A. I recently experienced this problem when I started a DC that I hadn't used for a while and wanted to demote, but the demotion kept failing. The problem was that the DC's computer account with the domain had expired and its services could no longer communicate with other DCs in the domain. I solved the problem by resetting the DC's account. To do so, perform these steps:
- Log on to the DC that's having the problems.
- Ensure that the Windows Support Tools are installed (We'll be using the Netdom tool, which is part of the support tools.)
- Start the Microsoft Management Console (MMC) Computer Management snap-in (Start, Programs, Administrative Tools, Computer Management).
- Scroll down to the "Services and Applications" section and select the Services subleaf.
- Double-click the Kerberos Key Distribution Center (KDC) service.
- Set its startup type to Disabled and click OK.
- Reboot the DC.
- When the DC restarts, open a command prompt and run this command:
netdom resetpwd /server: <PDC FSMO role holder of domain> /userd:<domain administrator> /passwordd:<domain admin password>
- You should see a confirmation message stating that the machine account has been reset.
- Restart the Computer Management snap-in.
- Scroll down to the "Services and Applications" section and select the Services subleaf.
- Double-click the KDC service.
- Set its startup type to Automatic and click OK.
- Reboot the DC.
The DC should now function correctly.
2 comments
Hide comments