
Error when Attempting to Remove Windows Server 2008 Server Core from Domain

A few days ago I was playing around with some of my virtual machines and ran into an issue when attempting to remove a Windows Server 2008 R2 Server Core machine from a domain. Both the core machine and the Domain Controller (DC) were virtual machines, and after I reverted the DC to an earlier snapshot, the core machine could no longer access resources on the DC, and I could not log on to it with the domain admin account.

This is the error I got while attempting to log on by using a domain user account:

“The security database on the server does not have a computer account for this workstation trust relationship.”


To fix this, I tried to remove the Server Core machine from the domain. On Server Core, this can be done in one of two ways:

  • By using SCONFIG
  • By using NETDOM

Since SCONFIG is easier, I used it. I typed SCONFIG in the Command Prompt window, and when the SCONFIG menu appeared, I pressed the “1” key.

[Screenshot: the SCONFIG menu on Server Core]

I then attempted to remove the machine from the domain in order to later re-join it.

[Screenshot: SCONFIG prompt to remove the machine from the domain]

I entered the right local credentials:

[Screenshot: SCONFIG prompt for local credentials]

But no matter what I did, I got an error:

“Failed to join domain.”

(Actually, I tried to get out of a domain, but no matter…)


So I tried using NETDOM. In the Command Prompt window I typed the following command:

netdom /remove %computername% /domain:petri-labs.local /userd:administrator /passwordd:************

I got an error:

“No mapping between account names and security IDs was done.”

The command failed to complete successfully.

I also tried a variation of the username I used:

netdom /remove %computername% /domain:petri-labs.local /userd:petri-labs\administrator /passwordd:************

Still, same error.


Rats!

And then it hit me. The error I got when attempting to log on with a domain user account contained the clue: there was no computer account for the Server Core machine in Active Directory.

So I went to the DC, opened the Active Directory Users and Computers snap-in, and bingo, indeed the computer account was missing.

I created the server core computer account by clicking on the “Computers” container > New > Computer.

[Screenshot: the Computers container in Active Directory Users and Computers]

I created the new computer object with a name that matches the name of the server core machine.

[Screenshot: the New Object - Computer dialog, with the name matching the Server Core machine]

Attempting to leave the domain again succeeded, and I was asked to reboot the machine.

Back in Active Directory Users and Computers, the computer account object was now disabled, as expected after a successful unjoin.

It’s worth noting that I only encountered this specific issue on Server Core machines. It could possibly happen on GUI-based operating systems such as Windows XP/Vista/7 as well, but those will usually let you complete the unjoin even if the computer account is missing.
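As an added example that is not part of the original post, the PowerShell below automates the check described above. It runs on the DC (or an admin workstation with the RSAT ActiveDirectory module), looks for a computer object whose name matches the Server Core host, and recreates one in the Computers container if it is missing; the host name CORE01 is a placeholder, and the domain is the one used in the post.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) is installed where this runs and that the caller may create
# objects in CN=Computers. CORE01 is a placeholder host name.
param(
    [string]$ComputerName = 'CORE01',           # placeholder host name
    [string]$Domain       = 'petri-labs.local'  # domain from the post
)

Import-Module ActiveDirectory -ErrorAction Stop

# Look the object up with a filter rather than -Identity so that a missing
# account yields $null instead of throwing.
$acct = Get-ADComputer -Filter "Name -eq '$ComputerName'" `
                       -Server $Domain `
                       -Properties Enabled, PasswordLastSet

if ($acct) {
    # The object exists, so a broken trust is a machine-password mismatch
    # (for example after a DC snapshot revert); report it and stop. The fix
    # for that case is a password reset on the member, not a new object.
    Write-Output "Account $($acct.SamAccountName) exists. Enabled=$($acct.Enabled) PasswordLastSet=$($acct.PasswordLastSet)"
    Write-Output "Run Reset-ComputerMachinePassword on $ComputerName instead."
    return
}

# No computer object at all: the situation in the post. Create one whose
# name matches the host so that the unjoin has an account to update. The
# SAM account name is the host name with a trailing '$'.
Write-Output "No computer account named $ComputerName in $Domain; creating it."
New-ADComputer -Name $ComputerName `
               -SamAccountName "$ComputerName`$" `
               -Server $Domain `
               -Enabled $true

# Once the unjoin has run on the Server Core box (SCONFIG option 1 or
# netdom remove), this object is expected to show Enabled=False, as in
# the post.
Get-ADComputer -Identity $ComputerName -Server $Domain -Properties Enabled |
    Select-Object Name, SamAccountName, Enabled
```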

2 responses to “Error when Attempting to Remove Windows Server 2008 Server Core from Domain”

  1. Thank you!!! I had tried all of the steps above, including the netdom commands, to no avail. Who would have thought that adding a machine to a domain controller it wasn’t on previously would be the fix? We have a test environment in our network in which most machines are refreshed after several weeks to more current ones. The machine I was having an issue with only exists in this test environment, and so the new AD server had no record of it. Why Microsoft would choose this route to unjoin a domain is beyond me. Again, thanks for this post.
