Sometimes you go on a cleanse and decide it’s fine to move computers around in your directory, or perhaps you forgot to disconnect the network from a VM clone, causing a conflict in the directory.
Power losses, bad time, machine resets, or machine password resets are a few of the other things that can cause a computer’s relationship with the domain to break.
Forcing the machine to leave the broken relationship and rejoin the domain will fix this but may also cause loss of data from the lingering files of a roaming user profile, for instance.
This is also not an option if the machine happens to be an Enterprise Certificate Authority. CAs cannot be unbound from AD while they hold the role.
To test that a machine has a valid relationship with the domain, launch an administrative PowerShell and run:
Test-ComputerSecureChannel
Right away you’ll get a True or False.
If it’s False, fix it with:
Test-ComputerSecureChannel -Repair -Credential firstname.lastname@example.org
BTW, it’s fine if you try to repair where it’s not broken.
If you run this on a domain controller, you’ll get a huge error.
You’ll need to use an account with privileges to domain-join; you’ll be fine using a Domain Admin’s or an Enterprise Admin’s account.
A new window will pop up to enter the account’s password; the user account will be prepopulated. Despite the nonsensical redundancy,
the -Credential switch is needed in the PowerShell syntax.
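
The steps above combined into one script, as an added example that is not part of the original post: it skips domain controllers and machines that are not domain-joined, repairs only when the test fails, and prompts for the password instead of storing it. The function name Repair-SecureChannelIfBroken is hypothetical, the account name is the post's placeholder, and Windows PowerShell 5.1 is assumed.

```powershell
#Requires -RunAsAdministrator
# Added example: test the secure channel and repair it only when it is broken.
param(
    # Placeholder from the post; replace with an account that may join machines to the domain.
    [string]$RepairAccount = 'firstname.lastname@example.org'
)

function Repair-SecureChannelIfBroken {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Account)

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # A machine that is not joined to a domain has no secure channel to test.
    if (-not $cs.PartOfDomain) {
        Write-Warning "$($cs.Name) is not domain-joined; nothing to test."
        return $null
    }

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    # The post notes that running the repair on a domain controller produces an error.
    if ($cs.DomainRole -ge 4) {
        Write-Warning "$($cs.Name) is a domain controller; skipping."
        return $null
    }

    if (Test-ComputerSecureChannel) {
        Write-Host "Secure channel to $($cs.Domain) is healthy; no repair needed."
        return $true
    }

    Write-Warning "Secure channel to $($cs.Domain) is broken; attempting repair."

    # Prompt interactively so the password never appears in the script or in history.
    $cred = Get-Credential -UserName $Account -Message 'Account with rights to join machines to the domain'
    Test-ComputerSecureChannel -Repair -Credential $cred | Out-Null

    # Re-test without -Repair to confirm the result independently.
    $ok = Test-ComputerSecureChannel
    if (-not $ok) {
        Write-Warning 'Repair did not restore the secure channel.'
    }
    return $ok
}

Repair-SecureChannelIfBroken -Account $RepairAccount
```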