
I have a 2008 functional level domain in a 2003 functional level forest, with DCs running Server 2008 and 2008 R2.

A number of member servers & computers are virtual machines. Sometimes these get rolled back to prior snapshots and sometimes this breaks trust. Usually I am able to resolve this easily in this manner:

  1. Disconnect the network;
  2. Log in as the domain admin, which works using cached credentials;
  3. Reconnect the network;
  4. Run netdom resetpwd /server:<DC-name> /userd:<dom>\<dom-admin> /passwordd:*

I've had no trouble doing this with more recent Windows versions, but I'm finding this doesn't work on a Server 2003 R2 member server. Instead it just gives me this error:

The machine account password for the local machine could not be reset
The specified domain either does not exist or could not be contacted

I'm not sure if I'm doing something wrong or if it's even possible in 2003 R2.

I also tried resetting the machine account via AD Users & Computers but it seemed to have no effect.

The DCs can be pinged fine from the server, and the domain is fine otherwise. I've also tried connecting to the IPC$ share on a DC with net use, and that works too. Their NETLOGON and SYSVOL shares also show up in net view. The member worked fine prior to rolling back. In fact, not much has changed, other than the member machine account password.

Kevin
  • Are you _sure_ that you want to roll back a domain controller with snapshots? It's only safe if you roll back the _entire_ infrastructure at the same time. – pauska Apr 21 '13 at 13:42
  • @pauska Definitely wouldn't want to roll back a DC! No, it's just a member server, not a DC. – Kevin Apr 21 '13 at 13:43
  • If you know that these machines are going to be rolled back regularly you could change their accounts to never expire their passwords. – mrdenny Apr 21 '13 at 14:00

2 Answers


The easiest and most expedient thing to do would be to unjoin then rejoin the domain.

joeqwerty
  • Was hoping you weren't gonna say that.. :) I figured maybe there was a more "clean" way. In this case fortunately the member didn't have much of anything referenced in AD. – Kevin Apr 21 '13 at 14:06
  • Even if it did, an unjoin and rejoin would resolve everything. The computer account remains intact. I've had to do this countless times when migrating Windows VMs from one HV cluster to another. It's often weeks before an exported VM can be started up in its new cluster, and in that time frame the machine password often changes on the source machine, rendering the trust on the destination machine invalid. I simply unjoin then rejoin the destination machine to the domain to essentially reset the machine account password. – joeqwerty Apr 21 '13 at 14:34

You can also use netdom to reset the computer account. See Microsoft KB article 325850 for more details.

The basic command is

netdom resetpwd /s:server /ud:domain\User /pd:*

/s:server is the name of the domain controller to use for setting the machine account password. This is the server where the KDC is running.

/ud:domain\User is the user account that makes the connection with the domain you specified in the /s parameter. This must be in domain\User format. If this parameter is omitted, the current user account is used.

/pd:* specifies the password of the user account that is specified in the /ud parameter. Use an asterisk (*) to be prompted for the password.

Rex
  • This is what I normally do and it works on newer systems, but as mentioned, it doesn't seem to work on 2003 R2 member servers (I suspect in that version it only works for DCs...) – Kevin Apr 22 '13 at 01:02
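The four-step procedure in the question and the netdom switches described in this answer are the same operation; below is an added PowerShell wrapper around it (not code from the question or either answer) that first confirms the secure channel is actually broken, then runs the reset and verifies the result. It assumes Windows PowerShell 2.0 or later on the member (the Server 2008 R2 default) and netdom.exe present via RSAT or the Support Tools; DC01.corp.example and CORP\Administrator are placeholders for your own DC and domain admin account. It is meant to be run from an elevated prompt on the member itself after logging on with cached credentials and reconnecting the network, as in the question.

```powershell
# Added example, not from the original question or answers.
# Assumes: Windows PowerShell 2.0+ on the member, netdom.exe available,
# run elevated on the member after logging on with cached domain credentials.
# DC01.corp.example and CORP\Administrator are placeholder names.
param(
    [string]$DomainController = 'DC01.corp.example',
    [string]$ResetAccount     = 'CORP\Administrator'
)

$ErrorActionPreference = 'Stop'

# Confirm the symptom is the secure channel and not name resolution or
# connectivity (the question already shows ping and IPC$ working).
# Test-ComputerSecureChannel returns $false when the machine account password
# held by the member no longer matches what the DC stores, which is exactly
# the state a VM snapshot rollback leaves behind.
if (Test-ComputerSecureChannel -Server $DomainController) {
    Write-Host "Secure channel to $DomainController is healthy; nothing to reset."
    return
}
Write-Warning "Secure channel to $DomainController is broken; resetting the machine account password."

# Step 4 of the question's procedure. The long-form switches used there
# (/server, /userd, /passwordd) are the same as the short forms in KB 325850
# (/s, /ud, /pd). The asterisk makes netdom prompt for the password so it
# never appears in the command line, history or this script.
& netdom.exe resetpwd "/server:$DomainController" "/userd:$ResetAccount" '/passwordd:*'
if ($LASTEXITCODE -ne 0) {
    throw "netdom resetpwd failed with exit code $LASTEXITCODE. If the member is Server 2003 R2 this is the failure reported in the question; fall back to unjoin/rejoin."
}

# Verify rather than trust the exit code: force Netlogon to set up a fresh
# secure channel with the new password, then re-test.
& nltest.exe "/sc_verify:$env:USERDNSDOMAIN"
if (-not (Test-ComputerSecureChannel -Server $DomainController)) {
    throw "Reset reported success but the secure channel to $DomainController is still broken."
}
Write-Host "Machine account password reset; secure channel to $DomainController re-established."
```

The pre-check matters because resetting the password on a member whose channel is fine is harmless but pointless, and a failure there points at DNS or firewall rather than at the trust. If you are on PowerShell 3.0 or later you can replace the netdom call with Reset-ComputerMachinePassword -Server $DomainController -Credential (Get-Credential), which does the same thing natively; on 2.0 that cmdlet has no -Credential parameter, which is why the example keeps netdom.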