How to Recover from a Deleted Domain Controller Machine Account in Windows 2000 (257288)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q257288

SUMMARY

This article describes how to repair a Windows 2000 domain controller whose machine account has been deleted. There are two known scenarios for this problem:
  1. The account is deleted during the installation of a domain controller.
  2. The domain controller is in a "steady state" for some time, and then its machine account is deleted.
In both situations, you can use Dcdiag.exe to resolve the problem. In the second situation, you can use an authoritative restore operation if a backup is available.

MORE INFORMATION

Identifying the Problem

Domain controller-to-domain controller communication uses the machine account for authentication. If the machine account is missing, no other domain controller can authenticate the "broken" domain controller, so the Directory service cannot replicate to or from it.

To be sure the missing machine account is blocking Active Directory replication, run the following command on the computer you suspect is missing its machine account:

dcdiag /s:localhost

If the machine account is missing, the following error message is displayed:
Error: The server servername is missing its machine account. Try running with the /repairmachineaccount option.
In addition, if the machine account is deleted while Dcpromo is running on the server that is becoming a replica of an existing domain, the following event log message from Security Accounts Manager (SAM) is displayed during system startup:
Source: SAM
Event ID: 16405
Level: Error
Text: During the installation of the Directory Service, this server's machine account was deleted hence preventing this Domain Controller from starting up.
Normally, Dcpromo fails if it detects that the server's machine account has been deleted. For example, while replicating the "critical" domain objects (the non-cancelable portion of Active Directory promotion), Dcpromo checks that the local server's machine account has replicated successfully.

However, the machine account can be deleted during the cancelable replication phase of Dcpromo. At that point it is too late to roll back the changes: Dcpromo finishes the replication without error messages, and when you restart the computer, Event ID 16405 is logged. No Windows 2000 component deletes machine accounts unless explicitly directed by the user in an administrative tool such as the Active Directory Users and Computers snap-in. Therefore, this situation can only occur because of an accidental user action, which is very rare.
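The check described above, as an added example that is not part of this article: a batch file run locally on the suspect domain controller that runs the same Dcdiag command, scans its output for the "missing its machine account" error, and shows the inbound replication state. It assumes Dcdiag.exe and Repadmin.exe from the Windows 2000 Support Tools are on the PATH.

```batch
@echo off
rem Added example, not part of KB 257288: run the Dcdiag check from the article
rem locally on the suspect domain controller and scan its output for the
rem "missing its machine account" error. Assumes Dcdiag.exe and Repadmin.exe
rem from the Windows 2000 Support Tools are on the PATH.
setlocal
set LOG=%TEMP%\dcdiag-machineacct.txt

rem Same check as in the article; keep the full output for later review.
dcdiag /s:localhost > "%LOG%" 2>&1

rem /c: treats the quoted text as one literal string, /i ignores case.
rem findstr sets errorlevel 1 when nothing matches.
findstr /i /c:"missing its machine account" "%LOG%" >nul
if errorlevel 1 goto :notmissing

echo RESULT: %COMPUTERNAME% has no machine account in Active Directory.
echo Full Dcdiag output is in %LOG%.
echo Inbound replication status (expect failures from every partner):
repadmin /showreps localhost
echo Next: use Recovery Case 1 if a domain backup exists, otherwise
echo "dcdiag /s:localhost /repairmachineaccount" (Recovery Case 2).
goto :done

:notmissing
echo RESULT: Dcdiag did not report a missing machine account on %COMPUTERNAME%.
echo Any replication failure has another cause; review %LOG% and the SAM
echo entries in the System event log (event 16405 applies only to the Dcpromo case).

:done
endlocal
```

Run it from a command prompt while logged on with a domain account. Because the branch is driven by findstr's exit status rather than by reading the screen, the same file can be called from a larger scripted health check.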

Recovery Case 1: Steady State Scenario and Active Directory Backup of the Domain Exists

Having a recent backup of Active Directory for the domain is the best-case scenario for recovery. Use the following steps for recovery:
  1. Perform an authoritative restore operation of the domain controller's machine account on a domain controller (for example, domain controller A) other than the broken domain controller (for example, domain controller B). Domain controller A should be a replication partner of domain controller B. You can check this in the Sites and Services snap-in. If domain controller B has a connection object from domain controller A, domain controller B replicates from domain controller A.

    NOTE: For more information about an authoritative restore operation, refer to the Directory service resource kit documentation.
  2. On domain controller B, turn off Key Distribution Center by typing the following command:

    net stop kdc

  3. On domain controller B, use the Sites and Services snap-in to perform a Replicate Now operation on the connection object for domain controller A; that is, force a replication cycle from domain controller A to domain controller B. Domain controller B replicates in its machine account, and starts to perform normally again.
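The three steps of Recovery Case 1 typed out, as an added example that is not part of this article. Assumed names: domain example.com, healthy replication partner DC-A (where the restore is performed), broken domain controller DC-B, and a placeholder GUID for DC-A. Repadmin.exe from the Windows 2000 Support Tools stands in for the Sites and Services "Replicate Now" action so that steps 2 and 3 are scriptable; step 1 is interactive and is shown in comments. On Windows 2000 the ntdsutil authoritative restore menu has no "restore object" command, so "restore subtree" with the computer object's distinguished name is used to mark just that object.

```batch
@echo off
rem Added example, not part of KB 257288: Recovery Case 1 for the assumed names
rem domain example.com, healthy partner DC-A, broken domain controller DC-B.
rem Repadmin.exe (Windows 2000 Support Tools) replaces the Sites and Services
rem "Replicate Now" action so that the DC-B side can be scripted.
rem
rem Step 1 is interactive and runs on DC-A, not in this script:
rem   a. Restart DC-A in Directory Services Restore Mode (F8 during startup).
rem   b. Restore System State from the backup with Ntbackup; do NOT restart yet.
rem   c. At a command prompt:
rem        ntdsutil
rem        ntdsutil: authoritative restore
rem        authoritative restore: restore subtree "CN=DC-B,OU=Domain Controllers,DC=example,DC=com"
rem        (confirm the prompt; Windows 2000 has no "restore object", and
rem         "restore subtree" on the computer object's own DN marks only it)
rem        authoritative restore: quit
rem        ntdsutil: quit
rem   d. Restart DC-A normally and wait for it to finish starting.
rem
rem Steps 2 and 3 below run on DC-B.
setlocal
set DOMAINNC=DC=example,DC=com
rem Object GUID of DC-A's NTDS Settings object: copy it from the first lines of
rem "repadmin /showreps dc-a.example.com" (placeholder value here).
set SRCGUID=00000000-0000-0000-0000-000000000000

rem Step 2: stop the local KDC so that DC-B's own Kerberos traffic is not
rem handled by a KDC that has no account for DC-B.
net stop kdc

rem Step 3: pull the domain partition from DC-A only (the DC holding the
rem authoritatively restored object). /force ignores the replication schedule.
repadmin /sync %DOMAINNC% dc-b.example.com %SRCGUID% /force
if errorlevel 1 (
  echo Replication from DC-A failed; see "repadmin /showreps dc-b.example.com".
  goto :done
)

rem Confirm the account is back before restarting the KDC.
dcdiag /s:localhost | findstr /i /c:"missing its machine account" >nul
if errorlevel 1 (
  echo Machine account for DC-B replicated in; restarting the KDC.
  net start kdc
) else (
  echo Dcdiag still reports a missing machine account. The restored object has
  echo not reached DC-B yet; re-run the sync or recheck the restore on DC-A.
)

:done
endlocal
```

The article does not say when to start the KDC again; the script does it only after Dcdiag stops reporting the missing account, which is the point at which DC-B can again be authenticated by its partners.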

Recovery Case 2: No Backup or the Account Was Deleted During Dcpromo

  1. Run Dcdiag.exe with the following command-line option:

    dcdiag /s:localhost /repairmachineaccount

    NOTE: When you use this command-line option, Dcdiag must be run locally on the computer you want to fix.

    The logged-on user who runs the command should be a domain administrator, or you should pass domain Administrator credentials to Dcdiag.exe through its command-line parameters. Even though the domain controller's machine account is deleted, you can still log on to the domain controller with a domain account.
  2. If this action is successful, Dcdiag creates a machine account for the server on another domain controller in the domain, and then replicates over the change, using the credentials provided (or the logged on user's credentials). The domain controller can now perform Directory Service replication.
  3. Demote and then re-promote the server to ensure that its state is properly reconstructed. Some services (for example, the File Replication Service) keep state under the machine account, and that state was lost when the machine account was deleted.
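Recovery Case 2 as a script, an added example that is not part of this article. It runs locally on the broken domain controller while logged on as a domain administrator, checks Dcdiag's output for the success message quoted below, and reminds the operator of the demote/re-promote step, which Dcpromo performs interactively. It assumes Dcdiag.exe and Repadmin.exe from the Windows 2000 Support Tools are on the PATH.

```batch
@echo off
rem Added example, not part of KB 257288: Recovery Case 2 run locally on the
rem broken domain controller while logged on as a domain administrator.
rem Dcdiag.exe and Repadmin.exe (Windows 2000 Support Tools) must be on the PATH.
rem If the logged-on user is not a domain administrator, append
rem   /u:DOMAIN\user /p:password
rem to the dcdiag line; the password then sits in this file and in the command
rem history, so logging on with the right account is preferable.
setlocal
set LOG=%TEMP%\dcdiag-repair.txt

rem Step 1: the repair. /s:localhost is mandatory; /repairmachineaccount only
rem works on the computer being repaired.
dcdiag /s:localhost /repairmachineaccount > "%LOG%" 2>&1

rem Step 2: look for the success message quoted in the article.
findstr /i /c:"machine account has been successfully restored" "%LOG%" >nul
if errorlevel 1 goto :failed

echo Machine account recreated on a helper domain controller and replicated in.
echo Confirming that inbound replication now succeeds:
repadmin /showreps localhost
echo Step 3: run Dcpromo to demote this server, restart it, then run Dcpromo
echo again to re-promote it, so FRS and other per-machine state is rebuilt.
goto :done

:failed
echo Repair did not report success. Dcdiag output:
type "%LOG%"
echo "Unable to find another Domain Controller" means no partner was reachable;
echo "access denied" in a "could not be created" line means the credentials in
echo use are not a domain administrator's.

:done
endlocal
```

The success test is the literal message Dcdiag prints, so if a later Dcdiag build rewords it the script will report a false failure; in that case read the captured output rather than trusting the branch.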

Dcdiag Success Messages

The following message is displayed when Dcdiag successfully recovers the machine account:
This Domain Controller's machine account has been successfully restored. Please demote and promote this machine to ensure all state is correctly rebuilt.

In this case, the recovery is successful and you should demote and then re-promote the server.

Dcdiag Error Messages

The following error messages may be displayed when Dcdiag is attempting to recover the machine account:
Error: Unable to find another Domain Controller to help repair our account

This message indicates Dcdiag could not find another domain controller to create the machine account. Make sure another domain controller is currently running and accessible from the broken domain controller.

Error: The machine account %1 could not be created on %2 because %3.

The %3 parameter is a Win32 error message that indicates why the attempt to create a machine account was unsuccessful. A common reason is insufficient credentials (access denied).

Error: The machine account %1 password could not be reset on %2 because %3. Please reset the account on %3.

The %3 parameter is a Win32 error message that indicates why the attempt to set the account's password on server %2 was unsuccessful. A common reason is insufficient credentials. You can perform the Reset Password action on the account by using the Active Directory Users and Computers snap-in connected to server %2. This error does not block the recovery operation.

Error: The Key Distribution Center could not be stopped because %1.

The %1 parameter is a Win32 text error message that indicates why the KDC could not be stopped. You can try to stop the service manually by typing the following command:

net stop kdc

Error: The replication from %1 failed because %2.

The attempt to replicate the machine account from server %1 was unsuccessful because of Win32 error message %2. This error prevents the recovery from working. You can try to manually force a replication cycle using the Sites and Services snap-in locally on the broken domain controller. Note that if you cannot set the password, the operation is unsuccessful.

Error: The attempt to repair the machine account failed because %1.

This error message is only printed in unresolved situations; there may be a resource error causing the problem. The %1 parameter is a Win32 error message that explains the problem.


Modification Type: Major
Last Reviewed: 9/22/2003
Keywords:kbinfo KB257288