Reset the local administrator password on a domain controller that is about to be demoted

Posted on 2011-03-04
Medium Priority
Last Modified: 2012-05-11
Hi All;

We have a Win2k3 Server acting as a Domain controller & SQL 2005 Server, and want to demote the server to be a SQL box only. Since nobody knows what the local admin password was prior to making it a domain controller, we want to know how we can reset it.

So when we demote the server we can log in locally using the local password and re-join it to the domain.


Question by:atigris
LVL 76

Accepted Solution

Alan Hardisty earned 1132 total points
ID: 35039692
When you dcpromo the server you have to set the password.  Before running dcpromo there is no local admin password as the server is a Domain Controller and can't be logged on to locally.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35039715
For more info - please read the following link:

LVL 47

Expert Comment

by:Donald Stewart
ID: 35039738

LVL 11

Expert Comment

ID: 35039756
When you demote the domain controller, it will only be a member server instead of a DC - it will still be part of the domain. However, if you still would like to reset the local admin password then you can do so after demoting the server.
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 35039761
You can try ERD Commander, I know that it works on Server 2003. But I am not sure if it will work on a DC, as you don't have local users. But it is worth a try.

Hendrik Wiese
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 35039768
You can download ERD Commander at the following link: http://www.fullandfree.info/software/erd-commander-2005/
LVL 47

Expert Comment

by:Donald Stewart
ID: 35039789
Forcefully demote a Windows Server 2003 domain controller


Scenario 1: If the domain controller can boot into normal mode:
1. Click Start, click Run, and then type the following command:
        dcpromo /forceremoval
2. Click OK. If Certificate Services is not removed, you will get a message to remove it first. If FSMO roles/GC are not seized from the DC, you will get a message to transfer the roles to another DC.
3. At the Welcome to the Active Directory Installation Wizard page, click Next.
4. At the Force the Removal of Active Directory page, click Next.
5. In Administrator Password, type the password and confirmed password that you want to assign to the Administrator account of the local SAM database, and then click Next.
6. In Summary, click Next.
7. When it finishes, click Finish and reboot the computer.

LVL 57

Expert Comment

by:Mike Kline
ID: 35039810
You only want to do the forceremoval if a graceful demotion doesn't work. After a force you have to clean up metadata etc.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35039824
As I have already stated - When demoting a Domain Controller - part of the process involves setting the local admin password.

No 3rd party tools are needed.
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 668 total points
ID: 35039879
I have never seen so many pointless, misleading and incorrect posts in one thread!!

The very first post by alanhardisty is the ONLY post that needed to be in this thread! Then it's followed by a pile of duff info from people who guess at the answer, it seems.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35039916
Thanks Neilsr for posting that before I did.  I can't believe there are so many 'experts' who clearly don't have a clue about what they are doing but are willing to post advice as if they do!!

It's bad enough that people Google and post the first thing that comes up, but people are just posting complete rubbish here and it demonstrates that they have no knowledge of the subject at hand.

Experts - before you post - be sure of your 'facts', at best, you might just make a fool of yourselves, at worst you might be posting dangerous and damaging advice.

If you haven't got a clue - click on Monitor to learn from the question.
LVL 74

Assisted Solution

by:Glen Knight
Glen Knight earned 200 total points
ID: 35040603
Be very careful when demoting a server which has other services on it that require authentication.

SQL may also have Reporting Services installed, which requires IIS. When you promote or demote a DC with IIS on it, it makes changes to IIS.

Authentication also changes, as instead of using a local copy of ADDS it now needs to go somewhere else.

Author Closing Comment

ID: 35060965
I was able to set the password during dcpromo wizard. Thanks
