Forgotten directory service restore mode password


16 Jan 2005



When a Win2K or Win2K3 machine is promoted to a DC, its local user database (SAM) is reset and a new local Administrator account is created. During promotion you are required to set the password of this new account. This account, together with its password, is used in two rare but extremely useful cases: in the Recovery Console and in Directory Services Restore Mode. In both cases Active Directory (AD) is not running and you must log on with the local Administrator account.


If you forget the local Administrator password you cannot use the Recovery Console, nor restore the AD database. (The AD database is part of the system state, and on DCs the system state can be restored only in Directory Services Restore Mode.)


In Windows 2003, the NTDSUTIL utility has a nice solution to the forgotten local Administrator password: the set DSRM password command. This command resets the DSRM (Directory Services Restore Mode) password, that is, the local Administrator password. But NTDSUTIL in Windows 2000 has no similar command. As a result, a system state backup in Windows 2000 might be rendered useless if you forget the local Administrator password.
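The Windows 2003 NTDSUTIL procedure, typed into a cmd.exe session on the DC; this is an added walkthrough, not part of the original article, and the prompt and message text shown is approximate (as the tool prints it, from memory). "server null" means the local machine; a DC name can be given instead to reset another DC's DSRM password.

```cmd
C:\> ntdsutil
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server null
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Password has been set successfully.

Reset DSRM Administrator Password: quit
ntdsutil: quit
C:\>
```

The password is entered interactively and is never shown, so this cannot be scripted with the password on the command line; record the new DSRM password with the rest of the server's privileged credentials, since it is an offline-equivalent of local Administrator on that DC.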


One solution to this problem in Windows 2000 is to use a third-party utility to reset this password. One example is the Locksmith function in ERD Commander from Sysinternals. This works well, but it is not free.


A free and simple solution is this: after you verify that you have backed up the system state, demote the DC. In the demotion process the local user database is reset once again and you are asked to set the password of the new local Administrator account. After the demotion, log on to the machine using the password you set. Then, without going into Directory Services Restore Mode, restore the system state backup (standalone servers and member servers do not need to switch to Directory Services Restore Mode to restore a system state backup). That's all.



Hayriye Ceyhan & Murat Yildirimoglu