I'm receiving errors from DCs in my domain, which state that the target Principal Name is incorrect or that access is denied when I attempt to replicate AD data or to perform some domain-modification functions. What's going on?

John Savill

April 14, 2005


A. I recently experienced this problem when I started a DC that I hadn't used for a while and wanted to demote, but the demotion kept failing. The problem was that the DC's computer account with the domain had expired and its services could no longer communicate with other DCs in the domain. I solved the problem by resetting the DC's account. To do so, perform these steps:

  1. Log on to the DC that's having the problems.

  2. Ensure that the Windows Support Tools are installed. (We'll be using the Netdom tool, which is part of the support tools.)

  3. Start the Microsoft Management Console (MMC) Computer Management snap-in (Start, Programs, Administrative Tools, Computer Management).

  4. Scroll down to the "Services and Applications" section and select the Services subleaf.

  5. Double-click the Kerberos Key Distribution Center (KDC) service.

  6. Set its startup type to Disabled and click OK.

  7. Reboot the DC.

  8. When the DC restarts, open a command prompt and run this command:

    netdom resetpwd /server:<another domain controller> /userd:<domain\administrator account> /passwordd:<password>

  9. You should see a confirmation message stating that the machine account has been reset.

  10. Restart the Computer Management snap-in.

  11. Scroll down to the "Services and Applications" section and select the Services subleaf.

  12. Double-click the KDC service.

  13. Set its startup type to Automatic and click OK.

  14. Reboot the DC.

The DC should now function correctly.
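
The same procedure can be driven from an elevated PowerShell session on the affected DC. The script below is an added example, not part of the original article; the parameter names (`-Phase`, `-Server`, `-DomainUser`) are this example's own, and it assumes PowerShell 3.0 or later and that Netdom is on the path. Run it once with `-Phase Prepare`, then again after the reboot with `-Phase Reset`.

```powershell
# Added example: two-phase wrapper around the manual steps above.
# Parameter names are hypothetical and belong to this example only.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Prepare', 'Reset')]
    [string]$Phase,
    [string]$Server,      # another DC in the domain (Reset phase)
    [string]$DomainUser   # DOMAIN\user allowed to reset the account (Reset phase)
)

$ErrorActionPreference = 'Stop'
$kdc = 'kdc'   # service name of the Kerberos Key Distribution Center

switch ($Phase) {
    'Prepare' {
        # Steps 3-7: set the KDC service to Disabled, then reboot.
        Set-Service -Name $kdc -StartupType Disabled
        Restart-Computer -Force
    }
    'Reset' {
        if (-not $Server -or -not $DomainUser) {
            throw 'The Reset phase needs both -Server and -DomainUser.'
        }
        # The reset is only meant to run while the local KDC is down.
        if ((Get-Service -Name $kdc).Status -ne 'Stopped') {
            throw 'KDC service is not stopped; run the Prepare phase first.'
        }
        # Step 8: '*' makes netdom prompt for the password, which keeps it
        # out of the command line and the console history.
        & netdom resetpwd "/server:$Server" "/userd:$DomainUser" '/passwordd:*'
        if ($LASTEXITCODE -ne 0) {
            # Leave the KDC disabled so the reset can be retried as-is.
            throw "netdom resetpwd failed with exit code $LASTEXITCODE."
        }
        # Steps 10-14: restore the KDC startup type, then reboot.
        Set-Service -Name $kdc -StartupType Automatic
        Restart-Computer -Force
    }
}
```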
