AD restore questions

djc

windows 2000 AD questions:

1) Is the AD restore mode password a password created and stored completely
separately from any user account?

2) When you boot into Directory Services Restore Mode, AD is not initialized.
Do you then log in with the local SAM that existed prior to becoming a
domain controller? The old local administrator account?

2b) If you are logging in to the 'old' local admin account, has that
account password been synchronized with the domain administrator account? In
other words, if the local admin account password was 'originalpwd', then you
promote the machine to a DC, time goes by and several password changes have
occurred on the domain administrator account, and now you boot into Directory
Services Restore Mode. Do you have to log in as the old admin account with
the original password of 'originalpwd', or would it be whatever the current
password of the domain admin account is?

Obviously I have become a little confused on what accounts/passwords are
actually used/needed with regard to restoring Active Directory. Can anyone
clear this up for me? And if so, my bonus round question is: does your answer
still apply to Windows 2003, or have things changed?

Any input is greatly appreciated. Thanks.
 
The answer is very simple, and it covers all your questions.
At the time you are promoting a server to a domain controller you are asked
to define a password (that will be used to access the Administrator account
when using AD restore mode). This password is defined separately for each
domain controller and it will be stored in a local SAM (not in the AD).
This applies to both w2k and w2k3.

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader beta!
http://www.altairtech.ca/eventreader/default2.asp?ref=au
 
Your questions are fairly interrelated, but I'll give them to you separately
to help clear things up for you:

1) The Directory Services Restore Mode password is stored in the local SAM
database on the domain controller in question, not within AD itself. This
is because DS Restore Mode will boot the DC without bringing up AD, so you
need to have -some way- of logging onto the DC without AD being present.
(It's kind of a chicken-and-the-egg thing.)

2) When you boot into DSRM, you're logging on with the password you
specified in #1 above. You can change this password while the DC is up and
running by using setpwd on Windows 2000, or ntdsutil on 2003. (See this
link for instructions:
http://www.petri.co.il/change_recovery_console_password.htm)

2b) When you boot into DSRM, you'll use whatever the most recent password
was that you specified for the DSRM password. This doesn't synchronize with
any AD passwords, so even if you've changed the AD "administrator" account's
password several times, the DSRM password will still be whatever you
originally specified. (Unless you've changed it using either of the methods
I mentioned in #2.)

Bonus round: Same in 2K as in 2K3. Only difference is that 2K3 gives you
an ntdsutil menu option to change the DSRM password, whereas in 2K you
needed to use setpwd which was (I -think-, it's been awhile) only in the 2K
Resource Kit.

(Extra special bonus round just for you: if you've got lots of DCs and you
want to change the DSRM password on all of them, my friend and fellow MVP
Dean Wells has written a batch script to automate the process. If you're
interested, go to www.activedir.org and search the mailing list archives for
the words 'dean' and 'setpwd'.)

HTH
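Because the DSRM password lives in each DC's local SAM and is never synchronized from AD, a reset has to be run against every DC. The batch script below is an added example for this thread (it is not Dean Wells' script and not from any poster); it assumes a Windows 2003 DC with ntdsutil, domain admin rights, and a constructed file dcs.txt listing one DC hostname per line. ntdsutil prompts interactively for the new password on each DC.

```batch
@echo off
rem Added example, not from the original thread: reset the Directory Services
rem Restore Mode password on every DC named in dcs.txt using the Windows 2003
rem ntdsutil "set dsrm password" menu. The password is stored per DC in the local
rem SAM, so the loop must visit each DC in turn.
rem Assumptions: run on a Windows 2003 DC as a domain admin; dcs.txt is a
rem constructed list with one DC hostname per line, e.g. DC1 / DC2 / DC3.

if not exist dcs.txt (
    echo dcs.txt not found: create it with one DC hostname per line.
    exit /b 1
)

for /f "usebackq eol=# tokens=1" %%D in ("dcs.txt") do (
    echo.
    echo Resetting DSRM password on %%D ...
    rem "reset password on server <name>" prompts for the new password twice.
    ntdsutil "set dsrm password" "reset password on server %%D" quit quit
    if errorlevel 1 (
        echo WARNING: ntdsutil reported an error for %%D, check it manually.
    ) else (
        echo Done: %%D
    )
)
```

Keep the new DSRM password in the same controlled place as other break-glass credentials; it is the only way onto a DC when AD itself is down.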
 
thank you very much.

Andrei Ungureanu said:
The answer is very simple and it is covering all your questions.
At the time you are promoting a server to a domain controller you are asked
to define a password (that will be used to access the Administrator account
when using AD restore mode). This password is defined separately for each
domain controller and it will be stored in a local SAM (not in the AD).
This applies to both w2k and w2k3.
 