Windows Server 2008 cannot log in locally to an RODC

Posted on 2009-02-10
Last Modified: 2013-12-04
We recently purchased two Windows Server 2008 systems. I joined them to the domain and promoted both of them to RODCs with DNS and Global Catalog. They ran with no issues for a few days.

I cannot log into either of them as SERVERNAME\Administrator. This is a problem because one of them was re-configured with an IP address for the network it's being shipped to. A non-techie is going to plug it in and we need to be able to let him get in so we can finish the setup. But I need to get in and test a few more things before we ship it out.

   So since it has an IP address which is not currently valid, I cannot log in as anyone else either, because the domain is unavailable (remember, an RODC doesn't hold passwords unless you manually cache them in advance.) The delegates for local administrator access I used was my Domain Admins group, which are barred from caching their passwords locally anyway. Nobody else was delegated.

   How can I get in to this machine? And how can I set this up so our guy on site can just plug in and go?
Question by: og_sh0x
    LVL 30

    Accepted Solution

    Boot into DSRM, Safe Mode or Safe Mode with Networking and log in with the DSRM password to correct the issue.

    Use repadmin to pre-cache the local technician(s)' password(s) to prevent the issue from recurring, as follows:
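
One way to carry out the pre-caching step named in the accepted answer, as an added example that is not part of the original answer. The server names and the user DN are hypothetical; it assumes the technician's account is already permitted by the RODC's password replication policy and that the RODC can reach a writable DC while the commands run.

```powershell
# Added example with constructed names; replace them with your own.
$Rodc  = 'BRANCH-RODC01'   # hypothetical RODC name
$HubDc = 'HQ-DC01'         # hypothetical writable (hub) domain controller
$Users = @(
    'CN=Site Tech,OU=Branch Staff,DC=example,DC=com'   # hypothetical technician DN
)

foreach ($dn in $Users) {
    # Show the effective password replication policy for this account first.
    # Accounts in denied groups (Domain Admins by default) cannot be cached.
    repadmin /prp view $Rodc $dn
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "PRP lookup failed for $dn"
        continue
    }

    # Ask the RODC to pull this account's password from the writable DC now,
    # so the account can log on later when no writable DC is reachable.
    repadmin /rodcpwdrepl $Rodc $HubDc $dn
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Pre-cache failed for $dn"
    }
}

# List every account whose password is currently stored on the RODC,
# to confirm the technician is present and nothing unexpected is cached.
repadmin /prp view $Rodc reveal
```

Every password cached on an RODC is exposed if that server is stolen or compromised, so keep the list to the accounts the site actually needs.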
    LVL 3

    Assisted Solution

    In all Domain controllers the local SAM is disabled in Normal mode so you cannot use SERVERNAME\Administrator for login. Reboot the machine in DSRM mode and you can use the local admin password, since in this mode SAM is active and AD is disabled :)
    LVL 30

    Expert Comment

    ChrisHudson - Read-Only Domain Controllers allow local logins while booted normally; it is a new feature in Windows Server 2008.
    LVL 3

    Author Closing Comment

    Thanks for the speedy replies!
