Why Machine account password can be out of sync?

I have 2 DCs in my single domain environment. One is running Windows 2000 and the other one is Windows 2003. I got access denied when doing replication through site and service. I know I have to reset the machine account password. But why can it be out of sync? And on which DC do I have to reset the password?
wuitsung Asked:
Malli Boppe Commented:
Are you using the correct account to do replication?
0
wuitsung (Author) Commented:
Can you explain in more detail? Thank you
0
brent_caskey Commented:
Around this time of year, the most common reason that I see domain controllers get out of sync is because of daylight savings time and the time not being correct on both domain controllers. I would check that the proper DST updates are on both computers.

mboppe is also correct - if you are not logged in with a user with the domain admin privileges, you will get an access is denied error.

As far as resetting the machine account password, here is a KB article that explains how to do this in detail: http://support.microsoft.com/kb/325850.

Whichever DC is the PDC emulator has a correct machine account password. You would need to run the command on the other one.
0

wuitsung (Author) Commented:
Thank you very much brent_caskey!!
My situation is like this...
I have an old DC running Win2000 Server/AD-integrated in my single domain. It's quite slow, so I decided to build a new DC. I built the new DC and successfully ran dcpromo. Now it's also AD-integrated. I also just successfully transferred the 5 FSMO roles to the new DC. But when I tried to do replication from site and service (both DCs are GCs), I got "The following error occurred during the attempt to synchronize the domain controllers: Access is denied"....

I also ran DCDIAG /FIX on the new DC, and I got this as one of the failure messages: The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC....

So you think I have to reset password on the old DC?
0
Malli Boppe Commented:
Check the Event Viewer on both the DCs. You should have replication errors. Can you paste the errors or warnings over here?
0
wuitsung (Author) Commented:
I am not at the DC now. I will try to post the error message here next time.
Just another question.
C:\>netdom resetpwd /server:<servername> /userd:<username>\Administrator /passwordd:*

Do I enter the domain administrator password here, or just anything?
0
brent_caskey Commented:
With the *, it will prompt for a password.
You would enter the password for the account listed - which is the Administrator password.
0
wuitsung (Author) Commented:
You mean I type * in the command line and I will get something that pops up to enter the password? And for my last post, on which DC should I reset the password? Any idea? Thanks!!
0
Henrik Johansson (Systems engineer) Commented:
Run it on the server which is not holding the PDCe FSMO role and reference the other server with the /server parameter.
The /passwordd:* gives you a password prompt on the next line and hides the typed password from being echoed on screen.
0
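The advice in the answers above (run netdom resetpwd on the DC that does not hold the PDCe role, and point /server at the one that does) can be wrapped in a small guard script. This is an added example, not code from the thread or from Microsoft; the script arguments PDCE_NAME and DOMAIN are hypothetical names chosen here, and the KB steps surrounding the reset are not reproduced.

```batch
@echo off
setlocal
rem Added example. Usage: resetdcpwd.cmd PDCE_NAME DOMAIN
rem PDCE_NAME = DC that holds the PDC emulator role, DOMAIN = domain name.
if "%~2"=="" (
  echo Usage: %~nx0 PDCE_NAME DOMAIN
  exit /b 2
)
set "PDCE=%~1"
set "DOMAIN=%~2"

rem Guard 1: never reset the machine account password on the PDCe holder itself.
if /i "%COMPUTERNAME%"=="%PDCE%" (
  echo %COMPUTERNAME% is the server named as PDCe holder. Run this on the other DC.
  exit /b 1
)

rem Guard 2: confirm the named server is listed on the PDC line of the FSMO query.
netdom query fsmo | findstr /i /c:"PDC " | findstr /i /c:"%PDCE%" >nul
if errorlevel 1 (
  echo %PDCE% is not listed as PDC role holder by "netdom query fsmo". Aborting.
  exit /b 1
)

rem /passwordd:* prompts for the account password and does not echo it,
rem so the password never appears on the command line or in this file.
netdom resetpwd /server:%PDCE% /userd:%DOMAIN%\Administrator /passwordd:*
if errorlevel 1 (
  echo netdom resetpwd reported an error. Check the message above.
  exit /b 1
)
echo Reset command completed. Continue with the remaining steps in the KB article.
```

Both guards stop before any change is made, so a mistyped server name or a run on the wrong DC leaves the machine account untouched.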
wuitsung (Author) Commented:
Thanks henjoh09!! But I just read a post where the guy did it successfully this way... Is what he did not correct?

http://www.tek-tips.com/viewthread.cfm?qid=756697

His solution is at the last post.
0
Henrik Johansson (Systems engineer) Commented:
I read through that post and he restarted the server, but I didn't understand it as him having reset the password on the server holding the PDCe FSMO.

I wouldn't do it on a server holding PDCe role without ensuring that I can move the FSMOs away from the server before doing it. It can otherwise end up with necessary FSMO-hijacking and other cleanup.

See KB for MS instructions about resetting computer password:
http://support.microsoft.com/kb/260575
0
wuitsung (Author) Commented:
OK, I see. But I already moved all 5 FSMO roles to the new DC. The thing is, when I run netdiag /fix, I get: The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC....

So do you still suggest I reset the password on the old DC? Or is it better that I move just the PDC role back to the old DC and reset the password on the new DC?
0
Henrik Johansson (Systems engineer) Commented:
All FSMOs should be on working DCs.
What kind of errors do you have? Anything in eventlog?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.