UMove for Active Directory
Changing the Domain Admin Password

In addition to setting the DSRM password, UMove gives you the option of also assigning the same password to the Domain Administrator account. For example, if you restore Active Directory from an old backup you may have forgotten the old Domain Administrator password. This option allows you to regain access to the domain so that you are not “locked out”.

To change the Domain Administrator password, on the DSRM password panel check the box to also assign this password to the Domain Administrator. On reboot UMove will overwrite the password for the Domain Administrator.

If you previously disabled the Domain Administrator account, UMove will enable it.

UMove will do a “forced” password change. A forced password change overwrites the password without knowledge of the previous password.

Loss of EFS Recovery Agent Keys

If you check the box to do a forced password change, UMove will show a message box to warn you that you will lose your EFS Recovery Agent keys.

Warning: When doing a forced password change, you will lose your Encrypting File System (EFS) Recovery Agent private key for the Domain Administrator account. This is because the computer needs to decrypt the credentials using the old password and then re-encrypt them using the new password. Without the old password the EFS credentials cannot be re-encrypted. This means that you will lose the ability to recover previously encrypted EFS files (Q290260).

During the cleanup step you can create a new EFS Recovery Agent certificate. The new certificate will be assigned to future encrypted EFS files, allowing you to recover files that are encrypted after the password change.

Because of the danger of losing your EFS Recovery Agent private key, you should do a forced password change only if you have completely forgotten the old Domain Administrator password. UMove will display a warning message to caution you.
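If you still know the Domain Administrator password and are only using the forced change for convenience, the private key can be backed up before the change instead of being lost. The following PowerShell is an added example, not part of UMove or this page: run it while logged on as the Domain Administrator, before rebooting into DSRM. It looks for certificates in the user's personal store that carry the File Recovery enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1), which is what marks an EFS Recovery Agent certificate, and exports each one with its private key to a PFX file. The output path `C:\DRA-backup` is an assumption; choose a location that is not on the domain controller being moved.

```powershell
# Added example (not UMove's code): back up EFS Recovery Agent private keys before a
# forced Domain Administrator password change destroys them. Run as the Domain
# Administrator on a normally booted DC, before entering DSRM.

$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU "File Recovery" (EFS DRA)
$backupDir = 'C:\DRA-backup'                    # assumed path; use removable or remote media

# Recovery Agent certificates live in the personal store of the account that is the DRA.
$draCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains $fileRecoveryOid) }

if (-not $draCerts) {
    Write-Warning 'No EFS Recovery Agent certificate with a private key was found for this account.'
    return
}

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString 'Password to protect the exported PFX'

foreach ($cert in $draCerts) {
    $target = Join-Path $backupDir ("DRA-{0}.pfx" -f $cert.Thumbprint)
    # Export-PfxCertificate (PKI module) writes the certificate together with its private key.
    Export-PfxCertificate -Cert $cert -FilePath $target -Password $pfxPassword | Out-Null
    "Exported DRA certificate {0} (expires {1}) to {2}" -f $cert.Subject, $cert.NotAfter, $target
}
```

After the forced change, the exported PFX can be imported again with `Import-PfxCertificate`, which restores the ability to recover files encrypted under the old Recovery Agent certificate. If the export step fails because the private key is marked non-exportable, the warning on this page applies in full and the key cannot be preserved.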

The PDC Emulator Should Be Used to Change Passwords

In order to change the Domain Administrator password, the domain controller that you are moving should have the Primary Domain Controller (PDC) emulator role. A non-PDC will attempt to forward the change-password request to the PDC. If the PDC is not reachable on the network, the password change request will generate error messages in the Event Log. (If there is a discrepancy between passwords on a non-PDC and a PDC, the password on the PDC will take precedence.)
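Before rebooting into DSRM, it is worth confirming that the domain controller being moved actually holds the PDC emulator role, since AD DS is offline in DSRM and the check cannot be made there. The snippet below is an added example and not part of UMove: it reads the role holder from the domain with the ActiveDirectory module and compares it with the local computer's fully qualified name. The `Move-ADDirectoryServerOperationMasterRole` command mentioned in the warning text is the standard way to transfer the role; whether to transfer it is a decision for the administrator, not something this page prescribes.

```powershell
# Added example (not UMove's code): verify that this DC is the PDC emulator before a
# forced Domain Administrator password change. Run on the DC in normal (not DSRM) mode.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$pdcFqdn  = $domain.PDCEmulator                                    # e.g. dc1.example.local
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($pdcFqdn -ieq $localFqdn) {
    "OK: $localFqdn holds the PDC emulator role; the password change will be applied locally."
} else {
    Write-Warning ("This DC is {0} but the PDC emulator is {1}. A forced change here will be " +
                   "forwarded to {1}; if it is unreachable, expect Event Log errors and the PDC's " +
                   "copy of the password to win. To transfer the role first, run:`n" +
                   "  Move-ADDirectoryServerOperationMasterRole -Identity '{0}' -OperationMasterRole PDCEmulator") -f $localFqdn, $pdcFqdn
    # Also show that the PDC is reachable for Kerberos/LDAP if you choose not to transfer the role.
    Test-NetConnection -ComputerName $pdcFqdn -Port 389 | Select-Object ComputerName, TcpTestSucceeded
}
```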

Spurious Error Message

When doing a forced change of the password for the Domain Administrator account, a yellow warning message may appear in the System Event Log for Schannel. The error message is spurious and can be ignored (Event ID 36872).
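Because Schannel events are also raised by genuine TLS and certificate problems, an administrator will usually want to separate the expected Event ID 36872 warning from anything else Schannel logged around the reboot. The following PowerShell is an added example, not part of UMove or this page: it pulls Schannel entries from the System log for a chosen window, reports how many of them are the 36872 warning described above, and lists every other Schannel warning or error so that those can be reviewed rather than dismissed. The 24-hour window is an assumption; adjust it to cover the DSRM reboot.

```powershell
# Added example (not UMove's code): after the forced password change, confirm that the only
# Schannel noise in the System log is the expected Event ID 36872 warning.
$since        = (Get-Date).AddHours(-24)     # assumed window; widen if the reboot was earlier
$expectedId   = 36872                        # the spurious warning documented on this page

$schannel = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    StartTime    = $since
} -ErrorAction SilentlyContinue

$expected = @($schannel | Where-Object { $_.Id -eq $expectedId })
# Level 2 = Error, 3 = Warning; anything else from Schannel deserves a look.
$other    = @($schannel | Where-Object { $_.Id -ne $expectedId -and $_.Level -in 2, 3 })

"Schannel events since {0}: {1} total, {2} expected (ID {3}), {4} other warnings/errors." -f
    $since, @($schannel).Count, $expected.Count, $expectedId, $other.Count

if ($other.Count -gt 0) {
    Write-Warning 'Schannel events other than the documented spurious warning were found; review these:'
    $other | Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

If the only entries reported are the expected 36872 warnings, the log matches what this page describes and no further action is needed.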


Algin Technology LLC