Can't. It's a CA, and you can't change computer name or domain membership once you make it a CA...
**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

> -----Original Message-----
> From: Mulnick, Al [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 26, 2004 12:30 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Deleted computer account
>
> Remove it and re-add it to the domain?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> Sent: Thursday, August 26, 2004 2:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Deleted computer account
>
> I've still got this problem. I've tried a bunch of things, and learned a
> lot... :-) I figured out how to use LDP to restore the computer account from
> the deleted objects OU, and now I see the object with the correct creation
> date.
> I'm still unable to reset the secure channel, though.
> I've tried cranking up logging for nltest, and came up with the following
> from the netlogon.log on the member server when running nltest /sc_reset:
>
> 08/26 10:40:57 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetServerAuthenticate3: 1761 (may be legitimate for 0xc0000022)
> 08/26 10:40:57 [CRITICAL] ECCAD: NlSessionSetup: Session setup: cannot I_NetServerAuthenticate 0xc0000022
> 08/26 10:40:57 [CRITICAL] ECCAD: NlSessionSetup: new password is bad. Old password is same as new password.
> 08/26 10:40:57 [MISC] Eventlog: 3210 (1) "ECCAD" "\\evldc02.ECCAD.COM" c0000022 "...
> 08/26 10:40:57 [MISC] Didn't log event since it was already logged.
> 08/26 10:40:57 [SESSION] ECCAD: NlSetStatusClientSession: Set connection status to c0000022
> 08/26 10:40:57 [SESSION] ECCAD: NlSetStatusClientSession: Unbind from server \\evldc02.ECCAD.COM (TCP) 0.
> 08/26 10:40:57 [SESSION] ECCAD: NlSessionSetup: Session setup Failed
>
> The nltest /sc_reset command itself gives this error:
> I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED
>
> The 022 appears to be access denied, which is kind of a catch-22 problem. I
> can log onto the machine with local credentials, but when I try to log in
> with domain credentials, I get "windows cannot log you on, either because
> the domain controller is down or otherwise unavailable, or because your
> computer account was not found..."
> I can map drives and do a runas, but only with the /netonly switch.
>
> Any ideas?
> Thanks!
>
> **********************
> Charlie Kaiser
> MCSE, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **********************
>
> > -----Original Message-----
> > From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, August 26, 2004 6:09 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Deleted computer account
> >
> > Tried that; it still gives me an access denied error. If I run netdom
> > using explicit credentials, as before, I get "the trust relationship
> > between this workstation and the primary domain failed".
> >
> > **********************
> > Charlie Kaiser
> > MCSE, CCNA
> > Systems Engineer
> > Essex Credit / Brickwalk
> > 510 595 5083
> > **********************
> >
> > > -----Original Message-----
> > > From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, August 25, 2004 5:20 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Deleted computer account
> > >
> > > How about on the CA just mapping the DC's C$ share with the domain
> > > admin account and then running netdom?
> > >
> > > Mike Thommes
> > >
> > > -----Original Message-----
> > > From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
> > > Sent: Wed 8/25/2004 7:06 PM
> > > To: [EMAIL PROTECTED]
> > > Cc:
> > > Subject: [ActiveDir] Deleted computer account
> > >
> > > OK; I've got an ugly one.
> > > Got a VM that's running certificate services; it's the root CA for the
> > > domain. Without going into details, the computer account for the server was
> > > deleted from the domain. I can't get netdom or nltest to reset it; I get an
> > > access denied. Netdom/add was able to recreate the object, but that might
> > > have been a mistake. Still can't set the secure channel, can't log on with
> > > domain credentials.
> > > Since it's running cert services, I can't remove/rejoin it to the domain.
> > > Anyone got a slick trick to get this one back? I'd hate to rebuild my CA
> > > from scratch...
> > > The only thing I can think of is an authoritative restore from last Friday's
> > > backup. Haven't had to do one of those yet.
> > > Any good documentation or better tricks?
> > > Thanks!
> > >
> > > **********************
> > > Charlie Kaiser
> > > MCSE, CCNA
> > > Systems Engineer
> > > Essex Credit / Brickwalk
> > > 510 595 5083
> > > **********************
> > > List info : http://www.activedir.org/mail_list.htm
> > > List FAQ : http://www.activedir.org/list_faq.htm
> > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
