How To Use Netdom.exe to Reset Machine Account Passwords of a Windows 2000 Domain Controller

Article ID: 260575 - View products that this article applies to.
This article was previously published under Q260575
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center
(http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000)
is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy
(http://support.microsoft.com/lifecycle/)
.
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center
(http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000)
is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy
(http://support.microsoft.com/lifecycle/)
.
Expand all | Collapse all

On This Page

SUMMARY

Each Windows-based computer maintains a machine account password history containing the current and previous passwords used for the account. When two computers attempt to authenticate with each other and a change to the current password is not yet received, Windows then relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may be unable to communicate, and you may receive error messages (for example, "Access Denied" error messages when Active Directory replication occurs).

This behavior is also applicable to replication between domain controllers of the same domain. If the domain controllers that are not replicating reside in two different domains, you should inspect the trust relationship more closely.

You cannot change the machine account password using the Active Directory Users and Computers snap-in, but you can reset the password using the Netdom.exe tool included in the Windows Support Tools.

The Netdom tool resets the account password on the computer locally (known as a "local secret") and writes this change to the computer's computer account object on a Windows domain controller that resides in the same domain. Simultaneously writing the new password to both places ensures that at least the two computers involved in the operation are synchronized, and starts Active Directory replication so that other domain controllers receive the change.

The following procedure describes how to use the netdom command to reset a machine account password. This procedure is most commonly used on domain controllers, but also applies to any Windows machine account.

Because you cannot use Netdom remotely, you must run the tool from the Windows-based computer whose password you want to change. In addition, you must have administrative permissions locally and on the computer account's object in Active Directory to run Netdom.

Using Netdom to Reset a Machine Account Password

  1. Install the Windows Support Tools from the Support\Tools folder on the Windows CD-ROM on the domain controller whose password you want to reset.
  2. If you are attempting to reset the password for a Windows domain controller, it is necessary to stop the Kerberos Key Distribution Center service and set its Startup type to Manual prior to continuing with step 3.

    Note: After you restart and verify that the password has been successfully reset, you can restart the Kerberos Key Distribution Center service and set its Startup type back to Automatic. Doing this forces the domain controller with the bad computer account password to contact another domain controller for a Kerberos ticket.
  3. At a command prompt, type the following command:
    netdom resetpwd /server:Replication_Partner_Server_Name /userd:domainname\administrator_id /passwordd:*
    where Replication_Partner_Server_Name is the fully qualified DNS or NetBIOS name of a domain controller in the same domain as the local computer, and domainname\administrator_id is the NetBIOS domain name and administrator ID respectively, in the Security Accounts Manager (SAM) account name credentials format.

    The "*" value to the /PasswordD: parameter specifies that the password should be typed using hidden characters when the command is submitted. For example, the local computer (which happens to be a domain controller) is Server1 and the peer Windows domain controller name is Server2. If you run Netdom on Server1 with the following parameters, the password is changed locally and is simultaneously written on Server2, and replication propagates the change to other domain controllers:
    netdom resetpwd /server:server2 /userd:mydomain\administrator /passwordd:*
  4. Restart the server whose password was changed (in this example, Server1).

Back to the top | Give Feedback

Properties

Article ID: 260575 - Last Review: October 31, 2006 - Revision: 5.4
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Datacenter Server
Keywords: 
kbacl kbgpo kbhowto kbhowtomaster KB260575
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top