SUMMARY
Each Windows-based computer maintains a machine account
password history containing the current and previous passwords used for the
account. When two computers attempt to authenticate with each other and a
change to the current password is not yet received, Windows then relies on the
previous password. If the sequence of password changes exceeds two changes, the
computers involved may be unable to communicate, and you may receive error
messages (for example, "Access Denied" error messages when Active Directory
replication occurs).
This behavior is also applicable to replication
between domain controllers of the same domain. If the domain controllers that
are not replicating reside in two different domains, you should inspect the
trust relationship more closely.
You cannot change the machine
account password using the Active Directory Users and Computers snap-in, but
you can reset the password using the Netdom.exe tool included in the Windows
Support Tools.
The Netdom tool resets the account password on the
computer locally (known as a "local secret") and writes this change to the
computer's computer account object on a Windows domain controller that resides
in the same domain. Simultaneously writing the new password to both places
ensures that at least the two computers involved in the operation are
synchronized, and starts Active Directory replication so that other domain
controllers receive the change.
The following procedure describes how to use the netdom command to reset a machine account password. This procedure is most commonly used on domain controllers, but it also applies to any Windows machine account.
Because you cannot use Netdom remotely, you must
run the tool from the Windows-based computer whose password you want to change.
In addition, you must have administrative permissions locally and on the
computer account's object in Active Directory to run Netdom.
Using Netdom to Reset a Machine Account Password
1. Install the Windows Support Tools from the Support\Tools folder on the Windows CD-ROM on the domain controller whose password you want to reset.
2. If you are attempting to reset the password for a Windows domain controller, you must stop the Kerberos Key Distribution Center service and set its Startup type to Manual before continuing with step 3.
   Note: After you restart and verify that the password has been successfully reset, you can restart the Kerberos Key Distribution Center service and set its Startup type back to Automatic. Doing this forces the domain controller with the bad computer account password to contact another domain controller for a Kerberos ticket.
3. At a command prompt, type the following command:
   netdom resetpwd /server:Replication_Partner_Server_Name /userd:domainname\administrator_id /passwordd:*

   where Replication_Partner_Server_Name is the fully qualified DNS or NetBIOS name of a domain controller in the same domain as the local computer, and domainname\administrator_id is the NetBIOS domain name and administrator ID respectively, in the Security Accounts Manager (SAM) account name credentials format.

   The "*" value for the /PasswordD: parameter specifies that the password is typed as hidden characters when the command is submitted. For example, suppose the local computer (which happens to be a domain controller) is Server1 and the peer Windows domain controller is Server2. If you run Netdom on Server1 with the following parameters, the password is changed locally and simultaneously written on Server2, and replication propagates the change to the other domain controllers:

   netdom resetpwd /server:server2 /userd:mydomain\administrator /passwordd:*
4. Restart the server whose password was changed (in this example, Server1).
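The four steps above combined into one script, added here as a PowerShell example and not part of this article. It assumes it is run elevated on the computer whose password is being reset, with netdom.exe (Windows Support Tools) on the PATH; the parameter names (ReplicationPartner, AdminAccount, PostRestart) are the script's own.

```powershell
# Added example (not from the KB article): steps 1-4 above as one script.
# Assumed: run elevated on the computer being reset; netdom.exe is on the PATH.
# The parameter names below are this script's own, not netdom options.
param(
    [Parameter(Mandatory)][string]$ReplicationPartner,  # e.g. server2 (constructed value)
    [Parameter(Mandatory)][string]$AdminAccount,        # e.g. mydomain\administrator
    [switch]$PostRestart                                # run once after the reboot (step 2 note)
)

# Locate the KDC service by the display name the article uses.
$kdc = Get-Service -DisplayName 'Kerberos Key Distribution Center' -ErrorAction SilentlyContinue
# DomainRole 4 or 5 means this computer is a domain controller.
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

if ($PostRestart) {
    # After the reboot: restore the KDC so this DC obtains a Kerberos ticket from a peer.
    if ($isDc -and $kdc) {
        Set-Service -Name $kdc.Name -StartupType Automatic
        Start-Service -Name $kdc.Name
        Write-Host "KDC set back to Automatic and started."
    }
    return
}

# Step 1 check: the Support Tools must be installed.
if (-not (Get-Command netdom.exe -ErrorAction SilentlyContinue)) {
    throw "netdom.exe not found; install the Windows Support Tools first."
}

# Step 2: on a DC, stop the KDC and set it to Manual so it stays down across the reboot.
if ($isDc -and $kdc) {
    Stop-Service -Name $kdc.Name -Force
    Set-Service -Name $kdc.Name -StartupType Manual
}

# Step 3: /passwordd:* makes netdom prompt for the admin password with hidden characters.
& netdom.exe resetpwd "/server:$ReplicationPartner" "/userd:$AdminAccount" "/passwordd:*"
if ($LASTEXITCODE -ne 0) {
    throw "netdom resetpwd failed (exit code $LASTEXITCODE); KDC left stopped and Manual."
}

# Step 4 is a reboot, which the operator performs; the -PostRestart run then restores the KDC.
Write-Host "Password reset written locally and on $ReplicationPartner."
Write-Host "Restart this computer, then run this script again with -PostRestart."
```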