| Tags: active directory, administrator password, password, safe mode, server 2003 |
#1
I have Server 2003 R2 SP2 and lost the domain administrator password. I would like to clear the old domain name and start this server fresh under a new domain name. I was able to clear the local user admin password with a boot disk, then restart to Active Directory Recovery safe mode, but I am unclear as to how to continue. System Properties reports a computer name that I would like to change and Domain as "*Unknown*", and "The Certification Authority Service" is installed. Any help is greatly appreciated.

This server was removed from a defunct company and domain. We are attempting to create a new domain without reloading the machine.

The F8 boot menu offers "Directory Services Restore Mode" (a safe mode). Booting here allows me to use the new password (Local User on this machine) but not access to the domain.

It may be that this server was in a domain but not the DC. I don't have access to Active Directory and have no knowledge of the previous history of this server.

#2
Is the domain administrator the only member of the domain administrators group? If not, use one of the other domain admin accounts to set the password for the administrator account. If it is the only member, think about that for next time...

This local user admin - what was it local to?

Can't help you there, as I've never had to do that.

What computer - is this your domain controller? I fear you may be pooched if you do not have admin access to your active directory infrastructure - especially if you have used certificates to encrypt information with an account whose password has been changed. At this point I would tend to suggest starting with a completely new install, and then taking steps to ensure you don't lock yourself out again.

You cannot have a domain without at least one domain controller. You will need to either make this one a DC, or create a domain by building another DC and joining this one to the domain.

That would suggest to me that it was in a domain previously, and likely a domain controller, however, that is a bit of a guess on my part... If it was previously a DC in a domain, then the local user (local administrator account?) might have previously been a domain administrator account. But when you say you have no access "to the domain", what is it you are trying to do and failing at?

Your guess is likely as good as mine here... It seems foolhardy to me to try to build a new domain around a computer with such a questionable heritage as-is. You don't know, for example, whether or not it has been compromised somehow. You don't even know if it was properly licensed. I would strongly suggest that you protect your assets (information) and liabilities (licensing) by wiping the current installation and doing a completely new install.

#3
If this is just a member server, once you have local admin credentials, you can simply remove it from the domain (Computer Name tab of the System Properties dialog box). If this is a domain controller, you'd have to try something more creative. One possibility is scheduling a batch file that uses a combination of the net user command to create a new account and net localgroup command to add it to local domain Administrators group. In either case, I'm not sure the easiest (and the preferred) approach would be to simply reinstall the server - considering that you want to configure it as a domain controller in a new domain.

Because Certificate Services is installed, you cannot change the domain membership or computer name while the service is installed. Like you have stated, a reinstall is your best course of action.

Might as well just add an existing user to the domain admins group with a simple dsmod command like:

dsmod group "CN=Domain Admins,CN=Users,DC=microsoft,DC=com" -addmbr "CN=John Smith,CN=Users,DC=microsoft,DC=com"

or just change the administrator's password using the same approach.

#4
Re: Lost Domain Admin Password

Where can I get more information on such a script and such scheduling? I tried to reset the domain admin password by using instsrv and srvany, but this was not successful. Perhaps I did something wrong? I used Active Directory Recovery to set up srvany.

Do you think such a batch will be good if started from a secondary domain controller (2003 Server SP2)?

net user user-user Password /add /domain
net group domainadmins user-user /add /domain

How do I schedule it in such a way that it will create the account user-user and add this user to the domain administrators group? I am not sure if there is a connection to the primary domain controller... The domain seems to be dead (75% of domain controllers did not replicate for months), but my part is still working... Unfortunately there is a need for maintenance... The authority that used to maintain the domain is gone; its successor told me "reinstall or do what you want... we have no passwords", but I don't want to reinstall...

Can you give me some advice on what to do in this situation? I had an idea to migrate to a stand-alone domain, but it seems I do not have enough knowledge of how to do it... especially without the admin password.

Last edited by ivan1282ka : 04-11-2009 at 02:07 AM.

#5
Re: Lost Domain Admin Password

Check out this step-by-step guide to change the forgotten domain administrator password -