Shulou(Shulou.com)06/02 Report--

How to use Netdom.exe to reset the machine account password of a Windows Server domain controller

Refer to KB: https://support.microsoft.com/zh-cn/help/325850/how-to-use-netdom-exe-to-reset-machine-account-passwords-of-a-windows

For: Windows Server 2019, all versionsWindows Server 2016 StandardWindows Server 2012 R2 Standard details

Use Netdom.exe to reset the machine account password

Summary

This article describes step by step how to use Netdom.exe to reset the machine account password of a domain controller in Windows Server.

Each Windows-based computer maintains a computer account password history that contains the current and previous passwords used for that account. When two computers try to authenticate each other, if the current password change is not received, Windows relies on the previous password. If the password sequence is changed more than twice, the computer involved may not be able to communicate and you may receive an error message. For example, you may receive an access denied error message when Active Directory replication occurs.

This behavior also applies to replication between domain controllers in the same domain. If the unreplicated domain controller resides in two different domains, take a closer look at the trust relationship.

You cannot use the Active Directory user and computer snap-in to change the computer account password, but you can use the Netdom.exe tool to reset the password. The Netdom.exe tool is included in the Windows support tools in Windows Server 2003. The Netdom.exe tool is also included in Windows Server 2008 R2 and Windows Server 2008.

The Netdom.exe tool can locally reset the account password on the computer (called the local password) and write this change to the computer account object of the computer on the Windows domain controller in the same domain. Write the new password to both locations at the same time, ensure that at least two computers involved in the operation are synchronized, and initiate Active Directory replication so that other domain controllers can receive the changes.

The following procedure describes how to use the netdom command to reset the computer account password. This procedure is most commonly used for domain controllers, but also applies to any Windows computer account.

You must run the tool locally from the Windows-based computer whose password you want to change. In addition, you must have local and administrative privileges on computer account objects in Active Directory to run Netdom.exe.

Use Netdom.exe to reset the machine account password

Install Windows Server 2003 support tools on the domain controller whose password you want to reset. These tools are located in the Support\ Tools folder on Windows Server 2003 CD-ROM. To install these tools, right-click the Suptools.msi file in the Support\ Tools folder, and then click install.

Note that this step is not required in Windows Server 2008 R2 and Windows Server 2008 because the Netdom.exe tool is included in these Windows versions.

If you want to reset the password for the Windows domain controller, you must stop the Kerberos key Distribution Center service and set its startup type to Manual.

Be careful

After restarting and verifying that the password has been successfully reset, you can restart the Kerberos key Distribution Center (KDC) service and set its startup type back to automatic. This causes a domain controller with the wrong computer account password to contact another domain controller to obtain an Kerberos ticket.

The Kerberos key Distribution Center service may have to be disabled on all domain controllers except one. If you can, do not disable domain controllers with global catalogs unless you encounter problems.

Delete the Kerberos ticket cache on the domain controller that received the error. You can do this by restarting your computer or by using KLIST, Kerbtes, or KerbTray tools. KLIST is included in both Windows Server 2008 R2 and Windows Server 2008. In Windows Server 2003, you can download KLIST for free in Windows Server 2003 Resource Kit Tools. To get this tool, visit the following Microsoft website:

Http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

At the command prompt, type the following command:

Netdom resetpwd / s:server / ud:domain\ User / pd:

This command is described as follows:

/ s:server is the name of the domain controller that is used to set the machine account password. This is the server on which KDC is running.

/ ud:domain\ User is the user account used to connect to the domain specified in the / s parameter. The format must be in domain\ User format. If this parameter is omitted, the current user account is used.

/ pd: used to specify the password of the user account specified in the / ud parameter. Use the asterisk () to prompt for a password.

For example, the local domain controller computer is Server1 and the peer Windows domain controller is Server2. If you run Netdom.exe on Server1 with the following parameters, the password is changed locally and written to Server2 at the same time, and replication propagates the change to other domain controllers:

Netdom resetpwd / s:server2 / ud:mydomain\ administrator / pd:

Restart the server that has changed the password. In this example, it is Server1.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.