Reset the local administrator password on a domain controller that is about to be demoted

Posted on 2011-03-04
Last Modified: 2012-05-11
Hi All;

We have a Win2k3 Server acting as a Domain controller & SQL 2005 Server, and want to demote the server to be a SQL box only. Since nobody knows what the local admin password was prior to making it a domain controller, we want to know how we can reset it.

So when we demote the server we can log in locally using the local password and re-join it to the domain.


Question by:atigris
LVL 76

Accepted Solution

Alan Hardisty earned 283 total points
ID: 35039692
When you dcpromo the server you have to set the password.  Before running dcpromo there is no local admin password as the server is a Domain Controller and can't be logged on to locally.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35039715
For more info - please read the following link:
LVL 47

Expert Comment

ID: 35039738
LVL 11

Expert Comment

ID: 35039756
When you demote the domain controller, it will only be a member server instead of a DC - it will still be part of the domain. However, if you still would like to reset the local admin password then you can do so after demoting the server.
LVL 20

Expert Comment

by:Hendrik Wiese
ID: 35039761
You can try ERD Commander, I know that it works on Server 2003. But I'm not sure if it will work on a DC as you don't have local users. But it is worth a try.

Hendrik Wiese
LVL 20

Expert Comment

by:Hendrik Wiese
ID: 35039768
You can download ERD Commander at the following link:

LVL 47

Expert Comment

ID: 35039789
Forcefully demote a Windows Server 2003 domain controller

Scenario 1: If the domain controller can boot into normal mode:
1. Click Start, click Run, and then type the following command:
        dcpromo /forceremoval
2. Click OK. If Certificate Services is not removed, you will get a message to remove it first. If FSMO roles/GC are not seized from the DC, you will get a message to transfer the roles to another DC.
3. At the Welcome to the Active Directory Installation Wizard page, click Next.
4. At the Force the Removal of Active Directory page, click Next.
5. In Administrator Password, type the password and confirmed password that you want to assign to the Administrator account of the local SAM database, and then click Next.
6. In Summary, click Next.
7. When it finishes, click Finish and reboot the computer.

LVL 57

Expert Comment

by:Mike Kline
ID: 35039810
You only want to do the forceremoval if a graceful demotion doesn't work. After a force you have to clean up metadata etc.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35039824
As I have already stated - When demoting a Domain Controller - part of the process involves setting the local admin password.

No 3rd party tools are needed.
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 167 total points
ID: 35039879
I have never seen so many pointless, misleading and incorrect posts in one thread!!

The very first post by alanhardisty is the ONLY post that needed to be in this thread! Then it's followed by a pile of duff info from people who guess at the answer it seems.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35039916
Thanks Neilsr for posting that before I did.  I can't believe there are so many 'experts' who clearly don't have a clue about what they are doing but are willing to post advice as if they do!!

It's bad enough that people Google and post the first thing that comes up, but people are just posting complete rubbish here and it demonstrates that they have no knowledge of the subject at hand.

Experts - before you post - be sure of your 'facts', at best, you might just make a fool of yourselves, at worst you might be posting dangerous and damaging advice.

If you haven't got a clue - click on Monitor to learn from the question.
LVL 74

Assisted Solution

by:Glen Knight
Glen Knight earned 50 total points
ID: 35040603
Be very careful when demoting a server which has other services on it that require authentication.

SQL may also have reporting services installed, which requires IIS. When you promote or demote a DC with IIS on it, it makes changes to IIS.

Authentication also changes, as instead of using a local copy of ADDS it now needs to go somewhere else.

Author Closing Comment

ID: 35060965
I was able to set the password during the dcpromo wizard. Thanks
