What do I do when I've locked myself out of a newly created Active Directory server?
I've just set up a Windows 2003 server as the DNS/AD server to replace an old server. However, it appears that I don't know the password for the Administrator account. I entered the Restore Mode password and I set up the role through the wizard. However, I cannot log on to the newly created domain. It prompts for the administrator password, which I have not expressly set yet, and therefore I cannot log on. I can log on to the machine by booting into Direct Recovery Services Repair and logging in to the local admin account. What can I do to regain access to my server?
Solution 1:
There isn't really a "supported" method of recovering passwords in Windows Server 2003. If there's no critical data on the machine or in the newly-created domain it would be easiest just to level the box and start over.
Edit:
I don't mean to sound trite, but if you just set up the machine, leveling it and starting over isn't going to be too hard. Why go through all the hassle of these other procedures when you can just start over fresh and know you've got a machine that isn't starting its life with a checkered past?
Edit 2:
Just for kicks I spun up a W2K3 SP2 VM, promoted it to being a lone DC in a new AD forest, and started trying to "crack" the Administrator using the procedures described in the article that @zevlag linked to.
The "screensaver method" the article describes won't work in Windows Server 2003 or newer versions because the Winlogon screensaver runs as LOCAL_SERVICE, which has restricted permissions. Unlike the author of that article, I think this change is a good idea and I'm glad Microsoft did it. A buggy screen saver on logon won't expose the machine to an NT_AUTHORITY\SYSTEM-level vulnerability.
To be fair, that article states that the "screensaver method" described therein won't work on Windows Server 2003. The article sends you elsewhere for additional instructions on that platform.
This W2K3-specific article uses a method with the srvany Resource Kit tool to create a service running as NT_AUTHORITY\System. The fact that the author of this W2K3-specific article doesn't know that the built-in "SC" command can install a service (instead using instsrv to accomplish the installation) but, later, uses "SC" to delete a service doesn't inspire confidence. Nonetheless, I pressed on.
To my surprise, the cmd.exe instance service running as NT_AUTHORITY\SYSTEM was able to reset the domain Administrator account's password! I'll sheepishly admit that I didn't know that NT_AUTHORITY\SYSTEM on DCs had any rights in AD. Zow.
If I were going to do a password reset in this manner I would do it thusly:
- Boot in DS Restore Mode and logon as "Administrator"
- Execute the command
sc create resetpw binPath= "net user administrator p@ssw0rd" start= auto
- Reboot into normal mode. You will receive the "At least one service or driver failed during system startup." pop-up on top of the logon dialog.
At this point the domain Administrator password would be reset to p@ssw0rd (as per the net user command above). You could then logon and execute the sc delete resetpw command to delete the "service" that you installed to reset the password. The use of instsrv and srvany isn't necessary to make this work (srvany alleviates the service failure error pop-up, but that message has no effect on the results of the net user command).
Although I don't like the idea of machines starting their operational lives with a "checkered past" I would concede that this procedure isn't tremendously invasive (since it doesn't install any third party software, make any "hacks" to the registry, leave filesystem permissions in an inconsistent state, etc). It's probably a safe thing to do and could be faster than leveling and rebuilding the machine.
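The answer above shows that on a domain controller anything running as NT_AUTHORITY\SYSTEM, including a one-line "service" created with sc create, can reset the domain Administrator password. The same registry footprint that makes the trick work (an entry under the Services key whose ImagePath is a net user command line rather than a service binary) is what a defender can look for afterwards. The PowerShell script below is an added example, not part of the original answer or of any Microsoft tool: it walks HKLM:\SYSTEM\CurrentControlSet\Services and flags entries whose ImagePath does not point at an existing .exe/.sys, or whose command line invokes net user. It assumes it is run with administrative rights on the server being checked; the heuristics (file-extension test, "net user" pattern) are the example's own and are not exhaustive.

```powershell
# Added example: audit the Services registry key for entries that look like
# ad-hoc commands installed as services (e.g. "net user ..." via "sc create")
# rather than real service or driver binaries. Run as an administrator.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$suspicious  = @()

foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $imagePath = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $imagePath) { continue }   # subkeys without ImagePath are not services/drivers

    # Expand %SystemRoot%-style references so the file-existence test below works.
    $expanded = [Environment]::ExpandEnvironmentVariables($imagePath)

    # The first token is the executable: honour quotes, otherwise split on whitespace.
    if ($expanded -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else                                  { $exe = ($expanded -split '\s+')[0] }

    # Normalise the kernel-style prefixes drivers commonly use.
    $exe = $exe -replace '^\\\?\?\\', ''                      # \??\C:\...  -> C:\...
    $exe = $exe -replace '^\\SystemRoot\\', "$env:SystemRoot\" # \SystemRoot\... -> C:\Windows\...
    if ($exe -notmatch '^[A-Za-z]:\\') {                      # relative paths are relative to %SystemRoot%
        $exe = Join-Path -Path $env:SystemRoot -ChildPath $exe
    }

    $reasons = @()
    if ($exe -notmatch '\.(exe|sys)$') {
        $reasons += 'image is not an .exe/.sys'
    }
    if ($expanded -match '(?i)\bnet1?(\.exe)?\s+user\b') {
        $reasons += 'command line runs "net user"'
    }
    if (-not (Test-Path -LiteralPath $exe)) {
        $reasons += "image file not found: $exe"
    }

    if ($reasons.Count -gt 0) {
        $suspicious += [pscustomobject]@{
            Service   = $svc.PSChildName
            ImagePath = $imagePath
            Reason    = ($reasons -join '; ')
        }
    }
}

# The "resetpw" service from the answer above would be reported here with
# both 'image is not an .exe/.sys' and 'command line runs "net user"'.
$suspicious | Sort-Object Service | Format-Table -AutoSize
```

Two caveats when reading the output: an unquoted ImagePath whose directory contains spaces (a separate, well-known service misconfiguration) will be split at the first space and reported as "image file not found", which is worth fixing in its own right; and the script only covers what is present in the registry at the time it runs, so a service that was created, used and deleted between reboots leaves nothing here. The broader lesson of the answer holds regardless of the script: on a DC, the DSRM password and the right to install services are domain-admin-equivalent secrets and should be protected as such.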
Solution 2:
It sounds like this box is also a Domain Controller, correct? And not just a member server?
This utility will allow you to reset the local administrator account, which it sounds like you already know, so this tool alone won't help you. http://pogostick.net/~pnh/ntpasswd/
The directions here: http://www.jms1.net/nt-unlock.shtml walk you through the process of recovering the Active Directory Administrator password. But remember:
If you are trying to fix a server, please READ THE ENTIRE PAGE and MAKE SURE YOU UNDERSTAND IT before touching the server.
Solution 3:
As this is a newly created Active Directory and no users or information need to be recovered, you can delete the Active Directory following Microsoft's own steps:
- Boot into Directory Service Recovery Mode and logon using the server's local admin account (ntpassword can be used to recover/reset the password if it's not known)
- Open regedit and navigate to this entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
- Change the value to ServerNT
- Restart the computer
- Boot normally and log back on to the server using the same credentials you entered for Directory Service Recovery Mode
- Open regedit and navigate to this entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
- Delete "Src Root Domain Srv" if present
- To finally remove all associated files completely, you will have to re-install the Active Directory service and then immediately un-install it.
This will remove Active Directory role from the server, and allow you to start back over.
This will get you to a point where you can start back over.