This trick comes to be via my Active Directory study group. I suggest that everyone join a
Occasionally a computer will come “disjoined” from the domain. The symptoms can be that the computer can’t log in when connected to the network, a message that the computer account has expired, the domain certificate is invalid, etc. These all stem from the same problem: the secure channel between the computer and the domain is hosed. (That’s a technical term.)
The classic way to fix this problem is to unjoin and rejoin the domain. Doing so is kind of a pain because it requires a couple of reboots and the user profile isn’t always reconnected. Ewe. Further, if you had that computer in any groups or assigned specific permissions to it, those are gone because your computer now has a new SID, so AD doesn’t see it as the same machine anymore. You’ll have to recreate all of that stuff from the excellent documentation that you’ve been keeping. Uh, huh, your excellent documentation. Double Ewe.
Instead of doing that we can just reset the secure channel. There are a couple of ways to do this:
- In Active Directory Users and Computers, right-click the computer and select Reset Account. Then re-join without un-joining the computer from the domain. Reboot required.
- In an elevated command prompt type: dsmod computer "Computer DN" -reset. Then re-join without un-joining the computer from the domain. Reboot required.
- In an elevated command prompt type: netdom reset MachineName /Domain:DomainName /UserO:UserName /PasswordO:{Password | *}. The account whose credentials you provide must be a member of the local Administrators group on that computer. No rejoin. No reboot.
- In an elevated command prompt type: nltest /Server:ServerName /SC_Reset:DomainName\DomainController. No rejoin. No reboot.
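The same in-place reset can be scripted with the built-in PowerShell cmdlets, which is handy when you want to check the channel first and only repair it when it is actually broken. This is an added example, not code from the original post; it assumes it is run in an elevated PowerShell session on the affected computer, and the domain controller name is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): check the secure channel and
# repair it in place, the PowerShell equivalent of the netdom/nltest methods.
# Assumptions: elevated PowerShell on the affected computer;
# $DomainController is a placeholder for one of your own DCs.
param(
    [string]$DomainController = 'DC01.example.local'   # placeholder, replace with your DC
)

# 1. Test the channel. Returns $true when the machine account password on this
#    computer still matches what the DC has; $false when the channel is broken.
$healthy = Test-ComputerSecureChannel -Server $DomainController -Verbose
if ($healthy) {
    Write-Host "Secure channel to $DomainController is OK; nothing to reset."
    return
}

# 2. Prompt for an account allowed to reset the computer object's password
#    (for example a domain admin, or an account delegated that right).
$cred = Get-Credential -Message 'Account allowed to reset the computer account password'

# 3. Repair in place: a new machine account password is set on the DC and
#    locally. No unjoin/rejoin, so the computer object keeps its SID and
#    all of its group memberships and permissions. No reboot required.
if (Test-ComputerSecureChannel -Server $DomainController -Credential $cred -Repair) {
    Write-Host 'Secure channel repaired; SID and group memberships are intact.'
} else {
    Write-Warning 'Repair failed. Check network reachability and time skew to the DC, then retry or fall back to netdom reset.'
}
```

Because it repairs rather than rejoins, this keeps the computer's existing object, which is exactly the point of the post: the SID, group memberships and any delegated permissions on that computer object survive.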
Originally posted in 2012 this popular post was migrated over from our previous blog
3 thoughts on “How to rejoin a computer without losing its SID”
I don’t understand how to “re-join without un-joining the computer to the domain.” I can’t seem to do it in the Windows GUI and your article doesn’t list a command to use. Could you please elaborate?
This legacy article offers four methods for you to use, and it’s all spelled out.
I believe some of the confusion may be a couple of things for this original comment:
1. Are they going into domain settings from the affected end host or the domain controller?
2. If so, from the endpoint, are you going through the Accounts setting to rejoin by connecting to the domain again?
Just things to make clear for people who don’t have a lot of repetitions doing this. I think most communities at this point set instructions as if they were talking to others who are doing this for the first time. Other than that, great article!