Menu

Cleanup Steps After Undo

Cleaning up NTDS Settings

If you use the Undo procedure, the DC will “disappear” from the viewpoint of remaining domain controllers. You may need to clean up the NTDS Settings metadata for the disappearing DC on the remaining domain controllers. For details see Clean up Active Directory Domain Controller server metadata (Microsoft Docs).

Resetting the Member Computer Account

If the computer was originally a member of a domain it will suddenly “reappear” as the member it was originally. If the computer “disappeared” many days ago, the domain controllers may have dropped the member computer account due to inactivity. This typically happens after 60 days.

To recreate and reset the member computer account use the following procedure:

1. On a domain controller press WIN+R.
2. In the Open box type dsa.msc and click OK. This will open Active Directory Users and Computers.
3. Delete the old computer account (if any) under Computers.
4. On the restored member computer Press WIN+R.
5. In the Open box type control and click OK. This will open the Control Panel.
6. Double-click on System.
7. Click on Change settings.
8. Click on the tab Computer Name.
9. Click the button Change. Select the option to leave the domain. Assign a temporary workgroup name. You will be asked to reboot.
10. On the domain controller re-create the computer account under Computers. This has the effect of resetting the password for the computer account.
11. On the restored member computer go back to Computer Name (see above). Click the button Change. Join the domain. You will be asked to reboot.

A faster method is to use the console utility NETDOM.EXE.

On the primary domain controller open an administrative console and type:

NETDOM.EXE RESET ComputerName /Domain:DomainName ↵
     /UserO:User /PasswordO:*

For ComputerName type the name of the restored member computer. For DomainName type the name of the domain. For User type the name of the local Administrator account on the restored computer (typically ComputerName\Administrator). Type in the computer's local administrator password when you are prompted. (Do not confuse it with the domain administrator password.)

Resetting the Domain Controller's Machine Account Password

If the computer was previously a domain controller for another domain or forest, it will suddenly “reappear” in the original domain. If there are other domain controllers in the original domain, and if more than 60 days have elapsed, you might be required to re-establish the shared secret with the other domain controllers. See Resetting the DC Shared Secret.