JSI Tip 6345. How do I recover from a deleted domain controller machine account?

If the machine account is missing, the 'broken' domain controller cannot be authenticated and the Directory service is unable to replicate.

To determine if the machine account is missing:

1. On the 'broken' domain controller, open a CMD prompt.

2. Type dcdiag /s:localhost and press Enter.

3. If the machine account is missing, you will receive:

Error: The server <servername> is missing its machine account. Try running with the /repairmachineaccount option.

NOTE: If the machine account was deleted during the DCPROMO process of becoming a replica domain controller in an existing domain, a restart displays the following event log entry on the 'broken' DC:

Source: SAM
Event ID: 16405
Level: Error
Description: During the installation of the Directory Service, this server's machine account was deleted hence preventing this Domain Controller from starting up.

If the machine account was deleted from a domain controller that had been working:

1. Perform an authoritative restore, using a recent backup, of the domain controller's machine account on a different domain controller (DCA). Use the Active Directory Sites and Services snap-in to verify that DCA is a replication partner of the 'broken' domain controller (DCB). If DCB has a connection object from DCA, then DCB replicates from DCA.

NOTE: On DCB, open a CMD prompt and stop the Key Distribution Center by typing:

net stop kdc

2. On DCB, use the Active Directory Sites and Services snap-in to perform a Replicate Now on the connection object from DCA.

If you DO NOT have a recent backup or if the machine account was deleted during DCPROMO:

1. On DCB, log on with domain administrator credentials.

2. Open a CMD prompt and type:

dcdiag /s:localhost /repairmachineaccount

NOTE: You could pass domain administrator credentials on the dcdiag command line.

3. Dcdiag will create a machine account for DCB on another domain controller and then replicate. You should receive:

This Domain Controller's machine account has been successfully restored. Please demote and promote this machine to ensure all state is correctly rebuilt.

4. After an appropriate wait for replication to finish, demote and re-promote DCB to ensure that state is properly reconstructed, as some services keep state under the machine account.
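The detection steps above (dcdiag output and SAM event 16405) and the no-backup repair path, combined into one script. This is an added example, not part of the original tip; it assumes it is run on the 'broken' DC with domain administrator credentials, on a Windows version with PowerShell and Get-WinEvent, and with a dcdiag.exe that supports the /repairmachineaccount option the tip describes. Function names are my own.

```powershell
# Added example (not from the original tip). Assumes: run on the 'broken' DC
# as a domain administrator; dcdiag.exe on the PATH; Get-WinEvent available.

function Test-DcMachineAccount {
    # Steps 1-3 of the tip: run dcdiag against the local DC and look for the
    # "is missing its machine account" message.
    $dcdiag  = & dcdiag.exe /s:localhost 2>&1 | Out-String
    $missing = $dcdiag -match 'is missing its machine account'

    # DCPROMO case from the tip: SAM event 16405 in the System log after a restart.
    $event16405 = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'SAM'; Id = 16405
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MachineAccountMissing = [bool]$missing
        DeletedDuringDcpromo  = ($null -ne $event16405)
        DcdiagOutput          = $dcdiag
    }
}

function Repair-DcMachineAccount {
    # Steps 2-3 of the "no recent backup" path: dcdiag creates the machine
    # account on another DC and replicates. Returns $true only when dcdiag
    # prints its success message; on $false, match the output against the
    # "Possible Dcdiag error messages" list in the tip.
    $out = & dcdiag.exe /s:localhost /repairmachineaccount 2>&1 | Out-String
    if ($out -match 'machine account has been successfully restored') {
        Write-Warning 'Repair succeeded. Wait for replication, then demote and re-promote this DC.'
        return $true
    }
    Write-Warning 'Repair did not report success; dcdiag output follows.'
    Write-Output $out
    return $false
}

$state = Test-DcMachineAccount
if ($state.MachineAccountMissing -or $state.DeletedDuringDcpromo) {
    Repair-DcMachineAccount | Out-Null
} else {
    'Machine account present; no repair needed.'
}
```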

Possible Dcdiag error messages:

Error: Unable to find another Domain Controller to help repair our account.

Dcdiag could not find another domain controller to create the machine account.

Error: The machine account %1 could not be created on %2 because %3.

Where %3 is a Win32 error, likely dealing with access denied.

Error: The machine account %1 password could not be reset on %2 because %3. Please reset the account on %3.

Where %3 is a Win32 error, likely dealing with access denied. This error does NOT prevent recovery.

Error: The Key Distribution Center could not be stopped because %1.

Try stopping it manually using net stop kdc.

Error: The replication from %1 failed because %2.

Try to manually force replication using the Active Directory Sites and Services snap-in to perform a Replicate Now on the connection object from DCA.

Error: The attempt to repair the machine account failed because %1.

Look up the error using tip 161.
