Locked out of server (Page 1 of 2)
Posted: 7/21/2021 11:52:15 AM EDT
Any thoughts on this puzzler:

Windows Server 2016.  The domain trust relationship is broken.  Normally, I'd log in as the local admin user and leave/rejoin the domain.
The local admin account had its password changed.  It isn't what it should be, and we don't know it.  For added fun, we found that someone used the local admin account to run some local services.  If we reset the password, the server gets borked.

Anyone know any Mission Impossible way to either reset the trust relationship or add a second local admin user without being able to log in?

Link Posted: 7/21/2021 11:56:27 AM EDT
What make server is it?
Link Posted: 7/21/2021 11:59:01 AM EDT
No comrade admiral crunch you can not hack our servers
Link Posted: 7/21/2021 12:02:44 PM EDT
It is no longer [email protected]  ??

Do you have access to PC Unlocker? It is easy to use. Plenty of versions are out floating around.

Do you have access to the Installation Disc? If so, you can get to it through utilman.exe to reset it.

Link Posted: 7/21/2021 12:03:46 PM EDT
Originally Posted By jmt1991:
What make server is it?

It's a Windows 2016 VM.
Link Posted: 7/21/2021 12:04:04 PM EDT
Originally Posted By Yore353:
No comrade admiral crunch you can not hack our servers

Damn!  


Link Posted: 7/21/2021 12:04:41 PM EDT
Just a member server?

Do you have any management software on it?

Do you have a backup?
Link Posted: 7/21/2021 12:05:23 PM EDT
If you don't want to reset the password you'd need to extract the password database and crack it.
If you are OK with resetting the password you can just put the new password into the services.

I've got a Microsoft official tool that will reset the password for you.
Link Posted: 7/21/2021 12:07:29 PM EDT
Originally Posted By UV18:
It is no longer [email protected]  ??

Do you have access to PC Unlocker? It is easy to use. Plenty of versions are out floating around.

Do you have access to the Installation Disc? If so, you can get to it through utilman.exe to reset it.


I've used the UtilMan trick on a Windows 7 machine.  Didn't figure it would still work for 2016R2.  I can try it.

I'll also look into PC Unlocker.  
Link Posted: 7/21/2021 12:08:00 PM EDT
[Last Edit: 7/21/2021 12:10:17 PM EDT by NunyaBidness]
Originally Posted By Admiral_Crunch:

Damn!  


This is how I've done it. If you don't have domain admin creds cached on the box or a local admin, you're sorta fucked. You'll have to take it offline and then use a tool like the one I linked. If the system is bitlockered and you don't have the bitlocker creds, then you're super fucked.
Link Posted: 7/21/2021 12:08:50 PM EDT
[Last Edit: 7/21/2021 12:10:29 PM EDT by skydive70]
Originally Posted By Admiral_Crunch:
Any thoughts on this puzzler:

Windows Server 2016.  The domain trust relationship is broken.  Normally, I'd log in as the local admin user and leave/rejoin the domain.
The local admin account had its password changed.  It isn't what it should be, and we don't know it.  For added fun, we found that someone used the local admin account to run some local services.  If we reset the password, the server gets borked.

Anyone know any Mission impossible way to either reset the trust relationship or add a second local admin user without being able to log in?


You can use Linux that boots from a Live CD/USB and use the chntpw utility to change the admin password. I'm not an expert, but have done it...if you use those terms in google you'll get a lot of tutorials/videos that show how to do it.

ETA: you'll need access to the physical box though, so that might be an issue if you don't.
Link Posted: 7/21/2021 12:09:29 PM EDT
Originally Posted By Imzadi:
If you don't want to reset the password you'd need to extract the password database and crack it.
If you are OK with resetting the password you can just put the new password into the services.

I've got a Microsoft official tool that will reset the password for you.

I'm calling that Plan B at this point.
If we have to reset the admin password, we'll get with the vendor who set up the software that the server is running to get them to stop using the damn local admin account for anything.  Whoever did that needs to be whipped anyway.
Link Posted: 7/21/2021 12:10:23 PM EDT
Is this a physical machine or a VM?

Link Posted: 7/21/2021 12:12:32 PM EDT
Originally Posted By _Matt_:
Just a member server?

Do you have any management software on it?

Do you have a backup?

We take a daily snapshot of the VMs.  I reverted this server to an earlier backup after I changed the local admin password, and it borked the server.  Restoring the earlier backup is what broke the trust relationship.
Link Posted: 7/21/2021 12:12:50 PM EDT
Originally Posted By Overlord66:
Is this a physical machine or a VM?


VM
Link Posted: 7/21/2021 12:13:37 PM EDT
[Last Edit: 7/21/2021 12:15:49 PM EDT by dmnoid77]
Originally Posted By Admiral_Crunch:

It's a Windows 2016 VM.
Snapshot time.

ETA: Should have read to the end.

ETA 2: I'm going to go out on a limb a bit and suggest that under the circumstances described you don't really want that server back on the net.
Link Posted: 7/21/2021 12:15:38 PM EDT
Clone to template and use vm customization to rejoin the domain. Then migrate to the new one during maintenance.

Just an idea, never tried it.
Link Posted: 7/21/2021 12:17:31 PM EDT
Blow it away and rebuild it from scratch.  Always add your own personal super-secret local Admin account in the future.
Link Posted: 7/21/2021 12:17:38 PM EDT
Originally Posted By Admiral_Crunch:

VM


If it's Hyper-V, change the boot device to a Hiren's ISO; from there you can create a new local admin account. Or if you have a management tool on the server that gives you system-level access, you can create an account in a CMD prompt or PowerShell.
Link Posted: 7/21/2021 12:18:25 PM EDT
Originally Posted By xerxes2695:
Clone to template and use vm customization to rejoin the domain. Then migrate to the new one during maintenance.

Just an idea, never tried it.

Well that's an interesting idea.  Might have to try that.
Link Posted: 7/21/2021 12:18:29 PM EDT
[Last Edit: 7/21/2021 12:19:16 PM EDT by whollyshite]
What does the server do?  Application, web, database, what?

You may be best served by rebuilding the box and pulling in the data from backups.

Something sounds shady here...
Link Posted: 7/21/2021 12:19:45 PM EDT
If stand alone unplug the network cable and log in

If VMware go into vsphere and disconnect the network card and login
Link Posted: 7/21/2021 12:20:08 PM EDT
Originally Posted By whollyshite:
What does the server do?  Application, web, database, what?

You may be best served by rebuilding the box and pulling in the data from backups.

Something sounds shady here...


Very shady.  I would leave that thing offline for a bit and look over the DC logs.  Probably find some form of fuckery occurring there.
Link Posted: 7/21/2021 12:20:29 PM EDT
Did you try turning it off and back on?
Link Posted: 7/21/2021 12:21:14 PM EDT
Originally Posted By California_Kid:
Blow it away and rebuild it from scratch.  Always add your own personal super-secret local Admin account in the future.

Believe me I'm tempted to tell the vendor, "You fucking failed."  Do it over again, and do it right.  But it's a damn important server.

The local admin account is our IT-use-only failsafe.  Whoever changed it needs to be punched in the junk.
Link Posted: 7/21/2021 12:21:26 PM EDT
Just a thing to try. Go into Active Directory Users and Computers. Find the computer. Right click. Select Reset Account.

See if that lets you login to the domain from the VM.
Link Posted: 7/21/2021 12:21:55 PM EDT
[Last Edit: 7/21/2021 12:23:45 PM EDT by Admiral_Crunch]
Originally Posted By eazeaz:
Disconnect the NIC, then log in. The broken trust relationship is keeping you from logging in. Simple as stopping the server from contacting the domain controller - so it doesn't know its trust relationship is broken.
Obviously you would need to log in with a domain account that is already "cached" - something that has logged in before.
If this is a VM, just set the NIC to "not connected".
Originally Posted By Justcause:
If stand alone unplug the network cable and log in

If VMware go into vsphere and disconnect the network card and login

Tried that.  It just says there is no domain controller to service the login request.
Link Posted: 7/21/2021 12:22:01 PM EDT
[Last Edit: 7/21/2021 12:23:01 PM EDT by eazeaz]
Disconnect the NIC, then log in. The broken trust relationship is keeping you from logging in. Simple as stopping the server from contacting the domain controller - so it doesn't know its trust relationship is broken.

Obviously you would need to log in with a domain account that is already "cached" - something that has logged in before.

If this is a VM, just set the NIC to "not connected".
Link Posted: 7/21/2021 12:22:47 PM EDT
Originally Posted By Imzadi:
Just a thing to try. Go into Active Directory Users and Computers. Find the computer. Right click. Select Reset Account.

See if that lets you login to the domain from the VM.

Tried that already.  No dice.
Link Posted: 7/21/2021 12:23:12 PM EDT
Originally Posted By dmnoid77:


Very shady.  I would leave that thing offline for a bit and look over the DC logs.  Probably find some form of fuckery occurring there.

No fuckery going on at all.
Same thing happens to a computer if you restore to previous time.
It will drop off the domain
Link Posted: 7/21/2021 12:25:39 PM EDT
I'd be very careful what you do with that. It smells bad.

If you don't have cached creds on that VM it'll probably be difficult. Backup or rebuild time. What's this VM do?
Link Posted: 7/21/2021 12:28:04 PM EDT
Originally Posted By Justcause:



No fuckery going on at all.
Same thing happens to a computer if you restore to previous time.
It will drop off the domain

Altered local login credentials + modified services + broken domain trust = possibly compromised server.  Until that is satisfactorily resolved it shouldn't be touching anything important.
Link Posted: 7/21/2021 12:28:45 PM EDT
Use PCUNLOCKER or similar.  I have one that will even do domain creds but it's $$.  Use the ISO, attach it to your VM, boot from it, profit.

Reset or remove local administrator password, enable user if needed.

Boot server, log in as that local user, go through the motions of adding back to the domain.  You don't have to actually remove it before adding again.  This will fix the trust issue.


If this is a DC and you have another, just boot locally as above, do a force remove, seize the FSMOs to another server if they were on this one, run metadata cleanup, clean up DNS, add this one back as a member server, and DCPROMO it back up.

If it was doing DHCP also and DHCP isn't working because it doesn't think it is authorized, once you're logged in locally, run NETSH DHCP SERVER DUMP > somefile.txt  to get a human readable copy of your DHCP setup.  Set up another DHCP server, do a find/replace on the server names in the file, and do NETSH EXEC somefile.txt  to set up the new DHCP exactly like the old one.
Link Posted: 7/21/2021 12:29:50 PM EDT
Originally Posted By dmnoid77:


Very shady.  I would leave that thing offline for a bit and look over the DC logs.  Probably find some form of fuckery occurring there.

It's Active Directory.  I manage nearly 400 servers and almost 100 domains.  It's par for the course.
Link Posted: 7/21/2021 12:29:56 PM EDT
Hiren's if you are allowed.
Link Posted: 7/21/2021 12:30:59 PM EDT
Netdom
Link Posted: 7/21/2021 12:32:47 PM EDT
Mount 2016 ISO to VM.

Use Utilman.

You're welcome.
Link Posted: 7/21/2021 12:37:26 PM EDT
Nothing shady.  Just a couple of poor decisions by a vendor.
Link Posted: 7/21/2021 12:39:25 PM EDT
Originally Posted By NunyaBidness:
This is how I've done it. If you don't have domain admin creds cached on the box or a local admin, you're sorta fucked. You'll have to take it offline and then use a tool like the one I linked. If the system is bitlockered and you don't have the bitlocker creds, then you're super fucked.
This... But I use UBCD. http://www.ultimatebootcd.com/
Link Posted: 7/21/2021 12:41:04 PM EDT
Reset admin using https://www.hirensbootcd.org/


Go into services and find what is running as admin and update accordingly. Slap the Pee Pee of who ever did that BS.

borked domain trust blows.
Link Posted: 7/21/2021 12:41:45 PM EDT
[Last Edit: 7/21/2021 12:43:05 PM EDT by RevDeadCorpse]
Originally Posted By Admiral_Crunch:

VM
Were they doing a full backup on the host? If so, you could try to do a full restore of the VM from backup on a date prior to losing the Domain connection. Would lose any recent data, but you'd have the server back.

ETA: depending on the backup solution, you might be able to stand the VM up on the backup server. Down the problem child first. Axcient and Datto both allow this.
Link Posted: 7/21/2021 12:49:55 PM EDT
Thanks for all the suggestions.  I'm going to try a few and will report back.
Link Posted: 7/21/2021 12:50:10 PM EDT
Originally Posted By Imzadi:
If you don't want to reset the password you'd need to extract the password database and crack it.
If you are OK with resetting the password you can just put the new password into the services.

I've got a Microsoft official tool that will reset the password for you.

Yeah, that is certainly the easiest solution IMHO.
Link Posted: 7/21/2021 12:52:54 PM EDT
[Last Edit: 7/21/2021 5:32:01 PM EDT by inzane123]
The Sticky Keys hack will get you in if your org hasn't blocked it.

https://fossbytes.com/sticky-key-feature-and-reset-windows-password-using-cmd/
Link Posted: 7/21/2021 1:08:52 PM EDT
E-Z mode:

Take screenshot of VM

Get Windows Server 2016 install disk/image
Boot to Windows Server 2016 image
Open CMD prompt once loaded (should be Shift+F10)
Navigate in CMD to the C drive of the main OS
Rename Ease of Access to CMD
Reboot into OS and from the lock screen open up Ease of Access (CMD)
Either force rejoin to domain or reset password from CMD

Easy peasy, but will require some downtime.
Link Posted: 7/21/2021 2:58:27 PM EDT
Hiren's boot CD, or try unplugging the network cable as you log in. I used to do this when our AD servers started crapping out.
Link Posted: 7/21/2021 3:07:13 PM EDT
Take a 10-second outage and disconnect the NIC as others have stated. Log in with cached domain creds.

Use Netdom to fix the domain trust without a reboot.
Link Posted: 7/21/2021 3:11:56 PM EDT
[Last Edit: 7/21/2021 3:37:07 PM EDT by zander712]
You can blank out the admin password and/or enable it with Trinity rescue disk. Take Trinity and enable the local administrator password for the server and blank out the password. Log in to the local admin account with administrator and a blank password. Open PowerShell as administrator and type the command below, substituting your domain name and a domain admin user name.


Reset-ComputerMachinePassword -Server contoso.com -Credential contoso\(domain admin username)
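Added example, not from zander712's post or from any tool the thread names: an elevated PowerShell sequence that ties the thread's two problems together. It first inventories the services configured to log on as the built-in local Administrator (what breaks when that password is reset, per Imzadi's and the "go into services" posts), offers a way to re-point them to a dedicated account, and then checks and repairs the machine's domain secure channel with Reset-ComputerMachinePassword, the cmdlet the post above uses. The domain, domain admin and service account names are placeholders.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the
# member server once a local admin login is possible again. The values below are
# placeholders: replace them with your own domain, admin and service accounts.
$Domain         = 'contoso.com'              # placeholder, as in the post above
$DomainAdmin    = 'contoso\domainadmin'      # placeholder domain admin account
$ServiceAccount = 'contoso\svc_app'          # placeholder dedicated service account

# 1. Find every service configured to log on as the built-in local Administrator.
#    These are what break when that password is reset, so inventory them first.
function Get-LocalAdminServices {
    $localAdmin = "$env:COMPUTERNAME\Administrator"
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -in @('.\Administrator', $localAdmin) } |
        Select-Object Name, DisplayName, StartName, State, PathName
}

# 2. Re-point one such service to a dedicated account (Win32_Service.Change).
#    Run this for each service from step 1 before rotating the Administrator password.
function Set-ServiceLogon {
    param([string]$Name, [string]$Account, [securestring]$Password)
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    Get-CimInstance Win32_Service -Filter "Name='$Name'" |
        Invoke-CimMethod -MethodName Change -Arguments @{
            StartName = $Account; StartPassword = $plain }   # ReturnValue 0 = success
}

# 3. Check the machine account's secure channel and repair it in place.
#    This fixes "trust relationship failed" without a leave/rejoin or a reboot.
#    -Server takes a DC name; the post above passes the domain name, which resolves to one.
function Repair-DomainTrust {
    param([string]$Domain, [pscredential]$Credential)
    if (Test-ComputerSecureChannel) { return 'Secure channel OK' }
    Reset-ComputerMachinePassword -Server $Domain -Credential $Credential
    if (Test-ComputerSecureChannel -Credential $Credential) { 'Secure channel repaired' }
    else { 'Still broken: check DNS and that the computer object still exists in AD' }
}

$services = Get-LocalAdminServices
if ($services) {
    Write-Warning 'Services running as the local Administrator account:'
    $services | Format-Table -AutoSize
}
$cred = Get-Credential -UserName $DomainAdmin -Message 'Domain admin credentials'
Repair-DomainTrust -Domain $Domain -Credential $cred
# Example of step 2 for one service found above (constructed name):
# Set-ServiceLogon -Name 'VendorAppSvc' -Account $ServiceAccount -Password (Read-Host -AsSecureString)
```

Step 3 is also the reason the restored snapshot broke the trust: the snapshot carried the old machine account password, while the DC had already rotated it.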
Link Posted: 7/21/2021 3:12:52 PM EDT
Do you use LAPS in your domain?  If you do you can see if it has the last cached admin password before the issue started.
Link Posted: 7/21/2021 3:13:28 PM EDT
[Last Edit: 7/21/2021 3:20:52 PM EDT by LVMIKE]
Do you know if BitLocker is enabled? There is a common exploit using utilman.exe to compromise local login, but it won't work with BDE enabled unless you have the drive recovery key. Des2b covered the basics of what I'm talking about; the actual exe is c:\windows\system32\utilman.exe. Once it's renamed to something to back it up, create a copy of cmd.exe named utilman.exe. Restart and click the Ease of Access icon at the login screen. This will give a command prompt running in a SYSTEM context. Then use the net command to change the admin pass (net user administrator oldcorrectadminpass).
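Added example, not from LVMIKE's post: a defender-side integrity check for the accessibility binaries that the logon screen launches as SYSTEM, so an admin can confirm after a recovery like the one above that no swapped cmd.exe was left behind. It compares each binary's hash against cmd.exe, inspects the version resource, and checks the Authenticode status; the Image File Execution Options check covers a related redirection variant the thread does not mention. Function and variable names are mine.

```powershell
# Added example, not from the thread. Returns an empty list when the logon-screen
# accessibility binaries look untouched; anything returned deserves a closer look.
# Run elevated on the server in question. For offline forensics, point -SystemRoot at
# a mounted copy of the drive (the registry check below is live-system only).
function Test-AccessibilityBinaries {
    param([string]$SystemRoot = $env:SystemRoot)
    $sys32   = Join-Path $SystemRoot 'System32'
    $cmdHash = (Get-FileHash -Algorithm SHA256 (Join-Path $sys32 'cmd.exe')).Hash
    # Everything Windows can start from the logon screen as SYSTEM via Ease of Access.
    $targets  = 'utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe'
    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($name in $targets) {
        $path = Join-Path $sys32 $name
        if (-not (Test-Path $path)) { continue }
        $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
        $sig  = Get-AuthenticodeSignature $path
        $desc = (Get-Item $path).VersionInfo.FileDescription
        if ($hash -eq $cmdHash) {
            # The swap described in the post above: a copy of cmd.exe under the tool's name.
            $findings.Add([pscustomobject]@{ File = $name; Issue = 'Byte-identical to cmd.exe' })
        } elseif ($desc -like '*Command Processor*' -or $desc -like '*PowerShell*') {
            # Catalog signing still validates a renamed Microsoft binary, so the version
            # resource is a better tell than the signature alone.
            $findings.Add([pscustomobject]@{ File = $name; Issue = "FileDescription is '$desc'" })
        } elseif ($sig.Status -ne 'Valid') {
            $findings.Add([pscustomobject]@{ File = $name; Issue = "Signature status $($sig.Status)" })
        }
    }

    # Related variant not in the thread: an IFEO "Debugger" value makes Windows start
    # another program in place of the tool without touching the file on disk.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($name in $targets) {
        $key = Get-ItemProperty -Path (Join-Path $ifeo $name) -Name Debugger -ErrorAction SilentlyContinue
        if ($key) { $findings.Add([pscustomobject]@{ File = $name; Issue = "IFEO Debugger = $($key.Debugger)" }) }
    }
    return $findings
}

Test-AccessibilityBinaries | Format-Table -AutoSize
```

The mitigation the post itself names still applies: with BitLocker on, the offline swap needs the recovery key, so this check is mostly for confirming nothing was left behind once the box is back in service.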
Link Posted: 7/21/2021 3:14:26 PM EDT
[Last Edit: 7/21/2021 3:16:51 PM EDT by zander712]
Originally Posted By opnblstr:

It's Active Directory.  I manage nearly 400 servers and almost 100 domains.  It's par for the course.


it happens all the time - I posted the solution I use above since I have it on a thumb drive on my desk