After restore computer object from AD GRT backup, unable to login to domain and requires to rejoin to domain.

Article:TECH156860  |  Created: 2011-03-29  |  Updated: 2013-04-17  |  Article URL http://www.symantec.com/docs/TECH156860
Article Type
Technical Solution


Issue



A computer object under the Computers container of the Active Directory Users and Computers applet is deleted accidentally. The computer object is then restored from an AD GRT backup. After the restore completes, that computer cannot log in to the domain and has to be rejoined to the domain once again.


Error



Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance.


Environment



Windows Server 2003.


Cause



When Active Directory deletes an object from the directory, it does not physically remove the object from the database. Instead, Active Directory moves the object to a special container called the tombstone. Before the tombstone expires, the deleted object can be restored (reanimated) from the tombstone. By default a tombstoned object does not retain the password attribute (Unicode-Pwd), so the reanimated computer account's password value does not match the password held on the workstation. This is why you cannot log in to the domain from the workstation when its machine account has been deleted and restored this way.
 


Solution



1. Open ADSI Edit.
2. Go to Schema -> CN=Schema,CN=Configuration... -> CN=Unicode-Pwd and open its properties.
3. Find the attribute searchFlags, change its value from 0 to 8, and then click OK.
4. Back up AD with GRT on a schedule.
5. When a computer object is deleted accidentally, restore it directly from the AD GRT backup.
The restore job will complete with the following exception:
V-79-40960-517 - Warning: On the domain controller, reset the account for this restored Active Directory computer, DC=<domain_name>,DC=com/DC=<domain_name>/CN=Computers/CN=<computer_name>, and then re-enable the computer's account by using the Microsoft Active Directory Users and Computers application. On the restored computer, add the computer to a workgroup, and then rejoin the domain.
Ignore this exception and continue to the next step.
6. Go to Active Directory Users and Computers. Under Computers, the restored computer shows up, but marked with a red cross.
7. Right-click that computer and click Reset Account.
8. You will now be able to log in to the domain from that computer. (Sometimes the computer needs to be rebooted once.)
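Step 3 above, carried out with ADSI from PowerShell instead of the ADSI Edit GUI, as an added example that is not part of the Symantec article. It sets the preserve-on-delete bit (0x8) of searchFlags with a bitwise OR rather than overwriting the value with 8, so it also works when other searchFlags bits are already set, and reads the attribute back to confirm the change; the $PreserveOnDelete name is chosen here, and the script assumes it runs as a member of Schema Admins on a domain-joined host.

```powershell
# Added example (not from the Symantec article): marks the Unicode-Pwd
# schema attribute "preserve on delete" (searchFlags bit 0x8) so that
# tombstones of deleted computer objects keep unicodePwd, which is what
# lets a GRT-restored computer account keep working. Assumes Schema
# Admins rights; the write is refused unless it reaches the schema master.
$PreserveOnDelete = 0x8

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.Properties["schemaNamingContext"].Value
$attr     = [ADSI]"LDAP://CN=Unicode-Pwd,$schemaNc"

$current = [int]$attr.Properties["searchFlags"].Value
Write-Host ("Current searchFlags on Unicode-Pwd: {0} (0x{0:X})" -f $current)

if (($current -band $PreserveOnDelete) -ne 0) {
    Write-Host "Preserve-on-delete bit already set; nothing to do."
} else {
    # OR the bit in rather than overwriting, so any other flags survive.
    # With the default value 0 this yields 8, as the article states.
    $new = $current -bor $PreserveOnDelete
    $attr.Properties["searchFlags"].Value = $new
    $attr.SetInfo()

    # Re-read from the directory to confirm the write actually persisted.
    $attr.RefreshCache()
    $verify = [int]$attr.Properties["searchFlags"].Value
    if (($verify -band $PreserveOnDelete) -eq 0) {
        throw "searchFlags update on Unicode-Pwd did not persist (value: $verify)"
    }
    Write-Host ("searchFlags on Unicode-Pwd is now {0} (0x{0:X})" -f $verify)
}
```

The flag only affects objects deleted after it is set, so existing tombstones still lack the password and those computers still need the Reset Account step.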



