Computer accidentally deleted from AD


ceez


A computer was deleted accidentally from AD and now the user can't log in. This is a remote user, else we would have just walked up to the workstation and removed/rejoined it to the domain.

I added the computer name manually but it does not show a DNS Name under the general properties tab, and under the operating system tab it does not show any info. I tried to log in via Term Srvcs but it still displays the typical error message ..."computer account not found..."

Is there a way to populate it so it works without having to walk the user through removing and rejoining domain?

Thanks for the help,



Unfortunately you will have to remove the computer and re-add it to the domain, no way around that. Does the client have the ability to VPN in? Then you can unjoin the computer from the domain and rejoin it.

1. Log on as an admin, remove from the domain.

2. Log on as an admin after reboot and VPN to domain, rejoin the domain.

3. Hopefully the user's account is cached on the computer and you can have the user log on with their account on the computer now and VPN in. Should work fine now.


@!fizban2, thanks for the reply. I was hoping that there would be a way of doing this without getting the end user involved. You would figure that MS would have a way of adding a computer back if deleted. Oh well.

Thanks!


http://www.quest.com/object_restore_for_active_directory/

I have not used that, but it's supposed to let you restore Tombstoned objects.

EDIT: I found this article as well:

http://www.windowsitpro.com/Article/Articl...3167/43167.html

You don't have to register to download that utility. :)

Edited by nmX.Memnoch

If you know the local administrator account name and password you can try the following.

Use netdom.exe, which is part of the Windows 2003 Server Support Tools located on the Windows 2003 Server CD. You can use this command to remotely add a computer to the domain, although in this case you may have to use it to remove it from the domain first since the system already thinks it is in a domain.

NETDOM REMOVE /?

NETDOM JOIN /?

You could also try enabling Remote Desktop and logging in using the local administrator account. However, this may not work because of firewall settings.

reg.exe add "\\%1\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

reg.exe add "\\%1\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 0 /f

reg.exe add "\\%1\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t REG_DWORD /d 1 /f


@memmnoch,

That is a pretty sweet tool. I wonder what downfalls there could be with reanimating things like that... I could see complications en masse with that if it didn't happen right.


Yeah, but Sysinternals utilities are usually pretty high profile, so I can't see them putting something out if it caused serious problems. :)

I tested it on my home domain and it showed me every object I've deleted (OUs, users, groups, etc) in the last few months (within the default Tombstone time). I didn't try restoring any of them though...and I only have one domain controller.

The only issue I could see would be the Tombstoned data not being replicated to other DCs correctly... but I'm sure they tested that as well.

I registered on the Quest site and got a phone call within an hour after doing so. They were gonna try to offer me some other products, but I cut the guy short, telling him it was just a "one time deal" type of thing. I haven't tried their GUI utility yet though... I'll try to remember to do that tonight.


wow, thanks to everyone for sharing your information.... I know there's a reason why I love this forum & msfn!

I'll try all the options and hopefully one of them will work. I also tried that LDAP tool from the 03 Server tools with no luck, even following MS instructions. Those KBs never work!

Thanks again,

ceez


OK, my vote goes for the Sysinternals tool.

Very simple to use and it seems like it worked. The user is not in, so I can't have him try to log in to see if it "REALLY" works.

I just ran adrestore -r and it enumerated all the objects. Once I found what I needed I just selected "Y" to restore and BINGO, back in AD! I just had to enable it and assign the user name to the computer object.

thanks again,

ceez

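The thread covers two routes to the same goal: reanimating the tombstoned computer object (adrestore, or Quest's tool) and resetting the machine's domain membership remotely (netdom remove/join, or a manual re-join over VPN). The PowerShell below is an added example, not code from the thread or from any of the tools named in it, showing both halves with the ActiveDirectory module: locate the deleted object by sAMAccountName (name reuse, as in the Certificate Services case later in the thread, can leave several tombstones with the same name, so the candidates are returned for you to pick by objectSid and date), restore it, and then, on the member, check whether the secure channel still works before making the user do anything. Without the AD Recycle Bin, Restore-ADObject performs the same tombstone reanimation as adrestore, so only attributes preserved on the tombstone come back; the machine account password is not among them, which is why the secure channel check is the step that tells you whether a rejoin is actually avoidable. Names such as WKS01 and CORP\admin are constructed placeholders; the example assumes RSAT on the admin host and a local-administrator session (RDP or remoting) on the member.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread). WKS01 / CORP are placeholder names.

function Find-DeletedComputerObject {
    param([Parameter(Mandatory)][string]$ComputerName)

    # A deleted object's CN is mangled ("WKS01\0ADEL:<guid>") but its
    # sAMAccountName survives on the tombstone, so match on that.
    $sam = "$ComputerName`$"
    Get-ADObject -Filter 'objectClass -eq "computer" -and isDeleted -eq $true -and sAMAccountName -eq $sam' `
        -IncludeDeletedObjects `
        -Properties sAMAccountName, objectSid, lastKnownParent, whenChanged |
        Sort-Object whenChanged -Descending
}

function Restore-DeletedComputerObject {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][guid]$ObjectGuid)

    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects `
        -Properties sAMAccountName, lastKnownParent
    if ($PSCmdlet.ShouldProcess($obj.sAMAccountName, "Restore into $($obj.lastKnownParent)")) {
        # Without the Recycle Bin this is tombstone reanimation: attributes that
        # were not preserved on the tombstone (machine password included) are gone.
        Restore-ADObject -Identity $ObjectGuid
        # The thread reports the reanimated account came back disabled; enable it
        # and show what actually came back (DNSHostName/OS are often empty).
        Enable-ADAccount -Identity $ObjectGuid
        Get-ADComputer -Identity $ObjectGuid -Properties Enabled, DNSHostName, OperatingSystem
    }
}

function Test-MemberDomainTrust {
    # Run ON THE MEMBER as local administrator.
    param([Parameter(Mandatory)][pscredential]$DomainCredential, [switch]$Repair)

    # The secure channel is the machine account's password handshake with a DC.
    if (Test-ComputerSecureChannel) { return 'Secure channel OK' }
    if (-not $Repair) { return 'Secure channel broken; rerun with -Repair' }

    # -Repair resets the machine account password on the DC and the member in one
    # step: the non-interactive equivalent of the remove/re-join cycle above.
    # It needs a domain account allowed to reset this computer object's password.
    if (Test-ComputerSecureChannel -Repair -Credential $DomainCredential) {
        return 'Secure channel repaired'
    }
    return 'Repair failed: fall back to netdom remove/join or a manual re-join'
}

# Usage, admin host with RSAT:
#   $cands = Find-DeletedComputerObject -ComputerName 'WKS01'
#   $cands | Format-Table sAMAccountName, objectSid, whenChanged, lastKnownParent
#   Restore-DeletedComputerObject -ObjectGuid $cands[0].ObjectGUID -WhatIf
#   Restore-DeletedComputerObject -ObjectGuid $cands[0].ObjectGUID
# Usage, on the member (RDP or remoting as local administrator):
#   Test-MemberDomainTrust -DomainCredential (Get-Credential 'CORP\admin') -Repair
```

Restore first, then run the member-side check: if the channel is already fine the user needs nothing, and if it is broken the -Repair path replaces the remove/reboot/VPN/rejoin walkthrough with one command the admin can run over the RDP session the reg.exe lines above enable.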

  • 4 weeks later...

Hi,

Just to let you know I tested the NETDOM method mentioned by FrankE9999 on a very particular case.

Certificate Services were installed on one member server, and I "accidentally" deleted the computer account in AD. Not really accidental, but I was doing crash/recovery tests in a virtual environment. I even replaced the original machine with other ones with the same name (necessary for Certificate Services). After some tests I wanted to get back to my original machine. So I removed every trace of it in AD and tried to respawn it in the environment.

The problem was that because of Certificate Services being installed, you cannot change its domain or workgroup membership (all options greyed out).

With a NETDOM REMOVE followed by a NETDOM JOIN and a reboot, the original server was happily back in the domain!

I hope all of this makes sense, because it can prove really useful.

Guillaume.
