Domain Controller Machine Password Reset
In my lab environment, I've configured two Active Directory sites, since most enterprises have offices in more than one location. My lab, however, is not running 24/7, and the domain controllers in the second site are rarely turned on, to save resources.
This causes trouble for Active Directory replication. A domain controller changes its own machine account password every 30 days by default; if it is powered off for long stretches, that password drifts out of step with the copy its replication partners hold, and Kerberos authentication between the DCs fails. The symptom is the "The target principal name is incorrect" error (repadmin reports it as status -2146893022) when I run repadmin /syncall /AdeP. The remedy is to reset the machine account password of the domain controller that has been offline. One caveat before starting: if the DC has been offline for longer than the forest's tombstone lifetime (60 or 180 days, depending on when the forest was created), a password reset is not enough, because replication to and from it is blocked to protect against lingering objects; in that case demote it (forcibly if necessary), clean up its metadata and promote it again.
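Before resetting anything, it is worth confirming that this really is the problem. The PowerShell below is an added example and not part of the original post; it assumes DC3 is the healthy domain controller and DC4 the one that was offline, and it needs the ActiveDirectory module (RSAT) on the machine where it runs. It lists the failing inbound replication links for DC4 and then asks each DC for its own copy of DC4's computer object, so a differing PasswordLastSet shows the password change that never replicated.

```powershell
# Added example (not from the original post): confirm the diagnosis before
# resetting the machine account password.
# Assumptions: DC3 = healthy DC, DC4 = the DC that was powered off.
param(
    [string]$GoodDc   = 'DC3',   # assumption: functional DC / PDC emulator
    [string]$BrokenDc = 'DC4'    # assumption: DC with the stale password
)
Import-Module ActiveDirectory

# 0x80090322 (SEC_E_WRONG_PRINCIPAL), which repadmin prints as -2146893022:
# "The target principal name is incorrect".
$WrongPrincipal = -2146893022

# 1. Which inbound links on the broken DC are failing, and with what status?
#    /csv gives one row per (naming context, source DSA) pair.
$failing = repadmin /showrepl $BrokenDc /csv |
    ConvertFrom-Csv |
    Where-Object { [int]$_.'Last Failure Status' -ne 0 } |
    Select-Object 'Naming Context', 'Source DSA', 'Number of Failures', 'Last Failure Status'

$failing | Format-Table -AutoSize

if ($failing | Where-Object { [int]$_.'Last Failure Status' -eq $WrongPrincipal }) {
    Write-Host "Replication into $BrokenDc fails with -2146893022 (target principal name is incorrect)."
}

# 2. Does each DC hold the same view of the broken DC's machine account password?
#    -Server forces the query against that DC's own copy of the directory.
#    If the query against $BrokenDc itself fails with a Kerberos error, that is
#    further confirmation of the same problem.
$onGood   = Get-ADComputer $BrokenDc -Server $GoodDc   -Properties PasswordLastSet
$onBroken = Get-ADComputer $BrokenDc -Server $BrokenDc -Properties PasswordLastSet

"{0,-6} sees {1}'s PasswordLastSet = {2}" -f $GoodDc,   $BrokenDc, $onGood.PasswordLastSet
"{0,-6} sees {1}'s PasswordLastSet = {2}" -f $BrokenDc, $BrokenDc, $onBroken.PasswordLastSet

if ($onGood.PasswordLastSet -ne $onBroken.PasswordLastSet) {
    Write-Warning "Machine account password for $BrokenDc is out of step between $GoodDc and $BrokenDc; netdom resetpwd is the right fix."
}
```

If the two PasswordLastSet values agree and the failure status is something other than -2146893022, the procedure below is the wrong tool and the real cause (DNS, time skew, a firewall between the sites) needs to be found first.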
First, stop and disable the Kerberos Key Distribution Center (KDC) service on the problematic domain controller, DC4 in our case. With its own KDC out of the picture, DC4 has to obtain Kerberos tickets from a healthy domain controller instead of issuing them to itself from its stale keys.
There may be stale tickets in the cache, so clear them as well with klist purge.
Now it's time to change the machine account password of the domain controller with netdom:

netdom resetpwd /s:dc3 /ud:lab\administrator /pd:*
Replace "lab\administrator" with an account that has Domain Admins privileges in your domain, and "dc3" with a functional domain controller, preferably the PDC emulator. Leave the asterisk in /pd:* so that netdom prompts for the password rather than taking it on the command line, where it would land in the command history.
With the password changed, double-check that the KDC service is still disabled and restart the computer.
Up to this point, all steps are performed on the problematic domain controller.
When the server has restarted and the login screen appears, it's time to replicate. Issue the commands in the screenshot below to pull each naming context from a functional domain controller into the one with the issue:
In the screenshot above, all naming contexts are replicated from DC3 to DC4.
If you don't get any errors at this step, set the KDC service back to Automatic on the faulty domain controller and restart it. When it is back online, run repadmin /syncall /AdeP again; there should be no errors.
That's it. The domain controller is operational again. The last step is to run dcdiag and make sure there are no issues.
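The whole sequence, collected into one PowerShell script that is run on the broken DC in three phases separated by the two reboots. This is an added example and not the post's own commands: it assumes DC3 is the healthy DC and PDC emulator, DC4 the DC that was offline, lab\administrator the privileged account, and DC=lab,DC=local as the forest root DN; the list of naming contexts matches a single-domain forest with the two DNS application partitions, so adjust it to what repadmin /showrepl lists for your DC.

```powershell
<#
  Added example (not from the original post): the repair sequence from the post,
  run on the broken DC as  .\Reset-DcPassword.ps1 -Phase Reset | Replicate | Finish
  Assumed names: DC3 = healthy DC / PDC emulator, DC4 = DC that was offline,
  lab\administrator = privileged account, DC=lab,DC=local = forest root DN.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Reset', 'Replicate', 'Finish')]
    [string]$Phase,

    [string]$GoodDc       = 'DC3',               # assumption
    [string]$BrokenDc     = 'DC4',               # assumption: this machine
    [string]$DomainDn     = 'DC=lab,DC=local',   # assumption
    [string]$AdminAccount = 'lab\administrator'  # assumption
)

$ErrorActionPreference = 'Stop'

# Every naming context this DC hosts. The DNS application partitions are the
# usual extras in a single-domain forest; adjust to your own repadmin /showrepl output.
$namingContexts = @(
    "CN=Schema,CN=Configuration,$DomainDn",
    "CN=Configuration,$DomainDn",
    $DomainDn,
    "DC=DomainDnsZones,$DomainDn",
    "DC=ForestDnsZones,$DomainDn"
)

function Invoke-Native {
    # Run an external tool and stop on a non-zero exit code, so a failed step
    # is never silently followed by the next one.
    param([string]$Exe, [string[]]$Arguments)
    Write-Host ">> $Exe $($Arguments -join ' ')"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe exited with code $LASTEXITCODE"
    }
}

switch ($Phase) {
    'Reset' {
        # 1. Take the local KDC out of play so this DC stops issuing tickets
        #    from its stale keys and authenticates against $GoodDc instead.
        Stop-Service -Name kdc
        Set-Service  -Name kdc -StartupType Disabled

        # 2. Drop cached tickets that were obtained with the old keys.
        Invoke-Native klist @('purge')

        # 3. Reset this DC's machine account password against $GoodDc.
        #    /pd:* makes netdom prompt for the password instead of taking it
        #    on the command line.
        Invoke-Native netdom @('resetpwd', "/s:$GoodDc", "/ud:$AdminAccount", '/pd:*')

        Write-Host 'Password reset done; KDC remains disabled. Rebooting.'
        Restart-Computer -Force
    }
    'Replicate' {
        # After the first reboot: pull every naming context from $GoodDc into
        # this DC. repadmin /replicate takes destination first, then source.
        foreach ($nc in $namingContexts) {
            Invoke-Native repadmin @('/replicate', $BrokenDc, $GoodDc, $nc)
        }
        # Only reached if every partition replicated cleanly: bring the KDC back.
        Set-Service -Name kdc -StartupType Automatic
        Write-Host 'All naming contexts replicated; KDC re-enabled. Rebooting.'
        Restart-Computer -Force
    }
    'Finish' {
        # After the second reboot: full sync across the enterprise, then health check.
        Invoke-Native repadmin @('/syncall', '/AdeP')
        Invoke-Native dcdiag  @()
    }
}
```

Because $ErrorActionPreference is Stop and Invoke-Native throws on any non-zero exit code, a replication failure in the Replicate phase leaves the KDC disabled rather than re-enabling it on a DC that is still out of sync, which is the order the post insists on.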
If you use OMS to monitor your servers, the Active Directory Replication Status solution will confirm that there are no remaining issues. Otherwise, you can download the Active Directory Replication Status Tool, which analyses your environment and reports on replication health.
A quick look at the tool shows any remaining issues: