Article ID: 257288
Article Last Modified on 3/1/2007
APPLIES TO
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
This article was previously published under Q257288
SUMMARY
This article describes how to repair a Windows 2000 domain controller whose machine account has been deleted. There are two known scenarios for this problem:
- The account is deleted during the installation of a domain controller.
- The domain controller is in a "steady state" for some time, and then its machine account is deleted.
In both situations, you can use Dcdiag.exe to resolve the problem. In the second situation, you can use an authoritative restore operation if a backup is available.
MORE INFORMATION
Identifying the Problem
Domain controller-to-domain controller communication uses the machine account for authentication. If the machine account is missing, the "broken" domain controller cannot authenticate to any other domain controller and no other domain controller can authenticate to it, so the directory service is unable to replicate.
To be sure the missing machine account is blocking Active Directory replication, run the following command on the computer you suspect is missing its machine account:
dcdiag /s:localhost
If the machine account is missing, the following error message is displayed:
In addition, if the machine account is deleted while Dcpromo is running on the server that is becoming a replica of an existing domain, the following event log message from Security Accounts Manager (SAM) is displayed during system startup:
Typically, Dcpromo fails if it detects that the server's machine account has been deleted. For example, when replicating the "critical" domain objects (the non-cancelable portion of Active Directory promotion), Dcpromo checks that the local server's machine account was replicated successfully.
However, during the cancelable replication phase of Dcpromo, the machine account may be deleted. At this point, it is too late to roll back the changes. Dcpromo finishes the replication without error messages. When you restart the computer, Event ID 16405 is displayed. No Windows 2000 component deletes machine accounts unless explicitly directed by the user in administrator tools, including the Domain Users and Computers snap-in. Therefore, this situation can only occur because of an accidental user action, which is very rare.
Recovery Case 1: Steady State Scenario and Active Directory Backup of the Domain Exists
Having a recent backup of Active Directory for the domain is the best-case scenario for recovery. Use the following steps for recovery:
- Perform an authoritative restore operation of the domain controller's machine account on a domain controller (for example, domain controller A) other than the broken domain controller (for example, domain controller B). Domain controller A should be a replication partner of domain controller B. You can check this in the Sites and Services snap-in. If domain controller B has a connection object from domain controller A, domain controller B replicates from domain controller A.
NOTE: For more information about an authoritative restore operation, refer to the Directory service resource kit documentation.
- On domain controller B, stop the Key Distribution Center (KDC) service by typing the following command:
net stop kdc
- On domain controller B, use the Sites and Services snap-in to perform a Replicate Now operation on the connection object for domain controller A; that is, force a replication cycle from domain controller A to domain controller B. Domain controller B replicates in its machine account, and starts to perform normally again.
Recovery Case 2: No Backup or the Account Was Deleted During Dcpromo
- Run Dcdiag.exe with the following command-line option:
dcdiag /s:localhost /repairmachineaccount
NOTE: When you use this command-line option, Dcdiag must be run locally on the computer you want to fix.
The logged-on user running the command should be a domain administrator, or you should pass domain Administrator credentials to Dcdiag.exe through command-line parameters. Even if the domain controller's machine account has been deleted, you can still log on to the domain controller by using a domain account.
- If this action is successful, Dcdiag creates a machine account for the server on another domain controller in the domain, and then replicates over the change, using the credentials provided (or the logged on user's credentials). The domain controller can now perform Directory Service replication.
- Demote and then re-promote the server to ensure that its state is properly reconstructed. Some services (for example, the File Replication Service) keep state under the machine account, and that state was lost when the machine account was deleted.
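The checks the article asks for before and during Recovery Case 2 (is the machine account really gone, is another domain controller reachable, did SAM log Event ID 16405, what does Dcdiag report) can be gathered in one pass. The following PowerShell script is an added example and is not part of KB 257288; it assumes it is run locally on the suspect domain controller as a domain administrator, that the partner domain controller name passed in is resolvable, that the SAM startup event is in the System log (an assumption), and that dcdiag.exe is on the path.

```powershell
# Pre-flight check for a domain controller suspected of having lost its machine account.
# Added example, not part of the original article. Assumptions: run locally on the
# suspect DC as a domain administrator; $PartnerDC is another, healthy DC that is
# reachable by name; Event ID 16405 from SAM is written to the System log.
param(
    # Another domain controller to ask about this server's computer object.
    [Parameter(Mandatory)][string]$PartnerDC
)

$self = $env:COMPUTERNAME

# 1. Ask the partner DC whether this server's computer object still exists.
#    Querying the partner (not the local, possibly broken directory) also proves
#    that another DC is running and accessible, which Dcdiag /repairmachineaccount needs.
$rootDse   = [ADSI]"LDAP://$PartnerDC/RootDSE"
$defaultNC = $rootDse.Properties['defaultNamingContext'].Value
$searcher  = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$PartnerDC/$defaultNC"
# A computer account's sAMAccountName is the host name followed by a dollar sign.
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$self`$))"
$account = $searcher.FindOne()
if ($account) {
    Write-Host "Machine account for $self exists on $PartnerDC : $($account.Path)"
} else {
    Write-Warning "Machine account for $self is NOT present on $PartnerDC"
}

# 2. Look for the SAM startup event the article describes (Event ID 16405).
$samEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 16405 } `
                          -MaxEvents 5 -ErrorAction SilentlyContinue
if ($samEvents) {
    $samEvents | Select-Object TimeCreated, ProviderName, Message | Format-List
} else {
    Write-Host "No Event ID 16405 entries found in the System log"
}

# 3. Run the diagnostic from the article and show its outcome; the repair switch
#    (/repairmachineaccount) is deliberately left to the operator.
& dcdiag.exe /s:localhost 2>&1 | Out-Host
```

If step 1 reports the account as missing while step 3 shows the Dcdiag error, the server is in the state the article describes and Recovery Case 1 or 2 applies depending on whether a backup exists.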
Dcdiag Success Messages
The following message is displayed when Dcdiag successfully recovers the machine account:
In this case, the recovery is successful and you should demote and then re-promote the server.
Dcdiag Error Messages
The following error messages may be displayed when Dcdiag is attempting to recover the machine account:
This message indicates Dcdiag could not find another domain controller to create the machine account. Make sure another domain controller is currently running and accessible from the broken domain controller.
The %3 parameter is a Win32 error message that indicates why the attempt to create a machine account was unsuccessful. A common reason is insufficient credentials (access denied).
The %3 parameter is a Win32 error message that indicates why the attempt to set the password of the account on server %2 was unsuccessful. A common reason is insufficient credentials. You can perform the "Reset Password" action on the account by using the Users and Computers snap-in on server %2. This error does not block the recovery operation.
The %1 parameter is a Win32 text error message that indicates why the KDC could not be stopped. You can try to stop the service manually by typing the following command:
net stop kdc
The attempt to replicate the machine account from server %1 was unsuccessful because of Win32 error message %2. This error prevents the recovery from working. You can try to manually force a replication cycle using the Sites and Services snap-in locally on the broken domain controller. Note that if you cannot set the password, the operation is unsuccessful.
This error message is printed only in unresolved situations; there may be a resource error causing the problem. The %1 parameter is a Win32 error message that explains the problem.
Keywords: kbinfo KB257288