Domain Controller local admin password

Hey there. Toni here back with some thoughts on domain controllers and their local SAM database. You know, the thing that is disabled as soon as the server is promoted to a domain controller.
This is something that is often forgotten about until it’s too late. This database is actually critical if something bad happens to your active directory. Do you know the local admin password on your domain controller? How long ago since it was installed? The local admin password is set when the domain controller is promoted. Did you promote it? Did a consultant? Do you even know the password?

Missing something?

This local admin account comes into play when the domain controller needs to start in DSRM, or Directory Services Restore Mode. This is done when the house is on fire and no one can do anything. So is this the time when you don’t know the local admin password and need to find someone who does? I would guess no, since you are probably under enough stress at this moment anyway. Here is a quick guide on how to reset the local admin password on a fully functioning domain controller.

Run CMD as Admininstrator, type ntdsutil [Enter]
Next we switch to the Reset DSRM Password context.
Set d p [Enter]
Then we select which server to set the password on.
r p o s servername [Enter]
Enter your password and you’re done.

Now you are ready to restore your AD in case of emergency by starting the server in DSR Mode.