How to Change the Recovery Console Administrator Password on a Domain Controller
ID: Q239803
The information in this article applies to:
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server
SUMMARY
When you promote a Windows 2000 Server-based computer to a domain controller, you are prompted to type a Directory Service Restore Mode Administrator password. This password is also used by Recovery Console, and is separate from the Administrator password that is stored in Active Directory after a completed promotion.
MORE INFORMATION
The Administrator password you use when you start Recovery Console (or when you press F8 to start Directory Service Restore Mode) is stored in the local computer's registry-based Security Accounts Manager (SAM), which is found in the %SystemRoot%\System32\Config folder. The SAM-based account and password are computer-specific and are not replicated to other domain controllers in the domain.
For ease of administration of domain controllers or for additional security measures, you can change the Administrator password located in the local SAM. To change the local Administrator password used by Recovery Console or Directory Service Restore Mode:
- Shut down the domain controller on which you want to change the password.
- Restart the computer (when the selection menu screen is displayed during the restart process, press F8 to view advanced startup options).
- Click the Directory Service Restore Mode option.
- After you successfully log on, change the local Administrator password using either of the following methods:
  - At a command prompt, type the following command:
      net user administrator *
  - Use the Local User and Groups snap-in (Lusrmgr.msc) to change the Administrator password.
- Shut down and restart the computer.
You can now use the Administrator account to log on to Recovery Console or Directory Services Restore Mode using the new password.
If you forget the SAM-based Administrator account password (which prevents you from logging on using Directory Service Restore Mode), use the appropriate method:
Method 1
If Windows 2000 is installed on a FAT or FAT32 file system:
- Start the computer using an MS-DOS or a Microsoft Windows 95/98 startup disk.
- Copy the original SAM saved during the initial Windows 2000 installation in the %SystemRoot%\Repair folder to the %SystemRoot%\System32\Config folder.
If Windows 2000 is installed on an NTFS file system:
- Either move the drive to another Windows 2000-based computer or perform an additional installation of Windows 2000 (parallel install) to gain access to the NTFS partition.
- Copy the SAM in the %SystemRoot%\Repair folder to the %SystemRoot%\System32\Config folder.
NOTE: This method is useful only if you remember the original Administrator password you used during the initial installation of Windows 2000.
Method 2
Demote the domain controller to a standalone server, and then re-promote the server using Dcpromo.exe. During the re-promotion, you are prompted to type a new Directory Service Restore Mode Administrator password.
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbhowto