
Reset local administrator password on a DC


jjmac...@cox.net

Jul 27, 2009, 12:59:05 PM7/27/09
I need to reset the local password on a DC so I can dcpromo -demote it

This is an old Windows 2003 Domain Controller and no one can remember
the local password. Is it the “DSRM” or the “ntdsutil” that I run at
the command line?

I have tried looking and have seen both. But they mostly talk about
server 2000.


Can anyone point me in the right direction?

Meinolf Weber [MVP-DS]

Jul 27, 2009, 1:09:41 PM7/27/09
Hello jjmac...@cox.net,

You don't need the local admin password to demote it. This can be done with
the domain administrator account. During demotion you are required to set
a new administrator password when the server becomes a member server.

The DSRM password is needed when you try to boot into Active Directory Restore
Mode.
http://support.microsoft.com/kb/322672

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I need to reset the local password on a DC so I can dcpromo -demote it

Danny Sanders

Jul 27, 2009, 1:05:10 PM7/27/09
If I remember right it will give you the chance to set the admin password
during the dcpromo process, or you can right click on the administrator
account in the users folder and set the password there.

hth
DDS

<jjmac...@cox.net> wrote in message
news:0e7b9a58-648b-4285...@e27g2000yqm.googlegroups.com...

jjmac...@cox.net

Jul 27, 2009, 1:36:28 PM7/27/09
Thanks for the quick response.
I've never had to demote one and I know that there is a password that
you set up when you promote it. That is the one that no one knows.

Florian Frommherz [MVP]

Jul 27, 2009, 2:28:23 PM7/27/09
Howdie!

jjmac...@cox.net schrieb:
> I need to reset the local password on a DC so I can dcpromo -demote it

You need to be domain administrator to demote a DC. However, when
logging on to the DC after DCPROMO tore the DC role down, you need the
local administrator account. It is actually the account that you use for
DSRM logon (DSRM admin). You can change the DSRM admin password with
NTDSUTIL as you already figured.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

Jorge Silva

Jul 27, 2009, 3:39:25 PM7/27/09
Hi
As Danny and Meinolf said, when you run dcpromo to demote the DC, you'll be
prompted to set the new local admin password; at that moment you define the
new password.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services


<jjmac...@cox.net> wrote in message
news:0e7b9a58-648b-4285...@e27g2000yqm.googlegroups.com...

> I need to reset the local password on a DC so I can dcpromo -demote it
>
> This is an old Windows 2003 Domain Controller and no one can remember
> the local password. Is it the "DSRM" or the "ntdsutil" that I run at

Paul Bergson [MVP-DS]

Jul 28, 2009, 8:22:11 AM7/28/09
Need to be a domain admin to demote a DC.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

<jjmac...@cox.net> wrote in message
news:0e7b9a58-648b-4285...@e27g2000yqm.googlegroups.com...

jjmac...@cox.net

Jul 28, 2009, 9:31:05 AM7/28/09
OK, if I understand this:

After I demote the DC (as a Domain Admin) I will be prompted to set a
new local admin password.
BUT
I will need the DSRM password when I demote the system. The command to
do that is "ntdsutil: set dsrm password"??

Thanks all for helping me. It is not often that I demote a DC
John

Meinolf Weber [MVP-DS]

Jul 28, 2009, 9:34:09 AM7/28/09
Hello jjmac...@cox.net,

"I will need the DSRM password when I demote the system. The command to do
that is "ntdsutil: set dsrm password"??"

No, not needed.


Best regards

Meinolf Weber

Danny Sanders

Jul 28, 2009, 9:33:36 AM7/28/09
Actually just run dcpromo to remove AD and you will be prompted to set the
admin password for the server during the process. You don't need to know it,
you will set it at that time.

hth
DDS

<jjmac...@cox.net> wrote in message
news:d7a559e1-c346-4e71...@d32g2000yqh.googlegroups.com...

jjmac...@cox.net

Jul 28, 2009, 10:45:37 AM7/28/09
Side question, demoting it does not remove it from the Domain correct?

Meinolf Weber [MVP-DS]

Jul 28, 2009, 10:54:09 AM7/28/09
Hello jjmac...@cox.net,

Demoting a DC keeps the server as a member server in the domain and moves it
into the Computers container. Additionally, you have to remove it manually from
AD Sites and Services and, if it was a DNS server, check that it is removed on
the name server tab of the zones.

Best regards

Meinolf Weber

Danny Sanders

Jul 28, 2009, 10:50:04 AM7/28/09
Nope, you are making it a member server of the same domain.

hth
DDS

<jjmac...@cox.net> wrote in message
news:00d29f3d-8f60-43c0...@i6g2000yqj.googlegroups.com...

jjmac...@cox.net

Jul 28, 2009, 11:15:00 AM7/28/09
The one thing that I am worried about is that it doesn't talk to all the
other DC servers, only 2 of them. I was wondering if I could change
the name before re-adding it to the domain; now I am not sure if I
should remove/rename or just rename it.

The other DC that is having "issues" has AD installed, is a DNS and
DHCP server, our print server, and it is an LS server. It only talks to
our PDC (GC). Oh, and it is a VM that is being converted from a
VMware 1.2 server to an ESXi 4.0 server. But that is on another day.

Ugh, I have to fix other people's mess.
Though it is job security :)

~John~

Meinolf Weber [MVP-DS]

Jul 28, 2009, 11:26:22 AM7/28/09
Hello jjmac...@cox.net,

Now you came up with replication problems also, which you should take more
care of than changing a password. Before demoting any DC you should make
sure the domain is healthy and replication works as expected.

Also important is that VMs should never be used from snapshots; this
is not a supported way of backing up a DC.

I really suggest you start with a complete story of what you have: number
of DCs, sites and subnets, which DCs are physical or virtual. Also what replication
problems you have on which DC. All this reported with diagnostic reports
from the support tools dcdiag /v, netdiag /v and repadmin /showrepl.

Best regards

Meinolf Weber

jjmac...@cox.net

Jul 28, 2009, 12:34:45 PM7/28/09
OK, that is why I started asking about the passwords but...

1st part is that I do not make snapshots. I know that it really dorks
up AD. The other admin at the time no longer works here and he put
the VM back on the domain. The server that I said had all the stuff
installed on it. The VM was about 16 hours old and AD didn't like
that. At that point I got involved and after talking to MS for about 9
hours we were able to get AD working again. But since it was a VM they
didn't want to help that much.

By this point we had to seize control of operations and then update/
remove entries in the schema. That and a few other things that I don't
remember. MS said that they can't help anymore unless I put them on
hardware. I was up and running at this point.

I have a total of 5 DCs. 2 are hardware and 3 are VMs (1 remote). I
am trying to remove the VMs from the domain. The remote location is
being closed so I will need to remove that one before they turn the
power off. This is on the 2nd subnet. The 2 others are not needed
anymore. I personally only like to keep hardware DCs.

When running dcdiag and netdiag I do not see anything that has failed.
When I run repadmin it only sees 2 of the DCs: the GC and another
DC. MS said that I should remove these at some point since they do
not see the others and this could cause problems with replication.
This issue also shows up under "Sites and Services". When you try to
manually start a replication to the other DC it fails with "could not
contact other controller". This error stumped the techs at MS (I was
working with 3 of them at this point).

So what I am trying to do is clean up the AD and I will have to deal
with the fallout.

~John~

*Yes, the other tech was let go after running defrag on the Exchange
server.

jjmac...@cox.net

Jul 28, 2009, 6:47:38 PM7/28/09
Well, the server demoted well (well, it seems to have). The AD took
about 45 min to fully replicate to all the DCs. All the DCs see the
changes now. Sites & Services still sees the server (under the
"Default-First-Site-Name") but there are no NTDS Settings for it. I am
not sure if I should delete those so I am going to leave them for a
while.

Thanks for the help
~John~

Meinolf Weber [MVP-DS]

Jul 28, 2009, 6:59:51 PM7/28/09

Hello jjmac...@cox.net,

Nice to hear that you got it. I just wanted to mention all that before, because
you started only with the password change, when everything that needs to be
checked before removing a DC is not a small step. Now reading your posting I saw
that you are already on the right track.

You have to remove the demoted DC manually from AD Sites and Services. This
is not done during demotion. Also check the DNS zones' name server tab, if
the demoted one was also a DNS server and is no longer.

Best regards

Meinolf Weber

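The checks Meinolf describes in this thread (replication health via repadmin /showrepl, the leftover server object in AD Sites and Services, and the stale name server entry in the DNS zone), as an added PowerShell example that is not from the thread. It uses [adsi]/DirectorySearcher and the repadmin and nslookup tools, so it does not depend on the ActiveDirectory module that Windows 2003 lacks; the server name in $DemotedDc is a placeholder.

```powershell
# Added example (not from the thread): after demoting a DC, list failing
# replication links and look for the leftovers discussed above.
# Assumes a domain-joined machine, a domain user, PowerShell 1.0 or later,
# and repadmin.exe on the path. $DemotedDc is a placeholder: replace it.
param([string]$DemotedDc = "OLDDC01")

$rootDse    = [adsi]"LDAP://RootDSE"
$configNc   = [string]$rootDse.configurationNamingContext
$domainNc   = [string]$rootDse.defaultNamingContext
# DC=contoso,DC=com -> contoso.com, for the DNS zone lookup below
$domainFqdn = ($domainNc -replace 'DC=', '') -replace ',', '.'

# 1. Replication: only the failing links, the repadmin /showrepl check.
Write-Host "== Replication errors (repadmin /showrepl * /errorsonly) =="
$repErrors = repadmin /showrepl * /errorsonly 2>&1 | Where-Object { $_ -match 'failed|error' }
if ($repErrors) { $repErrors | ForEach-Object { Write-Host $_ } } else { Write-Host "none" }

# 2. Sites and Services: dcpromo removes the NTDS Settings object but, as the
#    thread notes, leaves the server object behind for manual removal.
Write-Host "== Server objects named $DemotedDc under CN=Sites =="
$srv = New-Object System.DirectoryServices.DirectorySearcher
$srv.SearchRoot = [adsi]"LDAP://CN=Sites,$configNc"
$srv.Filter = "(&(objectClass=server)(cn=$DemotedDc))"
foreach ($r in $srv.FindAll()) {
    $entry = $r.GetDirectoryEntry()
    $ntds  = New-Object System.DirectoryServices.DirectorySearcher($entry, "(objectClass=nTDSDSA)")
    $ntds.SearchScope = "OneLevel"
    if ($ntds.FindAll().Count -gt 0) {
        Write-Host "$($r.Path): NTDS Settings still present - demotion incomplete, leave it alone"
    } else {
        Write-Host "$($r.Path): no NTDS Settings - remove this server object manually"
    }
}

# 3. DNS: is the demoted server still advertised as a name server for the zone?
Write-Host "== NS records for $domainFqdn that still name $DemotedDc =="
$ns = nslookup -type=NS $domainFqdn 2>$null |
      Where-Object { $_ -match 'nameserver' -and $_ -match "(?i)\b$DemotedDc\." }
if ($ns) { $ns | ForEach-Object { Write-Host $_ } } else { Write-Host "none" }
```

Run it once before demotion (expect no server-object findings, only the replication section is relevant) and again afterwards; a server object without NTDS Settings plus a lingering NS record are exactly the two manual clean-ups the thread ends on.
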
jjmac...@cox.net

Jul 29, 2009, 11:47:06 AM7/29/09
Thanks.
I'll manually remove them then. I wanted to leave things alone until
the fallout cleared up.
The next server is a DNS/DHCP server. I would like to keep these
services on this server though.


Thanks for all the help from everyone
~John~

Hank Arnold

Aug 2, 2009, 5:21:07 AM8/2/09
jjmac...@cox.net wrote:
> I need to reset the local password on a DC so I can dcpromo -demote it
>
> This is an old Windows 2003 Domain Controller and no one can remember
> the local password. Is it the "DSRM" or the "ntdsutil" that I run at
> the command line?
>
> I have tried looking and have seen both. But they mostly talk about
> server 2000.
>
> Can anyone point me in the right direction?

If this is a DC, there is no local logon/password....

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services
http://mypcassistant.blogspot.com/

Paul Yhonquea

Aug 9, 2009, 3:33:13 PM8/9/09

Hank is right about the nonexistence of a "local account" for a DC. From
what I can remember from past experience, if this DC is not a Global
Catalog, and there are network connectivity issues, an admin cannot log into
the server with any domain account. DSRM (Directory Services Restore Mode)
is sort of like "Safe Mode" for an Active Directory Domain Controller. This
password is separate from the original administrator for the server (whose
password does still exist). The DSRM password was set (and hopefully
recorded elsewhere) during the promotion phase of the server to domain
controller status (DCPromo).

Does this DC hold any Flexible Single Master Operations (FSMO) roles? If
this was the first DC in the domain, then the original password of the
default Administrator account in the domain will allow you to log in to the
server.

Are there network connectivity issues with this DC?


Hope this helps.

Paul Yhonquea

"Hank Arnold" <ras...@aol.com> wrote in message
news:OETgZK1E...@TK2MSFTNGP03.phx.gbl...

Paul Bergson [MVP-DS]

Aug 10, 2009, 8:36:28 AM8/10/09
The DSRM password can be modified via ntdsutil (or setpwd), so it is not an
absolute that the original recovery password is the current password. Also
the domain admin can always log on to a DC no matter if a GC is available or
not.

http://www.petri.co.il/change_recovery_console_password.htm

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com


"Paul Yhonquea" <phybr...@hotmail.com> wrote in message
news:O7RE6gSG...@TK2MSFTNGP02.phx.gbl...
