dcrone asked:

Server Computer Account has been deleted in AD - How do I recreate if I can no longer login to the domain?

The most important server in my network (the one that has my Dispatching Database on it) has had its computer account deleted from Active Directory Users and Computers. Since I now cannot log in to the domain, how can I unjoin (or whatever) the domain and then rejoin the domain? Or what is my best course of action?
Thanks in advance,
Darren
Active Directory

Last Comment: Shaun Vermaak, 8/22/2022 - Mon
Cliff Galiher

If you set it up, AD has a recycle bin.

If you didn't set up and enable the recycle bin, even domain joined machines have local (non-domain) admin accounts. If you don't have local admin accounts documented....things get dicey. Should be part of your disaster recovery plan....
Tom Cieslik

You can use Domain Administrator to log in to your computer. You've said the computer account was deleted, but I assume it wasn't domain admin.
You can log on as domain admin.
If the domain admin account still exists on the DC then log in to AD Users and Computers and recreate the user you've just lost.
dcrone

ASKER
Cliff, how do I check if there is an AD recycle bin? There probably isn't because I set up this server 10+ years ago. Tom, I didn't lose a user account, I lost the computer account, i.e. RSDISPATCH03 under the Computers listing in AD Users and Computers. Can I manually add a computer account in AD?
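Added example (not part of the thread, and not code from any of the posters): how to answer the two questions above from a domain controller or an RSAT workstation, using the ActiveDirectory PowerShell module. It reports whether the Recycle Bin optional feature is enabled, how long deleted objects are kept (the forest's tombstoneLifetime), and whether the deleted RSDISPATCH03 account is still present in the Deleted Objects container. The computer name comes from the question; everything else is generic.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module and
# a Domain Admin logon (reading Deleted Objects needs elevated directory rights).
Import-Module ActiveDirectory

# 1. Is the AD Recycle Bin enabled? EnabledScopes is empty when it is not.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -gt 0) {
    "Recycle Bin is enabled (scopes: $($rb.EnabledScopes -join ', ')); Restore-ADObject will work"
} else {
    "Recycle Bin is NOT enabled; only tombstone reanimation or a rejoin is possible"
}

# 2. How long does a tombstone survive? tombstoneLifetime lives on the Directory Service
#    object in the configuration partition. An empty value means the forest default applies.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
        -Properties tombstoneLifetime
"tombstoneLifetime (days): $($ds.tombstoneLifetime)"

# 3. Is the deleted computer object still there? sAMAccountName and lastKnownParent survive
#    deletion, so search for the account by name (computer accounts end in '$').
#    whenChanged on the tombstone approximates the deletion time.
$tomb = Get-ADObject -IncludeDeletedObjects `
        -Filter 'sAMAccountName -eq "RSDISPATCH03$" -and isDeleted -eq $true' `
        -Properties isDeleted, lastKnownParent, objectSid, whenChanged
if ($tomb) {
    $tomb | Format-List Name, DistinguishedName, lastKnownParent, objectSid, whenChanged
} else {
    "No tombstone for RSDISPATCH03: past tombstone lifetime, or never deleted from this domain"
}
```

If step 3 finds the tombstone and step 1 says the Recycle Bin is enabled, `Restore-ADObject -Identity $tomb.ObjectGUID` brings the object back with all attributes. If the Recycle Bin is off, the tombstone still exists but is stripped of most attributes; that is the case the later replies about undeleting discuss.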
Nagendra Pratap Singh

You can definitely add the machine to the domain again. You need to have domain join rights. A Domain Admin account will work in this case. Actually any user can join up to 10 computers to a domain unless set otherwise.
Tom Cieslik

So log in to the local profile and remove the computer from the domain.
Then log in again and add it again.

I assume you know local user and password.
dcrone

ASKER
Okay, how do I add the machine to the domain again? Using Active Directory Users and Computers?
Nagendra Pratap Singh

ASKER CERTIFIED SOLUTION
Tom Cieslik

Mal Osborne

1. If the machine account has been deleted or corrupted, you cannot log in as a domain admin (as you have probably determined).
2. You need to know the local admin account credentials.
3. You cannot add a machine using ADUC; this needs to happen on the target box itself.
4. If you have lost the local account credentials, there are some utilities that may allow you to reset it. I have a link to one below. This is a little risky and can be complex, particularly if your machine has an unsupported RAID card.
5. It is a trivial matter to reset local account passwords on machines that you can still log onto as a network admin. Go around and do this ASAP, to prevent getting into this mess again.

http://pogostick.net/~pnh/ntpasswd/
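Added example (not part of the thread): the two replies above describe unjoining and rejoining from the server itself. A common alternative that avoids two reboots and a workgroup interlude is to recreate the computer object in AD first and then, on the server, reset the machine password so the local secret and the new account match again. Step 1 runs on a DC or RSAT host as a Domain Admin; step 2 runs on RSDISPATCH03 (name from the question) logged on with the local administrator account, since, as Mal notes, no domain logon is possible until the trust is back. `DC01.corp.example` and the OU path are placeholders.

```powershell
# Added example, not from the thread. Recreate the account in AD, then re-establish the
# secure channel from the affected server instead of a full unjoin/rejoin.

# --- Step 1: on a DC or management host, as Domain Admin -------------------------------
Import-Module ActiveDirectory
$name = 'RSDISPATCH03'                 # server name from the question
$dc   = 'DC01.corp.example'            # placeholder: a writable DC for this domain
$ou   = 'OU=Servers,DC=corp,DC=example' # placeholder: where the account should live

if (-not (Get-ADComputer -Server $dc -Filter "Name -eq '$name'")) {
    # Pre-create an enabled account with the matching sAMAccountName. Group memberships
    # and any GPO scope that depends on the OU must be re-applied by hand afterwards.
    New-ADComputer -Server $dc -Name $name -SamAccountName $name -Path $ou -Enabled $true
    "Created $name in $ou"
} else {
    "$name already exists in AD"
}

# --- Step 2: on RSDISPATCH03, elevated PowerShell, logged on as the LOCAL administrator ----
$dc   = 'DC01.corp.example'            # same placeholder DC as above
$cred = Get-Credential -Message 'Domain account allowed to reset the computer password'

# Generates a new machine password, stores it locally and writes it to the AD account named
# after this computer, so the server and the recreated account share a secret again.
Reset-ComputerMachinePassword -Server $dc -Credential $cred

# Confirm the secure channel is healthy before anyone attempts a domain logon.
Test-ComputerSecureChannel -Server $dc -Verbose
```

If `Test-ComputerSecureChannel` still reports a broken channel after the reset, fall back to the unjoin/rejoin that Tom describes; either way the local administrator password has to be known, which is the point of Mal's item 5.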
Kevin Stanush

You don't need to have the Recycle Bin enabled in order to undelete a directory object.  I wrote an article about this here:

https://www.experts-exchange.com/articles/28870/Undeleting-Objects-in-Active-Directory.html

While a restored user will have its SID and password restored, a computer might be a different story, as the secure channel password that the computer sets every 30 days or so might not be restored. If you are planning to recreate the computer account anyway, it's worth a try. Or, you can delete a non-critical computer account that is known to work, then verify that it's off the domain, then restore it, and see if it's then able to access the domain.

You can always use the local account as others have suggested, and if you don't have that, there are still workarounds if you have physical access to the machine.  But try the undeletion first.
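Added example (not part of the thread, and not from Kevin's linked article): reanimating a tombstone without the Recycle Bin is done with a single LDAP modify that removes the `isDeleted` attribute and replaces `distinguishedName` with the object's new DN, sent with the Show Deleted Objects control. This is the same operation ldp.exe performs; below it is written in PowerShell against the .NET `System.DirectoryServices.Protocols` classes, followed by a read-back of the attributes that matter for the secure channel and group membership discussion. `DC01.corp.example` is a placeholder; the computer name is from the question.

```powershell
# Added example, not from the thread. Run on a DC or RSAT host as Domain Admin.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc = 'DC01.corp.example'   # placeholder: writable DC in the affected domain

# Find the tombstone; sAMAccountName and lastKnownParent survive deletion.
$tomb = Get-ADObject -Server $dc -IncludeDeletedObjects `
        -Filter 'sAMAccountName -eq "RSDISPATCH03$" -and isDeleted -eq $true' `
        -Properties lastKnownParent
if (-not $tomb) { throw 'No tombstone found (past tombstoneLifetime or already reanimated)' }

# Put the object back where it was; lastKnownParent holds the original container DN.
$newDn = "CN=RSDISPATCH03,$($tomb.lastKnownParent)"

# Signed and sealed LDAP session with the current (Kerberos) credentials.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
$conn.Bind()

$req = New-Object System.DirectoryServices.Protocols.ModifyRequest
$req.DistinguishedName = $tomb.DistinguishedName
# Without this control the DC refuses to address an object under CN=Deleted Objects.
$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null

# Modification 1: delete isDeleted (no values = remove the attribute entirely).
$undelete = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$undelete.Name = 'isDeleted'
$undelete.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

# Modification 2: replace distinguishedName with the new DN. Both must be in one request.
$rename = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$rename.Name = 'distinguishedName'
$rename.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$rename.Add($newDn) | Out-Null

$req.Modifications.Add($undelete) | Out-Null
$req.Modifications.Add($rename)   | Out-Null
$resp = $conn.SendRequest($req)
"Reanimation result: $($resp.ResultCode)"

# Read back what survived. objectSid and the account password are retained on a tombstone,
# memberOf is not (Shaun's point below); userAccountControl shows whether it is still enabled.
Get-ADComputer -Server $dc -Identity $newDn `
    -Properties objectSid, pwdLastSet, userAccountControl, memberOf |
    Format-List Name, DistinguishedName, objectSid, pwdLastSet, userAccountControl, memberOf
```

After the object is back, the test that settles Kevin's and Shaun's question for a given forest is run on the server itself: `Test-ComputerSecureChannel -Verbose` succeeds only if the reanimated account's password still matches the one the machine holds; if it fails, `Reset-ComputerMachinePassword` with domain credentials repairs it, and the memberships Shaun mentions have to be re-added either way.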
Shaun Vermaak

Restoring an account from tombstoned state will not restore group memberships AFAIR but the secure channel password will be restored. I mention this because I utilize computer groups quite a bit and others might too.