Windows 2008 R2 Domain Controller (PDC) - NTP server - time showing local CMOS clock

I'm having issues setting an external source on a Windows 2008 R2 domain controller (PDC emulator role for the domain).
Here is the output showing its source is the Local CMOS clock.
C:\Windows\System32>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name:  "LOCL")
Last Successful Sync Time: 06/11/2014 15:44:15
Source: Local CMOS Clock
Poll Interval: 6 (64s)
1. I have performed the following on the DC with the PDC role:
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
w32tm /config /reliable:yes
net start w32time
w32tm /query /configuration 
[Configuration]
EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)
FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\System32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org (Local)
NtpServer (Local)
DllName: C:\Windows\System32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
But still showing the output:
C:\Windows\System32>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name:  "LOCL")
Last Successful Sync Time: 06/11/2014 15:58:45
Source: Local CMOS Clock
Poll Interval: 6 (64s)
2. If I resync and rediscover the following error appears: 
w32tm /resync /rediscover 
Sending resync command to local computer
The computer did not resync because no time data was available.
3. I've also tried clearing the current time config, by:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
But no change, it still shows the Local CMOS clock. 
4. This event is showing 
Log Name:      System
Source:        Microsoft-Windows-Time-Service
Date:          06/11/2014 15:43:30
Event ID:      12
Task Category: None
Level:         Warning
Keywords:      
User:          LOCAL SERVICE
Computer:      domaincontroller1
Description:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source.
It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy.
If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Time-Service" Guid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" />
    <EventID>12</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2014-11-06T15:43:30.465619200Z" />
    <EventRecordID>77295</EventRecordID>
    <Correlation />
    <Execution ProcessID="256" ThreadID="2056" />
    <Channel>System</Channel>
    <Computer>domaincontroller1</Computer>
    <Security UserID="SID" />
  </System>
  <EventData Name="TMP_EVENT_DOMAIN_HIERARCHY_ROOT">
  </EventData>
</Event>
5. If I perform the below it appears DC2 is having problems but I'm not sure if related. 
C:\w32tm /monitor
DC1.domain.local *** PDC ***[192.168.1.1:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from DC1.domain.local
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1
DC2.domain.local[192.168.1.2:123]:
    ICMP: 0ms delay
    NTP: -110.4925481s offset from DC1.domain.local
        RefID: (unspecified / unsynchronized) [0x00000000]
        Stratum: 0
DC3.domain.local[192.168.2.1:123]:
    ICMP: 0ms delay
    NTP: -0.0256084s offset from DC1.domain.local
        RefID: DC1.domain.local [192.168.1.1]
        Stratum: 2
DC4.domain.local[192.168.2.4:123]:
    ICMP: 0ms delay
    NTP: -0.0011524s offset from DC1.domain.local
        RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
        Stratum: 2
Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.
Any help would be much appreciated. Thanks. 
Craig Brand

I suspected some issue with AV so uninstalled. 
To resolve the Access Denied I followed these steps: 
stop w32time
w32tm /unregister
reboot
regsvr32 /u w32time.dll
w32tm /register
sc query w32time -- you should see that the service is set to
shared mode -- this is presumably how it should be -- if you try to start right now, you'll get the expected 1290 SID-related error
reboot
w32time should now automatically start at boot up and be running -- that was my result -- it's running as shared, started on its own, and I can do the w32tm /query commands successfully
After rebooting the time service started. 
I then repeated the steps: 
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
w32tm /config /reliable:yes
net start w32time
w32tm /query /configuration 
And all worked. I'll wait a short while to see if this fixes the issue. I also have an SA case with MS so will confirm fix when resolved. 
Craig Brand
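
A check over the `w32tm /monitor` output shown in this thread, as an added example that is not part of the original posts: it flags a PDC emulator free-running on LOCL, unsynchronized peers, offsets approaching the 5-minute Kerberos default clock-skew tolerance, and RefID "addresses" that are really four ASCII bytes. The function names and the 60-second warning threshold are assumptions, and the sample text is constructed from the output posted above.

```powershell
# Added example. $sample is constructed from the w32tm /monitor output quoted in the thread.
$sample = @'
DC1.domain.local *** PDC ***[192.168.1.1:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from DC1.domain.local
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1
DC2.domain.local[192.168.1.2:123]:
    ICMP: 0ms delay
    NTP: -110.4925481s offset from DC1.domain.local
        RefID: (unspecified / unsynchronized) [0x00000000]
        Stratum: 0
DC4.domain.local[192.168.2.4:123]:
    ICMP: 0ms delay
    NTP: -0.0011524s offset from DC1.domain.local
        RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
        Stratum: 2
'@ -split '\r?\n'

# Hypothetical helper: turn the text blocks into one object per monitored host.
function ConvertFrom-W32tmMonitor {
    param([string[]]$Lines)
    $peer = $null
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>\S+?)(?<pdc> \*\*\* PDC \*\*\*)?\[(?<addr>[^\]]+)\]:\s*$') {
            if ($peer) { $peer }          # emit the previous host block
            $peer = [pscustomobject]@{
                Name = $Matches['name']; IsPdc = [bool]$Matches['pdc']
                OffsetSeconds = $null; NtpError = $null
                RefId = $null; RefIdRaw = $null; Stratum = $null
            }
        }
        elseif (-not $peer) { continue }  # ignore anything before the first host
        elseif ($line -match '^\s+NTP:\s+(?<off>[+-]?\d+\.\d+)s offset') {
            $peer.OffsetSeconds = [double]::Parse($Matches['off'], [cultureinfo]::InvariantCulture)
        }
        elseif ($line -match '^\s+NTP:\s+error\s+(?<err>.+)$') {
            $peer.NtpError = $Matches['err'].Trim()
        }
        elseif ($line -match '^\s+RefID:\s+(?<ref>.*?)\s*\[(?<raw>[^\]]+)\]') {
            $peer.RefId = $Matches['ref']; $peer.RefIdRaw = $Matches['raw']
        }
        elseif ($line -match '^\s+Stratum:\s+(?<s>\d+)') {
            $peer.Stratum = [int]$Matches['s']
        }
    }
    if ($peer) { $peer }
}

# Hypothetical helper: w32tm prints a non-address RefID as a dotted quad and
# reverse-resolves it. If all four octets are ASCII capitals, return them as text.
function Get-RefIdTag {
    param([string]$Raw)
    if ($Raw -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $null }
    $bytes = $Raw.Split('.') | ForEach-Object { [int]$_ }
    if (@($bytes | Where-Object { $_ -lt 0x41 -or $_ -gt 0x5A }).Count -gt 0) { return $null }
    -join ($bytes | ForEach-Object { [char]$_ })
}

# 300 s is the Kerberos default maximum clock skew (5 minutes).
# The 60 s warning level is an assumption chosen for this example.
function Test-DomainTimeHealth {
    param([object[]]$Peers, [double]$WarnSeconds = 60, [double]$MaxSkewSeconds = 300)
    foreach ($p in $Peers) {
        $findings = @()
        if ($p.NtpError) { $findings += "no NTP answer ($($p.NtpError))" }
        if ($p.RefId -match 'LOCL') {
            if ($p.IsPdc) { $findings += 'PDC emulator is free-running on its local clock' }
            else { $findings += 'using its local clock instead of a domain time source' }
        }
        if ($p.Stratum -eq 0) { $findings += 'unsynchronized (stratum 0)' }
        $tag = Get-RefIdTag $p.RefIdRaw
        if ($tag) { $findings += "RefID bytes spell '$tag': a source tag, not an upstream host" }
        if ($null -ne $p.OffsetSeconds) {
            $abs = [math]::Abs($p.OffsetSeconds)
            if ($abs -ge $MaxSkewSeconds) {
                $findings += ('offset {0:N1} s exceeds the Kerberos skew tolerance' -f $abs)
            }
            elseif ($abs -ge $WarnSeconds) {
                $findings += ('offset {0:N1} s is drifting toward the Kerberos skew tolerance' -f $abs)
            }
        }
        [pscustomobject]@{
            Name = $p.Name; OffsetSeconds = $p.OffsetSeconds; Findings = $findings -join '; '
        }
    }
}

Test-DomainTimeHealth (ConvertFrom-W32tmMonitor $sample) | Format-Table -AutoSize -Wrap
```

On a domain controller, pass the live output instead of the sample: `ConvertFrom-W32tmMonitor (w32tm /monitor)`.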

Similar Messages

  • How to reset Windows 2008 R2 Domain Controller "Administrator" password?

    Hello Everyone,
    I have lost Administrator password for the following system:
    Windows 2008 R2
    Domain Controller setup on same machine
    Stand alone server - no workstations or other servers involved
    I still have the "Directory Service Restore Password" but I don't think that helps me for lost Administrator password. I believe I need to boot from an .iso file to gain access. I already tried "Offline NT Password & Registry Editor" and it has set Administrator password to (blank) but that is not allowing me access as it seems that I have to login to domain controller Administrator. So, how can I reset that password?
    Thanks

    It wasn't difficult to reset the domain password and I think Microsoft's policy of not providing an easy forward way is to create an illusion of security which is not there. Linux systems that are much more secure than MSFT software allow easy password reset when physical access is there so why not include the same tools in System Repair tools or using F8?
    Anyhow, this guide helped me reset the password in 5 minutes. Read the bottom of it to find the scripted / automatic version of the process:
    http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
    Thanks,

  • 2008 R2 Domain Controller PDC Emulator for SP1 upgrade

    So my PDC is 2008 R2 and need to bring it up to SP1. Does anyone think I need to move that role to another server before upgrading it or upgrade it in place?

    Simply install SP1. No need to move anything.
    Of course, it is recommended to take a system state backup of your DC before proceeding.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
    And what if it did eventually fail? Wouldnt it be easier just to clean out the dc, rebuild it and let the other one take care of the domain?
    Best Regards,
    Jesper Vindum, Denmark
    Systems Administrator
    Either you restore it from backup or you simply seize its FSMO roles to another DC, do a metadata cleanup and then re-install the server and promote it again.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Windows 2008 R2 Domain Controller, Tracking of helpdesk staff involved in unlock account, password reset

    Dear All,
    We recently gave permissions to group of level 1 staff to unlock OR reset password of users. In case user calls and report his account is locked OR if his password expires.
    I want to track by auditing just in case something goes wrong, I can check in auditing. I have created a new GPO and select success/failure for Computer Config > Windows Settings > Security Settings > Local Policies > Audit Policy "Audit Account Management"
    applied it on domain top level and I did not change settings of 'default Domain Policy' which is also linked on top level of domain.
    But after applying this I am unable to see any event 4724 of password re-set when I attempted to test this GPO. What else is required to be done in order to trace users in group 'level1' if they change anybody's password.
    Please assist.
    thank you

    Hello,
    Total two DC's in our environment. But now I figured out and it is working now. It was supposed to set in Advanced audit policy > User account management, I enabled it for success and failure and my newly created GPO is applied on domain top in addition to default domain policy.
    I am able to see unlock events, password change events in my security log. So, it is working.
    Thank you,
    Wajeeh

  • Domain Controller - Time Syncing with CMOS Clock

    Hello!
    We have a DC that is syncing time from "local CMOS clock."  This DC is a VM (hyper V).  Integration services has "time sync" turned off.
    I've attempted syncing the DC to an external time source per http://www.thirdtier.net/2011/02/how-to-set-an-ntp-time-server-in-windows-2008-sbs-2008-and-sbs-2011/ and the issue persists.
    Also of note - I've attempted syncing the VMHOST to an external source as well, and it is only syncing with CMOS clock
    w32tm /config /manualpeerlist:"time.windows.com" /syncfromflags:manual /reliable:yes /update
    - results>
    I manually restarted Windows Time service, still syncing to CMOS
    w32tm /resync /rediscover
    - results> 
    the computer did not resync because no time data was available
    w32tm /stripchart /computer:time.windows.com /samples:5 /dataonly
    - results>
    Tracking time.windows.com [65.55.56.206:123].
    Collecting 5 samples.
    The current time is 4/14/2014 12:34:41 PM.
    12:34:41, -16.0686354s
    12:34:43, error: 0x800705B4
    12:34:46, -16.0885249s
    12:34:48, -16.0981303s
    12:34:50, -16.0785199s
    w32tm /monitor
    - results>
    EVEREST.COMPANYNAME.local[192.168.45.34:123]:
        ICMP: 0ms delay
        NTP: +17.4000482s offset from COMPANYNAME-DC1.COMPANYNAME.local
            RefID: 'LOCL' [0x4C434F4C]
            Stratum: 1
    COMPANYNAME-DC1.COMPANYNAME.local *** PDC ***[192.168.45.31:123]:
        ICMP: 0ms delay
        NTP: +0.0000000s offset from COMPANYNAME-DC1.COMPANYNAME.local
            RefID: 'LOCL' [0x4C434F4C]
            Stratum: 1
    COMPANYNAME-MGMT.COMPANYNAME.local[192.168.45.33:123]:
        ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
        NTP: error ERROR_TIMEOUT - no response from server in 1000ms
    COMPANYNAME-DS1.COMPANYNAME.local[192.168.45.32:123]:
        ICMP: 0ms delay
        NTP: +14.7149589s offset from COMPANYNAME-DC1.COMPANYNAME.local
            RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
            Stratum: 2
    EVEREST.COMPANYNAME.local = 2k3 box
    COMPANYNAME-MGMT.COMPANYNAME.local = old DC improperly removed from domain (aka was just deleted from Hyper V by another technician...)
    COMPANYNAME-DC1.COMPANYNAME.local = primary "main" DC, 2k8
    COMPANYNAME-DS1.COMPANYNAME.local = backup DC, 2k8
    I can provide whatever other info that may prove useful.  I've looked @ other posts RE: this issue and feel like I might be missing something obvious, but I am at a loss.
    Thank you!

    Hi,
    Is UDP 123 open on the machine? I suggest you try to disable firewall to see if it works.
    More information for you:
    Can't get NTP time working on Server 2008 R2 DC
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/e5e26e4f-1988-4ec1-8837-6d1d503130e7/cant-get-ntp-time-working-on-server-2008-r2-dc?forum=windowsserver2008r2general
    Configuring the Windows Time Service for Windows Server
    http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
    Error message when you run the "w32tm /resync" command to synchronize Windows Server 2003 or Windows SBS to an external time source: "The computer did not resync because no time data was available"
    http://support.microsoft.com/kb/929276
    Time synchronization is not performed even though the W32Time service is successfully started in Windows Server 2008 or in Windows Server 2008 R2
    http://support.microsoft.com/kb/2493006
    Best Regards,
    Amy

  • Can we run domain controller windows 2008 32 bit and additional domain controller on 2003 server

    In my environment we are trying to upgrade from server 2k3 to 2k8, out testing done on server 2k3 to 2k8, but can we run domain controller windows 2008 32 bit and additional domain controller on 2003 server ...kindly suggest
    Nitin Gaurav

    Yes you can. If you have two 2003 AD servers currently and upgrade one of them to 2008 AD then they'll continue to be able to work together. The domain's functional level will remain as 2003 across both servers so at this stage you won't get any benefit from the new AD functionality available in 2008.
    Once you've then upgraded the second 2003 server to 2008 you can then upgrade the functionality levels in AD to make it 2008. It's been a while, but I believe it doesn't happen automatically, so once all AD servers have been upgraded you have to go into AD and upgrade the functionality levels yourself.

  • Windows Server 2008 R2 Domain Controller NOT logging EventID 4740

    EventID 4740 (account lockout) is not being logged to the event viewer. When searching through the security log there are none to be found. Having accounts locked out and no logging is driving me nuts. Hope someone has run into this before. This is what I have checked thus far.
    >Windows Server 2008 R2 Domain Controller
    >Verified the following GPO settings are set and correct:
    >Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\ all are set for Success & Failure
    >Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Logon/Logoff) is set for Success and Failure
    >Powershell command Get-Eventlog -log Security -InstanceId 4740 returns no results which makes sense since there are no entries in the security log file.
    >No 4740 entries in the netlogon.log debug file
    AD and the LockoutStatus tool show the account is locked out but I still have nothing in the logs.
    Anyone have any ideas? From everything I can find online, it appears I have everything set properly.
    Thanks, Chico

    Hi Chico,
    I suggest you try to enable this group policy below:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
    More information for you:
    Missing 4740 EventID's
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/c9871d72-7439-46b5-98e6-a7fadfa6ff28/missing-4740-eventids?forum=winserversecurity
    If you have multiple Domain Controllers, check this event on other DCs, too.
    Please feel free to let us know if there are any further requirements.
    Best Regards,
    Amy Wang

  • W32tm always on "Local CMOS clock" on virtual domain controller - cannot change to NTP server

    The domain controller (Server 2012R2) is hosted on Hyper-V (Server 2012R2). It is a PDC.
    - firewall disabled
    - cleaned up w32tm:
    net stop w32time
    w32tm /unregister
    w32tm /register
    net start w32time
    - applied ifixit from http://support.microsoft.com/kb/816042 to enable external ntp server de.pool.ntp.org
    - disabled
    VMICTimeProvider in registry
    (HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider\Enabled = 0)
    I can manually query the ntp server de.pool.ntp.org:
    w32tm /stripchart /computer:de.pool.ntp.org /samples:5 /dataonly
    de.pool.ntp.org wird verfolgt [131.188.3.221:123].
    5 Proben werden gesammelt.
    Es ist 24.04.2014 10:07:36.
    10:07:36, +00.0115379s
    10:07:38, -00.0025048s
    10:07:40, -00.0008595s
    10:07:42, -00.0010477s
    10:07:44, -00.0014516s
    But still, w32tm does NOT query the ntp server:
    PS C:\Windows\system32> w32tm /query /source
    Local CMOS clock
    rosch

    Hi rosch,
    Based on your description, please check if disable the "Time synchronization" Integration service. Please refer to the following operation.
    In Hyper-V Manager, right click the DC and select “Settings…”.
    In the left panel of Settings, navigate to Integration Services and click it.
    Then in the right panel, please uncheck Time synchronization.
    By the way, please check if can connect to the time server and UDP port was opened for NTP.
    If any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • Cannot generate Account Logon Events (Event ID 4624) in Security Event Log on Server 2008 R2 Domain Controller

    I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
    Default Domain Controllers Policy
    Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
    What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
    System audit policy
    Category/Subcategory                      Setting
    System
      Security System Extension               No Auditing
      System Integrity                        No Auditing
      IPsec Driver                            No Auditing
      Other System Events                     No Auditing
      Security State Change                   No Auditing
    Logon/Logoff
      Logon                                   No Auditing
      Logoff                                  No Auditing
      Account Lockout                         No Auditing
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           No Auditing
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   No Auditing
    Object Access
      File System                             No Auditing
      Registry                                No Auditing
      Kernel Object                           No Auditing
      SAM                                     No Auditing
      Certification Services                  No Auditing
      Application Generated                   No Auditing
      Handle Manipulation                     No Auditing
      File Share                              No Auditing
      Filtering Platform Packet Drop          No Auditing
      Filtering Platform Connection           No Auditing
      Other Object Access Events              No Auditing
      Detailed File Share                     No Auditing
    Privilege Use
      Sensitive Privilege Use                 No Auditing
      Non Sensitive Privilege Use             No Auditing
      Other Privilege Use Events              No Auditing
    Detailed Tracking
      Process Termination                     No Auditing
      DPAPI Activity                          No Auditing
      RPC Events                              No Auditing
      Process Creation                        No Auditing
    Policy Change
      Audit Policy Change                     No Auditing
      Authentication Policy Change            No Auditing
      Authorization Policy Change             No Auditing
      MPSSVC Rule-Level Policy Change         No Auditing
      Filtering Platform Policy Change        No Auditing
      Other Policy Change Events              No Auditing
    Account Management
      User Account Management                 No Auditing
      Computer Account Management             No Auditing
      Security Group Management               No Auditing
      Distribution Group Management           No Auditing
      Application Group Management            No Auditing
      Other Account Management Events         No Auditing
    DS Access
      Directory Service Changes               No Auditing
      Directory Service Replication           No Auditing
      Detailed Directory Service Replication  No Auditing
      Directory Service Access                No Auditing
    Account Logon
      Kerberos Service Ticket Operations      No Auditing
      Other Account Logon Events              No Auditing
      Kerberos Authentication Service         No Auditing
      Credential Validation                   Success

    Hi Lawrence,
    After configuring the GPO, did we run command gpupdate/force to update the policy immediately on domain controller? Besides, please run command gpresult/h c:\gpreport.html to check if the audit policy setting was applied successfully.
    Best regards,
    Frank Shen
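
The auditpol output above, like the 4724 and 4740 threads earlier on this page, comes down to which audit subcategory emits which event. The following added example (not from the original posts) parses English `auditpol /get /category:*` text and reports, per event ID, whether the emitting subcategory is enabled. The function names are hypothetical, the sample is an excerpt constructed from the output above, and the mapping table covers only the event IDs discussed on this page plus 4767 and 4776.

```powershell
# Added example. $auditpol is an excerpt constructed from the output quoted above.
$auditpol = @'
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
Account Management
  User Account Management                 No Auditing
  Computer Account Management             No Auditing
Account Logon
  Kerberos Authentication Service         No Auditing
  Credential Validation                   Success
'@ -split '\r?\n'

# Event ID -> advanced audit subcategory that emits it, and the outcome needed.
$required = @(
    [pscustomobject]@{ EventId = 4624; Meaning = 'Account logged on';         Subcategory = 'Logon';                   Need = 'Success' }
    [pscustomobject]@{ EventId = 4724; Meaning = 'Password reset attempted';  Subcategory = 'User Account Management'; Need = 'Success' }
    [pscustomobject]@{ EventId = 4740; Meaning = 'Account locked out';        Subcategory = 'User Account Management'; Need = 'Success' }
    [pscustomobject]@{ EventId = 4767; Meaning = 'Account unlocked';          Subcategory = 'User Account Management'; Need = 'Success' }
    [pscustomobject]@{ EventId = 4776; Meaning = 'DC validated credentials';  Subcategory = 'Credential Validation';   Need = 'Success' }
)

# Hypothetical helper: one object per subcategory line, tagged with its category.
function ConvertFrom-AuditpolText {
    param([string[]]$Lines)
    $category = $null
    foreach ($line in $Lines) {
        # Subcategory rows are indented and end in one of four fixed settings.
        if ($line -match '^\s+(?<sub>\S.*?)\s{2,}(?<set>Success and Failure|Success|Failure|No Auditing)\s*$') {
            [pscustomobject]@{
                Category = $category; Subcategory = $Matches['sub']; Setting = $Matches['set']
            }
        }
        # Unindented rows are category names, except the two header lines.
        elseif ($line -match '^\S' -and $line -notmatch 'Setting\s*$|^System audit policy') {
            $category = $line.Trim()
        }
    }
}

# Hypothetical helper: compare the effective policy with the events we expect.
function Test-AuditCoverage {
    param([object[]]$Policy, [object[]]$Required)
    foreach ($r in $Required) {
        $row = $Policy | Where-Object { $_.Subcategory -eq $r.Subcategory } | Select-Object -First 1
        $setting = if ($row) { $row.Setting } else { 'not present in output' }
        $logged = ($setting -eq 'Success and Failure') -or ($setting -eq $r.Need)
        [pscustomobject]@{
            EventId     = $r.EventId
            Meaning     = $r.Meaning
            Subcategory = $r.Subcategory
            Setting     = $setting
            Logged      = $logged
        }
    }
}

Test-AuditCoverage (ConvertFrom-AuditpolText $auditpol) $required | Format-Table -AutoSize
```

Against the posted policy only the 4776 row is logged: "Audit Account Logon Events = Success" enabled Credential Validation, while 4624 depends on the Logon subcategory, which is still "No Auditing". To check a live DC, pass `(auditpol /get /category:*)` in place of `$auditpol`.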

  • Question about adding Windows 2012 R2 Domain Controller, into a native Windows 2008 R2 single forest domain

    I currently have a two server domain, both Windows 2008 R2 and fully updated.   The two servers are on subnet 10.0.1.0 /24
    - Windows 2008 R2 Server A: 10.0.1.1 (DC, GC, FSMO, DNS)
    - Windows 2008 R2 Server B: 10.0.1.2 (DC, GC)
    AD Domain: COMPANY.LOCAL
    I have a second connected subnet (192.168.1.0 /24) which is routed to the 10.0.1.0/24 subnet and I would like to install a Windows 2012 R2 server onto a server on that subnet and make it a domain controller with AD-Integrated DNS and DHCP for the 192.168.1.0 /24 subnet.
    - Windows 2012 R2 Server C: 192.168.1.1
    What are the proper progression steps, in order to bring up the Windows 2012 R2 server and then add it to my COMPANY.LOCAL domain and then promote it to a DC/GC/AD-Integrated DNS server?   Are they anything like the following:
    1. Install Windows 2012 R2 server (Server C)
    2. Point Windows 2012 R2 server DNS servers at Server's A and B
    3. Perform AD prep to extend AD schema to support Windows 2012 R2 domain controllers
    4. Promote Windows 2012 R2 server to domain controller (install local DNS service on Server C, during this step)
    * Question:  Will Windows automatically create a DNS zone for the Windows 2012 R2 subnet (192.168.1.0/24) AND also include the DNS zone from the previous Windows 2008 R2 domain (10.0.1.0 /24)?  Or will I need to add the 10.0.1.0 /24 zone to the DNS server on Server C, even though the DNS from the Windows 2008 R2 domain is AD integrated?

    Hi,
    Regarding the issue here, please take a look into below articles:
    System Requirements and Installation Information for Windows Server 2012 R2
    http://technet.microsoft.com/en-us/library/dn303418.aspx
    Release Notes: Important Issues in Windows Server 2012 R2
    http://technet.microsoft.com/en-us/library/dn387077.aspx
    Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)
    http://technet.microsoft.com/en-us/library/jj574134.aspx
    Here is an example for promoting Windows Server 2012 to a DC, see:
    Step-by-Step Guide for Setting Up A Windows Server 2012 Domain Controller
    http://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx
    As the server is promoted to a DC, DNS Zones will be replicated and synchronized to it automatically whenever the new one is added to an AD DS domain, basically there is no special need to add zones, for more information, please see:
    Understanding Active Directory Domain Services Integration
    http://technet.microsoft.com/en-us/library/cc726034.aspx
    Hope this may help
    Best regards
    Michael

  • What is the proper way to demote a Win 2003 Domain Controller running SQL Server 2008 WorkGroup Edition?

    Hi, 
    What is the proper way to demote a Windows 2003 Domain Controller running SQL Server 2008 WorkGroup Edition? 
    I will be migrating AD from Win 2003 to 2012....
    Thanks in advance. 

    Running SQL on a domain controller is highly not recommended for performance reasons and for complexities it introduces in the management of both systems (You are already facing this situation now).
    I would recommend proceeding like the following before demoting your domain controller:
    Install a new SQL server on a member server
    Migrate your databases to the new SQL server
    Once done, you can safely demote your DC.
    More if you ask them here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?category=sqlserver
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • What is the best practice and Microsoft best recommended procedure of placing "FSMO Roles on Primary Domain Controller (PDC) and Additional Domain Controller (ADC)"??

    Hi,
    I have Windows Server 2008 Enterprise and have 2 Domain Controllers in my Company:
    Primary Domain Controller (PDC)
    Additional Domain Controller (ADC)
    My (PDC) was down due to Hardware failure, but somehow I got a chance to get it up and transferred (5) FSMO Roles from (PDC) to (ADC).
    Now my (PDC) is rectified and UP with same configurations and settings.  (I did not install new OS or Domain Controller in existing PDC Server).
    Finally I want it to move back the (FSMO Roles) from (ADC) to (PDC) to get UP and operational my (PDC) as Primary. (Before Disaster my PDC had 5 FSMO Roles).
    Here I want to know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
    In case if Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
    Example like (FSMO Roles Distribution between both Servers) should be……. ???
    Primary Domain Controller (PDC) Should contains:????
    Schema Master
    Domain Naming Master
    Additional Domain Controller (ADC) Should contains:????
    RID
    PDC Emulator
    Infrastructure Master
    Please let me know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles”.
    I will be waiting for your valuable comments.
    Regards,
    Muhammad Daud

    Here I want to know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
    There is a good article I would like to share with you: http://oreilly.com/pub/a/windows/2004/06/15/fsmo.html
    For me, I do not really see a need to have FSMO roles on multiple servers in your case. I would recommend making it simple and have a single DC holding all the FSMO roles.
    In case if Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
    No. This is not true. Each FSMO role is unique and if a DC fails, FSMO roles will not be automatically transferred.
    There are two approaches that can be followed when an FSMO roles holder is down:
    1. If the DC can be recovered quickly then I would recommend taking no action
    2. If the DC will be down for a long time or cannot be recovered then I would recommend that you seize FSMO roles and do a metadata cleanup
    Attention! For (2) the old FSMO holder should never be up and online again if the FSMO roles were seized. Otherwise, your AD may be facing huge impacts and side effects.
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Windows 2008 R2 domain controllers with Windows 2003 forest functional level Supported after Windows 2003 support ends in July 2015

    Hi
    Anyone knows whether Windows 2008 R2 domain controllers with Windows 2003 forest functional level will still be Supported after Windows 2003 support ends in July 2015 ?
    Thanks

    When Windows Server 2003 support ends, you should not have a Windows Server 2003 Domain Controller running if you would like to be supported by Microsoft. This means that there will be no reason to have a DFL or FFL that is lower than Windows Server 2008.
    So, if you are keeping Windows Server 2003 FFL to keep DCs running Windows Server 2003 then this is not supported.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • RAC on windows 2000 with domain controller

    Guys,
    I need advise on the following implementation.
    We have 2 IBM Xseries 365 Servers , 1 FastT600 Storage Windows 2000 Advanced Server, Oracle 9i, Oracle RAC
    We have plan of integrating 2 servers in Windows 2000 Cluster, one server would act as Domain Controller and second will act as Additional Domain Controller in the MS Cluster. We would be installing Oracle 9i Enterprise s/w on each one of these server's internal disks and datafiles on shared storage ( FastT600 ).. We would need to install Oracle RAC as well. As per Oracle recommendation, the cluster nodes shouldn't act as Domain controller. We didn't find any logical and technical answer for this recommendation. Can anyone guide me as why is it so? and any issue may arise if we don't have separate domain controller?
    Is it really required to have separate Domain controller ?
    Early replies would be appreciated..
    Thanks & Regards,
    Sam

    Hello hanspjacobsen,
    1. According to the subject's System Requirements, Windows 2008 R2 Domain Controllers do support Windows 8.1/2012 R2 admx deployment, with some limitations regarding the down-level server version of course. So yes, you can download and use it. It is doubtful that the GPO presence in AD could harm Exchange in any way.
    2. With the course of updates for Exchange 2010 and Windows Server, I'm pretty sure we can expect Exchange 2010 supporting W2012 R2 DCs with close upcoming updates. So the full interoperability for those two is just a matter of little time.
    MCSE: Messaging 2013 Charter / Private Cloud / Server Infrastructure
    MaximumExchange.ru

  • How to Reset Windows 2008/R2 Domain Administrator Password

    How to Reset Windows Server 2008/R2 Domain Administrator password if forgot or lost it?
    It is annoying and bad to forget a Windows Server 2008/R2 Domain administrator login password. It is troublesome unless you have that Windows Server 2008/R2 password reset disk. We can still find several tricks to reset a Windows Server Domain password, but they require a mass of operations and waste a lot of time. For example, you can reset the Windows Server 2008/R2 domain administrator password with an installation disk, but it requires you to type a mass of command lines. So today I want to share with everyone an omnipotent method to reset the Windows Server 2008/R2 Domain/local administrator password. You need the following 3 things.
    An accessible PC.
    A USB/CD/DVD flash drive.
    The Windows password reset tool Daossoft Windows Password Rescuer.
    Then it requires 4 steps as below:
    Step 1: Download and install Daossoft Windows Password Rescuer into that accessible computer.
    Step 2: Burn it to the flash drive.
    Step 3: Boot your Windows Server computer from the flash drive.
    Step 4: Follow its instructions and click the “Reset Password” button to reset your Windows 2008/R2 Domain/Local administrator password.
    More details in this video: Windows Server 2008 R2 Password Reset - Reset Domain or Local Password.

    It wasn't difficult to reset the domain password and I think Microsoft's policy of not providing an easy forward way is to create an illusion of security which is not there. Linux systems that are much more secure than MSFT software allow easy password reset when physical access is there, so why not include the same tools in System Repair tools or using F8?
    Anyhow, this guide helped me reset the password in 5 minutes. Read the bottom of it to find the scripted / automatic version of the process:
    http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
    Thanks,
