Is it possible to replace a machine (with the same IP) for an existing Active Directory computer account

Aïssa Farid Daouadji 1 Reputation point
2022-01-11T14:29:04.057+00:00

Hi,

We have a fleet of machines (EC2) joined to an Active Directory. Each time the application is upgraded, we create an image (AMI) baked with the upgraded application.
We wanted to deploy a new machine with the same hostname each time and join it to the Active Directory, but we are facing issues.

So here is my question: could we replace a machine attached to a domain by another machine with the same IP and the same hostname?

Before adding my new machine, I'm trying to remove the existing AD machine account with this command:

Remove-ADComputer -Identity $ComputerName -Credential $Credential -Confirm:$false -Server "EU-FR-DCXX" -Verbose

but I get this error:

Add-Computer : Computer 'EC2AMAZ-LMCM016' failed to join domain 'eu.corp.xxxxxx.com' from its current workgroup 'WORKGROUP' with following error message: No mapping between account names and security IDs was done

EDIT:

After executing different commands, the error message changed, so I couldn't log in to my machine. I get the following error message:
(screenshot: 164266-nla-error.png)

I fixed it by executing this script remotely:

(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)  

So after resolving the NLA error I get another error:

(screenshot: 164268-trust-relationship-error.png)

After checking in the AD, there is now an Account for my machine...

I thought that by unjoining the machine from the AD it would resolve my issue, but I was wrong:

Remove-Computer -ComputerName $ComputerName -UnjoinDomainCredential $credential -Force -PassThru  

Remove-Computer : Failed to unjoin computer 'WWW-PP-WWW' from domain 'eu.xxxx.xxxx.com' with the following error message: No mapping between account names and security IDs was done.

After removing the account with the following command:

Remove-ADComputer -Identity "EUA-PP-TKR410" -Credential $Credential -Confirm:$false -Server EU-FR-DC51 -Verbose

and trying to join the machine, I still get the error:

Add-Computer : Cannot add computer 'XX-PP-XXXX' to domain 'eu.corp.xxxx.com' because it is already in that domain.

Thanks.


7 answers

  1. Anonymous
    2022-01-11T14:34:49.667+00:00

    You can but beforehand delete the computer account from active directory then join the new computer to the domain.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.


  3. Anonymous
    2022-01-11T15:36:59.197+00:00

    Looks like you're trying to rename the computer twice. Might try what worked here.
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/3750581d-ea45-489d-bac7-c8bc1135a126/addcomputer-with-newname-and-joinwithnewname-option?forum=winseverpowershell

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  4. Limitless Technology 39,736 Reputation points
    2022-01-11T20:34:34.397+00:00

    Hello @Aïssa Farid Daouadji

    This is likely because the computer still has stale or orphaned objects in AD. By default the AD Recycle Bin holds deleted objects for 180 days before they are permanently removed from the system.

    You can check if there is still account information in the AD Recycle Bin by running the following cmdlet:

    Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "*DEL:*"' -IncludeDeletedObjects | Remove-ADObject -Confirm:$false  

    Hope this helps with your query,

    -------
    --If the reply is helpful, please Upvote and Accept as answer--


  5. Andreas Baumgarten 112.4K Reputation points MVP
    2022-01-11T21:53:04.55+00:00

    Based on the link DSPatrick provided above, you should add a sleep 5 (or a longer wait time, like 10 seconds) between line 1 and line 2 of your script.

    It should look like this then:

    Rename-Computer -NewName $ComputerName
    sleep 5
    Add-Computer -DomainName $DomainName -Credential $Credential -OUPath $OUPath -force -Options JoinWithNewName,AccountCreate -Restart
    # Source: https://social.technet.microsoft.com/Forums/windowsserver/en-US/3750581d-ea45-489d-bac7-c8bc1135a126/addcomputer-with-newname-and-joinwithnewname-option?forum=winseverpowershell

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten
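As an added example (not code from the thread), a PowerShell script that puts the steps discussed in the answers above in order and scopes the recycle-bin cleanup to the one hostname instead of every tombstoned object: it refuses to run if the instance still thinks it is domain-joined, removes the live and the deleted account for that name on a single DC, waits until the name is free there, then renames, pauses and joins through that same DC. It assumes the RSAT ActiveDirectory module is baked into the AMI; $ComputerName, $DomainName, $OUPath, $Credential and the DC name EU-FR-DCXX are the question's own placeholders.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module on the new
# instance and the same caller-supplied variables the question uses ($DC is a placeholder DC name).
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [Parameter(Mandatory)][string]$DomainName,
    [Parameter(Mandatory)][string]$OUPath,
    [Parameter(Mandatory)][pscredential]$Credential,
    [string]$DC = 'EU-FR-DCXX'
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. An OS that still believes it is domain-joined cannot be joined again
#    ("...because it is already in that domain"); fail early rather than half-join.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    throw "Instance still a member of '$($cs.Domain)'; unjoin it or bake the AMI from a workgroup machine."
}

# 2. Remove a stale live account for this hostname: one object, one DC, nothing else.
$stale = Get-ADComputer -Filter "Name -eq '$ComputerName'" -Server $DC -Credential $Credential
if ($stale) {
    Write-Verbose "Removing stale account $($stale.DistinguishedName)"
    Remove-ADObject -Identity $stale.DistinguishedName -Server $DC -Credential $Credential -Recursive -Confirm:$false
}

# 3. With the AD Recycle Bin enabled the deleted object keeps the name for up to 180 days; purge only
#    the deleted computer object for this hostname (deleted names read '<name>\0ADEL:<guid>'), not every "*DEL:*" object.
$deleted = Get-ADObject -Filter "isDeleted -eq `$true -and ObjectClass -eq 'computer' -and Name -like '$ComputerName*'" `
    -IncludeDeletedObjects -Server $DC -Credential $Credential
foreach ($obj in $deleted) {
    Write-Verbose "Purging deleted object $($obj.DistinguishedName)"
    Remove-ADObject -Identity $obj.DistinguishedName -IncludeDeletedObjects -Server $DC -Credential $Credential -Confirm:$false
}

# 4. Confirm the name is free on the DC the join will use, so the join does not race replication.
$deadline = (Get-Date).AddSeconds(60)
while (Get-ADComputer -Filter "Name -eq '$ComputerName'" -Server $DC -Credential $Credential) {
    if ((Get-Date) -gt $deadline) { throw "Account '$ComputerName' still present on $DC after 60 s." }
    Start-Sleep -Seconds 5
}

# 5. Rename only if needed, pause so the new name is registered, then join through the same DC.
$joinOptions = @('AccountCreate')
if ($env:COMPUTERNAME -ne $ComputerName) {
    Rename-Computer -NewName $ComputerName -Force
    Start-Sleep -Seconds 5
    $joinOptions += 'JoinWithNewName'
}
Add-Computer -DomainName $DomainName -Credential $Credential -OUPath $OUPath -Server $DC -Options $joinOptions -Force -Restart
```

The credential used needs delete rights on the computer object and on deleted objects in the target DC's domain; run it with -Verbose to see which objects were removed before the join.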

