This step-by-step article describes how to use Netdom.exe to reset machine account passwords of a domain controller in Windows Server 2008 R2, in Windows Server 2008, or in Windows Server 2003.
Use Netdom.exe to Reset a Machine Account Password
- Install the Windows Server 2003 Support Tools on the domain controller whose password you want to reset. These tools are located in the Support\Tools folder on the Windows Server 2003 CD-ROM. To install these tools, right-click the Suptools.msi file in the Support\Tools folder, and then click Install. Note: This step is not necessary in Windows Server 2008 R2 and in Windows Server 2008 because the Netdom.exe tool is included in these Windows editions.
- If you want to reset the password for a Windows domain controller, you must stop the Kerberos Key Distribution Center (KDC) service on that domain controller and set its startup type to Manual. Stopping the local KDC forces the domain controller that has the incorrect computer account password to contact another domain controller for a Kerberos ticket instead of issuing tickets to itself.
- After you restart the server and verify that the password has been successfully reset, restart the KDC service and set its startup type back to Automatic.
- You may have to stop the KDC service on all domain controllers except one. If you can, keep the KDC running on the domain controller that holds the global catalog, unless that domain controller is the one experiencing problems.
- Remove the Kerberos ticket cache on the domain controller where you receive the errors. You can do this by restarting the computer or by using the KLIST, Kerbtest, or KerbTray tools. KLIST is included in Windows Server 2008 R2 and in Windows Server 2008. For Windows Server 2003, KLIST is available as a free download in the Windows Server 2003 Resource Kit Tools.
- At a command prompt, type the following command:

  netdom resetpwd /s:server /ud:domain\User /pd:*

  The parameters of this command are:
- /s:server is the name of the domain controller to use for setting the machine account password. This is the peer domain controller on which the KDC is still running, not the server whose password you are resetting.
- /ud:domain\User is the user account that makes the connection with the domain you specified in the /s parameter. This must be in domain\User format. If this parameter is omitted, the current user account is used.
- /pd:* specifies the password of the user account that is specified in the /ud parameter. Use an asterisk (*) to be prompted for the password so that it is not recorded in the command history.
For example, the local domain controller computer is Server1 and the peer Windows domain controller is Server2. If you run Netdom.exe on Server1 with the following parameters, the password is changed locally and is simultaneously written on Server2, and replication propagates the change to other domain controllers:

  netdom resetpwd /s:server2 /ud:mydomain\administrator /pd:*
- Restart the server whose password was changed. In this example, this is Server1.
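The whole procedure above, collected into one PowerShell script. This is an added example and is not code from the Microsoft article: it reuses the article's Server1, Server2 and mydomain names, assumes it is run in an elevated PowerShell session on Server1 (Windows Server 2008 or later, where Netdom.exe and KLIST are built in), and the nltest secure-channel check after the reboot is an addition beyond the article's own steps. The script is run once before the reboot and once more with -AfterReboot to finish.

```powershell
# Reset-DcMachinePassword.ps1 (added example, not part of the original article)
# Run on Server1, the DC whose computer account password is wrong.
# Server2 is a healthy peer DC whose KDC keeps running throughout.
#Requires -RunAsAdministrator
param(
    [switch]$AfterReboot    # run with this switch once Server1 is back up
)

$PeerDc    = 'Server2'                 # /s: DC that receives the new password and issues tickets
$AdminUser = 'mydomain\administrator'  # /ud: account used for the connection to $PeerDc
$Domain    = 'mydomain'

if ($AfterReboot) {
    # Step 3 (after restart): verify the secure channel to a DC is healthy,
    # then return the local KDC to normal operation. nltest is not mentioned
    # in the article; it is included here as a practical check.
    nltest /sc_verify:$Domain
    if ($LASTEXITCODE -ne 0) { throw "Secure channel to $Domain still broken; leave the KDC stopped" }
    Set-Service -Name Kdc -StartupType Automatic
    Start-Service -Name Kdc
    return
}

# Step 1: stop the local KDC and keep it stopped across the reboot, so this DC
# must obtain Kerberos tickets from $PeerDc instead of from itself.
Stop-Service -Name Kdc -Force
Set-Service  -Name Kdc -StartupType Manual

# Step 2: purge the Kerberos ticket caches. The computer account's tickets live
# in the SYSTEM logon session (logon id 0x3e7), not in the admin's own session,
# so both are purged. (Restarting the computer achieves the same thing.)
klist purge
klist -li 0x3e7 purge

# Step 3: reset the machine account password. Netdom changes it locally and
# writes it to $PeerDc at the same time; /pd:* prompts for the password
# interactively so it never lands in the command history.
netdom resetpwd /s:$PeerDc /ud:$AdminUser /pd:*
if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }

# Step 4: restart Server1 so it re-establishes its secure channel with the new
# password. The KDC remains set to Manual until the -AfterReboot pass.
Restart-Computer -Force
```

The KDC is deliberately left at Manual across the reboot: if it started automatically, the freshly rebooted DC would again try to obtain tickets from itself using a machine account that other DCs may not yet agree on. Only after the secure channel verifies cleanly does the second pass set the service back to Automatic.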