Reset local domain 'administrator' password to restore system state to migrated vm

DustinB3403

So I'm trying to reset the local administrator account password used on a DC, because I can't get into DSRM without the password used when this DC was created. (no one here knows what was used).

MS's instructions say to boot into DSRM mode, open an elevated command prompt and reset the password.

Obviously this doesn't work if you can't log in. (like me)

Any help with how I can reset the local administrator password on a DC so I can get into DSRM so I can then restore the SS to this VM?

Thanks in advance

JaredBusch

@DustinB3403 said in Trying to use SS to restore a vDC:

So I'm trying to reset the local administrator account password used on a DC, because I can't get into DSRM without the password used when this DC was created. (no one here knows what was used).

MS's instructions say to boot into DSRM mode, open an elevated command prompt and reset the password.

Obviously this doesn't work if you can't log in. (like me)

Any help with how I can reset the local administrator password on a DC so I can get into DSRM so I can then restore the SS to this VM?

Thanks in advance

There is no such thing as a local domain administrator password.
You either have a domain password or a local password.

I was under the impression, that when you DCPROMO a box, the local accounts are nuked. But that is only a vague recollection.

momurda

What version of WinServer?

dafyre

@JaredBusch said in Reset local domain 'administrator' password to restore system state to migrated vm:

@DustinB3403 said in Trying to use SS to restore a vDC:

So I'm trying to reset the local administrator account password used on a DC, because I can't get into DSRM without the password used when this DC was created. (no one here knows what was used).

MS's instructions say to boot into DSRM mode, open an elevated command prompt and reset the password.

Obviously this doesn't work if you can't log in. (like me)

Any help with how I can reset the local administrator password on a DC so I can get into DSRM so I can then restore the SS to this VM?

Thanks in advance

There is no such thing as a local domain administrator password.
You either have a domain password or a local password.

I was under the impression, that when you DCPROMO a box, the local accounts are nuked. But that is only a vague recollection.

The local admin password becomes the password to get to the system when you boot it into DS Recovery mode.

DustinB3403

@momurda said in Trying to use SS to restore a vDC:

What version of WinServer?

Server 2008 R2

DustinB3403

@JaredBusch There are local accounts, but they're hidden off, its how you'd access the system in the case of a DSRM need.

JaredBusch

@dafyre said in Reset local domain 'administrator' password to restore system state to migrated vm:

@JaredBusch said in Reset local domain 'administrator' password to restore system state to migrated vm:

@DustinB3403 said in Trying to use SS to restore a vDC:

So I'm trying to reset the local administrator account password used on a DC, because I can't get into DSRM without the password used when this DC was created. (no one here knows what was used).

MS's instructions say to boot into DSRM mode, open an elevated command prompt and reset the password.

Obviously this doesn't work if you can't log in. (like me)

Any help with how I can reset the local administrator password on a DC so I can get into DSRM so I can then restore the SS to this VM?

Thanks in advance

There is no such thing as a local domain administrator password.
You either have a domain password or a local password.

I was under the impression, that when you DCPROMO a box, the local accounts are nuked. But that is only a vague recollection.

The local admin password becomes the password to get to the system when you boot it into DS Recovery mode.

Then would a password recovery boot disk still work? If it is still a "local account" ?Never had a need for this on a DC.

DustinB3403

@JaredBusch Unfortunately no, and the reason being is (and I'm hazy on it too) is that the DC local accounts aren't stored in the same place as a "local" account.

if that makes any sense.

Our MSP reset the password on a trial system to a generic password, and it worked, but I can't find what they did anywhere online.

DustinB3403

@dafyre said in Trying to use SS to restore a vDC:

@JaredBusch said in Reset local domain 'administrator' password to restore system state to migrated vm:

@DustinB3403 said in Trying to use SS to restore a vDC:

So I'm trying to reset the local administrator account password used on a DC, because I can't get into DSRM without the password used when this DC was created. (no one here knows what was used).

MS's instructions say to boot into DSRM mode, open an elevated command prompt and reset the password.

Obviously this doesn't work if you can't log in. (like me)

Any help with how I can reset the local administrator password on a DC so I can get into DSRM so I can then restore the SS to this VM?

Thanks in advance

There is no such thing as a local domain administrator password.
You either have a domain password or a local password.

I was under the impression, that when you DCPROMO a box, the local accounts are nuked. But that is only a vague recollection.

The local admin password becomes the password to get to the system when you boot it into DS Recovery mode.

