Each Windows-based computer maintains a machine account password history containing the current and previous passwords used for the account. When two computers attempt to authenticate with each other and a change to the current password is not yet received, Windows then relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may be unable to communicate, and you may receive error messages (for example, "Access Denied" error messages when Active Directory replication occurs).
This behavior is also applicable to replication between domain controllers of the same domain. If the domain controllers that are not replicating reside in two different domains, you should inspect the trust relationship more closely.
You cannot change the machine account password using the Active Directory Users and Computers snap-in, but you can reset the password using the Netdom.exe tool included in the Windows Support Tools.
The Netdom tool resets the account password on the computer locally (known as a "local secret") and writes this change to the computer's computer account object on a Windows domain controller that resides in the same domain. Simultaneously writing the new password to both places ensures that at least the two computers involved in the operation are synchronized, and starts Active Directory replication so that other domain controllers receive the change.
The following procedure describes how to use the netdom command to reset a machine account password. This procedure is most commonly used on domain controllers, but also applies to any Windows machine account.
Because you cannot use Netdom remotely, you must run the tool from the Windows-based computer whose password you want to change. In addition, you must have administrative permissions locally and on the computer account's object in Active Directory to run Netdom.
Install the Windows Support Tools from the Support\Tools folder on the Windows CD-ROM on the domain controller whose password you want to reset.
If you are attempting to reset the password for a Windows domain controller, it is necessary to stop the Kerberos Key Distribution Center service and set its Startup type to Manual prior to continuing with step 3.
Note: After you restart and verify that the password has been successfully reset, you can restart the Kerberos Key Distribution Center service and set its Startup type back to Automatic. Doing this forces the domain controller with the bad computer account password to contact another domain controller for a Kerberos ticket.
where Replication_Partner_Server_Name is the fully qualified DNS or NetBIOS name of a domain controller in the same domain as the local computer, and domainname\administrator_id is the NetBIOS domain name and administrator ID respectively, in the Security Accounts Manager (SAM) account name credentials format.
The "*" value to the /PasswordD: parameter specifies that the password should be typed using hidden characters when the command is submitted. For example, the local computer (which happens to be a domain controller) is Server1 and the peer Windows domain controller name is Server2. If you run Netdom on Server1 with the following parameters, the password is changed locally and is simultaneously written on Server2, and replication propagates the change to other domain controllers: