How recover lost administrator password for DC

Hello experts!!

 I'm unable to login in the DC - windows server 2003 enterprise edition... using my admin password
I have tried:
* Restarting the DC in Directory Service Restore Mode but still I'm not able to go further..
* tried login with other possible accounts
* I have already tried the Petri option... http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
and nothing...

Would someone help me find out a tool I can run in order to recover the password?


I'll really appreciate your help!

ARPIAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

B HCommented:
if you have any other domain administrator account - you could log in as them and just reset the password for 'administrator', any chance on that?
0
ARPIAuthor Commented:
nope, I just have one DC.. :(
0
B HCommented:
right but do you have another USER that has domain admin rights?  such as joe.tech or some internal username what would have access to this?  if you do, you could just log in as them, then open active directory, reset the administrator password

0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

ssparks827Commented:
Try this
http://www.prime-expert.com/ebcd/

we have had much success.
0
ARPIAuthor Commented:
bryon44035v3:
I have 2 users and it doesn't let me access :(

ssparks827
what does this software do?.. it just says emergency boot...
0
ssparks827Commented:
I'm sorry was thinking this was for logging in local password.  

http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm

did you do the step by step on the other page?

Do you have another user with domain admin rights?

I hate to have you have to pay for something but this might work for you
http://www.lostpassword.com/windows.htm

if you don't have another user to get in and change the admin password.

I used lostpassword for domain stuff along time ago when it was free and it worked.

there are serveral types of these software out there...download the trial and see if it will list the users...if it does then you will be able to reset the password to blank.
0
digitapCommented:
are you talking about the domain administrator or the local administrator of the server?  If local administrator, try this:

http://www.pogostick.net/~pnh/ntpasswd/bootdisk.html

I've used this multiple times and it works without fail.  Word of advice: Set password to Null.  Don't try to change it.  Doesn't work right.

This utility won't reset the password of an AD account.

0
B HCommented:
hey do you have any workstations with the cached/remembered administrator password??

even if it's for a network share, email, etc... anything that accessed the server from the network as administrator?
0
Henrik JohanssonSystems engineerCommented:
As you're able to access the DC and reboot it into DSRM, you can try to use the method to set the logon screen's screen save to cmd and reboot back into normal mode. After a delay, it will give you a command prompt with system access and able to start dsa.msc or use dsquery,dsmod command line tools to reset the domain's administrator password.
Remember to restore the registry changes when done to not have a wide open door for anyone visiting the console.

http://www.petri.co.il/reset_domain_admin_password_in_windows_2000_ad.htm
0
Henrik JohanssonSystems engineerCommented:
I missed that the method I posted will not work if DC is Win2003.
I should had tested before posting to confirm it, but the method turned out to only give readonly access in Win2003 as the tools is launched as local service account with lack of permissions.

You say you have tested the 2003-method described in the 2003-version of the petri-article. To troubleshoot, what happens if you tail the command launched with "> c:\temp\netuser-output.txt" to get the output of the command launched to a textflie.
AppParameters: /k net user administrator 123456 /domain > c:\temp\netuser-output.txt
0
SteveCommented:
@ARPI

I'm a little concerned at some of the details here.

Firstly, did you or anyone else change the password causing you to not be able to log on?
have you restored anything from backup recently that could have caused it to revert to an old password?
Have you simply forgotten the password?

Secondly, you advise you have already tried the method in the petri.co.il which normally works fine. Either you didnt follow it correctly or there is an underlying problem with the server.
Did you get any errors or problems while trying the method thhere or did it appear to work ok?

Do you have any accounts on the network that may have acess to the server remotely (even checking the event logs would do)

Can you log onto valid domaain accounts on the network generally or is evveryone locked out?
can you log on with your admin account on a PC instead of the server?

0
ARPIAuthor Commented:
totallytonto:

Nobody changed the password, and I'm not able to use my local admin password either.
we didn't cahnge anything on the servers, what only happened the about 3 days before  the server was shut down...and we had to physically turn on..I'm assuming that it did make few windows updates..but 2 days later (the shut down) this started happening...

I did not get any errors when thse server boots up...I just got only the error of the login.

I have tried another one but also it doesn't let me get it...I'm able to login locally to other servers but not to the DC.

I'm able to access the PC with the admin password (network) but it doesn't give me access to any of the network...
0
Henrik JohanssonSystems engineerCommented:
>> I did not get any errors when thse server boots up...I just got only the error of the login.

What error do you get when trying to logon to DC's console? Incorrect password or something else?

>> I'm able to access the PC with the admin password (network) but it doesn't give me access to any of the network...

So, you can logon with the domain admin's user/password on another machine?

As you had tried to use srvany in original question, did you try to get the output from srvany into a textfile by changing AppParameters as suggested in http:#33436428?
0
ARPIAuthor Commented:
henjoh09,

I'm not able to view the link you sent... http:#33436428?
0
SteveCommented:
@ARPI,

Thanks, I think we're getting to the details on this now. It doesn't matter how many utils you use to reset the password as it doesn't appear the password is 'wrong' as such. I suspect the server itself is having a problem.

Could you log onto a PC with the admin password again and check the event logs on the PC for any errors/warnings. i suspect there may be some issues contacting the DC.
Also, if you can use the petri guide to get logged onto the server in AD restore mode, you should be able to get access to the event viewer on the server to check that too.

0
ARPIAuthor Commented:
totallytonto,

I'm not able to access AD in restore mode...still asks for my admin local or domain password...
0
SteveCommented:
"* I have already tried the Petri option... http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
and nothing..."

so, by 'nothing' you meant you didnt know that password either?
did you check the event logs of the PC?
0
B HCommented:
there are ways and ways to reset the director services restore mode password, but only if you can log into the server, OR have another domain controller.

you meet the above conditions, so your only other option at this point is if you can find a workstation with the cached administrator password (remembered) where you can see it masked out by stars (*********) - i can show you how to see behind those stars...  

if you don't have that - your only option is to do a system-state restore, but you can usually only do that if you can log into the server.  unless you have an entire image backup that you can do a bare metal restore.

failing those above, your next options are to do a repair install of the server, which will destroy active directory...  or a format/reinstall of the entire server which obviously will do the same.  in either of those two cases, you're looking at rejoining all the workstations to the domain after making new users, reconfiguring exchange/sql or anything else running from the server

unfortunately there's no bootable cd that can reset the AD administrator password.  password recovery disks are a really good idea, but usually nobody takes the time to create them.  even a sticky note taped to the server with the password is at least something, but - this is all hindsight at this point

i think you're out of options here, unless you can find a machine that has the remembered password, for a file share or email or something.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ARPIAuthor Commented:
totallytonto,

I do have the local and domain passwords but none works when I login in DC...

I have checked in one of the workstations and I got the errors:

Under SECURITY----->

event ID: 680
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:  xxxx
 Source Workstation: 210L_001
 Error Code: 0xC0000064

Other error I get also:

event ID:12
Audit Policy Change:
 New Policy:
       Success      Failure
           -          -      Logon/Logoff
           -          -      Object Access
           -          -      Privilege Use
           -          -      Account Management
           -          -      Policy Change
           -          -      System
           -          -      Detailed Tracking
           -          -      Directory Service Access
           -          -      Account Logon

 Changed By:
         User Name:      MY_WORKSTATION_NAME$
         Domain Name:      WORKGROUP
         Logon ID:      (0x0,0x3E7)

For more information, see Help and Support Center at ....

under Applications Event --->

Event ID:1030
Windows cannot bind to MYDOMAINNAME  (Invalid Credentials). Group Policy processing aborted.

AND
Event ID:15
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.

0
SteveCommented:
it is possible to change the AD recovery password using the normal XP password reset tools found on a lot of bootdisks (Winternals ERD for example) but it doesnt always work. Its worth a try as if you can get in to restore mode you can probably fix it.

I'm not convinved the password is the issue though. These errors suggest the passwords/login cannot even be processed.

Can the PC ping the server or browse to it?
Try opening the servers event viewer from the PC. It may not work as you arent logged in as admin but its worth a try.

Id consider disconnecting ALL the network cables from the server and trying to log in again as no NIC often causes the server to authenticate in s slightly different way.
0
ARPIAuthor Commented:
totallytonto:


Yes the PC is able to ping the DC IP address...and I'm able to pull the remote but when I try to authenticate got the error authentication message..


server-ping.png
server2.JPG
0
SteveCommented:
any luck without the network cables?
0
ARPIAuthor Commented:
totallytonto,

No luck...doesn't let me get in...
0
ARPIAuthor Commented:
Thanks to all!! will have to redo the DC...

0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.