Rejoin a Computer from a Domain In One Easy Step!
PowerShell can save you from this headache by automating the entire repair procedure.
- By Adam Bertram
We all love our Active Directory domains. Being able to provide single sign-on authentication for users and computers is great. It's a secure solution that saves a ton of time -- cutting out the tedious process of managing workgroup computers. However, there are times when I want to fall on my own sword out of sheer frustration stemming from issues around Active Directory (AD). One of those issues is when a domain-joined computer loses its trust with the domain. Every Microsoft system administrator knows this error message:
This happens when the AD computer object password on the domain controller and the password on the computer are out of sync. To troubleshoot this, you may immediately try to reset the computer's account object in Active Directory, reboot the computer and hope for the best. But in my experience, this never works. The only true fix I've seen is to remove the workstation from the domain, reboot to apply the change, join it to the domain, and reboot again. This is a pain, but it doesn't have to be.
Using PowerShell, you can automate this entire process and never leave your desk! I put together a script that enables you to connect to a remote computer and rejoin it to the domain, including the two reboots. This saves a ton of time! Let's go over this script and how it works.
First, before we get into the script, you must meet a few requirements.
- The remote computer must be able to be pinged and able to accept Remote Procedure Call (RPC) connections. This can be a problem when the trust breaks and you have a Group Policy Object (GPO) configured to allow these settings.
- You must know the local administrator account password. You might get away with knowing any user account in the local administrators group, but only if that account has the appropriate rights to authenticate a Windows Management Instrumentation (WMI) connection via Distributed Component Object Model (DCOM).
- This may be obvious, but you also must have a domain account with rights to add a computer to the domain.
With the requirements out of the way, let's start with some preparatory, one-time work you'll need to do. During this script's execution, you're going to need two sets of credentials: an administrative local user account on the remote computer and a domain credential. To use these credentials without having to type a username and password every time, you must first export them to an XML file.
This only requires a couple lines of code each. Once done, you will not have to do this again if you ever need to use the script.
$LocalCred = (Get-Credential)
$LocalCred | Export-Clixml 'C:\LocalAdminCred.xml'
$DomainCred = (Get-Credential)
$DomainCred | Export-Clixml 'C:\DomainCred.xml
This simply creates two XML files. These files contain:
- The credentials to authenticate to the remote computer with a local account (when the trust is broken) .
- A domain account to use for permission to add the computer back to the domain (as well as detecting when the computer has come back after a reboot).
Here is a snippet of the main functionality of the script:
In a nutshell, this script does the following:
- Ensures the remote computer is online
- Creates the local and domain PSCredential objects to authenticate to the remote computer
- Removes the computer from the domain by using the Remove-Computer cmdlet—providing the local credential as permission to do so, and forcing a restart
- Waits for the remote computer to reboot
Once the computer comes back up, the script then does the following:
- Uses the Add-Computer cmdlet to remotely connect to the computer again, rejoins the computer to the domain and forces another restart.
- Waits for another reboot. And it's done!
To use the script, I've included all the proper cmdlet help. However, a good example may look something like this:
PS> Rejoin-Computer -Computername 'COMPUTER1' -DomainName 'mydomain.local' -UnjoinLocalCredentialXmlFilePath 'C:\LocalAdminCred.xml' -JoinDomainCredentialXmlFilePath 'C:\DomainCred.xml' -Verbose
This would connect to the computer COMPUTER1 and attempt to rejoin it to the domain mydomain.local using the local and domain credentials you created earlier. If everything works as designed, you will receive output that looks something like this:
If you'd like to try out this script, feel free to download it here. Use it, modify it and improve it in any way you see fit. Scripting should be about sharing; so if you are able to make it better, please post it on the TechNet Script Repository. Or better yet, blog about it! I'd love to hear how it has helped and if anyone was able to make it better!
Adam Bertram is an independent consultant, technical writer, trainer and presenter. Adam specializes in consulting and evangelizing all things IT automation mainly focused around Windows PowerShell. Adam is a Microsoft Windows PowerShell MVP, 2015 powershell.org PowerShell hero and has numerous Microsoft IT pro certifications. He is a writer, trainer and presenter and authors IT pro course content for Pluralsight. He is also a regular contributor to numerous print and online publications and presents at various user groups and conferences. You can find Adam at adamtheautomator.com or on Twitter at @adbertram.