There are times when you may need to reset the Domain Controller computer object passwords.
NOTE: You will have to move the PDC role to another DC in order to perform this task on the DC that currently holds this FSMO role.
- Logon to a Domain Controller as a Domain Admin with an interactive session.
- Temporarily Stop the “Kerberos Key Distribution Center” Service and set it’s Startup to Manual
- Run the following command:
“netdom resetpwd /s:DC01 /ud:DOMAIN\DomAdmin /pd:*
- Enter the password the account specified above
- Restart the “Kerberos Key Distribution Center” Service and set it’s Startup to Automatic
You can pull the pwdLastSet field of the Domain Controllers to verify that the password did actually update.
In certain instances dealing with Cybersecurity & Incident Response you may need to perform this action twice on all Domain Controllers.