UTools for Windows System Administrators
UMove Help

Cleanup Steps After Undo

Cleaning up NTDS Settings

If you use the Undo procedure, the DC will “disappear” from the viewpoint of remaining domain controllers. You may need to clean up the NTDS Settings metadata for the disappearing DC on the remaining domain controllers. For details see the Microsoft Knowledge Base article How To Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion (KB216498).

Resetting the Member Computer Account

If the computer was originally a member of a domain, it will suddenly “reappear” to the domain as the member it originally was. If the computer “disappeared” many days ago, the domain controllers may have dropped the member computer account due to inactivity. This typically happens after 7-14 days.

To recreate and reset the member computer account use the following procedure:

  1. On a domain controller click on Control Panel -> Administrative Tools -> Active Directory Users and Computers. Delete the old computer account (if any) under Computers.
  2. On the restored member computer click on Control Panel -> System. Click on the tab Computer Name. Click the button Change. Select the option to leave the domain. Assign a temporary workgroup name. You will be asked to reboot.
  3. On the domain controller re-create the computer account under Computers. This has the effect of resetting the password for the computer account.
  4. On the restored member computer go back to Control Panel -> System. Click on the tab Computer Name. Click the button Change. Join the domain. You will be asked to reboot.

A faster method is to use the console utility NETDOM.EXE. NETDOM.EXE can be found in the Windows Server 2000/2003 Support Tools, located on the Windows Server CD/DVD. (It is standard on Windows Server 2008.)

On the primary domain controller open an administrative console and type:

NETDOM.EXE RESET ComputerName /Domain:DomainName /UserO:User /PasswordO:*

For ComputerName type the name of the restored member computer. For DomainName type the name of the domain. For User type the name of the local Administrator account on the restored computer (typically ComputerName\Administrator). Type in the computer's local administrator password when you are prompted. (Do not confuse it with the domain administrator password.)
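Before deleting and re-creating the computer account by hand, it is worth confirming that the member's secure channel to the domain is actually broken and trying the built-in repair first. The following PowerShell script is an added example, not part of UMove or the UTools documentation; it assumes it is run in an elevated PowerShell (2.0 or later) on the restored member computer, and it falls back to the NETDOM procedure above rather than repeating it.

```powershell
# Added example (not UMove/UTools code). Run elevated on the restored member.
# Assumes PowerShell 2.0+ for Test-ComputerSecureChannel.

function Test-TrustHealthy {
    # Returns $true when the machine's secure channel to a DC of its domain is valid.
    # Test-ComputerSecureChannel throws if the computer is not domain-joined at all.
    try   { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { Write-Warning "Secure channel check failed: $_"; return $false }
}

function Repair-Trust {
    # Attempts an in-place reset of the computer account password on both sides.
    # Needs a domain account allowed to reset the computer account (e.g. Domain Admins).
    param([System.Management.Automation.PSCredential]$Credential)
    $ok = Test-ComputerSecureChannel -Repair -Credential $Credential -ErrorAction SilentlyContinue
    return [bool]$ok
}

if (Test-TrustHealthy) {
    Write-Host "Secure channel is healthy; no reset is required."
    return
}

Write-Host "Secure channel is broken; attempting an in-place repair."
$domainCred = Get-Credential -Message "Domain administrator account (DOMAIN\user)"

if (Repair-Trust -Credential $domainCred) {
    if (Test-TrustHealthy) { Write-Host "Secure channel restored."; return }
}

# Repair fails when the DCs have already dropped the computer account (the
# 7-14 day case above). Fall back to the manual re-create or NETDOM RESET procedure.
Write-Error ("In-place repair failed. Re-create the computer account on the DC " +
             "and re-join, or run NETDOM.EXE RESET as described above.")
```

The script only reads and repairs the local machine's own channel; it does not touch other computer accounts.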

Resetting the DC Shared Secret

If the computer was previously a domain controller for another domain or forest, it will suddenly “reappear” in the original domain. If there are other domain controllers in the original domain, and if more than 14 days have elapsed, you may be required to re-establish the shared secret with the other domain controllers. This is because the domain controllers change their shared security secrets every 14 days.

To reset the shared secret you must fix the computer's DC machine account. Open an administrative console and use the utility DCDIAG.EXE. DCDIAG.EXE can be found in the Windows Server 2003 Support Tools, located on the Windows Server 2003 CD/DVD. (It is standard on Windows Server 2008.)

Run DCDIAG on the restored computer.

DCDIAG.EXE /s:DomainController /u:Domain\UserName /p:* /test:MachineAccount /fix

For DomainController type the name of the restored computer. The /u and /p switches are needed only if you are not already logged on as a domain administrator; they supply the domain administrator account and password (with /p:* you are prompted for the password). In some cases you may need to add the option /FixMachineAccount or /RecreateMachineAccount.