When you don't know the Directory Services Restore Password to get onto a server, you still have a few options.
I understand that the Recovery Console password is not the same as the domain logon password, but is, instead, the Directory Services Restore Mode password. But what happens if I can’t get the system to boot up and don’t know the password? Am I screwed?
Joe: First off, thanks for sugar-coating your question. I’m sure my editors at MCPmag.com appreciate that! Many administrators have felt your pain and uttered much worse. This newsletter is rated PG, so I won’t repeat any of those phrases. Now on to your answer.
You’re right in assuming that you’re in a jam when a domain controller won’t boot and you don’t know the DS Restore Mode password. Since the Active Directory database is offline when a domain controller is either booted to the Recovery Console or in DS Restore Mode, only knowledge of the DS Restore Mode password will enable you to login to the system. With the AD database offline, you’ll find this password stored in the SAM database, which is located in the %systemroot%\system32\config folder. The default location for this on a Windows 2003 system is C:\Windows\System32\Config. Now if you don’t know the password, the easiest approach is to reset it using a third-party tool.
Winternals ERD Commander 2005 www.winternals.com includes a simple little tool called Locksmith which can be used to reset local system passwords. ERD Commander 2005 can be downloaded as a stand-alone suite of tools or can be purchased as part of the Winternals Administrator’s Pak. Since the Administrator’s Pak is chock full of excellent troubleshooting and recovery tools (in addition to Locksmith), I highly recommend it.
Now, if you’re on a budget, several free tools can be downloaded from the Internet that can reset any Windows local administrator password. My personal favorite is the Offline NT Password & Registry Editor, Bootdisk / CD, which can be downloaded at http://home.eunet.no/%7Epnordahl/ntpasswd/bootdisk.html. This site provides full instructions and downloads for either a password recovery boot floppy or CD-ROM. Once you create the boot floppy or CD, just insert it into the failed system and start it up. A Linux OS will load from the boot media, then you’ll have to answer a few questions and navigate a couple of menus to reset the password. Make sure you read the instructions the first time you use it. Many administrators that use the tool for the first time go through the procedure to change the password and then select the default value of "N" (instead of "Y") to save the changes.
Be aware that any tool that overwrites an administrator password with a new password will cause that account to lose access to any files that were encrypted by the account using EFS. Since most of us that use EFS only encrypt files using our user account, this shouldn’t be a big deal.
If you find yourself logging on as Administrator and are encrypting everything under the sun, then take a look at Login Recovery www.loginrecovery.com. This site will let you download a boot disk that will read the existing encrypted password, but not alter it. Once the encrypted password is saved to the boot disk, you can then go to another system and upload the encrypted password to the loginrecovery.com site. If you can wait up to two days, the loginrecovery.com servers will unencrypt your password and e-mail it to you. If you can’t wait, the password can be unencrypted immediately for $18.32. If your IT staff is already over budget, take your worst dressed IT staff member and put him outside with a coffee can. He’ll probably be able to collect this much by the end of the day. Once you know the original password, you can then login normally. Without the password being modified, encrypted files will still be accessible. Don’t confuse this EFS issue with an online normal reset of a password using the Computer Management MMC, as this won't cause any harm to encrypted files.
For those of you that find yourself suddenly worried that you have no idea what your DS Restore Mode password is set to, take a look at Microsoft Knowledgebase Article 322672, "How To Reset the Directory Services Restore Mode Administrator Account Password in Windows Server 2003"; for Windows 2000 domain controllers, go to KB 239803.
The next time you attempt to login to the recovery console, or anywhere as a local administrator and a server tells you to "talk to the hand," with knowledge of how to reset the local administrator password you’ll be able to snap back.