What causes a computer to fall off the domain?
PowerShell How-To: Rejoin a Computer to a Domain in One Easy Step!

PowerShell can save you from this headache by automating the entire repair procedure.

We all love our Active Directory domains. Being able to provide single sign-on authentication for users and computers is great. It's a secure solution that saves a ton of time, cutting out the tedious process of managing workgroup computers. However, there are times when I want to fall on my own sword out of sheer frustration stemming from issues around Active Directory (AD). One of those issues is when a domain-joined computer loses its trust with the domain. Every Microsoft system administrator knows the logon error that says the trust relationship between the workstation and the primary domain has failed.

This happens when the password stored on the computer object in AD and the machine account password held by the computer itself are out of sync: the computer can no longer authenticate its secure channel to a domain controller, so domain logons fail. To troubleshoot this, you may immediately try to reset the computer's account object in Active Directory, reboot the computer and hope for the best. But in my experience, this never works. Resetting the object changes only the domain side of the password; the copy the workstation keeps locally is untouched, so the two are still out of sync. (If the computer is still reachable, Reset-ComputerMachinePassword or Test-ComputerSecureChannel -Repair, run on that computer with a domain credential, resets both copies at once and is worth trying first.) The only true fix I've seen is to remove the workstation from the domain, reboot to apply the change, join it to the domain, and reboot again. This is a pain, but it doesn't have to be.

Using PowerShell, you can automate this entire process and never leave your desk! I put together a script that enables you to connect to a remote computer and rejoin it to the domain, including the two reboots. This saves a ton of time! Let's go over this script and how it works. First, before we get into the script, you must meet a few requirements.
With the requirements out of the way, let's start with some preparatory, one-time work you'll need to do. During this script's execution, you're going to need two sets of credentials: an administrative local user account on the remote computer and a domain credential. To use these credentials without having to type a username and password every time, you must first export them to an XML file. This only requires a couple of lines of code each. Once done, you will not have to do this again if you ever need to use the script.

    $LocalCred = (Get-Credential)
    $LocalCred | Export-Clixml 'C:\LocalAdminCred.xml'
    $DomainCred = (Get-Credential)
    $DomainCred | Export-Clixml 'C:\DomainCred.xml'   # second file name assumed; only the first path appears in the original

This simply creates two XML files. Each file contains the user name in plain text and the password as a SecureString encrypted with the Windows Data Protection API (DPAPI). That encryption is bound to the user account and the computer that ran Export-Clixml, so the files can only be imported by the same user on the same machine. Export them as the account the script will actually run under, and protect them like any other stored secret: between them they hold a local administrator and a domain account that can join computers.
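The following is an added example, not code from the original article, showing how the two files are read back and what they do and do not protect. 'C:\LocalAdminCred.xml' is the article's path; 'C:\DomainCred.xml' is an assumed name for the second file.

```powershell
# Added example (not from the original article): reload the credential files
# from the preparatory step and check what Export-Clixml actually wrote.
# 'C:\LocalAdminCred.xml' is the article's path; 'C:\DomainCred.xml' is assumed.

function Import-SavedCredential {
    param([Parameter(Mandatory)] [string] $Path)
    try {
        $cred = Import-Clixml -Path $Path
    }
    catch {
        # Export-Clixml protects the password with DPAPI for the exporting user
        # on the exporting machine. Imported by another user, or from a copy on
        # another computer, it typically fails with
        # 'Key not valid for use in specified state'.
        throw "Cannot read '$Path' as this user on this machine: $($_.Exception.Message)"
    }
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "'$Path' does not contain a PSCredential object."
    }
    return $cred
}

function Test-CredentialFileIsProtected {
    # $true when the clear-text password is nowhere in the XML, i.e. the file
    # holds the DPAPI-encrypted SecureString rather than the secret itself.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $raw   = Get-Content -Path $Path -Raw
    $plain = $Credential.GetNetworkCredential().Password
    return ($raw -notmatch [regex]::Escape($plain))
}

$LocalCred  = Import-SavedCredential -Path 'C:\LocalAdminCred.xml'
$DomainCred = Import-SavedCredential -Path 'C:\DomainCred.xml'

# The user name is readable in the file; the password is not.
Select-String -Path 'C:\LocalAdminCred.xml' -Pattern 'N="UserName"'
Test-CredentialFileIsProtected -Path 'C:\LocalAdminCred.xml' -Credential $LocalCred
```

Note that the protection stops at the file: once imported, GetNetworkCredential() hands back the clear-text password, so keep the credential objects out of logs and transcripts.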
In a nutshell, the script does the following: it connects to the remote computer with the local administrator credential (the only credential that still works once the trust is broken), removes the computer from the domain, reboots it, and waits for it to come back online.

Once the computer comes back up, the script then does the following: it joins the computer to the domain with the domain credential, reboots it a second time so the join takes effect, and waits for it to come back online.
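The procedure above, written out as an added example. This is not the author's script; it is a stand-alone Windows PowerShell 5.1 function that drives the same remove / reboot / join / reboot sequence from the administrator's desk using the built-in Remove-Computer, Restart-Computer and Add-Computer cmdlets. COMPUTER1 and mydomain.local are the article's sample values; the credential file paths, the function name and the WORKGROUP name are assumptions.

```powershell
# Added example, not the article's own script: the remove / reboot / join /
# reboot sequence described above, run from the admin's workstation.
# Assumptions: Windows PowerShell 5.1, WMI/DCOM reachable on the target, the
# credential files from the preparatory step, and the names used in 'Usage'.

function Restore-DomainMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [pscredential] $LocalCredential,   # local admin on the target
        [Parameter(Mandatory)] [pscredential] $DomainCredential,  # may join computers to the domain
        [int] $RebootTimeoutSeconds = 600
    )

    if (-not $PSCmdlet.ShouldProcess($ComputerName, "remove from and rejoin $DomainName")) { return }

    # 1. Leave the domain. Domain credentials cannot authenticate to a computer
    #    whose trust is broken, so the connection uses the local admin account;
    #    the domain credential is only used to unjoin the AD computer object.
    Write-Verbose "Removing $ComputerName from its domain"
    Remove-Computer -ComputerName $ComputerName -LocalCredential $LocalCredential `
        -UnjoinDomainCredential $DomainCredential -WorkgroupName 'WORKGROUP' -Force

    # 2. First reboot; the removal is not effective until the restart.
    #    -Wait blocks until WMI on the target answers again or the timeout hits.
    Write-Verbose "Rebooting $ComputerName (1 of 2)"
    Restart-Computer -ComputerName $ComputerName -Credential $LocalCredential `
        -Wait -For WMI -Timeout $RebootTimeoutSeconds -Force

    # 3. Join the domain again. AccountCreate lets the join create the account
    #    if it is missing or reuse the existing one; either way the machine
    #    password is set afresh on both sides, which is the actual repair.
    Write-Verbose "Joining $ComputerName to $DomainName"
    Add-Computer -ComputerName $ComputerName -LocalCredential $LocalCredential `
        -DomainName $DomainName -Credential $DomainCredential -Options AccountCreate -Force

    # 4. Second reboot; the join, too, only takes effect after a restart.
    Write-Verbose "Rebooting $ComputerName (2 of 2)"
    Restart-Computer -ComputerName $ComputerName -Credential $LocalCredential `
        -Wait -For WMI -Timeout $RebootTimeoutSeconds -Force

    # 5. Verify from the target itself. Test-ComputerSecureChannel has no
    #    -ComputerName parameter, so it runs inside Invoke-Command. Using the
    #    domain credential here is itself a test: it only authenticates if the
    #    rejoin succeeded.
    $ok = Invoke-Command -ComputerName $ComputerName -Credential $DomainCredential `
        -ScriptBlock { Test-ComputerSecureChannel }

    [pscustomobject]@{
        ComputerName       = $ComputerName
        Domain             = $DomainName
        SecureChannelValid = [bool]$ok
    }
}

# Usage, with the credential files from the preparatory step (second path assumed):
$LocalCred  = Import-Clixml -Path 'C:\LocalAdminCred.xml'
$DomainCred = Import-Clixml -Path 'C:\DomainCred.xml'
Restore-DomainMembership -ComputerName 'COMPUTER1' -DomainName 'mydomain.local' `
    -LocalCredential $LocalCred -DomainCredential $DomainCred -Verbose
```

Two operational caveats: the remote calls in steps 1 to 4 are WMI/DCOM, so the target's firewall must allow them, and once the computer is in a workgroup, Windows filters the token of any local administrator other than the built-in Administrator over the network (UAC remote restrictions), so either use that account or set LocalAccountTokenFilterPolicy on the target beforehand.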
To use the script, I've included all the proper cmdlet help. However, a good example may look something like this:

This would connect to the computer COMPUTER1 and attempt to rejoin it to the domain mydomain.local using the local and domain credentials you created earlier. If everything works as designed, the script reports each step and a successful rejoin.

If you'd like to try out this script, feel free to download it here. Use it, modify it and improve it in any way you see fit. Scripting should be about sharing; so if you are able to make it better, please post it on the TechNet Script Repository. Or better yet, blog about it! I'd love to hear how it has helped and if anyone was able to make it better!

About the Author
Adam Bertram is a 20-year veteran of IT. He's an automation engineer, blogger, consultant, freelance writer, Pluralsight course author and content marketing advisor to multiple technology companies. Adam also founded the popular TechSnips e-learning platform. He mainly focuses on DevOps, system management and automation technologies, as well as various cloud platforms mostly in the Microsoft space. He is a Microsoft Cloud and Datacenter Management MVP who absorbs knowledge from the IT field and explains it in an easy-to-understand fashion. Catch up on Adam's articles at adamtheautomator.com, connect on LinkedIn or follow him on Twitter at @adbertram or the TechSnips Twitter account @techsnips_io.

What causes a computer to lose its trust relationship with the domain?
The machine account password held by the computer stops matching the one stored on its computer object in Active Directory. The computer rotates this password itself (every 30 days by default), so the usual triggers are anything that rolls one side back or replaces it: restoring the computer from an older snapshot or image, resetting or recreating the computer account in AD, or a second machine joined under the same name. Once the two copies differ, the computer cannot authenticate its secure channel to a domain controller and domain logons fail with the trust relationship error.
How long until a computer loses domain trust?
Age alone does not break the trust. The computer rotates its machine account password every 30 days by default; the interval is controlled by the "Domain member: Maximum machine account password age" policy (1 to 999 days), "Domain member: Disable machine account password changes" stops the client rotating it at all, and "Domain controller: Refuse machine account password changes" makes domain controllers reject the change. Active Directory does not expire machine account passwords, so a computer that has been switched off for months still authenticates when it comes back. The trust fails only when the two copies of the password no longer match, as described above.
How do you tell if a computer is off the domain?
You can quickly check whether your computer is part of a domain or not. Open the Control Panel, click the System and Security category, and click System. Look under "Computer name, domain and workgroup settings" here. If you see "Domain:" followed by the name of a domain, your computer is joined to a domain.
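The same check from PowerShell, as an added example that is not part of the original page. It also covers the case the Control Panel cannot show: a computer that is still joined on paper but whose secure channel to the domain has failed. It assumes only a Windows PowerShell 5.1 session on the computer being checked.

```powershell
# Added example (not from the original page): run on the computer in question
# to answer 'is it joined?' and, separately, 'is the join still healthy?'.

function Get-DomainJoinStatus {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    $status = [pscustomobject]@{
        ComputerName       = $cs.Name
        PartOfDomain       = $cs.PartOfDomain   # $true: domain-joined; $false: workgroup
        DomainOrWorkgroup  = $cs.Domain         # the name Control Panel shows after 'Domain:' or 'Workgroup:'
        SecureChannelValid = $null              # only meaningful when joined
    }

    if ($cs.PartOfDomain) {
        # A joined computer can still be 'off the domain' in practice: the
        # Control Panel shows a domain name, but the secure channel to a DC
        # fails because the machine password is out of sync. That is exactly
        # what Test-ComputerSecureChannel checks; $false is the trust error.
        $status.SecureChannelValid = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    }

    $status
}

Get-DomainJoinStatus
```

PartOfDomain $true with SecureChannelValid $false is the situation the article's script repairs; PartOfDomain $false means the computer needs a plain domain join, not a trust repair.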
How do I put my computer back on a domain?
Navigate to System and Security, and then click System. Under "Computer name, domain, and workgroup settings", click Change settings. On the Computer Name tab, click Change. Under "Member of", click Domain, type the name of the domain that you wish this computer to join, and then click OK.