Windows cannot connect to the domain…

As you may know, I’m a big fan of virtualization. At work, whenever I need to use Windows-only applications, I fire up VirtualBox, which is running an instance of Windows XP. A virtual machine like that covers pretty much all my needs. I also enjoy the fact that if that instance ever becomes infected with a virus, or somehow b0rks itself, I can always restore it to an earlier snapshot. Or at least so I thought.

It turns out that snapshots can sometimes be problematic, especially if your virtualized OS is tied into a Windows domain. I had reverted snapshots a few times before without any problems, but this time around I hit a snag. After I rolled the VM back, I found myself locked out of Windows. Every time I tried to log in, I was presented with this amusing little message:

Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your network administrator for assistance.

This message popped up for every single username within the domain – including the domain administrator account. I was able to log into the machine as a local user though. My first instinct was to troubleshoot networking but as it turned out, it was working just fine. Upon logging in locally, I was able to access the internet, as well as the network shares. I could also ping the domain controller without any problems.

Some quick googling told me that this sometimes happens when you have two computers with the same name joined into the same domain. The DC gets confused and locks one or both of them out. I didn’t have a new computer – but an earlier version of the same one. I guess it was different enough to fool my Win 2k3 server into thinking it was some alien machine.

The question was, how to un-confuse the DC as to the identity of my Virtual Machine. Removing the computer name via Active Directory did not resolve the issue. Some more googling and basic trial and error led me to the following sequence that will fix this condition without hosing your user accounts:

  1. Remove the Computer from Active Directory

    You will need to log into the DC and remove the entry with your computer’s name from Active Directory. Do not remove user accounts – just the computer. Needless to say, you need to be able to access the DC either physically or remotely. You may be able to get away without doing this step, since we will be changing the name of the computer in the next step.

  2. Change your computer name and domain

    Go to System Properties and change your computer name to something else. While you are there, leave the domain and join some workgroup (doesn’t matter which one – just leave the domain). You can do both of these things at the same time – it’s all done on one screen.

    It should be fairly obvious that you will need to provide some sort of credentials with administrative privileges for your domain to leave it. Make sure you have them.

  3. Do not reboot

    When you leave the domain you will see a dialog telling you that you need to reboot. Do not listen to it. Just acknowledge the message, but do not close the System Properties window. If you do it, your machine will automatically reboot. Restarting at this point probably wouldn’t harm you but in my experience it’s just a waste of time. Instead, just go back to the name changing dialog.

  4. Re-join the domain

    Yup, just leave the workgroup and join the domain again. You will once again be prompted for domain administrator credentials. To be safe, do not change the name back to what it was before. We want to pretend this is a whole new computer being joined to the domain.

  5. Reboot

    The system will tell you to reboot again. Now it’s time to listen to it. Acknowledge the dialog, close the System Properties window and the machine will restart itself.

  6. Log in

    If everything went well, you should be able to log into the system with your domain-bound username and see your regular environment unaffected by this exercise.

  7. ???
  8. Profit

This worked for me. Upon rebooting the VM I was able to log in without a problem. So I’m posting it here as a future reference. It is bound to happen again, if not to me then to you – and this is a quick and easy way to fix it.
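
Steps 2 through 5 above can also be scripted. The following is an added example, not part of the original post: it assumes a guest with Windows PowerShell 3.0 or later (the post's Windows XP guest does not have it), an elevated session under a local administrator account, and hypothetical parameter values for the domain and the new computer name. Step 1 (removing the old computer entry on the DC) is still done separately.

```powershell
#Requires -Version 3.0
# Added example, not from the original post. Scripts steps 2-5 of the list above.
# Run from an elevated Windows PowerShell session while logged in as a LOCAL administrator.
param(
    [Parameter(Mandatory)] [string] $DomainName,  # assumption: e.g. corp.example.com
    [Parameter(Mandatory)] [string] $NewName,     # must differ from the current name
    [string] $Workgroup = 'WORKGROUP'             # any workgroup will do
)
$ErrorActionPreference = 'Stop'

$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($NewName -ieq $cs.Name) {
    throw "Choose a name other than the current one ($($cs.Name))."
}
if ($NewName.Length -gt 15) {
    throw 'NetBIOS computer names are limited to 15 characters.'
}

# Domain account with rights to join computers; the GUI asks for it in steps 2 and 4.
$cred = Get-Credential -Message "Credentials for $DomainName"

# Step 2: leave the domain for a workgroup.
if ($cs.PartOfDomain) {
    Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName $Workgroup -Force
}

# Step 3: no reboot here (no -Restart switch is passed above).

# Step 4: rejoin under the new name so the DC sees a brand-new computer account.
Add-Computer -DomainName $DomainName -NewName $NewName -Credential $cred -Force

# Step 5: now reboot.
Restart-Computer -Force
```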

Also, I apologize for the lack of funny in this post. It’s just one of these boring technical blogs that I feel compelled to post from time to time. Humor me. I promise to post something funny and/or entertaining by the end of the week.




11 Responses to Windows cannot connect to the domain…

  1. chris says:

    You can just remove the computer from the domain at the computer in My Computer, deauthing or not, by dropping it into a workgroup and then rebooting. Then just add it back to the domain. However, this works with LDAP Samba PDC, maybe not AD.

  2. D says:

    In my case the computer account was disabled. Launched Active Directory, searched for the computer name, right-clicked and enabled. Done.

  3. Mike says:

    You just saved my weekend. I owe you a case of beer or something. Thanks

  4. I says:

    I have the same issue. Can you remove and add Exchange, SQL servers from the domain without causing other AD issues? Thanks

  5. Dinesh says:

    Am not sure if the length of the computer name (FQDN) would cause this or play up so try and keep the length to a ‘meaningful’ minimum characters/alphabets!

  6. Pingback: Remotely Rename a Computer in a Windows Domain « Terminally Incoherent

  7. JOhnBoB says:

    I am not WORTHY! Thank you! You have saved me.

  8. admincpn says:

    AWESOME! Thanks for saving us a ton of work

  9. Luca says:

    Thanks a lot. It saved me a lot of time.

  10. Daniel says:

    Hi Luke, even though my situation is the same, the way I resolved the issue is as follows:
    My first PC where I created the VPC was Vista x32. Somehow, the network admin deleted it because he thought it was just an unused PC. However, I created it again, and when I tried to log in to the domain, that’s when the message above appeared. What I did was to check with the network admin to see if my VPC existed. Of course, I had renamed it just so it can be clear that it was needed. We checked and I noticed that my VPC was not registered on the domain. I simply then went to add it to the domain, restarted, and logged in without any problems. I simply right-clicked on MyComputer->Properties, and under the ‘Computer Name’ tab, I clicked on the ‘Network ID’ button and followed the wizard.

    I double checked then with the network admin and voilà … my VPC then appeared registered on the domain. I hope this helps someone else!!

  11. Jordan says:

    Not only did this help me solve my problem, it made me laugh at work - thanks to the underwear gnome reference

    tyvm
