When a Domain Controller gets corrupted, options are limited when it comes to repair. A client ran into this situation last week when their 2012 R2 virtual machine ran out of space, and then someone yanked the power cord out of the back, all but ensuring data corruption.
On boot the machine would present Microsoft’s lovely 0x00002e2 error, which largely translates to “rebuild your AD infrastructure from scratch,” and some very ineffectual troubleshooting tools. Hoping I could puzzle a way around the error, I got to tinkering.
The VM would only successfully boot into DSRM mode, but without the local administrator account password, there was no getting into the box. I had various password reset tools at my disposal, but unfortunately Hyper-V didn’t like booting any of them with the v2 VM, an issue I found others in similar situations lamenting.
The Bypass
Luckily I also had a CD image for Server 2012 R2 handy, which booted just fine. I was able to get into the recovery console where the real magic happened. On every Windows log in screen there’s the “Ease of Access” or accessibility options button, which provides features for users who are colorblind or otherwise need additional help using their computer. The EoA executable is located at Windows\System32\utilman.exe. By overwriting utilman.exe with cmd.exe (after making a backup copy of course), I was ready to enter the system.
Once the system booted (into DSRM mode, the only functional boot I had available), I clicked the Ease of Access button and, lo and behold, a command prompt opened, with full system privileges. I ran the following two commands to reset and unlock the local Administrator account (the only account available in DSRM mode), and I was in:
net user Administrator [new password]
net user Administrator /active:yes
And with that, I was able to log into the machine using my new password. A few helpful commands later (some of which are shown here to the right) and the DC was back up and running successfully, all without having to rebuild the entire Active Directory structure.
The lesson here? Make sure you don’t run out of room on your DC and don’t just yank out power cables. If this client had us monitoring the server before this problem, I wouldn’t have had to implement this workaround, or bill them for nearly as many hours.