Have you ever removed a computer from an Active Directory (AD) domain, only to find that you can still ping it and connect to it via RDP? This confusing behavior is a common source of frustration for system administrators and is often a symptom of a larger issue: stale computer identities.
In a modern, hybrid environment, a single computer can have multiple identities across different systems. Understanding these identities is the key to resolving these conflicts and properly managing your devices.
This guide will explain the different identities a computer can have and provide a step-by-step process for cleanly managing them when a machine is removed from a domain.
A Computer’s Three Identities
In a typical hybrid environment, a Windows computer has at least three distinct identities:
- The DNS Record: This is an A (and possibly PTR) record in your DNS server that maps the computer’s hostname (e.g., host1) to its IP address.
- The Active Directory Object: This is the computer account object in your on-premises Active Directory. It is used for authentication and group policy.
- The Azure AD (Entra ID) Object: If you are using a hybrid setup, the computer may also have a corresponding object in Azure AD. This is used for cloud-based authentication and services like Intune.
The Problem: What Happens When You Disjoin a PC?
When you disjoin a computer from an AD domain, only the machine’s own membership is removed: its trust with the domain is dropped and, if you disjoin with domain credentials, the computer account in AD is disabled, not deleted. The other two identities persist untouched:
- The DNS record remains. Your DNS server doesn’t know the computer has left the domain, so it continues to resolve the hostname to its last known IP address. This is why you can still ping and RDP to the machine.
- The Azure AD object remains. The device is often still registered in Azure AD, so the Windows login screen defaults to the cloud credential provider and hides the familiar local login options. A local account still works: choose Other user and type the account as .\username (or HOST1\username).
This leads to the confusing state where the machine is reachable on the network but is difficult to log into locally.
Diagnosing the Issue: ping, RDP, and dsregcmd
You can quickly diagnose this state with a few simple commands.
- ping host1: If this succeeds, a stale name record almost certainly exists. Because ping can also be answered by LLMNR or mDNS on the local subnet, confirm it is really DNS with nslookup host1 or Resolve-DnsName host1 -DnsOnly.
- RDP to host1: If you can connect via RDP (e.g., with a local admin credential like host1\administrator), it confirms the machine is online and reachable.
- dsregcmd /status: Once you have a session on the machine, run this command. If you see AzureAdJoined : YES, it confirms that a lingering cloud identity is the cause of your local login problems.
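The same three checks, scripted, as an added example (this is not code from the original article). Test-StaleIdentity runs from an admin workstation with the RSAT ActiveDirectory module and queries DNS, the RDP port and the AD computer account; Get-JoinState runs inside the RDP session on the machine itself and parses dsregcmd /status. The DNS server name dc01.mydomain.local is an assumed placeholder.

```powershell
# Added example, not from the original article.
# Test-StaleIdentity: run from an admin workstation (RSAT ActiveDirectory module).
# Get-JoinState:      run on the machine itself, e.g. inside the RDP session.
# The DNS server name is an assumed placeholder.

function Test-StaleIdentity {
    param(
        [Parameter(Mandatory)] [string]$HostName,
        [string]$DnsServer = 'dc01.mydomain.local'   # assumed DNS server
    )
    $result = [ordered]@{ HostName = $HostName }

    # DNS: -DnsOnly skips LLMNR/mDNS, so a hit here really is a DNS record
    $a = Resolve-DnsName -Name $HostName -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    $result.DnsA = @($a | Where-Object { $_ } | ForEach-Object IPAddress)

    # PTR: reverse lookup for each address (empty if no reverse zone exists)
    $result.DnsPtr = @(foreach ($ip in $result.DnsA) {
        Resolve-DnsName -Name $ip -Type PTR -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_ } | ForEach-Object NameHost
    })

    # Reachability: is something actually listening on RDP at the first address?
    $result.RdpOpen = $false
    if ($result.DnsA.Count -gt 0) {
        $tnc = Test-NetConnection -ComputerName $result.DnsA[0] -Port 3389 -WarningAction SilentlyContinue
        $result.RdpOpen = $tnc.TcpTestSucceeded
    }

    # On-prem AD: does the computer account still exist, and is it enabled?
    $comp = Get-ADComputer -Filter "Name -eq '$HostName'" -Properties LastLogonDate -ErrorAction SilentlyContinue
    $result.AdObject    = if ($comp) { $comp.DistinguishedName } else { $null }
    $result.AdEnabled   = if ($comp) { $comp.Enabled }           else { $null }
    $result.AdLastLogon = if ($comp) { $comp.LastLogonDate }     else { $null }

    [pscustomobject]$result
}

function Get-JoinState {
    # dsregcmd /status prints "   Key : Value" lines; keep only the join-state fields
    $state = [ordered]@{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|WorkplaceJoined|DomainName|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$state
}

# Usage from the admin workstation:
#   Test-StaleIdentity -HostName 'host1'
# Usage inside the RDP session on the machine:
#   Get-JoinState
```

A machine in the confusing state described above shows DnsA populated, RdpOpen True, AdEnabled False (or AdObject empty), and Get-JoinState reporting AzureAdJoined YES with DomainJoined NO.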
The Solution: A Step-by-Step Cleanup Process
To properly remove a computer and its lingering identities, follow these steps.
Step 1: Disconnect from Azure AD
First, clear the cloud identity. Run this command in an elevated PowerShell prompt on the machine, then reboot:
dsregcmd /leave
Afterwards dsregcmd /status should report AzureAdJoined : NO. On a hybrid-joined device the leave may only take effect from the SYSTEM context; if the state persists after the reboot, rerun it as psexec -s dsregcmd /leave. Note that this only clears the local join state: the device object may still exist in Azure AD and should be deleted from the Entra admin center (for a hybrid-joined device, deleting the on-premises computer object in Step 3 also removes the synced cloud object at the next Azure AD Connect sync).
Step 2: Rename the Computer
To prevent conflicts with the stale AD and DNS records (the old, disabled computer account and a DNS name that still points at the old address), it’s a best practice to rename the computer before rejoining it to the domain, so the rejoin creates a fresh account and a fresh DNS registration:
Rename-Computer -NewName "HOST1-NEW" -Restart
Step 3: Clean Up Stale AD and DNS Records
For good hygiene, you should now delete the old, stale records for the original hostname (host1) from your servers. Be aware that deleting the AD computer object also deletes anything stored beneath it, such as BitLocker recovery information; export those keys first if you may still need them.
In Active Directory Users and Computers:
- Find and delete the old computer object for host1.
In DNS Manager:
- Find and delete the A (and PTR) records associated with host1.
You can also automate this with PowerShell:
# Run this on a domain controller or a machine with RSAT tools (ActiveDirectory and DnsServer modules)
Remove-ADComputer -Identity "HOST1" -Confirm:$false
# Targets the local DNS Server role; add -ComputerName <dns-server> to run it against a remote server. -Force skips the confirmation prompt.
Remove-DnsServerResourceRecord -ZoneName "mydomain.local" -Name "host1" -RRType A -Force
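Steps 1 and 2 are the on-machine commands shown above. For Step 3, here is a fuller version of the two-line cleanup as an added example (not the article’s own code): it removes every A record for the name plus the matching PTR records, handles a computer account that has child objects (which makes Remove-ADComputer fail), and supports -WhatIf for a dry run. It runs from a workstation with the RSAT ActiveDirectory and DnsServer modules; the zone and server names are assumed placeholders, and the PTR lookup assumes /24 reverse zones (z.y.x.in-addr.arpa).

```powershell
# Added example, not the article's own code. Removes the stale on-prem identities
# for a hostname after the machine has left Azure AD and been renamed.
# Assumptions: RSAT ActiveDirectory + DnsServer modules, placeholder zone and
# server names, /24 reverse zones for the PTR lookup.
function Remove-StaleComputerIdentity {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$HostName,
        [string]$Zone      = 'mydomain.local',        # forward zone (assumed)
        [string]$DnsServer = 'dc01.mydomain.local'    # DNS server (assumed)
    )
    Import-Module ActiveDirectory, DnsServer -ErrorAction Stop

    # 1. AD computer account. Remove-ADComputer refuses to delete an account that
    #    has child objects (e.g. BitLocker recovery information), so check for
    #    children and use a recursive delete when needed. Export recovery keys first.
    $comp = Get-ADComputer -Filter "Name -eq '$HostName'" -ErrorAction SilentlyContinue
    if ($comp) {
        $children = Get-ADObject -SearchBase $comp.DistinguishedName -SearchScope OneLevel -Filter *
        if ($PSCmdlet.ShouldProcess($comp.DistinguishedName, 'Delete AD computer object')) {
            if ($children) {
                Remove-ADObject -Identity $comp.DistinguishedName -Recursive -Confirm:$false
            } else {
                Remove-ADComputer -Identity $comp.DistinguishedName -Confirm:$false
            }
        }
    } else {
        Write-Verbose "No AD computer object named $HostName"
    }

    # 2. DNS: every A record for the name (there may be several) and its PTR.
    $aRecs = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Name $HostName -RRType A -ErrorAction SilentlyContinue
    foreach ($rec in $aRecs) {
        $ip = $rec.RecordData.IPv4Address.IPAddressToString
        $o  = $ip.Split('.')
        $revZone = "$($o[2]).$($o[1]).$($o[0]).in-addr.arpa"   # /24 reverse zone assumed
        $ptrs = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $revZone -Name $o[3] -RRType PTR -ErrorAction SilentlyContinue |
                Where-Object { $_.RecordData.PtrDomainName -like "$HostName.*" }
        foreach ($ptr in $ptrs) {
            if ($PSCmdlet.ShouldProcess("$ip -> $($ptr.RecordData.PtrDomainName)", 'Delete PTR record')) {
                Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $revZone -InputObject $ptr -Force
            }
        }
        if ($PSCmdlet.ShouldProcess("$HostName.$Zone -> $ip", 'Delete A record')) {
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -InputObject $rec -Force
        }
    }
    if (-not $aRecs) { Write-Verbose "No A record for $HostName in $Zone" }
}

# Dry run first, then for real:
#   Remove-StaleComputerIdentity -HostName 'host1' -WhatIf -Verbose
#   Remove-StaleComputerIdentity -HostName 'host1'
```

Run it with -WhatIf first: the "What if:" lines list exactly which AD object and which A and PTR records would be removed, which is the check you want before deleting anything that a still-running machine with the old name might depend on.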
Conclusion
A computer’s identity is more than just its Active Directory account. In a hybrid environment, you must also consider its DNS and Azure AD identities. When a disjoined computer seems to linger on the network, it is almost always because of stale records in these other systems.
Related Reading: For a step-by-step guide on how to properly leave and rejoin a domain (and what to do if you get locked out), see Rejoin Windows PC to Active Directory Domain.
By following a clean process of disconnecting from Azure AD, renaming the computer, and cleaning up stale records, you can prevent these confusing conflicts and ensure that your devices have a clean, unambiguous identity on your network.