+ years ago. Tom, I didn't lose a user account, I lost the computer account, i.e. RSDISPATCH03 under the Computers listing in AD Users and Computers. Can I manually add a computer account in AD?
Nagendra Pratap Singh (Desktop Applications Specialist)

Commented:
You can definitely add the machine to the domain again. You need to have domain join rights. A Domain Admin account will work in this case. Actually any user can join up to 10 computers to a domain unless set otherwise.
Tom Cieslik (IT Engineer)
Distinguished Expert 2017

Commented:
So log in to the local profile and remove the computer from the domain.
Then log in again and add it again.

I assume you know local user and password.
dcrone (IT Guy)

Author

Commented:
Okay, how do I add the machine to the domain again? Using Active Directory Users and Computers?
IT Engineer
Distinguished Expert 2017
Commented:
dcrone....
If you log in as a LOCAL USER to the affected computer, you are going to be able to remove the computer from the domain.
Then, after a restart, you are going to be able to ADD this computer back to the domain using a domain admin account.
1. If the machine account has been deleted or corrupted, you cannot log in as a domain admin (as you have probably determined).
2. You need to know the local admin account credentials.
3. You cannot add a machine using ADUC; this needs to happen on the target box itself.
4. If you have lost the local account credentials, there are some utilities that may allow you to reset it. I have a link to one below. This is a little risky and can be complex, particularly if your machine has an unsupported RAID card.
5. It is a trivial matter to reset local account passwords on machines that you can still log onto as a network admin. Go around and do this ASAP, to prevent getting into this mess again.

http://pogostick.net/~pnh/ntpasswd/
Kevin Stanush (Application Developer)

Commented:
You don't need to have the Recycle Bin enabled in order to undelete a directory object.  I wrote an article about this here:

https://www.experts-exchange.com/articles/28870/Undeleting-Objects-in-Active-Directory.html

While a restored user will have its SID and password restored, a computer might be a different story, as the secure channel password that the computer sets every 30 days or so might not be restored.  If you are planning to recreate the computer account anyway, it's worth a try.  Or, you can delete a non-critical computer account that is known to work, then verify that it's off the domain, then restore it, and see if it's then able to access the domain.

You can always use the local account as others have suggested, and if you don't have that, there are still workarounds if you have physical access to the machine.  But try the undeletion first.
Shaun Vermaak (Senior Consultant)
Awarded 2017
Distinguished Expert 2018

Commented:
Restoring an account from tombstoned state will not restore group memberships AFAIR but the secure channel password will be restored. I mention this because I utilize computer groups quite a bit and others might too.
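The two recovery paths discussed in this thread (check for the Recycle Bin, undelete the computer object, then repair or redo the domain join from a local admin session), as an added PowerShell example that is not from any of the posts above. It assumes the ActiveDirectory RSAT module on the box where you run it and a Domain Admin account; RSDISPATCH03 is the name from the question, while the domain name and credentials are placeholders.

```powershell
# Added example, not from the thread. Run steps 1-2 from a DC or a machine with
# RSAT as a Domain Admin; steps 3-4 run on the affected server as LOCAL admin.
Import-Module ActiveDirectory

$ComputerName = 'RSDISPATCH03'                 # name from the question
$DomainName   = 'corp.example'                 # placeholder

# 1. Is the forest-wide AD Recycle Bin enabled? EnabledScopes is empty if not.
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
$recycleBinOn = ($feature.EnabledScopes.Count -gt 0)
Write-Host "AD Recycle Bin enabled: $recycleBinOn"

# 2. Find the deleted computer object. -IncludeDeletedObjects works with or
#    without the Recycle Bin; without it this is a tombstone reanimation, so
#    linked attributes such as memberOf are NOT restored (re-add groups after).
#    sAMAccountName of a computer account ends in '$'.
$ldap = '(&(objectClass=computer)(isDeleted=TRUE)(sAMAccountName={0}$))' -f $ComputerName
$deleted = Get-ADObject -LDAPFilter $ldap -IncludeDeletedObjects `
               -Properties isDeleted, lastKnownParent, whenChanged

if ($deleted) {
    Write-Host "Deleted object found, last parent: $($deleted.lastKnownParent)"
    # Restores to lastKnownParent by default; use -TargetPath to put it elsewhere.
    Restore-ADObject -Identity $deleted.ObjectGUID
    Get-ADComputer -Identity $ComputerName -Properties MemberOf |
        Select-Object Name, Enabled, DistinguishedName, MemberOf
} else {
    Write-Warning "No deleted object for $ComputerName; tombstone may have expired."
}

# 3. On RSDISPATCH03, logged in as LOCAL admin, check the secure channel and
#    repair it against the restored account (resets the machine password).
#    Uncomment to run there:
# $cred = Get-Credential "$DomainName\Administrator"   # placeholder account
# Test-ComputerSecureChannel -Repair -Credential $cred -Verbose

# 4. Fallback if the restore failed or the trust cannot be repaired: leave the
#    domain from the local admin session, reboot, then join again (the account
#    is recreated by Add-Computer; group memberships must be re-added by hand).
# Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -Restart
# Add-Computer -DomainName $DomainName -Credential $cred -Restart
```

Test-ComputerSecureChannel with no parameters only reports whether the trust is healthy; -Repair is what rewrites the machine password on both sides.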
