Archive for June, 2017|Monthly archive page

Workstation re-join to domain

Sometimes… it happens.

You have a joyful domain with some workstations in it, and suddenly a workstation decides (or the PDC decides for it) that it would be great to exit the domain. And just to be sure you won’t understand what happened, when a legitimate user tries to log on, they get a message like this from the login attempt:

The trust relationship between this workstation and the primary domain failed.

There are many causes (human error first among them) for a workstation to leave a domain. But beyond preventing this problem, how can we solve it once it has happened?

It happened yesterday to a Client of mine and I was asked to solve the problem. I had to Google around a little bit, but searching for the above message let me find some information about the problem itself and some workarounds. All of those require you to access your workstation with a local administrative account, but what if that workstation was installed years ago, not by you, and nobody knows who the local administrator is and/or the password (even the person who is supposed to have installed that workstation)?

Well, I found this workaround that at least let me enter the workstation, make the appropriate adjustments and then solve the problem. I can’t assure you this will work again or that it will work for you, but it is worth a try.

  1. Disconnect the network cable (or turn off WiFi). This is to ensure that the workstation won’t reach the PDC when requesting logon.
  2. Log on normally with the user account. You might ask how this is possible, as the network connection was cut in the previous step. It can be done because Windows caches credentials locally for the event that the PDC is not reachable…
  3. Reconnect the network cable.
  4. Open Computer Management. You will be asked for an Administrator account to use; as we don’t know who the local administrator on the workstation is, enter the domain Administrator credentials (and cross your fingers).
  5. If Computer Management appears, switch to the Local Users and Groups definitions. If Computer Management does not appear… you have finished following this guide. You’d better look for a different approach.
  6. Normally the local Administrator account is disabled, but at least one local user should belong to the Administrators group.
  7. Select that user and reset its password. As you didn’t remember the password before, you might want to take note of the new password somewhere, in the event you have to use it…
  8. Pressing WIN+PAUSE will bring you to the System Status. Here you have to select the Advanced Properties, and you’ll be asked for an administrative account again. You can once again use the domain administrator credentials.
  9. Select the Network Identification tab. You will see the PC is currently joined to the domain, even though this is not working. You have to select to join a Workgroup, then give it a name (for instance TEMPGROUP).
  10. You’ll be asked for the credentials of a user who can unjoin the workstation from the domain. Once again you’ll have to enter the domain administrator credentials. You’ll also be warned that a local (administrative) account must be enabled on the workstation. We ensured that in step 7.
  11. Once done, we have to restart the PC.
  12. After the PC restarts, you can access it with the local administrative account from step 7.
  13. Then press WIN+PAUSE once again, select Advanced Properties, navigate to the Network Identification tab and select to join a domain.
  14. Enter the domain name; you’ll then be asked for the domain administrator’s credentials.
  15. Enter them, and your workstation will re-join the domain.
  16. Reboot the PC and then log on as the workstation’s normal user.
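
The same unjoin/rejoin sequence (steps 6 to 15) can be scripted from an elevated PowerShell prompt opened with the domain administrator credentials, as in step 4. This is an added example, not part of the original post. It assumes Windows PowerShell 3.0 or later (Windows 7 ships with 2.0); the script name `Rejoin-Workstation.ps1`, the domain `example.local` and the account `localadmin` are placeholders.

```powershell
# Rejoin-Workstation.ps1 -- added example, not from the original post.
# Assumes Windows PowerShell 3.0+ and an elevated prompt.
# Run once with -Phase Unjoin, then after the restart with -Phase Rejoin.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Unjoin', 'Rejoin')]
    [string]$Phase,
    [string]$DomainName    = 'example.local',  # placeholder: your domain name
    [string]$WorkgroupName = 'TEMPGROUP',      # temporary workgroup from step 9
    [string]$LocalAdmin    = 'localadmin'      # placeholder: the user found in step 6
)

if ($Phase -eq 'Unjoin') {
    # Confirm the symptom first: this returns $false when the machine
    # account secret no longer matches the one stored in the domain.
    if (Test-ComputerSecureChannel) {
        Write-Warning 'Secure channel is healthy; nothing to repair.'
        return
    }

    # Step 6: show who belongs to the local Administrators group.
    net localgroup Administrators

    # Step 7: reset the chosen account's password (prompted, not echoed)
    # and make sure the account is enabled before leaving the domain.
    net user $LocalAdmin *
    net user $LocalAdmin /active:yes

    # Steps 9-11: leave the domain for the temporary workgroup and restart.
    $domainCred = Get-Credential -Message 'Domain administrator credentials'
    Remove-Computer -UnjoinDomainCredential $domainCred `
                    -WorkgroupName $WorkgroupName -Force -Restart
}
else {
    # Steps 13-16: run after logging on with the local account from step 7.
    $domainCred = Get-Credential -Message 'Domain administrator credentials'
    Add-Computer -DomainName $DomainName -Credential $domainCred -Restart
}
```

After the final restart, `Test-ComputerSecureChannel` should return `True` when run from an elevated prompt on the rejoined workstation.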

That’s it.

It worked for me to rejoin a Windows 7 Pro workstation to a Windows Server 2012 R2 domain. I think that it could be used with different Client and Server OSes. Let me know!