Error when Attempting to Remove Windows Server 2008 Server Core from Domain
A few days ago I played around with some of my virtual machines and encountered an issue when attempting to remove a Windows Server 2008 R2 Server Core machine from a domain. Because both the core machine and the Domain Controller (DC) machine were virtual machines, when I reverted the DC back to a previous snapshot, the core machine could no longer access resources on the DC, and I couldn’t log on to the machine by using the domain admin user account.
This is the error I got while attempting to log on by using a domain user account:
“The security database on the server does not have a computer account for this workstation trust relationship.”
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
To fix this, I tried to remove the server core machine from the domain. In core, this can be done in one of 2 ways:
- By using SCONFIG
- By using NETDOM
Since SCONFIG is easier, I used it. I typed SCONFIG in the Command Prompt window, and when SCONFIG opened, I pressed on the “1” key.
I then attempted to remove the machine from the domain in order to later re-join it.
I entered the right local credentials:
But no matter what I did, I got an error:
“Failed to join domain.”
(Actually, I tried to get out of a domain, but no matter…)
So I tried using NETDOM. In the Command Prompt window I typed the following command:
netdom /remove %computername% /domain:petri-labs.local /userd:administrator /passwordd:************
I got an error:
“No mapping between account names and security IDs was done.”
The command failed to complete successfully.
I also tried a variation of the username I used:
netdom /remove %computername% /domain:petri-labs.local /userd:petri-labs\administrator /passwordd:************
Still, same error.
And then it hit me. The error I got when attempting to log on by using a domain user account had a clue in it. There was no computer account for the server core machine in Active Directory Users and Computers!
So I went to the DC, opened the Active Directory Users and Computers snap-in, and bingo, indeed the computer account was missing.
I created the server core computer account by clicking on the “Computers” container > New > Computer.
I created the new computer object with a name that matches the name of the server core machine.
Attempting to leave the domain again resulted with a success, and I was asked to reboot the machine.
Back in Active Directory Users and Computers, the computer account’s object was disabled.
It’s worth noting that I only encountered this specific issue on server core machines, and while it’s possible that it could happen in GUI-based operating systems such as Windows XP/Vista/7 etc., these will usually let you complete the action even if the computer account was missing.