Can't Unjoin Domain

mhsemcheski

Hello,

I've got a problem with a Windows 2000 workstation on a Win2k3 domain.
The problem began when a domain policy was created that disabled signed
communications. A few machines (thankfully, not all of them) read this
policy and used it. Later, the policy was undone, but then none of the
machines that had enacted this policy could get the new one. And I
couldn't override the policy locally.

So, the solution seemed to be to unjoin and rejoin the computer to the
domain. The problem I'm having right now is, while the computer's
account was deleted from the active directory, the computer refuses to
join a workgroup.

When it is connected to the network and I try to join a workgroup, I
get "The session setup to the Windows NT or Windows 2000 Domain
Controller <Unknown> for the domain DOMAIN failed because the Domain
Controller does not have an account for the computer COMPUTER."

If I disconnect the network connection and try to join a workgroup, I
get "No Windows NT or Windows 2000 Domain Controller is available for
domain COMPUTER. The following error occurred:
There are currently no logon servers available to service the logon
request."

Isn't there a way to force the computerNo Windows NT or Windows 2000
Domain Controller is available for domain STRICK. The following error
occurred:
There are currently no logon servers available to service the logon
request."

I've tried this logged in as the local and domain administrator.
Neither works. I just want the computer to get back to a normal,
healthy relationship with the domain, but it seems I'll have to
convince it that it is no longer a member first.

Any ideas? Thanks
 
Robert L [MS-MVP]

Have you changed the computer from the member of domain to workgroup locally? If not, re-add the computer account on DC.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
Mike

"Have you changed the computer from the member of domain to workgroup
locally? If not, re-add the computer account on DC. "

I tried creating the computer account on the DC, and then rejoining it.
However, it says "A computer account has been found...", but when I
try to use that account I get "Access Denied..." and the event "Failed
to authenticate with \\dc.my.domain.com, a Windows NT or Windows 2000
domain controller for domain DOMAIN. "

On the DC, I see Failed Security events that are along the lines of
"Preauthentication Failed for COMPUTER..."

I think this may have something to do with the fact that on the
orphaned computer, the Local Security Settings for "Digitally Sign
Client Communication" are disabled. I can't seem to enable them. I
think they are being overridden by an old domain policy (and once that
domain policy changed, they were cut off and couldn't get a new policy.)
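
Added example (not part of Mike's post or of any reply in this thread): a small model of how SMB1 signing is negotiated, to show why a client with signing switched off can be locked out by a server that insists on it. It assumes the DC requires signing, which the thread does not confirm; `SigningPolicy`, `from_registry` and `negotiate` are names made up for the example, and the two DWORD names are the registry values behind the "Digitally sign ... communications" settings.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningPolicy:
    enabled: bool    # "Digitally sign communications (if agreed)"
    required: bool   # "Digitally sign communications (always)"

    @property
    def level(self) -> str:
        # Simplification: "always" dominates, whatever "if agreed" says.
        if self.required:
            return "required"
        return "enabled" if self.enabled else "disabled"


def from_registry(values: dict) -> SigningPolicy:
    """Build a policy from the two DWORDs (a missing value is treated as 0 here)."""
    return SigningPolicy(
        enabled=bool(values.get("EnableSecuritySignature", 0)),
        required=bool(values.get("RequireSecuritySignature", 0)),
    )


def negotiate(client: SigningPolicy, server: SigningPolicy) -> str:
    """Return 'signed', 'unsigned' or 'fails' for an SMB1 session setup."""
    levels = {client.level, server.level}
    if "required" in levels and "disabled" in levels:
        return "fails"        # one side insists, the other cannot sign
    if "required" in levels or levels == {"enabled"}:
        return "signed"
    return "unsigned"


if __name__ == "__main__":
    # Constructed values, not taken from the thread.
    dc = SigningPolicy(enabled=True, required=True)  # assumption: DC requires signing
    workstation = from_registry({"EnableSecuritySignature": 0,
                                 "RequireSecuritySignature": 0})
    cases = [("policy-disabled workstation", workstation),
             ("workstation with 'if agreed' on", SigningPolicy(True, False))]
    for name, client in cases:
        print(f"{name} -> DC: {negotiate(client, dc)}")
```

Group Policy files are fetched from the DC's SYSVOL share over SMB, so a "fails" result here would also stop the corrected policy from ever reaching the workstation.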
 
Richard G. Harper

I think Robert's suggesting that you log on with local machine credentials
(change the logon domain from DOMAIN NAME to MACHINE NAME), then attempt to
disjoin the domain.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Kurt

Yes. You deleted the account from ADU&C instead of unjoining the computer,
so the computer account does not exist in AD. You'll need to log on as the
local administrator - maybe even pull the network plug or change the IP
address so the workstation can't resolve the domain, and unjoin. You'll get
an error that the computer was unjoined but the domain couldn't be
contacted. If you need to do this again, don't delete the computer account,
unjoin from the workstation.

....kurt

 
Mike

Even if the network is unplugged, when I try to join a workgroup, I get
access denied. This is true either with the administrator account, or
with a user from the administrators group.

Same thing happens on a computer that is still a member of the domain
which I am trying to unjoin.
 
Richard G. Harper

Yes, that's right; and it will continue to happen unless you log on with THE
LOCAL ADMINISTRATOR ACCOUNT name and password - the one that was created
when Windows 2000 or XP was first installed. Not a domain account - not ANY
domain account.

You must change the logon type from domain logon to local logon (change from
the name of the domain in the logon box to the name of the computer in the
logon box) and then use a local Administrator account.

 
Mike

Right, I've logged on as the local administrator, and it won't let me
remove the computer from the domain, or join a work group. I have also
tried it as a local user that happens to be in the administrators group
(and yes, administrator is in the administrators group).

I can't log in with a domain account, so for this thread, assume I'm
talking about local accounts unless I say otherwise. As for the other
computer I mentioned, let's forget about it for now. I think whatever
its problem is, it's the same as the one in question (some kind of
policy that cannot be undone).

Here's something I think might be noteworthy. As the local
administrator (or any other user I can conjure), I cannot stop the
w32time service or change the time. This is notable because when I try
to unjoin the computer from the domain, I get an "Access Denied" error,
and I get a security failure audit for... w32time. Access Denied.

So, I think in programming terms what's happening is that part of the
unjoining process is restarting w32time. When Windows tries to stop or
restart w32time, an exception is thrown (or an error is logged) which
is what I'm seeing. It's not that I don't have permission to remove the
computer from the domain, but w32time is somehow on steroids and blocks
it.

I've tried rebooting into safe mode to stop w32time from starting but
couldn't figure out how. I can't disable the service or switch it from
automatic to manual. My ultimate goal is unrelated to time, but since
an audit failure involving w32time is the only error I see, I guess
that is a new angle to look at.

Totally lost on what transpired here, but I'd love to hear it if anyone
has any theories.
 
Richard G. Harper

I think you are using a non-Administrator account, or you're using the
Administrator account but it's been gelded and turned into a
non-Administrator account. In order to have the process work you must log
on with an account that's a member of the local Administrator group.

 
Mike

Well, what you're suggesting seems possible. I've checked that the two
users I've tried with were members of the Administrators group.
Whether that group could have been 'gelded' (good way to put it) I
don't know. Anyone know a way to check?

Any thoughts on how to resolve this if that is the case?
 
Richard G. Harper

You'd need to know who has Administrator rights on the laptop, not the
domain. If you don't know this and you don't know who does, you're moving
into the realm of hacking the computer and the local SAM database, something
I have neither the time nor inclination to do. If I get that far in the
doo-doo, I nuke and pave the box.

 
Mike

Is there a guarantee that anyone has administrator rights on the
computer? There's one local user and the original administrator
account. They are the only local accounts. The only local group
is the Administrators group. Any guarantee that its members (both of
the local users) are administrators, and that it has not been gelded?
Is there an ungeld function anywhere (probably have to be an
administrator to perform it anyway)?

I'm going to be really disappointed if I have to nuke this computer.
 
Richard G. Harper

In theory it's quite possible that no local Administrator account exists, as
a careless administrator could have stripped admin rights from the
Administrator account and no other account was granted admin rights in its
place.

 
