This step-by-step article describes how to use Netdom.exe to
reset machine account passwords of a domain
controller in Windows Server 2008 R2, in Windows Server 2008, or in Windows Server 2003.
Each Windows-based computer maintains a machine account
password history that contains the current and previous passwords that are used
for the account. When two computers try to authenticate with each other and a
change to the current password is not yet received, Windows relies on the
previous password. If the sequence of password changes exceeds two changes, the
computers involved may not be able to communicate, and you may receive error
messages. For example, you may receive "Access Denied" error messages when
Active Directory replication occurs.
This behavior also applies to
replication between domain controllers of the same domain. If the domain
controllers that are not replicating reside in two different domains, look at
the trust relationship more closely.
You cannot change the machine
account password by using the Active Directory Users and Computers snap-in, but
you can reset the password by using the Netdom.exe tool. The Netdom.exe tool is
included in the Windows Support Tools for Windows Server 2003. The Netdom.exe tool is also included in Windows Server 2008 R2 and in Windows Server 2008.
The Netdom.exe tool resets the
account password on the computer locally (known as a "local secret") and writes
this change to the computer's computer account object on a Windows domain
controller that resides in the same domain. Simultaneously writing the new
password to both places ensures that at least the two computers involved in the
operation are synchronized, and starts Active Directory replication so that
other domain controllers receive the change.
The following procedure
describes how to use the netdom
command to reset a machine account password. This procedure is
most frequently used on domain controllers, but also applies to any Windows
You must run the tool locally, from the
Windows-based computer whose password you want to change. Additionally, you
must have administrative permissions locally and on the computer account's
object in Active Directory to run Netdom.exe.
Use Netdom.exe to Reset a Machine Account Password
- Install the Windows Server 2003 Support Tools on the domain
controller whose password you want to reset. These tools are located in the
Support\Tools folder on the Windows Server 2003 CD-ROM. To install these tools,
right-click the Suptools.msi file in the Support\Tools folder, and then click Install.
Note: This step is not necessary in Windows Server 2008 R2 and in Windows Server 2008 because the Netdom.exe tool is included in these Windows editions.
- If you want to reset the password for a Windows domain
controller, you must stop the Kerberos Key Distribution Center service and set
its startup type to Manual.
- After you restart and verify that the password has been
successfully reset, you can restart the Kerberos Key Distribution Center
(KDC) service and set its startup type back to Automatic. This forces the domain controller that has the incorrect computer
account password to contact another domain controller for a Kerberos
- You may have to disable the Kerberos Key Distribution Center service on all domain controllers except one. If you can, do not disable the domain controller that has the global catalog, unless it is experiencing problems.
- Remove the Kerberos ticket cache on the domain controller where you receive the errors. You can do this by restarting the computer or by using the KLIST, Kerbtest, or KerbTray tools. KLIST is included in Windows Server 2008 R2 and in Windows Server 2008. For Windows Server 2003, KLIST is available as a free download in the Windows Server 2003 Resource Kit Tools. To obtain the tools, visit the following Microsoft Web site:
- At a command prompt, type the following command:
netdom resetpwd /s:server /ud:domain\User /pd:*
A description of this command is:
- /s:server is the name of the domain controller to use for setting the
machine account password. This is the server where the KDC is running.
- /ud:domain\User is the user account that makes the connection with the domain you
specified in the /s parameter. This must be in domain\User format. If this parameter is omitted, the current user account is
- /pd:* specifies the password of the user account that is specified in
the /ud parameter. Use an asterisk (*) to be prompted for the password.
For example, the local domain controller computer is
Server1 and the peer Windows domain controller is Server2. If you run
Netdom.exe on Server1 with the following parameters, the password is changed
locally and is simultaneously written on Server2, and replication propagates
the change to other domain controllers:
netdom resetpwd /s:server2 /ud:mydomain\administrator /pd:*
- Restart the server whose password was changed. In this
example, this is Server1.
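The procedure above, wrapped in a PowerShell script as an added example (not part of the article): it stops the KDC, runs netdom resetpwd, and confirms the reset by reading pwdLastSet of this computer's account from the peer domain controller before and after. It assumes Windows Server 2008 or 2008 R2 (PowerShell available), that it is run elevated on the domain controller whose password is being reset (Server1), and that the peer DC passed as $PeerDC is healthy; $PeerDC, $UserAccount and Get-PwdLastSet are names chosen here.

```powershell
# Added example, not the article's code. Run elevated on the DC being reset.
param(
    [Parameter(Mandatory)][string]$PeerDC,      # /s:server, e.g. server2 (assumed name)
    [Parameter(Mandatory)][string]$UserAccount  # /ud:domain\User, e.g. mydomain\administrator
)

function Get-PwdLastSet {
    # Read pwdLastSet of this computer's account from the chosen DC via ADSI,
    # i.e. the copy the article says netdom writes on the peer DC.
    param([string]$Server)
    $root = [ADSI]"LDAP://$Server/RootDSE"
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/$($root.defaultNamingContext)"
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    [void]$searcher.PropertiesToLoad.Add("pwdLastSet")
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer account for $env:COMPUTERNAME not found on $Server" }
    return [DateTime]::FromFileTimeUtc([int64]$result.Properties["pwdlastset"][0])
}

# Step 2: stop the KDC on this DC and keep it from coming back on reboot.
Set-Service -Name kdc -StartupType Manual
Stop-Service -Name kdc -Force

$before = Get-PwdLastSet -Server $PeerDC
Write-Host "pwdLastSet on $PeerDC before reset: $before"

# Step 6: netdom writes the local secret and the account object on $PeerDC.
# /pd:* prompts for the password so it never appears in the command history.
& netdom.exe resetpwd /s:$PeerDC /ud:$UserAccount /pd:*
if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }

# Verify: pwdLastSet on the peer DC must have advanced.
$after = Get-PwdLastSet -Server $PeerDC
if ($after -le $before) { throw "pwdLastSet on $PeerDC did not advance; reset not confirmed" }
Write-Host "pwdLastSet on $PeerDC after reset:  $after"

# Step 5: purge cached Kerberos tickets, then step 7: restart this DC.
# After the reboot (step 3) re-enable the KDC:
#   Set-Service -Name kdc -StartupType Automatic; Start-Service -Name kdc
& klist.exe purge
Restart-Computer -Confirm
```

Set-Service and Stop-Service act on the local computer only, which matches the article's requirement that Netdom.exe be run locally on the computer whose password is being reset.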