Skip navigation

I'm receiving errors from DCs in my domain, which state that the target Principal Name is incorrect or that access is denied when I attempt to replicate AD data or to perform some domain-modification functions. What's going on?

A. I recently experienced this problem when I started a DC that I hadn't used for a while and wanted to demote, but the demotion kept failing. The problem was that the DC's computer account with the domain had expired and its services could no longer communicate with other DCs in the domain. I solved the problem by resetting the DC's account. To do so, perform these steps:

  1. Log on to the DC that's having the problems.
  2. Ensure that the Windows Support Tools are installed (We'll be using the Netdom tool, which is part of the support tools.)
  3. Start the Microsoft Management Console (MMC) Computer Management snap-in (Start, Programs, Administrative Tools, Computer Management).
  4. Scroll down to the "Services and Applications" section and select the Services subleaf.
  5. Double-click the Kerberos Key Distribution Center (KDC) service.
  6. Set its startup type to Disabled and click OK.
  7. Reboot the DC.
  8. When the DC restarts, open a command prompt and run this command:
    netdom resetpwd /server: <PDC FSMO role holder of domain>
      /userd:<domain administrator> /passwordd:<domain admin password> 
  9. You should see a confirmation message stating that the machine account has been reset.
  10. Restart the Computer Management snap-in.
  11. Scroll down to the "Services and Applications" section and select the Services subleaf.
  12. Double-click the KDC service.
  13. Set its startup type to Automatic and click OK.
  14. Reboot the DC.

The DC should now function correctly.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.