Active Directory – Password Reset on a PDC

Published 2018-11-13 (last modified 2022-06-07)
https://blog.n-dol.org/2018/11/13/active-directory-password-reset-on-a-pdc/

I had an issue in my lab where the PDC emulator changed its password while IPv6 communication was not properly up and running, so two different passwords ended up registered on my two DCs. This is a reminder that IPv6 is the preferred network protocol in Windows and has been since Vista.

Nothing new in this article, just some precision, as the documentation can be confusing sometimes and we tend to forget things.

The architecture is the following:

DC1: Server 2012 R2

DC2: Server 2016 (hosts all FSMO roles) – the culprit

The first thing to check is DNS: point the network card of DC2 to the working DC, as the DNS server on DC2 might not be working properly. In my case DC2 didn't have IPv6 records while DC1 had them, and since the DNS zone is replicated via AD, that clearly shows an issue.

Restart DC2; this will help name resolution and start AD with a correct DNS server.

Stop the Kerberos Key Distribution Center service on DC2 and set it to Manual. With the KDC stopped, Kerberos on DC2 will use another domain controller. If you want to target a specific one, modify the hosts file so the domain name resolves to the DC you want, or disable the KDC on every DC you don't want targeted, which can be cumbersome.

Purge the Kerberos tickets of the system logon session (logon ID 0x3e7 is LocalSystem):

KLIST -li 0x3e7 purge

To reset the password of a computer account, use the following command (don't run it yet, read on):

netdom resetpwd /s:server_name /ud:DOMAIN\Admin /pd:*

or

netdom resetpwd /server:server_name /userd:DOMAIN\Admin /passwordd:*

If you follow this documentation: https://support.microsoft.com/en-us/help/288167/error-message-target-principal-name-is-incorrect-when-manually-replica, it states that server_name should be the PDC emulator. However, this is not true: it should be a healthy DC and does not have to be the PDC, and in my case it made a huge difference! This is described in this documentation: https://support.microsoft.com/en-us/help/325850/how-to-use-netdom-exe-to-reset-machine-account-passwords-of-a-windows

So the correct command is to be run on DC2 targeting DC1, like so:

netdom resetpwd /s:DC1 /ud:DOMAIN\Administrator /pd:*

Now you can try to force replication; it should succeed. If not, other issues may be at hand.

This solved my problem, and now everything is up and running correctly.