Solved

How recover lost administrator password for DC

Posted on 2010-08-13
24
698 Views
Last Modified: 2012-06-27
Hello experts!!

 I'm unable to login in the DC - windows server 2003 enterprise edition... using my admin password
I have tried:
* Restarting the DC in Directory Service Restore Mode but still I'm not able to go further..
* tried login with other possible accounts
* I have already tried the Petri option... http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
and nothing...

Would someone help me find out a tool I can run in order to recover the password?


I'll really appreciate your help!

0
Comment
Question by:ARPI
  • 9
  • 5
  • 4
  • +3
24 Comments
 
LVL 24

Expert Comment

by:bryon44035v3
Comment Utility
if you have any other domain administrator account - you could log in as them and just reset the password for 'administrator', any chance on that?
0
 

Author Comment

by:ARPI
Comment Utility
nope, I just have one DC.. :(
0
 
LVL 24

Expert Comment

by:bryon44035v3
Comment Utility
right but do you have another USER that has domain admin rights?  such as joe.tech or some internal username what would have access to this?  if you do, you could just log in as them, then open active directory, reset the administrator password

0
 
LVL 3

Expert Comment

by:ssparks827
Comment Utility
Try this
http://www.prime-expert.com/ebcd/

we have had much success.
0
 

Author Comment

by:ARPI
Comment Utility
bryon44035v3:
I have 2 users and it doesn't let me access :(

ssparks827
what does this software do?.. it just says emergency boot...
0
 
LVL 3

Expert Comment

by:ssparks827
Comment Utility
I'm sorry was thinking this was for logging in local password.  

http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm

did you do the step by step on the other page?

Do you have another user with domain admin rights?

I hate to have you have to pay for something but this might work for you
http://www.lostpassword.com/windows.htm

if you don't have another user to get in and change the admin password.

I used lostpassword for domain stuff along time ago when it was free and it worked.

there are serveral types of these software out there...download the trial and see if it will list the users...if it does then you will be able to reset the password to blank.
0
 
LVL 33

Expert Comment

by:digitap
Comment Utility
are you talking about the domain administrator or the local administrator of the server?  If local administrator, try this:

http://www.pogostick.net/~pnh/ntpasswd/bootdisk.html

I've used this multiple times and it works without fail.  Word of advice: Set password to Null.  Don't try to change it.  Doesn't work right.

This utility won't reset the password of an AD account.

0
 
LVL 24

Expert Comment

by:bryon44035v3
Comment Utility
hey do you have any workstations with the cached/remembered administrator password??

even if it's for a network share, email, etc... anything that accessed the server from the network as administrator?
0
 
LVL 31

Expert Comment

by:Henrik Johansson
Comment Utility
As you're able to access the DC and reboot it into DSRM, you can try to use the method to set the logon screen's screen save to cmd and reboot back into normal mode. After a delay, it will give you a command prompt with system access and able to start dsa.msc or use dsquery,dsmod command line tools to reset the domain's administrator password.
Remember to restore the registry changes when done to not have a wide open door for anyone visiting the console.

http://www.petri.co.il/reset_domain_admin_password_in_windows_2000_ad.htm
0
 
LVL 31

Expert Comment

by:Henrik Johansson
Comment Utility
I missed that the method I posted will not work if DC is Win2003.
I should had tested before posting to confirm it, but the method turned out to only give readonly access in Win2003 as the tools is launched as local service account with lack of permissions.

You say you have tested the 2003-method described in the 2003-version of the petri-article. To troubleshoot, what happens if you tail the command launched with "> c:\temp\netuser-output.txt" to get the output of the command launched to a textflie.
AppParameters: /k net user administrator 123456 /domain > c:\temp\netuser-output.txt
0
 
LVL 27

Expert Comment

by:Steve
Comment Utility
@ARPI

I'm a little concerned at some of the details here.

Firstly, did you or anyone else change the password causing you to not be able to log on?
have you restored anything from backup recently that could have caused it to revert to an old password?
Have you simply forgotten the password?

Secondly, you advise you have already tried the method in the petri.co.il which normally works fine. Either you didnt follow it correctly or there is an underlying problem with the server.
Did you get any errors or problems while trying the method thhere or did it appear to work ok?

Do you have any accounts on the network that may have acess to the server remotely (even checking the event logs would do)

Can you log onto valid domaain accounts on the network generally or is evveryone locked out?
can you log on with your admin account on a PC instead of the server?

0
 

Author Comment

by:ARPI
Comment Utility
totallytonto:

Nobody changed the password, and I'm not able to use my local admin password either.
we didn't cahnge anything on the servers, what only happened the about 3 days before  the server was shut down...and we had to physically turn on..I'm assuming that it did make few windows updates..but 2 days later (the shut down) this started happening...

I did not get any errors when thse server boots up...I just got only the error of the login.

I have tried another one but also it doesn't let me get it...I'm able to login locally to other servers but not to the DC.

