Q329873, problems with DC's machine account, need help!

Jeremy Lang

So a DC's machine account was corrupted by a misguided attempt to get a
couple Mac OSX 10.3 machines to participate in AD. The (cr)Apples have been
taken off the network (almost with a hammer).

I found a couple MS knowledge base articles that seemed to help, especially
Q329873 which told me to run nltest /sc_change_pwd:%domain name% and reboot.
This had worked like a charm (eventually... there's some kind of caching
mechanism that delays its working on some systems), but over the weekend
many machines started having the same problem again, though the DC wasn't
having trouble running 'Active Directory users and computers' or dcdiag
today like it did Friday evening. (DCdiag passes every test.)

It manifests with workstations' access to this server (even by
\\%servername% ) getting the result:
Logon Failure: The target account name is incorrect. It doesn't happen if
they access it by \\%serverIPaddr% but this is our main fileserver and print
server, so that's obviously not good enough. Doing the nltest thing again
today seems to have fixed it (except on one or two that are still having
problems... caching?) but I need a permanent way to fix this problem.

With further searching today I found Q216393. Looks like exactly what I
need, but netdom will not work as it's supposed to. I don't know if it's
being caused by the real problem or just that it doesn't recognize our
domain name (it's unfortunately single-level, i.e. no .com ending, but had
been working fine). Here's what I get:
netdom reset %server% /domain:%domain%
The secure channel from %server% to %domain% was not reset.
The specified domain either does not exist or could not be contacted.

The specified domain either does not exist or could not be contacted.

The command failed to complete successfully.

I tried adding the trailing period to the domain name, \\%domainname%, and a
couple other things. Anybody have any ideas??

Jeremy Lang

So, for posterity (please post to the thread if you have a similar issue and
this helps)...

I bit the bullet and spent $100 for MS email support. The person I got was
very helpful and didn't ask stupid questions already answered in my initial
email. I strongly recommend this service, though the timing didn't work so
well, so I had to wait a day for each response (maybe because I sent the
initial query in the evening it got assigned to an overnight person)...
Within three days of my initial query I had several steps to try:

The first was deleting the manual connection objects I'd created to
troubleshoot another problem a long time ago, not sure if they had any
effect on this problem.

The second was resetting the computer account passwords by stopping the
Kerberos Key Distribution service, setting it to manual, entering the
following command on both DCs (enter as one line, a space between the name
and /userd):
netdom resetpwd /server:%OTHER_DC_ServerName%
/userd:%DomainName%\administrator /passwordd:%AdminAcctPassword%
After the reboot I restarted the service and set it back to auto.

Finally I checked a couple things in ADSI Edit and forced replication,
everything's been fine for the week since then.

I'm very grateful to Redmond and volunteer to join any torches and
pitchforks team headed to Cupertino. The initial problem was partially my
fault but never would've happened on a PC (ok, you stupid little Macintosh,
what I obviously really want is for you to come up on the domain with the
same name as the PDC, don't warn me that you're actually using that name
instead of any name related to the name in the *computer name* box over in
the sharing control panel, and then go ahead and overwrite that DC's
computer account...). Since there's no way the Apple would ever be able to
unbind the DC's name and since I didn't want the ones so affected touching
the network again in that configuration I reformatted them. Everything's
happy now, though I haven't gone anywhere near the Active Directory entry in
the Directory Services utility again. Yet...
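As an added example that is not part of this thread (or of Microsoft's instructions), here is the poster's procedure from the second post scripted in PowerShell: stop the KDC, run netdom resetpwd against the other DC, reboot, then restore the KDC and check the secure channel; the DC name DC2 and domain CORP are assumed placeholders.

```powershell
# Added example, not from the original thread: the poster's manual steps
# (stop KDC -> netdom resetpwd -> reboot -> restart KDC) as two functions.
# Assumed placeholders: -OtherDc (the healthy partner DC) and -Domain (NetBIOS name).

function Start-DcMachinePasswordReset {
    param(
        [Parameter(Mandatory)][string]$OtherDc,   # assumed placeholder, e.g. DC2
        [Parameter(Mandatory)][string]$Domain     # assumed placeholder, e.g. CORP
    )
    # Stop the Kerberos Key Distribution Center so this DC issues no tickets
    # with the stale key while the account password changes, and keep it from
    # coming back on the reboot that follows (the post sets it to Manual).
    Set-Service -Name 'Kdc' -StartupType Manual
    Stop-Service -Name 'Kdc' -Force

    # Reset this machine's account password against the other DC.
    # /passwordd:* makes netdom prompt for the password instead of putting it
    # on the command line as the thread's version does.
    & netdom.exe resetpwd /server:$OtherDc /userd:"$Domain\administrator" /passwordd:*
    if ($LASTEXITCODE -ne 0) {
        throw "netdom resetpwd failed (exit code $LASTEXITCODE); KDC left stopped"
    }
    Write-Host 'Reset accepted. Reboot, then run Complete-DcMachinePasswordReset.'
}

function Complete-DcMachinePasswordReset {
    param([Parameter(Mandatory)][string]$Domain)
    # Restore the KDC as the post describes, then confirm the secure channel
    # to the domain is healthy with nltest (the tool the poster used).
    Set-Service -Name 'Kdc' -StartupType Automatic
    Start-Service -Name 'Kdc'
    & nltest.exe /sc_verify:$Domain
    if ($LASTEXITCODE -ne 0) {
        throw "nltest /sc_verify reported a broken secure channel to $Domain"
    }
}

# Usage on the affected DC, from an elevated PowerShell session:
#   Start-DcMachinePasswordReset -OtherDc DC2 -Domain CORP
#   Restart-Computer
#   Complete-DcMachinePasswordReset -Domain CORP   # after the reboot
```

If the reset fails, the script deliberately leaves the KDC stopped and set to Manual so that the DC does not resume issuing tickets from the stale key until the operator decides how to proceed.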