Password changed after AD DC installation

  • Monday, June 02, 2008 12:17 PM
     
     
    Hello,

    Has anyone seen this before:

    1. I set up a Windows 2008 full Enterprise server.
    2. I set up the local administrator password and create a new user with administration rights and a password of its own. All works fine, no login problems.
    3. I set the server up as an Active Directory Domain Controller.
    4. From now on, any attempt to login to the machine locally is met with "user/password incorrect". The only way to log in to the machine is through a domain login.

    This is the first DC in the forest, since this server is installed in a lab for testing only.

    Any ideas why this happens, or how to solve it?

    Many thanks in advance,

    A.B

Answers

  • Monday, June 02, 2008 8:05 PM
     
     Answered
    When you promoted the server to be a DC it changed the Local Administrator account to the Domain Administrator account.

    Since this is a domain controller there is no more local security context, only the domain security context. The only accounts you can log into on the domain controller will be domain accounts.

    The only way to log into the machine outside of the domain context is by starting it up in Directory Services Restore Mode and using the password you set during the DCPromo process.

    Is there any particular reason you are trying to log in locally to the DC?
  • Tuesday, June 03, 2008 10:45 AM
     
     Answered
    Hello A.B,
     
    What Richard said is correct. After you promote the server to a domain controller, the system will encrypt the local SAM database and you can only log on to the DC with domain accounts in normal mode.
     
    You can only log on to the DC locally in Directory Services Restore Mode when you reboot the DC and press F8 to log on.
     
    Please note: the password of Directory Services Restore Mode is different from that of the local Administrator's password.
     
    You can use Ntdsutil.exe to reset the DSRM password on the DC.
     
    To Reset the DSRM Administrator Password, please refer to:
     
    1.  Click Start, click Run, type ntdsutil, and then click OK.
     
    2.  At the Ntdsutil command prompt, type set dsrm password
     
    3.  At the DSRM command prompt, type one of the following lines:
     
    a. To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted.
     
    Please note: no characters appear while you type the password.
     
    b. To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted.
     
    Please note: no characters appear while you type the password. 
     
    4.  At the DSRM command prompt, type q
     
    5.  At the Ntdsutil command prompt, type q to exit
     
    Hope it helps.

    Your potential. Our passion.
    • Marked As Answer by David Shen Wednesday, June 04, 2008 1:25 AM
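
Added example, not part of the original thread: a PowerShell check an administrator can run on the DC after the Ntdsutil procedure above, to review who has reset the DSRM password and whether the DSRM account is still limited to Directory Services Restore Mode. It assumes the Security log records event 4794 (User Account Management auditing enabled) and uses that event's standard field names.

```powershell
# Added example (not from the thread). Run elevated on the domain controller.

# Event ID 4794 is logged when someone attempts to set the DSRM administrator
# password, for example through "set dsrm password" in Ntdsutil.
$filter = @{ LogName = 'Security'; Id = 4794 }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output 'No DSRM password reset attempts (event 4794) in the Security log.'
}

foreach ($evt in $events) {
    # Pull the named fields out of the event's XML payload.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    New-Object PSObject -Property @{
        Time   = $evt.TimeCreated
        DC     = $evt.MachineName
        Caller = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Status = $data['Status']
    }
}

# DsrmAdminLogonBehavior decides when the DSRM administrator account may log on.
# Absent or 0 is the default: only after booting into Directory Services Restore Mode.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$props = Get-ItemProperty -Path $lsa -ErrorAction Stop
$value = $props.DsrmAdminLogonBehavior

if ($null -eq $value -or $value -eq 0) {
    Write-Output 'DsrmAdminLogonBehavior: default (DSRM account usable only in DSRM).'
} else {
    Write-Warning "DsrmAdminLogonBehavior = $value : DSRM account can log on outside DSRM; confirm this is intended."
}
```

Each 4794 entry should line up with a planned reset; an unexpected caller or a non-default registry value is worth following up.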