I've managed to get into a loop hole and cannot find a way out.
I have a server using Microsoft Virtual Server 2005 that I recently had to restart, so I shut down all of the guest virtual machines and then restarted the host.
There are about 8 virtual machines in total, one of which is an Active Directory domain controller.
About a week ago, I also went around all of the servers (both physical and virtual) to disable the local accounts, including Administrator, as the domain appeared to be working fine.
However, now that the physical host server has restarted, I can no longer log on via Remote Desktop - as the domain is not contactable (due to the virtual machine being powered down) and the local administrator account is disabled.
I have tried connecting from another physical server (via Computer Management) to try and re-enable the local accounts, but I don't have permission (and/or RPC appears to be blocked - again, via Domain Controller group policy). I've tried connecting to Virtual Server 2005 to switch on the Domain Controller VM - but again, no accounts with access.
How can I get out of this? I need to switch all of the VMs on ASAP!
Boot it up in safe mode and re-enable the local Administrator account.
Do-not-ever disable it again, assign it a crazy password, write it down on a note and lock it away if something like this happens again.
Also, don't virtualize all your basic networking services (like a domain controller). Install Windows Server on an old PC, configure it as a domain controller, global catalog, DNS and DHCP (if you use DHCP), and place the PC somewhere else in the building.
(I didn't even think of safe mode!)
You could try using EBCD to re-enable the admin account. I've used it in the past when I've lost local admin passwords; it works great.
As the other post says - you shouldn't disable the local admin accounts - rename the account to something random and put a very strong password on it if you're concerned. Also, you really should consider maintaining a physical domain controller - perhaps the host machine itself?
Petter Nordahl's Offline NT Password & Registry Editor can re-enable the Administrator account and assign it a new password. The safest method is to disconnect the network and give the account a blank password (by entering an asterisk ... * ), then change to a better password on boot, and then reconnect the network.
It takes about ten minutes to download and burn the disk; less if you use the floppy version.
Since you're using virtual systems, you don't even have to burn. Just boot from the .iso file.
When you get back to being physically in front of the host machine, unplug the network cable.
Then try to log in using the domain administrator account again.
Windows should use the cached domain login (assuming you've logged in to it using administrator at least once recently, and you don't have some GPO preventing login if no DC is online), much like when a laptop is not on the network. Once in, get things working again.
Once done, as a thought, does the host machine need to be on the domain?
Could it simply be a workgroup computer & then you have a renamed admin account and a crazy password?
That way you'll always have access to it regardless of what the domain is doing.
Here's a little trick: you boot a live CD (take a look at BackTrack) with read/write access to the NTFS volume, then you rename windows/system32/logon.scr to logon.bak and copy cmd.exe to logon.scr.
You reboot the machine and wait a few minutes; instead of launching the logon screensaver, it will launch a shell under SYSTEM credentials. Then:
c:>net user new_account new_password /add
c:>net localgroup administrators new_account /add
Now you've got a new local admin account on the box.
By the way, I think it is a good practice to make a second local admin account and disable the original one.
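
The answers above rely on two things still working when no domain controller is reachable: an enabled local administrator account and cached domain logons. The following pre-reboot check is an added example, not code from any poster in this thread; it assumes Windows PowerShell 5.1 or later, and the function name Test-OfflineLogonReadiness is hypothetical.

```powershell
# Added example: run on a domain-joined host BEFORE rebooting it or its domain controller.
# Requires Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
function Test-OfflineLogonReadiness {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Members of BUILTIN\Administrators (well-known SID S-1-5-32-544) that are
    # local user accounts and still enabled: these work with no DC reachable.
    # Get-LocalUser returns nothing for domain SIDs, which filters them out.
    $enabledLocalAdmins = @(
        Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Where-Object { $_.ObjectClass -eq 'User' } |
            ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
            Where-Object { $_.Enabled }
    )

    # CachedLogonsCount is stored as a string; "0" turns cached domain logons off.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).CachedLogonsCount
    $cachedCount = if ($null -ne $raw) { [int]$raw } else { 10 }  # Windows default when unset

    $warnings = @()
    if ($cs.PartOfDomain -and $enabledLocalAdmins.Count -eq 0) {
        $warnings += 'No enabled local account in Administrators: logon depends entirely on the domain.'
    }
    if ($cs.PartOfDomain -and $cachedCount -eq 0) {
        $warnings += 'CachedLogonsCount is 0: domain accounts cannot log on while no DC is reachable.'
    }

    [pscustomobject]@{
        Computer           = $cs.Name
        DomainJoined       = $cs.PartOfDomain
        EnabledLocalAdmins = $enabledLocalAdmins.Name
        CachedLogonsCount  = $cachedCount
        Warnings           = $warnings
    }
}

Test-OfflineLogonReadiness | Format-List
```

A non-zero CachedLogonsCount only helps accounts that have already logged on interactively to that host, so an empty EnabledLocalAdmins list is the warning to act on first.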