Locked out of Server 2008 R2 - 2nd revision

Server 2008 R2 was a member server in a Server 2003 Standard domain. I created a new domain when adding Active Directory, but it didn't prompt me for users on the new domain other than the Directory Services Restore Mode Admin.

Consequently I can't log on to the new domain. F8 sends me to a BitLocker Recovery Key screen rather than DSR Admin.

How can I get into the server? Can I establish a trust on the Server 2003 side?

I closed this prematurely on the other thread.
Asked by Randy Downs (Owner)

Chris H (Infrastructure Manager) commented:
Here's a link to the NT password offline editor:


I'm pretty sure this can be used on the domain controller to enable, and reset to blank, the admin password. I've had luck on just 2008, but not 2008 R2.


Also, I saw this solution:


It's possible to reset your Windows Server 2008 / R2 Domain Controller administrator password using your installation CD.

1. Restart your Windows Server 2008 DC with the installation CD

2. Choose your language and click Next

3. Select your partition and installation version and click Next

4. Click on Command Line Prompt

5. Change directory to access the System32 directory. Note that your original C: drive will be D: or E:, depending on the number of drives and partitions you have on that system.

6. Rename the file Utilman.exe to Utilman.exe.bak using the command Copy Utilman.exe Utilman.exe.bak.

7. Use the command Move Cmd.exe Utilman.exe to move the Cmd.exe file into Utilman.exe. Press O or Y to accept, then restart your computer normally.

8. At the user logon screen, press the combination Windows Key+U, and Cmd.exe will appear. Type net user "Username" "new password".

Then your system Admin password is reset. Please don't forget to rename Utilman.exe back to Cmd.exe and Utilman.exe.bak back to Utilman.exe after you regain access.
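An offline integrity check for the Utilman.exe swap in the quoted steps, added here as a defender's aid; it is not code from the thread or from Experts Exchange. It assumes the system volume has been decrypted and mounted read-only, takes that volume's System32 path in audit_system32(), and the sample directory it audits here is constructed.

```python
"""Offline check for the Utilman.exe-swapped-for-cmd.exe state described above.
Point audit_system32() at the System32 directory of a system volume mounted
read-only (after BitLocker recovery if it is encrypted). Hypothetical helper."""
import hashlib
import os
import tempfile

# Utilman.exe is the helper the quoted steps swap; the others are launched from the
# same logon screen and deserve the same check.
ACCESSIBILITY_BINARIES = ("Utilman.exe", "sethc.exe", "osk.exe", "Narrator.exe", "Magnify.exe")
LEFTOVER_SUFFIXES = (".bak", ".old", ".orig")

def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_system32(system32):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    entries = {name.lower(): name for name in os.listdir(system32)}  # case-insensitive lookup
    cmd_name = entries.get("cmd.exe")
    cmd_hash = sha256_of(os.path.join(system32, cmd_name)) if cmd_name else None
    for helper in ACCESSIBILITY_BINARIES:
        actual = entries.get(helper.lower())
        if actual and cmd_hash and sha256_of(os.path.join(system32, actual)) == cmd_hash:
            findings.append(f"{actual} is byte-identical to cmd.exe")
        for suffix in LEFTOVER_SUFFIXES:
            leftover = entries.get(helper.lower() + suffix)
            if leftover:
                findings.append(f"leftover copy {leftover} found next to {helper}")
    return findings

def build_sample_system32(tampered=True):
    """Constructed System32 look-alike; tampered=True mirrors the state the steps leave."""
    root = tempfile.mkdtemp(prefix="sys32_")
    cmd_bytes, utilman_bytes = b"MZ constructed cmd.exe", b"MZ constructed Utilman.exe"
    files = {"cmd.exe": cmd_bytes, "sethc.exe": b"MZ constructed sethc.exe",
             "Utilman.exe": cmd_bytes if tampered else utilman_bytes}
    if tampered:
        files["Utilman.exe.bak"] = utilman_bytes  # the renamed original left behind
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as handle:
            handle.write(data)
    return root
```

Run audit_system32() against the real mounted System32 path; any finding means the logon-screen helper has been replaced or a renamed original is still on disk.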
Randy Downs (Owner, Author) commented:
Will this work on an encrypted drive? I get prompted for a BitLocker key. I hope someone has the key, but the computer disks & such are in storage & the company that originally set up the server is off until Monday.

In retrospect I should have done recovery disks, full backups and waited on all the other work I put into this server.
Chris H (Infrastructure Manager) commented:

Please note that the Offline NT Password & Registry Editor ("Offline") home page states: "If password is reset on users that have EFS encrypted files, and the system is XP or newer, all encrypted files for that user will be UNREADABLE and cannot be recovered unless you remember the old password again".

Chris H (Infrastructure Manager) commented:

How to enable a disabled Local Administrator account offline in Windows 7 (even when using BitLocker)


For the program to work, the hard disk or partition where Windows is installed must be unencrypted - no BitLocker, TrueCrypt or other encryption is supported here. In case of TrueCrypt, you should use Rescue Disk for decrypting system drive first.

Seems the answer is no.  If you can get me the NTLM hash for an administrator account, I can crack it for you.  


I believe the binary code link is in the comments section.  Found this interesting:

Quarkspwdump does not dump anything in memory like hash or plaintext credentials. It only uses the Windows registry to retrieve stored hashes, or the ntds file when dealing with domain credentials or BitLocker. Actually it's a choice, but yes, there are many techniques to retrieve plaintext passwords; however, MS made a lot of effort to kill them with Win 8/8.1.
Randy Downs (Owner, Author) commented:
I don't know if it's the entire drive or just user files. The user files are of no consequence since it was only the old domain users logging on. F8 sends me to the BitLocker screen, if that's an indicator.

This server was a member of a 2003 domain and probably should have been removed prior to adding Active Directory.
Chris H (Infrastructure Manager) commented:
You could clone it, reset one admin password on the clone, do a pwdump of the NTLM hashes, and then we could crack the NTLM hash and you could use the password on the live machine without affecting it.
Chris H (Infrastructure Manager) commented:
That's assuming there's a second admin account...
Randy Downs (Owner, Author) commented:
I can't log in to the server, so no idea how I would get the NTLM hash.
Randy Downs (Owner, Author) commented:
The thing is that Active Directory installation didn't ask for any users to be created. I assumed that the domain administrator account would use the credentials of Directory Services Restore Mode Admin since that's the only account it created a password for.

If I try to login as admin as I would in Directory Services Restore Mode Admin mode it acts like it's logging in but comes back & tells me I have the wrong credentials. I guess it knows the credentials are good but it's in the wrong mode.
Randy Downs (Owner, Author) commented:
I downloaded Quarkspwdump.

I guess the idea is to break into the server, then try to crack the BitLocker code, right? Is it possible to encrypt the O/S drive?
Chris H (Infrastructure Manager) commented:
Don't do anything without a backup.  And yes, the idea would be to hack into the backup or clone.  But this would only work if you had a second admin account on the server.

You would disregard the damage done by nuking the EFS and reset the local admin password. Then, once in, do an NTLM hash dump. Find a second admin and then crack that password.
Randy Downs (Owner, Author) commented:
Unfortunately I don't have a backup & no other admin accounts were created for this new domain but there are a number of admin accounts on the domain that it was a member of.

Here's the scenario. Server 2008 R2 was a member of a 2003 Standard domain. We didn't have the DVD for adprep, so we decided to create a new domain by adding Active Directory. That went fine & it asked for a Directory Services Restore Mode Admin password. All went fine & it said it needed a reboot. Since then we have been unable to log in.

Server 2008 R2 knows about the previous domain but doesn't have a trust relationship, so it won't let me log on with the old domain credentials either.
Randy Downs (Owner, Author) commented:
OK, so Offline NT Password & Registry Editor won't work to unlock the server & the DVD won't fare any better on encrypted files, right?

This is not a virtual machine, so no idea how I would clone. The only backups we did are LogMeIn data, and they don't even respond with the server down.
Chris H (Infrastructure Manager) commented:
I believe the domain controller's local administrator account and its password assigned at installation should be the admin account. Did you guys rename the local admin account, maybe?

Randy Downs (Owner, Author) commented:
I didn't set the server up initially. I was logging onto it with the 2003 domain accounts, of which it was a member server.

I added Active Directory & rebooted, expecting to be able to log in as Administrator on the newly created domain.

I don't know if the local admin account of the server was renamed. I didn't even try logging on without the domain. Is that even possible on a domain controller?

I guess I could try logging on like this:

Currently it defaults to the old domain, which it doesn't trust, and logging on as a new user wants to log on to the new domain.
Randy Downs (Owner, Author) commented:
There is no local admin account on domain controllers. The only option is to log in with F8, which is encrypted in my case.

The administrator account on the 2003 domain was not changed, but it's not trusted. Perhaps I could trust it from the 2003 end. Would that help, or is it possible?

I never got to log on since the creation of the new domain, so no accounts were created or renamed.
Randy Downs (Owner, Author) commented:
Trusting from the 2003 domain is apparently a dead end. I can't add the domain or browse to it.

Maybe I am trying to log on to the domain incorrectly.

I named the domain like this

I assumed I could logon as

I also tried
Randy Downs (Owner, Author) commented:
Thanks for all the timely information.

Fortunately the company that installed the server had working credentials. Strangely enough, they only worked on a remote connection. They also had the BitLocker Recovery Key.