Once AD is installed on a 2k server, by design you can no longer change the local administrator's password through Local Users in the Computer Management snap-in. Now that is fine and dandy, as you will typically log in to a DC with a domain account. But what happens if it hits the fan, and you take the server into AD restore mode without knowing the local admin password?

Alternate scenario: let's say you have a few DCs, and you want to synchronize the local admin passwords. If you know the password, you can use this method: <a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q239803" target="_blank">How to Change the Recovery Console Administrator Password on a Domain Controller (Q239803)</a>, but if you don't know it, you are in trouble. The only option I can see is to demote the DC by removing AD; during the process you are prompted for a new local password as part of a successful demotion. You could then run DCpromo to add AD again. But that can't be feasible for every situation. Additionally, in order to have a successful demotion, a lot of things can stand in your way; for instance:

<a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q255504" target="_blank">Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller (Q255504)</a>

<a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q216498" target="_blank">How to Remove Data in the Active Directory After an Unsuccessful Domain Controller Demotion (Q216498)</a>

I had to do both of these when I took my DC (a Global Catalog, but not the first) out of a friend's tree and decided to demote it. I didn't forget the password, I just wanted to change the domain name and practice demoting and promoting; in the process I began to ponder the "what ifs", hence my posting.

Anyone with some ideas, please feel free...