Password changed after AD DC installation

  • Question

  • Hello,

    Has anyone seen this before:

    1. I set up a Windows 2008 full enterprise server.
    2. I set up the local administrator password and create a new user with administration rights and a password of its own. All works fine, no login problems.
    3. I set the server up as an Active Directory Domain Controller.
    4. From now on, any attempt to log in to the machine locally is met with "user/password incorrect". The only way to log in to the machine is through a domain login.

    This is the first DC in the forest, since this server is installed in a lab for testing only.

    Any ideas why this happens, or how to solve it?

    Many thanks in advance,

    A.B
    Monday, June 2, 2008 12:17 PM

Answers

  • When you promoted the server to be a DC it changed the Local Administrator account to the Domain Administrator account.

    Since this is a domain controller there is no more local security context, only the domain security context. The only accounts you can log in with on the domain controller will be domain accounts.

    The only way to log in to the machine outside of the domain context is by starting it up in Directory Services Restore Mode and using the password you set during the DCPromo process.

    Is there any particular reason you are trying to log in locally to the DC?
    Monday, June 2, 2008 8:05 PM
  • Hello A.B,
     
    What Richard said is correct. After you promote the server to a domain controller, the system will encrypt the local SAM database and you can only log on to the DC with domain accounts in normal mode.
     
    You can only log on to the DC locally in Directory Services Restore Mode, by rebooting the DC and pressing F8 to select it.
     
    Please note: the Directory Services Restore Mode password is different from the local Administrator's password.
     
    You can use Ntdsutil.exe to reset the DSRM password on the DC.
     
    To reset the DSRM Administrator password:
     
    1.  Click Start, click Run, type ntdsutil, and then click OK.
     
    2.  At the Ntdsutil command prompt, type set dsrm password.
     
    3.  At the DSRM command prompt, type one of the following lines:
     
    a. To reset the password on the server on which you are working, type reset password on server null. The null variable means that the DSRM password is being reset on the local computer. Type the new password when you are prompted.
     
    Please note: no characters appear while you type the password.
     
    b. To reset the password for another server, type reset password on server servername, where servername is the DNS name of the server on which you are resetting the DSRM password. Type the new password when you are prompted.
     
    Please note: no characters appear while you type the password.
     
    4.  At the DSRM command prompt, type q.
     
    5.  At the Ntdsutil command prompt, type q to exit.
     
    Hope it helps.

    Your potential. Our passion.
    • Marked as answer by David Shen Wednesday, June 4, 2008 1:25 AM
    Tuesday, June 3, 2008 10:45 AM
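The ntdsutil procedure in the answer above, wrapped in a PowerShell script so it can be run from an elevated prompt on the DC, together with two checks worth doing right after a DSRM reset. This is an added example, not code from the thread or from Microsoft. It assumes ntdsutil.exe is on the PATH (true on any DC), that the DC audits user account management so that Security event 4794 ("An attempt was made to set the Directory Services Restore Mode administrator password") is recorded, and it reads the documented DsrmAdminLogonBehavior registry value, which decides whether the DSRM administrator can log on only in Directory Services Restore Mode (the default, 0 or absent), also while the AD DS service is stopped (1), or always (2). The last setting makes the DSRM account a domain-independent local administrator on the DC, which is exactly the kind of standing credential you want to know about.

```powershell
# Added example (not from the thread): reset the DSRM administrator password
# with ntdsutil on the local DC, then verify how that account may be used.
# Run from an elevated PowerShell prompt on the domain controller.
# Assumptions: ntdsutil.exe is on PATH; "Audit User Account Management" is
# enabled so event 4794 lands in the Security log.

#Requires -RunAsAdministrator

function Reset-DsrmPassword {
    param(
        # 'null' is the ntdsutil keyword for the DC you are running on, as in
        # "reset password on server null" in the answer above.
        [string]$Server = 'null'
    )
    # Each ntdsutil prompt answer is passed as an argument, so the only thing
    # typed at the console is the new password (twice). ntdsutil still asks for
    # it interactively; no characters appear while you type it.
    & ntdsutil.exe "set dsrm password" "reset password on server $Server" "q" "q"
    if ($LASTEXITCODE -ne 0) {
        throw "ntdsutil exited with code $LASTEXITCODE"
    }
}

function Get-DsrmLogonBehavior {
    # DsrmAdminLogonBehavior (REG_DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa):
    #   absent or 0 = DSRM administrator can log on only in DSRM (default)
    #   1 = also in normal mode while the AD DS service is stopped
    #   2 = always, even with AD DS running
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.DsrmAdminLogonBehavior
}

function Get-RecentDsrmPasswordEvents {
    param([int]$Hours = 24)
    # Security event 4794 is written on the DC whenever the DSRM password is
    # set, by the reset above and by anyone else who does the same thing.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4794
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { $_.Message.Split("`n")[0] } }
}

# 1. Reset the DSRM password on this DC (prompts for the new password).
Reset-DsrmPassword -Server 'null'

# 2. Confirm the DSRM account is still restricted to Directory Services Restore Mode.
$behavior = Get-DsrmLogonBehavior
if ($behavior -eq 0) {
    Write-Output 'DsrmAdminLogonBehavior is 0 or absent: the DSRM administrator can log on only in DSRM.'
} else {
    Write-Warning "DsrmAdminLogonBehavior is $behavior: the DSRM administrator can log on outside DSRM."
}

# 3. Show the audit trail for the reset; an unexpected 4794 here is worth investigating.
Get-RecentDsrmPasswordEvents -Hours 1 | Format-Table -AutoSize
```

The DSRM password is a local credential that survives independently of every domain account, so treat it like any other privileged secret: record it in the same place as the domain Administrator password, and make sure the account's logon behavior and the 4794 events are part of what you review on the DC.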

All replies

  • I ran into a similar issue using Directory Services Restore Mode (DSRM) on a Domain Controller running Windows Server 2008 R2 recently.  Like a dummy, I set up the Domain Controller to restart in DSRM without knowing the DSRM or local admin password for the Domain Controller.  Therefore, my domain admin password no longer worked and no one else could log on to the domain either. 

    However, after banging my head against the wall a few times, I rebooted the Domain Controller and chose "Safe Mode with Networking" while it was booting up.  In this mode, I was then able to log in to the Domain Controller locally using my domain admin username and password.  Or maybe I'm wrong about being logged in locally, but it sure looked like it.  I then changed the System Configuration to start up the OS normally and the Domain Controller came back up normally after this with Active Directory and all domain policies fully running.   


    James Hutchinson


    • Edited by jhutch03 Tuesday, February 5, 2013 8:34 PM
    Tuesday, February 5, 2013 8:33 PM
  • Dear Richard,

    I too have the same issue. We converted a DC to a virtual DC, and when we tried to import the system state of the physical DC to the virtual DC, I booted normally into Active Directory repair mode. After it was restarted I cannot log in to the domain or locally; it says no logon server is available for your request. Actually we don't know the password that we set during the dcpromo process or the local administrator password on the physical DC.

    Can you please tell us how to reset the local Administrator password or the password we set during the dcpromo process?

    Thanks.

        

    Thursday, July 25, 2013 8:28 AM
  • I should have seen this earlier.

    I forgot to set SQL Server to mixed mode and remember the password before promoting the server to a DC.

    My quick reaction was to try to "demote" the DC, and I found it can be done by running the dcpromo wizard again.

    However, it turned out that after the demotion the local administrator is not the same one as before, and I still cannot log in to SQL Server.

    My question is, do I still have access to this Directory Services Restore Mode after the DC has already been demoted? Is the old local machine administrator account still stored somewhere so it can be recovered?

    Update: I created a new thread in the SQL forum: https://social.msdn.microsoft.com/Forums/en-US/fbd295cf-7697-46c5-b1b7-f097054006de/windows-account-lost-anyway-to-enable-mix-mode-authentication-and-login-sql-server?forum=sqlsecurity
    • Edited by GuYuming Sunday, March 31, 2019 1:03 AM
    Friday, March 29, 2019 2:20 PM