I'm able to access the PC with the admin password (network) but it doesn't give me access to any of the network...
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 31

Expert Comment

by:Henrik Johansson
Comment Utility
>> I did not get any errors when thse server boots up...I just got only the error of the login.

What error do you get when trying to logon to DC's console? Incorrect password or something else?

>> I'm able to access the PC with the admin password (network) but it doesn't give me access to any of the network...

So, you can logon with the domain admin's user/password on another machine?

As you had tried to use srvany in original question, did you try to get the output from srvany into a textfile by changing AppParameters as suggested in http:#33436428?
0
 

Author Comment

by:ARPI
Comment Utility
henjoh09,

I'm not able to view the link you sent... http:#33436428?
0
 
LVL 27

Expert Comment

by:Steve
Comment Utility
@ARPI,

Thanks, I think we're getting to the details on this now. It doesn't matter how many utils you use to reset the password as it doesn't appear the password is 'wrong' as such. I suspect the server itself is having a problem.

Could you log onto a PC with the admin password again and check the event logs on the PC for any errors/warnings. i suspect there may be some issues contacting the DC.
Also, if you can use the petri guide to get logged onto the server in AD restore mode, you should be able to get access to the event viewer on the server to check that too.

0
 

Author Comment

by:ARPI
Comment Utility
totallytonto,

I'm not able to access AD in restore mode...still asks for my admin local or domain password...
0
 
LVL 27

Expert Comment

by:Steve
Comment Utility
"* I have already tried the Petri option... http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
and nothing..."

so, by 'nothing' you meant you didnt know that password either?
did you check the event logs of the PC?
0
 
LVL 24

Accepted Solution

by:
bryon44035v3 earned 500 total points
Comment Utility
there are ways and ways to reset the director services restore mode password, but only if you can log into the server, OR have another domain controller.

you meet the above conditions, so your only other option at this point is if you can find a workstation with the cached administrator password (remembered) where you can see it masked out by stars (*********) - i can show you how to see behind those stars...  

if you don't have that - your only option is to do a system-state restore, but you can usually only do that if you can log into the server.  unless you have an entire image backup that you can do a bare metal restore.

failing those above, your next options are to do a repair install of the server, which will destroy active directory...  or a format/reinstall of the entire server which obviously will do the same.  in either of those two cases, you're looking at rejoining all the workstations to the domain after making new users, reconfiguring exchange/sql or anything else running from the server

unfortunately there's no bootable cd that can reset the AD administrator password.  password recovery disks are a really good idea, but usually nobody takes the time to create them.  even a sticky note taped to the server with the password is at least something, but - this is all hindsight at this point

i think you're out of options here, unless you can find a machine that has the remembered password, for a file share or email or something.
0
 

Author Comment

by:ARPI
Comment Utility
totallytonto,

I do have the local and domain passwords but none works when I login in DC...

I have checked in one of the workstations and I got the errors:

Under SECURITY----->

event ID: 680
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:  xxxx
 Source Workstation: 210L_001
 Error Code: 0xC0000064

Other error I get also:

event ID:12
Audit Policy Change:
 New Policy:
       Success      Failure
           -          -      Logon/Logoff
           -          -      Object Access
           -          -      Privilege Use
           -          -      Account Management
           -          -      Policy Change
           -          -      System
           -          -      Detailed Tracking
           -          -      Directory Service Access
           -          -      Account Logon

 Changed By:
         User Name:      MY_WORKSTATION_NAME$
         Domain Name:      WORKGROUP
         Logon ID:      (0x0,0x3E7)

For more information, see Help and Support Center at ....

under Applications Event --->

Event ID:1030
Windows cannot bind to MYDOMAINNAME  (Invalid Credentials). Group Policy processing aborted.

AND
Event ID:15
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.

0
 
LVL 27

Expert Comment

by:Steve
Comment Utility
it is possible to change the AD recovery password using the normal XP password reset tools found on a lot of bootdisks (Winternals ERD for example) but it doesnt always work. Its worth a try as if you can get in to restore mode you can probably fix it.

I'm not convinved the password is the issue though. These errors suggest the passwords/login cannot even be processed.

Can the PC ping the server or browse to it?
Try opening the servers event viewer from the PC. It may not work as you arent logged in as admin but its worth a try.

Id consider disconnecting ALL the network cables from the server and trying to log in again as no NIC often causes the server to authenticate in s slightly different way.
0
 

Author Comment

by:ARPI
Comment Utility
totallytonto:


Yes the PC is able to ping the DC IP address...and I'm able to pull the remote but when I try to authenticate got the error authentication message..


server-ping.png
server2.JPG
0
 
LVL 27

Expert Comment

by:Steve
Comment Utility
any luck without the network cables?
0
 

Author Comment

by:ARPI
Comment Utility
totallytonto,

No luck...doesn't let me get in...
0
 

Author Closing Comment

by:ARPI
Comment Utility
Thanks to all!! will have to redo the DC...

0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
I wrote this article to explain some important DNS concepts that should be known to avoid some typical configuration errors I often see in forums. I assume that what is described here is the typical behavior of Microsoft DNS client. I don't know …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now