Windows Domain Controllers have a special Recovery Console that is accessible with a special local administrator password. A good document for this is on Petri at http://www.petri.co.il/change_recovery_console_password.htm. This password can be reset with the “ntdsutil” tool and steps similar to these:
- set dsrm password
- reset password on server null
- “quit” twice to exit
In addition to the recovery console, a new local administrator password will be set when a Domain Controller is “demoted” using the “dcpromo” tool. During demotion, a prompt appears allowing you to set the local admin password that will be required to login after the DC is no longer part of a domain.
Just some hints for when you’re working on a DC with the recovery console or after demoting.