Solved

Why can a machine account password be out of sync?

Posted on 2008-11-02
Last Modified: 2013-12-05
Why can a machine account password be out of sync? I have 2 DCs in my single-domain environment. One is running Windows 2000 and the other one is Windows 2003. I got access denied when doing replication through Sites and Services. I know I have to reset the machine account password. But why can it be out of sync? And on which DC do I have to reset the password?
Question by: wuitsung
13 Comments
 
LVL 23

Expert Comment

by:Malli Boppe
ID: 22864578
Are you using the correct account to do replication?
0
 

Author Comment

by:wuitsung
ID: 22864657
Can you explain in more detail? Thank you
0
 
LVL 13

Accepted Solution

by:
brent_caskey earned 100 total points
ID: 22864693
Around this time of year, the most common reason that I see domain controllers get out of sync is because of daylight savings time and the time not being correct on both domain controllers. I would check that the proper DST updates are on both computers.

mboppe is also correct - if you are not logged in with a user with the domain admin privileges, you will get an access is denied error.

As far as resetting the machine account password, here is a KB article that explains how to do this in detail: http://support.microsoft.com/kb/325850.

Whichever DC is the PDC emulator has a correct machine account password. You would need to run the command on the other one.
0
 

Author Comment

by:wuitsung
ID: 22864713
Thank you very much brent_caskey!!
My situation is like this...
I have an old DC running Win2000 Server/AD-integrated in my single domain. It's quite slow, so I decided to build a new DC. I built the new DC and successfully ran dcpromo. Now it's also AD-integrated. I also just successfully transferred the 5 FSMO roles to the new DC. But when I tried to do replication from Sites and Services (both DCs are GCs), I got "The following error occurred during the attempt to synchronize the domain controllers: Access is denied"....

I also ran DCDIAG /FIX on the new DC, and I got one of the fail messages: The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC....

So you think I have to reset password on the old DC?
0
 
LVL 23

Assisted Solution

by:Malli Boppe
Malli Boppe earned 50 total points
ID: 22864730
Check the Event Viewer on both the DCs. You should have replication errors. Can you paste the errors or warnings over here?
0
 

Author Comment

by:wuitsung
ID: 22864922
I am not at the DC now. I will try to post the error message here next time.
Just another question.
C:\>netdom resetpwd /server:<servername> /userd:<username>\Administrator /passwordd:*

Do I enter the domain administrator password here, or just anything?
0
 
LVL 13

Expert Comment

by:brent_caskey
ID: 22864958
With the *, it will prompt for a password.
You would enter the password for the account listed - which is the Administrator password.
0
 

Author Comment

by:wuitsung
ID: 22864962
You mean I type * in the command line and I will get something that pops up to enter the password? And for my last post, which DC should I reset the password on? Any idea? Thanks!!
0
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 150 total points
ID: 22869524
Run it on the server which is not holding PDCe FSMO role and reference the other server with /server-parameter.
The /passwordd:* gives you a password prompt on the next line and hides the typing of the password from being echoed onscreen.
0
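The steps from the answers above (check the clocks first, run the reset on the DC that does not hold the PDC emulator role, let /passwordd:* prompt for the password), put together as a cmd batch file. This is an added example and not part of any post; PDC-PLACEHOLDER and DOMAIN-PLACEHOLDER are placeholders, and the KDC stop/start steps are not stated in the thread but follow the KB article linked in the accepted answer.

```bat
@echo off
rem Added example: constructed for this thread, not Microsoft's or the posters' code.
rem Run in cmd.exe on the DC that does NOT hold the PDC emulator role.
rem Requires the Support Tools (netdom). Both values below are placeholders.
setlocal
set "PDC_NAME=PDC-PLACEHOLDER"
set "DOMAIN_NAME=DOMAIN-PLACEHOLDER"

rem 1. Show the FSMO holders and refuse to run on the PDC emulator itself.
netdom query fsmo
if /i "%COMPUTERNAME%"=="%PDC_NAME%" (
    echo This machine is the PDC emulator. Run the reset on the other DC.
    exit /b 1
)

rem 2. Compare clocks. Kerberos rejects authentication when the skew exceeds
rem    its tolerance (5 minutes by default), which also shows up as access denied.
echo Local time:
time /t
net time \\%PDC_NAME%
echo If the two times differ by minutes, fix time sync and DST updates first.
pause

rem 3. Stop the KDC so this DC requests its tickets from another DC's KDC.
rem    Also set the service startup type to Manual (services.msc) until step 6.
net stop kdc

rem 4. Reset this DC's machine account password against the PDC emulator.
rem    /passwordd:* prompts for the password without echoing it.
netdom resetpwd /server:%PDC_NAME% /userd:%DOMAIN_NAME%\Administrator /passwordd:*
if errorlevel 1 (
    echo netdom resetpwd failed. Restarting the KDC and stopping here.
    net start kdc
    exit /b 1
)

rem 5. Reboot to clear cached Kerberos tickets.
rem 6. After the reboot: net start kdc, set its startup type back to Automatic,
rem    then re-run dcdiag and retry replication from Sites and Services.
echo Password reset succeeded. Restart this server now.
endlocal
```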
 

Author Comment

by:wuitsung
ID: 22869564
Thanks henjoh09!! But I just read a post where the guy did it successfully this way... Is what he did not correct?

http://www.tek-tips.com/viewthread.cfm?qid=756697

His solution is at the last post.
0
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 150 total points
ID: 22870702
I read through that post and he restarted the server, but I didn't understand it as him having reset the password on the server holding the PDCe FSMO.

I wouldn't do it on a server holding PDCe role without ensuring that I can move the FSMOs away from the server before doing it. It can otherwise end up with necessary FSMO-hijacking and other cleanup.

See KB for MS instructions about resetting computer password:
http://support.microsoft.com/kb/260575
0
 

Author Comment

by:wuitsung
ID: 22870870
OK, I see. But I already moved all 5 FSMO roles to the new DC. The thing is, when I run netdiag /fix, I got: The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC....

So do you still suggest I reset the password on the old DC? Or is it better that I move just the PDC role back to the old DC and reset the password on the new DC?
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22882169
All FSMOs should be on working DCs.
What kind of errors do you have? Anything in eventlog?
0

Question has a verified solution.