Changing the password of directory service restore mode

Just sitting playing around with ntdsutil and the possibility to change the Directory Services Restore Mode password. This is a feature that most companies forget, or are not aware of. If you don't know the password for the domain controllers you can't restore the Active Directory database; remember that domain controllers don't have a local user database. So the password you typed in during domain controller setup ("dcpromo") is important, but easy to forget. Often it's not documented and is different on every DC.

You had to use a tool called "Ntdsutil", an important tool for Directory Services administration, to change the password after the initial "Dcpromo" setup. Luckily you could run the command from just one of the domain controllers and change it on each and every domain controller by using a line of parameters.
Scripting has been the way of doing it automatically: you had the choice of making an advanced script to collect DC server names or just using a script with manually typed names, but then it was important to update the script to reflect changes in your Active Directory environment.

In Windows Server 2008 you could download a fix, KB961320, that added a new feature to ntdsutil to sync the password with an ordinary domain user account. This feature is built into Windows Server 2008 R2. To read more about it, check out the TechNet page here

Still, it gives us a challenge: the new feature cannot change the password on any other server than the one executing it, so is it worse than the old way?
The answer is "no", because by combining it with Group Policy Preferences you can create a scheduled task and run it regularly.

And how to do it is explained in this great article from the people at the Microsoft Directory Services team.
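As an added example (not code from the original post or from Microsoft's article), here is a script that could be the action of the scheduled task described above: it runs the KB961320 / Server 2008 R2 ntdsutil sync on the local DC only, refuses to run on non-DCs, checks that the sync account exists, and records the outcome in the Application event log so a failed sync is noticed. The account name DsrmSync and the event source name are assumptions.

```powershell
# Added example, not part of the original post.
# Syncs this DC's DSRM password with a dedicated domain account via ntdsutil
# (feature from KB961320, built into Server 2008 R2). Because the sync only
# affects the DC it runs on, this script is meant to run on every DC from a
# scheduled task pushed out with Group Policy Preferences.
param(
    # Assumed name of the dedicated sync account; never a person's account.
    [string]$SyncAccount = 'DsrmSync'
)

$source = 'DsrmPasswordSync'   # assumed event source name
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

# DomainRole 4 = backup DC, 5 = primary DC; anything lower is not a DC.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($role -lt 4) {
    Write-EventLog -LogName Application -Source $source -EntryType Warning -EventId 2 `
        -Message "Not a domain controller; DSRM password sync skipped."
    exit 0
}

# Make sure the sync account exists before calling ntdsutil.
$searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$SyncAccount))"
if ($searcher.FindOne() -eq $null) {
    Write-EventLog -LogName Application -Source $source -EntryType Error -EventId 3 `
        -Message "Sync account '$SyncAccount' was not found; DSRM password not synced."
    exit 1
}

# Each quoted argument is one ntdsutil menu command; the two "q" exit the menus.
$output = & ntdsutil.exe "set dsrm password" "sync from domain account $SyncAccount" q q 2>&1
$text = ($output | Out-String)

# Matching on "synchronized successfully" assumes ntdsutil's wording; the raw
# output is logged either way so a mismatch is visible in the event log.
if ($text -match 'synchronized successfully') {
    Write-EventLog -LogName Application -Source $source -EntryType Information -EventId 1 `
        -Message "DSRM password synced from '$SyncAccount' on $env:COMPUTERNAME.`n$text"
    exit 0
} else {
    Write-EventLog -LogName Application -Source $source -EntryType Error -EventId 4 `
        -Message "DSRM password sync from '$SyncAccount' failed on $env:COMPUTERNAME.`n$text"
    exit 1
}
```

The sync copies the account's password at the moment it runs, so the task must run again whenever the sync account's password changes.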
