Changing Admin password on Server 2008 DC

Hey guys

I have been tossing some softballs lately but now I have a hard one to figure out.  Customer has had the same Administrator password for the past 6 years and they are working just fine, but a new IT guy wants to change the Administrator password.  Sounds simple enough except that when he does it, the onsite website stops working and people start having trouble surfing the Internet.  Sounded like a DNS issue but I cannot figure out why that would happen. Do I need to restart the Domain Controller when I change the Administrator password or should I log out and log back in as Admin?  When we change it back to the original password everything starts to work again.  We never have tried restarting the DC when this happens.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
Specfiically for this there seems to be a service account or a scheduled task that is using the domain administrator account/password. You will need to go onto the servers that are having issues and make sure that services are not using the domain administrator account. If you require a service account then create a new account called svc_servicename and provide the proper permissions.

I suspect that on your domain controllers you are using a Service account to control the DNS service which is not required.

Neil RussellTechnical Development LeadCommented:
Far more likely is that in the past services and shares and who knows what else have been set up to run using the domain administrators account.  This is not an uncommon mistake of Amatuer admins who don't fully understand network security.
If you change the password during a period of least disruption and monitor the security event logs on your DC's then you will like see authentication failures and by investigating these you will hopefully locate what's breaking
Also just examine Seevices on each server and look for anything that has a Run As User of Administratir.
Lee W, MVPTechnology and Business Process AdvisorCommented:
While a reboot is never required to change a user's password (ANY user), in this case, it should generate errors in the event logs that tell you what services are using the account.  You could more simply review the services administrative tool and sort by "Log On As" to see what services are using the account.

Keep in mind that systems ALL OVER your domain could be using that account for services and scheduled tasks.  You may have a LOT of work to do - or google around for a powershell script to retrieve that information all at once.

(Also possible NAS devices and other third part equipment that can integrate with AD was setup using the administrator account - LOTS for you to check).
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

jonmenefeeAuthor Commented:
Thanks guys

Ok, we have one domain controller, a Server 2008 with DNS and DHCP installed on it and from what I can tell the DNS services are running as a local account

I have attached a couple of screenshots that shows the DNS settings and the Services Log on As area.

Thanks and looking forward to your replies!!
Lee W, MVPTechnology and Business Process AdvisorCommented:
As I said, services on OTHER SYSTEMS could be controlled by the domain admin account - do you have other services? Web Server?  Proxy Server?  You need to check all your credentials.  You need provide specific information as to WHAT problems people experience.  Check their event logs for clues.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
David Johnson, CD, MVPOwnerCommented:
basic powershell script to get services from various computers that are not using built in accounts
$servers = get-content c:\test\servers.txt
foreach ($server in $servers)
    $services = Get-WMIObject Win32_Service -ComputerName $server
    foreach ($service in $services) {
    if ( `
         ($service.StartName -ne 'LocalSystem') `
    -and ($service.StartName -ne "NT Authority\LocalService")`
    -and ($service.StartName -ne "NT Authority\NetworkService")`
        ) {
        $output = $service.Name +" " + $service.StartName
        Write-Output $output

Open in new window

jonmenefeeAuthor Commented:
Before the password is changed, I can ping the website (that is currently on the DC) from within the network and it gives me the internal IP address of the server.  When I change the password and wait about 30 minutes, when I try and ping the server it times out and instead of the Internal IP address it gives me the external IP address.

The DC is running a website that is being moved off very soon (the project I am on) that is accessible from the Internet using an uncommon port number.  Simply typing in the address wont work, it does require using a unique port.  Even with that little small bit of security I told them to take the website off the DC.  So we are doing just that and we are also changing the Admin password.  When the password was attempted to be changed yesterday, nearly all the people on the network lost connection to the internal website and they had trouble getting to the Internet.

There is no NAS and no Proxy server running.  Everyone's only DNS setting is the DC's IP address.  that's what is making me think its the DNS that is causing the issue.  Should I log off the Administrator when the password is changed and see if that makes a difference?

Also, in the script above, the c:\test\servers.txt, is that a txt that I put the servers names in? or is that where the output goes?
David Johnson, CD, MVPOwnerCommented:
that is where you put the server names in. the 30 minute wait is probably the TTL (time to live) for your DNS.  Since the main item is the website I'd be checking the apppool s that is probably where the problem is.
jonmenefeeAuthor Commented:
We are still looking at the services but that is where I believe the problem is.  Thanks for all the help guys! :-)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.