Reset local administrator password on a DC [message #159231] Mon, 27 July 2009 10:59
jjmacdonald, United States
Messages: 8
Registered: July 2009
Junior Member
I need to reset the local password on a DC so I can dcpromo –demote it

This is an old Windows 2003 Domain Controller and no one can remember
the local password. Is it the “DSRM” or the “ntdsutil” that I run at
the command line?

I have tried looking and have seen both. But they mostly talk about
server 2000.


Can anyone point me in the right direction?
Re: Reset local administrator password on a DC [message #159233 is a reply to message #159231] Mon, 27 July 2009 11:05
Danny Sanders, United States
Messages: 169
Registered: July 2009
Senior Member
If I remember right it will give you the chance to set the admin password
during the dcpromo process, or you can right click on the administrator
account in the users folder and set the password there.

hth
DDS

<jjmacdonald@cox.net> wrote in message
news:0e7b9a58-648b-4285-9282-a61c0f0600a6@e27g2000yqm.googlegroups.com...
I need to reset the local password on a DC so I can dcpromo demote it

This is an old Windows 2003 Domain Controller and no one can remember
the local password. Is it the DSRM or the ntdsutil that I run at
the command line?

I have tried looking and have seen both. But they mostly talk about
server 2000.


Can anyone point me in the right direction?
Re: Reset local administrator password on a DC [message #159234 is a reply to message #159231] Mon, 27 July 2009 11:09
meiweb(nospam), Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello jjmacdonald@cox.net,

You don't need the local admin password to demote it. This can be done with
the domain administrator account. During demotion you are required to set
a new administrator password when the server becomes member server.

The DSRM is needed when you try to boot into the Active directory restore
mode.
http://support.microsoft.com/kb/322672

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I need to reset the local password on a DC so I can dcpromo -demote it
>
> This is an old Windows 2003 Domain Controller and no one can remember
> the local password. Is it the "DSRM" or the "ntdsutil" that I run at
> the command line?
>
> I have tried looking and have seen both. But they mostly talk about
> server 2000.
>
> Can anyone point me in the right direction?
>
Re: Reset local administrator password on a DC [message #159235 is a reply to message #159233] Mon, 27 July 2009 11:36
jjmacdonald, United States
Messages: 8
Registered: July 2009
Junior Member
Thanks for the quick response.
I've never had to demote one and I know that there is a password that
you set up when you do promote it. That is the one that no one knows.
Re: Reset local administrator password on a DC [message #159240 is a reply to message #159231] Mon, 27 July 2009 12:28
florian, Germany
Messages: 484
Registered: July 2009
Senior Member
Howdie!

jjmacdonald@cox.net schrieb:
> I need to reset the local password on a DC so I can dcpromo –demote it

You need to be domain administrator to demote a DC. However, when
logging on to the DC after DCPROMO tore the DC role down, you need the
local administrator account. It is actually the account that you use for
DSRM logon (DSRM admin). You can change the DSRM admin password with
NTDSUTIL as you already figured.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Re: Reset local administrator password on a DC [message #159241 is a reply to message #159231] Mon, 27 July 2009 13:39
Jorge Silva
Messages: 398
Registered: July 2009
Senior Member
Hi
As Danny and Meinolf said, when you do dcpromo to demote the DC, you'll be
prompted to set the new local admin password; at that moment you define the
new password.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
<jjmacdonald@cox.net> wrote in message
news:0e7b9a58-648b-4285-9282-a61c0f0600a6@e27g2000yqm.googlegroups.com...
I need to reset the local password on a DC so I can dcpromo –demote it

This is an old Windows 2003 Domain Controller and no one can remember
the local password. Is it the “DSRM” or the “ntdsutil” that I run at
the command line?

I have tried looking and have seen both. But they mostly talk about
server 2000.


Can anyone point me in the right direction?
Re: Reset local administrator password on a DC [message #159289 is a reply to message #159231] Tue, 28 July 2009 06:22
pbbergs, United States
Messages: 1024
Registered: July 2009
Senior Member
Need to be a domain admin to demote a dc.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

<jjmacdonald@cox.net> wrote in message
news:0e7b9a58-648b-4285-9282-a61c0f0600a6@e27g2000yqm.googlegroups.com...
I need to reset the local password on a DC so I can dcpromo demote it

This is an old Windows 2003 Domain Controller and no one can remember
the local password. Is it the DSRM or the ntdsutil that I run at
the command line?

I have tried looking and have seen both. But they mostly talk about
server 2000.


Can anyone point me in the right direction?
Re: Reset local administrator password on a DC [message #159295 is a reply to message #159289] Tue, 28 July 2009 07:31
jjmacdonald, United States
Messages: 8
Registered: July 2009
Junior Member
Ok, if I understand this


After I demote the DC (as a Domain Admin) I will be prompted to set a
new local admin password.
BUT
I will need the DSRM password when I demote the system. The command to
do that is "ntdsutil: set dsrm password"??

Thanks all for helping me. It is not often that I demote a DC
John
Re: Reset local administrator password on a DC [message #159296 is a reply to message #159295] Tue, 28 July 2009 07:34
meiweb(nospam), Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello jjmacdonald@cox.net,

"I will need the DSRM password when I demote the system. The command to do
that is "ntdsutil: set dsrm password"??"

No, not needed.


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Ok, if I understand this
>
> After I demote the DC (as a Domain Admin) I will be prompted to set a
> new local admin password.
> BUT
> I will need the DSRM password when I demote the system. The command to
> do that is "ntdsutil: set dsrm password"??
> Thanks all for helping me. It is not often that I demote a DC John
>
Re: Reset local administrator password on a DC [message #159297 is a reply to message #159295] Tue, 28 July 2009 07:33
Danny Sanders, United States
Messages: 169
Registered: July 2009
Senior Member
Actually just run dcpromo to remove AD and you will be prompted to set the
admin password for the server during the process. You don't need to know it,
you will set it at that time.

hth
DDS

<jjmacdonald@cox.net> wrote in message
news:d7a559e1-c346-4e71-96c5-a70c7b05fd31@d32g2000yqh.googlegroups.com...
> Ok, if I understand this
>
>
> After I demote the DC (as a Domain Admin) I will be prompted to set a
> new local admin password.
> BUT
> I will need the DSRM password when I demote the system. The command to
> do that is "ntdsutil: set dsrm password"??
>
> Thanks all for helping me. It is not often that I demote a DC
> John
Re: Reset local administrator password on a DC [message #159304 is a reply to message #159297] Tue, 28 July 2009 08:45
jjmacdonald, United States
Messages: 8
Registered: July 2009
Junior Member
Side question, demoting it does not remove it from the Domain correct?
Re: Reset local administrator password on a DC [message #159305 is a reply to message #159304] Tue, 28 July 2009 08:50
Danny Sanders, United States
Messages: 169
Registered: July 2009
Senior Member
Nope, you are making it a member server of the same domain.

hth
DDS

<jjmacdonald@cox.net> wrote in message
news:00d29f3d-8f60-43c0-83c8-c30788c463dd@i6g2000yqj.googlegroups.com...
> Side question, demoting it does not remove it from the Domain correct?
Re: Reset local administrator password on a DC [message #159306 is a reply to message #159304] Tue, 28 July 2009 08:54
meiweb(nospam), Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello jjmacdonald@cox.net,

Demoting a DC keeps the server as a member server in the domain and moves it
into the computers container. Additionally, you have to remove it manually from
AD Sites and Services and check, if it was a DNS server, that it is removed on
the name server tab of the zones.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Side question, demoting it does not remove it from the Domain correct?
>
Re: Reset local administrator password on a DC [message #159307 is a reply to message #159305] Tue, 28 July 2009 09:15
jjmacdonald, United States
Messages: 8
Registered: July 2009
Junior Member
The one thing that I am worried about is it doesn't talk to all the
other DC servers. Only 2 of them. I was wondering if I could change
the name before re-adding it to the domain, now I am not sure if I
should remove/rename or just rename it.


The other DC that is having "issues" has AC installed, is a DNS and
DHCP server, our print server, and it is a LS server. It only talks to
our PDC (GC). Oh, and it is a VM that is being converted from a
vmware1.2 server to an esxi4.0 server. But that is on another day.


Ugh, I hate fixing other people's mess.
Though it is job security :)

~John~
Re: Reset local administrator password on a DC [message #159309 is a reply to message #159307] Tue, 28 July 2009 09:26
meiweb(nospam), Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello jjmacdonald@cox.net,

Now you came up with replication problems also, which you should take more
care on than on changing a password. Before demoting any DC you should make
sure the domain is healthy and replication works as expected.

Also important is that VMs should never be used from snapshots; this
is not a supported way of backing up a DC.

I really suggest you start with a complete story of what you have, amount
of DCs, sites and subnets, which DCs are physical or virtual. Also what replication
problems you have on which DC. This all reported with diagnostic reports
from the support tools dcdiag /v, netdiag /v and repadmin /showrepl.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> The one thing that I am worried about is it doesn't talk to all the
> other DC servers. Only 2 of them. I was wondering if I could change
> the name before re-adding it to the domain, now I am not sure if I
> should remove/rename or just rename it.
>
> The other DC that is having "issues" has AC installed, is a DNS and
> DHCP server, our print server, and it is a LS server. It only talks to
> our PDC (GC). Oh, and it is a VM that is being converted from a
> vmware1.2 server to an esxi4.0 server. But that is on another day.
>
> Ugh, I hate fixing other people's mess.
> Though it is job security :)
> ~John~
>
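
An added example, not part of the original thread: a batch file that collects the three reports requested in the post above (dcdiag /v, netdiag /v, repadmin /showrepl) and prints the lines that usually mark failures. It assumes the Windows Server 2003 Support Tools are installed and on the PATH; the output folder is a placeholder, and the search strings are the failure markers these tools typically print.

```bat
@echo off
rem Added example: gather pre-demotion health reports from one DC.
rem Assumption: dcdiag, netdiag and repadmin (Support Tools) are on PATH.
rem Assumption: the report folder below is a placeholder; change as needed.
setlocal
set OUT=%SystemDrive%\dc-reports\%COMPUTERNAME%
if not exist "%OUT%" mkdir "%OUT%"

rem Full verbose reports, kept as files so they can be posted or compared
rem against the same reports taken on the other DCs.
dcdiag /v          > "%OUT%\dcdiag.txt"   2>&1
netdiag /v         > "%OUT%\netdiag.txt"  2>&1
repadmin /showrepl > "%OUT%\showrepl.txt" 2>&1

rem Quick triage: /l = literal match, /i = ignore case, /n = line numbers.
echo === dcdiag: tests reported as failed ===
findstr /l /i /n /c:"failed test" "%OUT%\dcdiag.txt"
if errorlevel 1 echo (no "failed test" lines found)

echo === netdiag: failed or fatal results ===
findstr /l /i /n /c:": Failed" /c:"[FATAL]" "%OUT%\netdiag.txt"
if errorlevel 1 echo (no failure lines found)

echo === repadmin: failed replication attempts ===
findstr /l /i /n /c:"failed, result" /c:"consecutive failure" "%OUT%\showrepl.txt"
if errorlevel 1 echo (no failed attempts found)

echo.
echo Reports saved in %OUT%
endlocal
```

Run it on each DC before demoting anything: a clean triage on one DC says nothing about partners that DC cannot see, so compare the list of replication partners in each showrepl.txt as well.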
Re: Reset local administrator password on a DC [message #159312 is a reply to message #159309] Tue, 28 July 2009 10:34
jjmacdonald, United States
Messages: 8
Registered: July 2009
Junior Member
Ok, that is why I started asking about the passwords but...

1st part is that I do not make snapshots. I know that it really dorks
up AD. The other admin at the time no longer works here and he put
the VM back on the domain. The server that I said had all the stuff
installed on it. The VM was about 16 hours old and AD didn't like
that. At that point I got involved and after talking to MS for about 9
hours we were able to get AD working again. But since it was a VM they
didn't want to help that much.

By this point we had to seize control of operations and then update/
remove entries in scheme. That and a few other things that I don't
remember. MS said that they can't help anymore unless I put them on
hardware. I was up and running at this point.

I have a total of 5 DC. 2 are hardware and 3 are VMs (1 remote). I
am trying to remove the VMs from the domain. The remote location is
being closed so I will need to remove that one before they turn the
power off. This is on the 2nd subnet. The 2 others are not needed
anymore. I personally only like to keep hardware DC's.


When running dcdiag and netdiag I do not see anything that is failed.
When I run the repadmin it only sees 2 of the DC's. The GC and another
DC. MS said that I should remove these at some point since they do
not see the others and this could cause problems with replication.
This issue also shows up under "sites and services". When you try to
manually start a replication to the other DC it fails with "could not
contact other controller". This error stumped the techs at MS (I was
working with 3 of them at this point).

So what I am trying to do is clean up the AD and I will have to deal
with the fallout.

~John~

*Yes the other tech was let go after running defrag on the Exchange
server.
Re: Reset local administrator password on a DC [message #159330 is a reply to message #159312] Tue, 28 July 2009 16:47
jjmacdonald, United States
Messages: 8
Registered: July 2009
Junior Member
Well, the server demoted well (well, it seems to have). The AD took
about 45 min to fully replicate to all the DC's. All the DC's see the
changes now. The Sites & Services still sees the server (under the
"Default-First-Site-Name") But there is no NTDS settings for it. I am
not sure if I should delete those so I am going to leave them for a
while.

Thanks for the help
~John~
Re: Reset local administrator password on a DC [message #159332 is a reply to message #159330] Tue, 28 July 2009 16:59
meiweb(nospam), Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello jjmacdonald@cox.net,

Nice to hear that you got it. I just wanted to mention all that before, because
you started only with the password change, what all is needed to check before
removing as a small step. Now reading your posting I saw that you are already
on the right track.

You have to remove the demoted DC manually from AD Sites and Services. This
is not done during demotion. Also check the DNS zones name server tab, if
the demoted one was also a DNS server and no longer is.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Well, the server demoted well (well, it seems to have). The AD took
> about 45 min to fully replicate to all the DC's. All the DC's see the
> changes now. The Sites & Services still sees the server (under the
> "Default-First-Site-Name") But there is no NTDS settings for it. I am
> not sure if I should delete those so I am going to leave them for a
> while.
>
> Thanks for the help
> ~John~
Re: Reset local administrator password on a DC [message #159391 is a reply to message #159332] Wed, 29 July 2009 09:47
jjmacdonald, United States
Messages: 8
Registered: July 2009
Junior Member
Thanks.
I'll manually remove them then. I wanted to leave things alone until
the fallout cleared up.
The next server is a DNS/DHCP server. I would like to keep these
services on this server though.


Thanks for all the help from everyone
~John~
Re: Reset local administrator password on a DC [message #159613 is a reply to message #159231] Sun, 02 August 2009 03:21
Hank Arnold, United States
Messages: 141
Registered: August 2009
Senior Member
jjmacdonald@cox.net wrote:
> I need to reset the local password on a DC so I can dcpromo –demote it
>
> This is an old Windows 2003 Domain Controller and no one can remember
> the local password. Is it the “DSRM” or the “ntdsutil” that I run at
> the command line?
>
> I have tried looking and have seen both. But they mostly talk about
> server 2000.
>
>
> Can anyone point me in the right direction?

If this is a DC, there is no local logon/password....

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services
http://mypcassistant.blogspot.com/
Re: Reset local administrator password on a DC [message #159802 is a reply to message #159613] Sun, 09 August 2009 13:33
Paul Yhonquea, United States
Messages: 13
Registered: August 2009
Junior Member
Hank is right about the nonexistence of a "local account" for a DC. From
what I can remember from past experience, if this DC is not a Global
Catalog, and there are network connectivity issues, an admin cannot log into
the server with any domain account. DSRM (Directory Services Restore Mode)
is sort of like "Safe Mode" for an Active Directory Domain Controller. This
password is separate from the original administrator for the server (whose
password does still exist). The DSRM password was set (and hopefully
recorded elsewhere) during the promotion phase of the server to domain
controller status (DCPromo).

Does this DC hold any Flexible Single Master Operations (FSMO) roles? If
this was the first DC in the domain, then the original password of the
default Administrator account in the domain will allow you to log in to the
server.

Are there network connectivity issues with this DC?


Hope this helps.



Paul Yhonquea



"Hank Arnold" <rasilon@aol.com> wrote in message
news:OETgZK1EKHA.5956@TK2MSFTNGP03.phx.gbl...
> jjmacdonald@cox.net wrote:
>> I need to reset the local password on a DC so I can dcpromo demote it
>>
>> This is an old Windows 2003 Domain Controller and no one can remember
>> the local password. Is it the DSRM or the ntdsutil that I run at
>> the command line?
>>
>> I have tried looking and have seen both. But they mostly talk about
>> server 2000.
>>
>>
>> Can anyone point me in the right direction?
>
> If this is a DC, there is no local logon/password....
>
> --
>
> Regards,
> Hank Arnold
> Microsoft MVP
> Windows Server - Directory Services
> http://mypcassistant.blogspot.com/
Re: Reset local administrator password on a DC [message #159838 is a reply to message #159802] Mon, 10 August 2009 06:36
pbbergs, United States
Messages: 1024
Registered: July 2009
Senior Member
The DSRM password can be modified via ntdsutil (Or setpwd), so it is not an
absolute that the original recovery password is the current password. Also
the domain admin can always logon to a dc no matter if a GC is available or
not.

http://www.petri.co.il/change_recovery_console_password.htm

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

"Paul Yhonquea" <phybroptyx@hotmail.com> wrote in message
news:O7RE6gSGKHA.4608@TK2MSFTNGP02.phx.gbl...
> Hank is right about the nonexistence of a "local account" for a DC. From
> what I can remember from past experience, if this DC is not a Global
> Catalog, and there are network connectivity issues, an admin cannot log
> into the server with any domain account. DSRM (Directory Services Restore
> Mode) is sort of like "Safe Mode" for an Active Directory Domain
> Controller. This password is separate from the original administrator for
> the server (whose password does still exist). The DSRM password was set
> (and hopefully recorded elsewhere) during the promotion phase of the
> server to domain controller status (DCPromo).
>
> Does this DC hold any Flexible Single Master Operations (FSMO) roles? If
> this was the first DC in the domain, then the original password of the
> default Administrator account in the domain will allow you to log in to
> the server.
>
> Are there network connectivity issues with this DC?
>
>
> Hope this helps.
>
>
>
> Paul Yhonquea
>
>
>
> "Hank Arnold" <rasilon@aol.com> wrote in message
> news:OETgZK1EKHA.5956@TK2MSFTNGP03.phx.gbl...
>> jjmacdonald@cox.net wrote:
>>> I need to reset the local password on a DC so I can dcpromo -demote it
>>>
>>> This is an old Windows 2003 Domain Controller and no one can remember
>>> the local password. Is it the "DSRM" or the "ntdsutil" that I run at
>>> the command line?
>>>
>>> I have tried looking and have seen both. But they mostly talk about
>>> server 2000.
>>>
>>>
>>> Can anyone point me in the right direction?
>>
>> If this is a DC, there is no local logon/password....
>>
>> --
>>
>> Regards,
>> Hank Arnold
>> Microsoft MVP
>> Windows Server - Directory Services
>> http://mypcassistant.blogspot.com/
>
>