
Fixing "Windows cannot connect to the domain" Errors

Sometimes, after a computer that is a member of an Active Directory domain has been offline for an extended period and is then brought back online, or after a cloning or imaging method (or even a virtualization software snapshot mechanism) has been used on a domain member, you may get an error similar to this:

Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance.

No matter what you do, you will not be able to log on to the computer with a domain account. The only way to log on may be to use a local user account.

Note: In most cases, unless this has been specifically disabled by the administrator, you may be able to log on using a domain user account if you disconnect the network cable from the computer. This will only work if you’re using a user account that has successfully logged on to that computer in the past, and again, unless it has been specifically disabled by the administrator.

Note: If you’ve used cloning software to clone a computer that was a member of a domain, you should know 2 things:

  1. Never clone a domain member. You now know why.
  2. Never clone a Windows-based computer that is supposed to operate in an Active Directory domain and/or on any type of network, without properly using SYSPREP on the computer PRIOR to cloning it.

After logging on you may see some or all of the following events in the Event Viewer.

NETLOGON 3210

This computer could not authenticate with \\WIN2003-SRV1.petrilabs.local, a Windows domain controller for domain PETRILABS, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

LSASRV 40961

The Security System could not establish a secured connection with the server cifs/WIN2003-SRV1.petrilabs.local.  No authentication protocol was available.

W32Time 18

The time provider NtpClient failed to establish a trust relationship between this computer and the petrilabs.local domain in order to securely synchronize time. NtpClient will try again in 15 minutes. The error was: The trust relationship between this workstation and the primary domain failed. (0x800706FD)

And possibly others.

So why does this error happen?

The short story is that there is a computer account password mismatch. The Windows-based domain member thinks that its machine account password is X, while the domain controller believes it to be Y. Because of this, the computer cannot authenticate itself to the domain controller(s), and thus you get this error. Read my Working with Domain Member Virtual Machines and Snapshots article for one possible reason for this to happen.

How do I fix this error?

Well, there are basically 2 methods of fixing it.

Method #1 – Using the GUI

This method may be the easiest one to perform, and it requires a double reboot of the client computer.

Note that the following screenshots were taken on a Windows XP Pro machine, but other Microsoft operating systems look much the same.

1. Right-click My Computer (or simply Computer in the Start menu, depending on your version of OS), select Properties.

2. In the Computer Name tab, click on the Change button. Then change the Member of option from the AD domain to a Workgroup.

3. Enter a workgroup name. Any name will do. Click OK.

4. You’ll be prompted to enter the credentials of a user with administrative rights.

5. You’ll get a confirmation message.

6. You’ll need to reboot the computer.

After rebooting, you need to log on locally to the computer and join it to the domain. This is basically the same procedure as above, but if you don’t remember the exact steps, please read my Joining a Domain in Windows XP Pro and/or Joining a Domain in Windows 7 articles.

Method #2 – Using the Command Line

You can use the netdom.exe tool from the Support Tools.

Download details: Windows Server 2003 Service Pack 1 32-bit Support Tools
http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

Note: In Windows Server 2008/Windows 7, netdom is already available on the system, so there is no need to download anything.

Open a Command Prompt window and type:

netdom.exe remove winxp-cl1 /Domain:petrilabs.local /userd:petrilabs\administrator /passwordd:***************

At this moment, the computer account will show with a red X in Active Directory Users and Computers.

BTW, it seems that using netdom.exe will save you one reboot…

Next type:

netdom.exe join winxp-cl1 /Domain:petrilabs.local /userd:petrilabs\administrator /passwordd:***************

Reboot the computer.

Now all will work well.
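
A pre-flight wrapper for Method #2, as an added example that is not part of the original article: it confirms the secure channel is really broken, proves that a local account can still log on once the machine leaves the domain, and lets netdom prompt for the domain password instead of taking it on the command line. It assumes an elevated Windows PowerShell 5.1 session on the affected computer and that the local account you supply is a member of the local Administrators group (membership is not checked here); the domain and user names are the article's lab values.

```powershell
# Added example (not from the article). Run in an elevated Windows PowerShell 5.1
# session on the affected domain member. Names below are the article's lab values.
$Domain     = 'petrilabs.local'
$DomainUser = 'petrilabs\administrator'

# 1. Confirm the diagnosis. Test-ComputerSecureChannel returns $false when the
#    machine cannot authenticate to a domain controller with its stored password.
if (Test-ComputerSecureChannel) {
    Write-Warning 'Secure channel is healthy; rejoining the domain is not needed.'
    return
}

# 2. Once the machine leaves the domain, only local accounts can log on.
#    Prove that a local account is enabled and that its password is known.
#    Assumption: the account is a local administrator (not verified here).
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$cred = Get-Credential -Message 'LOCAL administrator account for this computer'
$name = $cred.UserName -replace '^.*\\', ''      # drop any COMPUTER\ or .\ prefix

$account = Get-LocalUser -Name $name -ErrorAction Stop
if (-not $account.Enabled) {
    throw "Local account '$name' is disabled; enable it before leaving the domain."
}

$machine = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
    [System.DirectoryServices.AccountManagement.ContextType]::Machine)
try {
    $ok = $machine.ValidateCredentials($name, $cred.GetNetworkCredential().Password)
} finally {
    $machine.Dispose()
}
if (-not $ok) {
    throw "Password for local account '$name' was rejected; do not leave the domain."
}

# 3. Remove and rejoin. '/PasswordD:*' makes netdom prompt for the password, so it
#    is not kept in command history or exposed in the process command line.
netdom.exe remove $env:COMPUTERNAME "/Domain:$Domain" "/UserD:$DomainUser" '/PasswordD:*'
if ($LASTEXITCODE -ne 0) { throw "netdom remove failed with exit code $LASTEXITCODE" }

netdom.exe join $env:COMPUTERNAME "/Domain:$Domain" "/UserD:$DomainUser" '/PasswordD:*'
if ($LASTEXITCODE -ne 0) { throw "netdom join failed with exit code $LASTEXITCODE" }

Write-Host 'Rejoined. Reboot the computer to complete the change.'
```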


15 responses to “Fixing “Windows cannot connect to the domain” Errors”

  6. Liam

    By following your instructions, I can now no longer log-in at all! I can't even change around the domain settings after changing it to workgroup. These instructions have made my life very difficult. You should have included warnings about the risks of changing from domain to workgroup!!
    • Hernan Oliva

      I do not know what you did, Liam, but in my case I followed Method #1 and it worked perfectly for me. Remember, after rebooting, you need to log in locally to the computer and join it to the domain, and at this time you have to log in using a user and password which is on the domain already.
      • Liam

        Right. I was following Method #1 on an office computer. It would be helpful if your instructions warned that you must know the local password before changing the computer from a domain member to a workgroup member. I didn't know the local password so I had to pay $50 to buy a software program that would allow me to change the local password in order to log back into the computer. My main point is there should be a clear warning in your instructions that you must know the local password, which is distinct from the domain password, before changing the computer to a workgroup member and rebooting. If you don't know the local password, you are effectively locked out of that computer.
        • Joseph King

          If you had a read of the Petri Forums, there is one called Forgot Administrator Password. This has several examples of how to access your machine using FREE tools to blank the Administrator Password so you are NOT effectively locked out of the machine. On a second note, if you didn't know you required the Local Administrator password to get back into the machine after removing it from the Domain, you need to do some serious reading or really find a new line of work. Hell, Google would have told you how to access a machine that you didn't have the password for. It really isn't that difficult.
    • gage

      You simply are too stupid to be in this line of work.
  7. Mike

    Perhaps you should stop blaming others and take responsibility for your own incompetence.
  8. Hud59

    Thanks so much for these instructions!!! What a life saver! We had a power outage overnight and one of my servers would not allow me to log on. Apparently its domain account got corrupted. I had done this a long time ago with a PC but had forgotten about it, so when it happened to my server I searched Google, found your fix and it worked beautifully! Thanks again!!!
  9. tradesmen1

    thanks a million for your help guys, it worked!!!
  10. rado

    After disjoining the domain and a reboot I'm still presented with the ctrl+alt+del and guess what, the machine is still on the domain. Really weird, because I got no complaints removing it from the domain using admin credentials and even got the welcome to the W workgroup message?! Any ideas?
