Common Windows issues: Why resetting a password fails on a domain controller

Problem

After you request a password reset for a Windows® Server® that acts as a Domain Controller (DC),
the password does not reset. The Rackspace Cloud Server Agent service attempts to alter the local
Security Accounts Manager (SAM) account for the administrator and reports a failure, but the password
reset appears to complete successfully.

Explanation

A DC does not have any local accounts. When you promote a server to a DC, the system removes all local
accounts, and the Active Directory (AD) database handles all authentication, access permissions, group
memberships, and so on. Because there are no local accounts, the password reset command applied to the
local administrator account fails. When you attempt to clone a DC, the operation fails on multiple
levels. Even if the cloned DC allows you to reset the administrator's password, it doesn't work
because it detects a duplicate DC within the forest. This scenario is impossible when you install server
(rather than cloning it) because of how AD handles computer names by ensuring that all names are unique.

When you change the name of the cloned DC, another failure occurs because DNS (and hence AD because they
are tied together) cannot locate the name of the Start of Authority (SOA) for the AD domain zone file.
The computer object in the DC's container in AD does not match, so the cloned DC abides by all the rules
when it boots. However, after it starts, it isolates from the network and shuts down all directory services
attributes. The cloned DC gets to the login prompt, but you have to boot into Directory Services Restore Mode
to clean all the metadata.

Conclusion

Do not clone a Rackspace Cloud Server configured as a DC. Demote the current DC before you save the server
image to create new servers.

Use the Feedback tab to make any comments or ask questions. You can also click Let's Talk to
start the conversation.