It only becomes the password used to promote the server to be a DC.

It doesn't stay current with the domain.

momurda

I assume you cant get this thing booted normally and that is why you need this?
Otherwise ntdsutil should be used while logged in as domain admin.
If so,
You might be able to use the nt offline pw reset tool (ive used it many times, just never on a dc).
www.chntpw.com/download
You can load this up and then see if it will alow you to change the local admin pw. It wont make any changes (just reads) til you tell it to.

DustinB3403

@momurda said in Reset local domain 'administrator' password to restore system state to migrated vm:

I assume you cant get this thing booted normally and that is why you need this?
Otherwise ntdsutil should be used while logged in as domain admin.
If so,
You might be able to use the nt offline pw reset tool (ive used it many times, just never on a dc).
www.chntpw.com/download
You can load this up and then see if it will alow you to change the local admin pw. It wont make any changes (just reads) til you tell it to.

The issue is we can't restore this DC, with it booting normally, it has to boot into DSRM to recover the System State of the running Hyper-V VM.

The local user account tools don't work for this particular account type.

momurda

Are you sure? I think the account id is still 500 for administrator(this is the RID on the nt offline pw tool), and it should still use the C:\Windows\System32\config\SAM to store it.
You could try it without risk i think
Also found this
https://adsecurity.org/?p=1714 may not be helpful, but informative at least.

Dashrender

@dafyre said in Reset local domain 'administrator' password to restore system state to migrated vm:

@JaredBusch said in Reset local domain 'administrator' password to restore system state to migrated vm:

@DustinB3403 said in Trying to use SS to restore a vDC:

So I'm trying to reset the local administrator account password used on a DC, because I can't get into DSRM without the password used when this DC was created. (no one here knows what was used).

MS's instructions say to boot into DSRM mode, open an elevated command prompt and reset the password.

Obviously this doesn't work if you can't log in. (like me)

Any help with how I can reset the local administrator password on a DC so I can get into DSRM so I can then restore the SS to this VM?

Thanks in advance

There is no such thing as a local domain administrator password.
You either have a domain password or a local password.

I was under the impression, that when you DCPROMO a box, the local accounts are nuked. But that is only a vague recollection.

The local admin password becomes the password to get to the system when you boot it into DS Recovery mode.

I don't think this is entirely accurate. When you promote a DC (at least back in 2008 and older) it asked you for a Recovery Mode password. It didn't just use whatever the local Admin password was as the Recovery user.

Dashrender

http://www.top-password.com/knowledge/reset-directory-services-restore-mode-password.html

Well these reset instructions seem to imply that the DSRM user is Administrator...

DustinB3403

@Dashrender said in Reset local domain 'administrator' password to restore system state to migrated vm:

http://www.top-password.com/knowledge/reset-directory-services-restore-mode-password.html

Well these reset instructions seem to imply that the DSRM user is Administrator...

Thanks I'll try that tomorrow

coliver

@Dashrender said in Reset local domain 'administrator' password to restore system state to migrated vm:

@dafyre said in Reset local domain 'administrator' password to restore system state to migrated vm:

@JaredBusch said in Reset local domain 'administrator' password to restore system state to migrated vm:

@DustinB3403 said in Trying to use SS to restore a vDC:

So I'm trying to reset the local administrator account password used on a DC, because I can't get into DSRM without the password used when this DC was created. (no one here knows what was used).

MS's instructions say to boot into DSRM mode, open an elevated command prompt and reset the password.

Obviously this doesn't work if you can't log in. (like me)

Any help with how I can reset the local administrator password on a DC so I can get into DSRM so I can then restore the SS to this VM?

Thanks in advance

There is no such thing as a local domain administrator password.
You either have a domain password or a local password.

I was under the impression, that when you DCPROMO a box, the local accounts are nuked. But that is only a vague recollection.

The local admin password becomes the password to get to the system when you boot it into DS Recovery mode.

I don't think this is entirely accurate. When you promote a DC (at least back in 2008 and older) it asked you for a Recovery Mode password. It didn't just use whatever the local Admin password was as the Recovery user.

The recovery mode password, I think, is to do database restores.

DustinB3403

@Dashrender said in Reset local domain 'administrator' password to restore system state to migrated vm:

http://www.top-password.com/knowledge/reset-directory-services-restore-mode-password.html

Well these reset instructions seem to imply that the DSRM user is Administrator...

This did it.

Thank you @Dashrender !