How to use Netdom.exe to reset machine account passwords of a Windows Server 2003 domain controller

文章翻譯 文章翻譯
文章編號: 325850 - 檢視此文章適用的產品。
全部展開 | 全部摺疊

在此頁中

結論

This step-by-step article describes how to use Netdom.exe to reset machine account passwords of a Windows Server 2003 domain controller.

Each Windows-based computer maintains a machine account password history that contains the current and previous passwords that are used for the account. When two computers try to authenticate with each other and a change to the current password is not yet received, Windows relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may not be able to communicate, and you may receive error messages. For example, you may receive "Access Denied" error messages when Active Directory replication occurs.

This behavior also applies to replication between domain controllers of the same domain. If the domain controllers that are not replicating reside in two different domains, look at the trust relationship more closely.

You cannot change the machine account password by using the Active Directory Users and Computers snap-in, but you can reset the password by using the Netdom.exe tool. The Netdom.exe tool is included in the Windows Support Tools.

The Netdom.exe tool resets the account password on the computer locally (known as a "local secret") and writes this change to the computer's computer account object on a Windows domain controller that resides in the same domain. Simultaneously writing the new password to both places ensures that at least the two computers involved in the operation are synchronized, and starts Active Directory replication so that other domain controllers receive the change.

The following procedure describes how to use the netdom command to reset a machine account password. This procedure is most frequently used on domain controllers, but also applies to any Windows machine account.

You must run the tool locally, from the Windows-based computer whose password you want to change. Additionally, you must have administrative permissions locally and on the computer account's object in Active Directory to run Netdom.exe.

Use Netdom.exe to Reset a Machine Account Password

  1. Install the Windows Server 2003 Support Tools on the domain controller whose password you want to reset. These tools are located in the Support\Tools folder on the Windows Server 2003 CD-ROM. To install these tools, right-click the Suptools.msi file in the Support\Tools folder, and then click Install.
  2. If you want to reset the password for a Windows domain controller, you must stop the Kerberos Key Distribution Center service and set its startup type to Manual.

    Notes
    • After you restart and verify that the password has been successfully reset, you can restart the Kerberos Key Distribution Center (KDC) service and set its startup type back to Automatic. This forces the domain controller that has the incorrect computer account password to contact another domain controller for a Kerberos ticket.
    • You may have to disable the Kerberos Key Distribution Center service on all domain controllers except one. If you can, do not disable the domain controller that has the global catalog, unless it is experiencing problems.
  3. Remove the Kerberos ticket cache on the domain controller where you receive the errors. You can do this by restarting the computer or by using the KLIST, Kerbtest, or KerbTray tools.
  4. At a command prompt, type the following command:
    netdom resetpwd /s:server /ud:domain\User /pd:*
    A description of this command is:
    • /s:server is the name of the domain controller to use for setting the machine account password. This is the server where the KDC is running.
    • /ud:domain\User is the user account that makes the connection with the domain you specified in the /s parameter. This must be in domain\User format. If this parameter is omitted, the current user account is used.
    • /pd:* specifies the password of the user account that is specified in the /ud parameter. Use an asterisk (*) to be prompted for the password.
    For example, the local domain controller computer is Server1 and the peer Windows domain controller is Server2. If you run Netdom.exe on Server1 with the following parameters, the password is changed locally and is simultaneously written on Server2, and replication propagates the change to other domain controllers:
    netdom resetpwd /s:server2 /ud:mydomain\administrator /pd:*
  5. Restart the server whose password was changed. In this example, this is Server1.

屬性

文章編號: 325850 - 上次校閱: 2007年12月3日 - 版次: 8.2
這篇文章中的資訊適用於:
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
關鍵字:?
kbhowto kbhowtomaster kbactivedirectory kbnetwork kbgpo kbacl KB325850
Microsoft及(或)其供應商不就任何在本伺服器上發表的文字資料及其相關圖表資訊的恰當性作任何承諾。所有文字資料及其相關圖表均以「現狀」供應,不負任何擔保責任。Microsoft及(或)其供應商謹此聲明,不負任何對與此資訊有關之擔保責任,包括關於適售性、適用於某一特定用途、權利或不侵權的明示或默示擔保責任。Microsoft及(或)其供應商無論如何不對因或與使用本伺服器上資訊或與資訊的實行有關而引起的契約、過失或其他侵權行為之訴訟中的特別的、間接的、衍生性的損害或任何因使用而喪失所導致的之損害、資料或利潤負任何責任。

提供意見

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com