Sunday, October 21, 2007

What Happens When the Computer Account for an Exchange Server Is Reset in Active Directory



Active Directory consists of objects: users, computers, OUs (organizational units) and so on. Each computer object has a secure channel with a domain controller, and over that secure channel the workstation and the DC (domain controller) talk to each other. The channel is authenticated with the computer account's password, which the computer changes on its own: every 30 days on Windows 2000 and later, and every 7 days in the old NT days. If for some reason the computer account is reset (a domain admin resets it), the password stored in AD no longer matches the one the computer holds and the secure channel breaks. Microsoft gives us the ability to re-establish that secure channel from the computer side with Netdom.exe (netdom resetpwd) instead of rejoining the domain.

Go to Joe's site (www.joeware.net) and locate the Win32 tools; with them we can tell the last time the computer changed its 'secret password' (the pwdLastSet attribute on the computer object).

  • Each Windows-based computer maintains a machine account password history containing the current and previous passwords used for the account. When two computers attempt to authenticate with each other and a change to the current password has not yet been received, Windows falls back to the previous password. If the sequence of password changes exceeds two changes, the computers involved may be unable to communicate, and you may receive error messages (for example, "Access Denied" errors when Active Directory replication occurs).
  • Resetting a computer account breaks that computer's connection to the domain; unless the secure channel is reset from the computer side with Netdom, the computer must rejoin the domain. In my scenario this was done on an Exchange server: the computer account was reset and there was no way to log into the server except locally, at the server itself. Taking the server out of the domain, rebooting it and adding it back to the domain worked, and all Exchange services were up and running after it rejoined under the same name. Because the computer object was reset rather than deleted, the rejoin reused the existing object with the same SID and group memberships, which is why the Exchange organization still recognized the server. Remember that renaming an Exchange server will break Exchange and there will be no way to bring it back from the dead; renaming is of course not supported by Microsoft.

Truthfully speaking, if I had had to speculate, I would have thought that resetting the computer account for Exchange would wreck the Exchange server. Taking the Exchange server out of the domain and adding it back is a worrying process, especially in a production environment. Since I had no choice and little time to bring Exchange back online, I went ahead, took the server out of the domain and added it back, and saw that everything worked: the Exchange server is up and running.
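As an added example (not code from the original post or from the joeware tools), here is the same check and repair done from PowerShell: read the computer object's pwdLastSet to see when the machine last changed its secret password, test the secure channel, and, if it is broken, reset it in place so the server keeps its SID and AD object and never has to leave the domain. It assumes a domain-joined machine, PowerShell 2.0 or later (which post-dates this post), a domain account allowed to reset the computer's password, and an elevated prompt for the repair; the computer name parameter is an assumption and defaults to the local machine.

```powershell
# Added example, not from the original post. Assumes: run from PowerShell 2.0+
# on a domain-joined machine, as a domain user that can read computer objects;
# the repair step additionally needs an elevated prompt and an account that may
# reset the computer's password (reset-password right on the computer object).
param(
    [string]$ComputerName = $env:COMPUTERNAME   # assumption: the Exchange server's NetBIOS name
)

# 1. When did this computer last change its machine-account password?
#    pwdLastSet is a FILETIME (100ns ticks since 1601-01-01 UTC) stored as a large integer.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
[void]$searcher.PropertiesToLoad.AddRange(@('pwdLastSet', 'userAccountControl'))
$result = $searcher.FindOne()
if (-not $result) { throw "Computer account $ComputerName`$ not found in the domain" }

$pwdLastSet = [DateTime]::FromFileTimeUtc([int64]$result.Properties['pwdlastset'][0])
$ageDays    = ((Get-Date).ToUniversalTime() - $pwdLastSet).TotalDays
"{0}`$ last changed its machine password at {1:u} ({2:N1} days ago)" -f $ComputerName, $pwdLastSet, $ageDays

# userAccountControl bit 0x2 = ACCOUNTDISABLE; an unjoin leaves the object disabled,
# so a disabled object after a reset is a hint that someone already removed the server.
$uac = [int]$result.Properties['useraccountcontrol'][0]
if ($uac -band 0x2) { "Warning: the computer object is disabled in AD." }

# 2. Is the secure channel to a DC healthy? This only makes sense on the computer itself.
if ($ComputerName -eq $env:COMPUTERNAME) {
    if (Test-ComputerSecureChannel) {
        "Secure channel is healthy; no reset needed."
    }
    else {
        # 3. Repair in place: sets a new machine password locally and in AD,
        #    the same thing 'netdom resetpwd' does. The object, its SID and its
        #    group memberships are untouched, so no unjoin/rejoin is needed.
        $cred = Get-Credential   # domain account with rights to reset the computer password
        if (Test-ComputerSecureChannel -Repair -Credential $cred) {
            "Secure channel repaired; log on with a domain account to confirm."
        }
        else {
            "Repair failed; fall back to 'netdom resetpwd' or an unjoin/rejoin."
        }
    }
}
```

Run it first as a read-only check (it only queries AD until the secure channel test fails), then rerun elevated on the Exchange server itself to do the repair. The repair needs a reachable DC; if the machine password in AD has been reset more than twice since the computer last changed it, the password-history fallback described above no longer helps and this in-place reset is the only alternative to rejoining.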

Best

Oz ozugurlu

10 comments:

Anonymous said...

Hello there

Have ended up with the same situation on a live production environment.

I have the same reservations about the issues between Exchange and re-joining the computer account (new SID etc.) and so have avoided resetting the computer account.

I have tried a non-authoritative restore of the reset computer AD object and after replication I still cannot log into the machine.

Have been searching through KBs for a few hours now and pleased to have come across your blog, which has prompted me to give it a go... after another coffee!

Thanks for blogging your story!

Cheers

Tyson said...

Did you test this and what was the outcome? I'm now in the same scenario!

Oz Ozugurlu said...

Just re-add it to the domain. This happened in production and I was able to bring Exchange back to the domain with no problems; it sounds scary but it will be just fine.
oz

UNplugged said...

As far as I know, it doesn't hurt to reset the account, as the computer joins the domain back with the same computer SID. So technically, resetting the Exchange Server account shouldn't hurt at all. I know the fear of the unknown, but I think I have done so during my support days.

Daniel said...

This blog post was a lifesaver. Thanks from Sydney, Australia.

We had to change out the disks in the RAID5 array that contained our mailbox store. After a cascade of errors and problems, and an all-nighter by my colleague, we were at the stage where we couldn't log on to the domain on the Exchange server.

I found your blog post, and like you, we had to get Exchange back up and running (by this time it was 7:30AM on a Tuesday morning - 1 hour before people were due to start work)

We bit the bullet, removed the Exchange server from the domain, rebooted, re-added it, rebooted, and voila!

Exchange services are now working fine, ActiveSync and Webmail are fine, our Symantec Enterprise Vault is working, and our BES server is happy, as are we.

The Exchange server in question is part of an Exchange org that spans 2 sites, and contains 4 servers. The other servers are communicating with this one without problems.

Hope this comment helps confirm that the solution works for some other IT people who may be tearing their hair out as they read this page. It can be a bit daunting trying something that only 1 person has confirmed.

Also, make sure you don't delete the computer account for your Exchange server manually, as this will screw up the SID for that account.

Thanks again for posting this info.

Daniel

Jennifer said...

I have just started working from home and get my email from an exchange server via Entourage. On Sunday I noticed that my work email was "Not Connected". I sent an email to my boss on Monday morning and the IT guy advised that the server was "reset" over the weekend. What exactly does this mean and what is the purpose of resetting the server?

Thanks,
Jennifer

Oz Casey Dedeal said...

It sounds like a reboot (power down and up) of the server. To be honest it could be something else; most often IT people use a general expression to explain bad things.

The right question to ask would be "why" (root cause) and to make sure it won't happen again (-:

Cheers
ocd

Andy said...

FWIW I just did this in my test lab and it worked OK. Had a replica AD environment and Exchange, but it had been shut down for several months so everything had tombstoned. Did a sysvol restore of AD to get both DCs back online, then rejoined Exchange back to the domain and it seems fine.

Anonymous said...

Hi there,

To fix this problem, just log on to the Exchange server with the local administrator account and use this command: netdom resetpwd /server:yourdomaincontroller /userd:domain\administrator /passwordd:yourdomainpassword

Hope this helps
Metos

Anonymous said...

Thanks a lot, Metos. I ran the command as you posted and it worked very well. You saved my life. I appreciate it.