Article ID: 257288
This article was previously published under Q257288
This article describes how to repair a Windows 2000 domain controller whose machine account has been deleted. There are two known scenarios for this problem:
Identifying the Problem
Domain controller-to-domain controller communication uses the machine account for authentication. If the machine account is missing, no domain controller is able to authenticate the "broken" domain controller, the "broken" domain controller is not authenticated by any other domain controllers, and the Directory service is unable to replicate.
To be sure the missing machine account is blocking Active Directory replication, run the following command on the computer you suspect is missing its machine account:
dcdiag /s:localhost
If the machine account is missing, the following error message is displayed:
Error: The server servername is missing its machine account. Try running with the /repairmachineaccount option.
In addition, if the machine account is deleted while Dcpromo is running on the server that is becoming a replica of an existing domain, the following event log message from Security Accounts Manager (SAM) is displayed during system startup:
Event ID: 16405
Text: During the installation of the Directory Service, this server's machine account was deleted hence preventing this Domain Controller from starting up.
Typically, Dcpromo does not work if it detects that the server's machine account is deleted. For example, when replicating the "critical" domain objects (the non-cancelable portion of Active Directory promotion), Dcpromo checks to make sure the local server's machine account is successfully replicated.
However, during the cancelable replication phase of Dcpromo, the machine account may be deleted. At this point, it is too late to roll back the changes. Dcpromo finishes the replication without error messages. When you restart the computer, Event ID 16405 is displayed. No Windows 2000 component deletes machine accounts unless explicitly directed by the user in administrator tools, including the Domain Users and Computers snap-in. Therefore, this situation can only occur because of an accidental user action, which is very rare.
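The two indicators described above (the Dcdiag message and SAM Event ID 16405) can be checked in one pass. The following PowerShell script is an added example and is not part of the original article; it assumes a domain controller with PowerShell and Dcdiag.exe available, that the SAM event is written to the System log, and that Dcdiag prints the English message text shown above.

```powershell
# Added example (not from the article): detect the "missing machine account"
# condition on a domain controller using the two indicators the article names.
# Assumptions: PowerShell and dcdiag.exe are available, SAM logs Event ID 16405
# to the System log, and Dcdiag emits the English message shown in the article.

function Test-DcdiagMachineAccount {
    param([string[]]$DcdiagOutput)
    # Match the article's message: "The server <name> is missing its machine account."
    $pattern = 'The server (\S+) is missing its machine account'
    foreach ($line in $DcdiagOutput) {
        if ($line -match $pattern) {
            return [pscustomobject]@{ Missing = $true; Server = $Matches[1]; Line = $line }
        }
    }
    return [pscustomobject]@{ Missing = $false; Server = $null; Line = $null }
}

function Get-SamMachineAccountDeletedEvents {
    # Event ID 16405: machine account deleted during Dcpromo (per the article).
    # Assumption: the event lands in the System log; the provider name filter is
    # a best guess and only narrows the Id match to SAM-originated entries.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 16405 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'SAM|Security.*Accounts' }
}

function Invoke-MachineAccountCheck {
    # Run Dcdiag against the local server, exactly as the article instructs.
    $output = & dcdiag.exe /s:localhost 2>&1 | ForEach-Object { [string]$_ }
    $dcdiag = Test-DcdiagMachineAccount -DcdiagOutput $output
    $events = @(Get-SamMachineAccountDeletedEvents)
    if ($dcdiag.Missing) {
        Write-Warning "Dcdiag reports $($dcdiag.Server) is missing its machine account."
        Write-Warning 'Next step per the article: dcdiag /s:localhost /repairmachineaccount'
    }
    if ($events.Count -gt 0) {
        Write-Warning "Found $($events.Count) SAM Event ID 16405 entries (account deleted during Dcpromo)."
    }
    if (-not $dcdiag.Missing -and $events.Count -eq 0) {
        Write-Output 'No missing-machine-account indicators found.'
    }
    return [pscustomobject]@{ DcdiagMissing = $dcdiag.Missing; Server = $dcdiag.Server; Event16405Count = $events.Count }
}

# Constructed sample Dcdiag output, for checking the parser without a broken DC.
$sample = @(
    'Starting test: Connectivity',
    'Error: The server DC2 is missing its machine account. Try running with the /repairmachineaccount option.'
)
Test-DcdiagMachineAccount -DcdiagOutput $sample
```

Run Invoke-MachineAccountCheck on the suspect domain controller; the repair option is only suggested, not executed, because the article's recovery path depends on whether a backup exists.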
Recovery Case 1: Steady State Scenario and Active Directory Backup of the Domain Exists
Having a recent backup of Active Directory for the domain is the best-case scenario for recovery. Use the following steps for recovery:
Recovery Case 2: No Backup or the Account Was Deleted During Dcpromo
Dcdiag Success Messages
The following message is displayed when Dcdiag successfully recovers the machine account:
This Domain Controller's machine account has been successfully restored. Please demote and promote this machine to ensure all state is correctly rebuilt.
In this case, the recovery is successful and you should demote and then re-promote the server.
Dcdiag Error Messages
The following error messages may be displayed when Dcdiag is attempting to recover the machine account:
Error: Unable to find another Domain Controller to help repair our account
This message indicates Dcdiag could not find another domain controller to create the machine account. Make sure another domain controller is currently running and accessible from the broken domain controller.
Error: The machine account %1 could not be created on %2 because %3.
The %3 parameter is a Win32 error message that indicates why the attempt to create a machine account was unsuccessful. A common reason is insufficient credentials (access denied).
Error: The machine account %1 password could not be reset on %2 because %3. Please reset the account on %3.
The %3 parameter is a Win32 error message that indicates why the attempt to set the password of the account on server %2 was unsuccessful. A common reason is insufficient credentials. You can perform the "Reset Password" action on server %2 using the Users and Computers snap-in on server %2. This error does not block the recovery operation.
Error: The Key Distribution Center could not be stopped because %1.
The %1 parameter is a Win32 text error message that indicates why the KDC could not be stopped. You can try to stop the service manually by typing the following command:
net stop kdc
Error: The replication from %1 failed because %2.
The attempt to replicate the machine account from server %1 was unsuccessful because of Win32 error message %2. This error prevents the recovery from working. You can try to manually force a replication cycle using the Sites and Services snap-in locally on the broken domain controller. Note that if you cannot set the password, the operation is unsuccessful.
Error: The attempt to repair the machine account failed because %1.
This error message is only printed in unresolved situations; there may be a resource error causing the problem. The %1 parameter is a Win32 error message that explains the problem.