Solved: Re: How can I recover DC directory admin password on Subscriber?

tapk5 · ‎09-16-2005

I just installed a subscriber, but I could not access user information from CCM admin, and could not access DC Directory administration, the password for "Directory Manager" is not the default, not the cluster (on publisher). But when I looked at the encrypted 'MGRPW' in registry, which is exactly the same as in publisher.

I tried to reinstall CCM/DC Directory, but the result was still the same. What could go wrong?

Wei

MTS Allstream

kthorngr · ‎09-19-2005

ok, thx for the clarification. I am more concerned as to why the DC Directory is not working since it seems that the installer is able to get the MGRPW from the registry on the pub. The integratedSetup.trc will hopefully show us whether the installation was successful or not.

In my previous post I wanted you to change the authenticaion method to none when logging into DCD Administrator. This will allow you to login without a password but not be able to do anything. You will get a message, just click ok. You should then see cisco.com in the right pane. If you don't see cisco.com then I would suspect an issue with the DCD installation. You won't be able to do anything with cisco.com.

I am trying to make sure the DC Directory is getting installed and if it is that it is a complete installation. Since you have tried this twice I would recommned opening a TAC case, provide the integratedSetup.trc, all of the log files in c:\dcdsrvr\log and remote access to the server. If the problem is simply the password in DCD then a TAC engineer will need access to fix it.

Kevin

View solution in original post

kthorngr · ‎09-19-2005

When you try opening DC Directory Administration from the subscriber - are you not able to log in or are you able to log in but do not see any data?

You can use the CCMPwdChanger tool to reset the Directory Manager password:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_configuration_example09186a00800942be.shtml

But that might not be the issue. If name resolution is not working then you will have DC Direcotry issues. Make sure you have both the hosts and lmhosts files populated, on all CCM servers in the cluster including the new server, before you install CCM on the subscriber. This will insure proper installation of DCD on the subscriber and that replication will work.

Kevin

tapk5 · ‎09-19-2005

No, I could not even log into DC directory. the CCMPwdChanger could work only if I know the old password, unfortunitely I don't.

By the way, all hosts, lmhosts are correct in CCM cluster.

And 'MGRPW' in registry doesn't match with the true DC admin password, so I could not access user Direcotry from CCM admin.

kthorngr · ‎09-19-2005

The MGRPW in the registry is encrypted. You can use the following command, forom a cmd prompt, to see if the encrypted password matches what you beleive the Directory Manager PW to be:

passwordutils.exe password

More info can be found here regarding this command:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/prod_troubleshooting_guide_chapter09186a00801eaf9d.htmls

Are you able to log into the DC Directory Administration tool on the Publisher?

And, does the MGRPW on the pub match the results of passwordutils.exe?

Kevin

tapk5 · ‎09-19-2005

Yes, I did that, the password in "MGRPW" is the same as the one on publisher, and I can use that password to log on DC on publisher without problem. As I said before, this password doesn't match to the true password of DC Directory Manager of subscriber.

kthorngr · ‎09-19-2005

What version of CCM?

In DC Directory Administrator try setting the Ath Level to none. Do you see cisco.com in the right side pane?

You can also look at the DCD install logs:

C:\Program Files\Common Files\Cisco\Directory\IntegratedSetup.trc

Does you DCD MGR password have any special characters in it?

Kevin

tapk5 · ‎09-19-2005

It is CCM 4.02a.

As I said, I could not access DC Administration.

integratedSetup.trc doesn't show any clues on what is password for DC. The encrypted 'MGRPW' is the same as the one in publisher. MGR password is Alpha-numeric, no special character.

kthorngr · ‎09-19-2005

ok, thx for the clarification. I am more concerned as to why the DC Directory is not working since it seems that the installer is able to get the MGRPW from the registry on the pub. The integratedSetup.trc will hopefully show us whether the installation was successful or not.

In my previous post I wanted you to change the authenticaion method to none when logging into DCD Administrator. This will allow you to login without a password but not be able to do anything. You will get a message, just click ok. You should then see cisco.com in the right pane. If you don't see cisco.com then I would suspect an issue with the DCD installation. You won't be able to do anything with cisco.com.

I am trying to make sure the DC Directory is getting installed and if it is that it is a complete installation. Since you have tried this twice I would recommned opening a TAC case, provide the integratedSetup.trc, all of the log files in c:\dcdsrvr\log and remote access to the server. If the problem is simply the password in DCD then a TAC engineer will need access to fix it.

Kevin

tapk5 · ‎09-19-2005

That works, I accessed without password and saw cisco.com. And changed the directory manager's password, so I could log in "simple' anthentication mode now, but there is no data in there. Is any procedure to sync with publisher DCD?

agopala · ‎09-19-2005

Can you please go thru the following complete procedure and let me know the results.. I know you have done some of this before..

Reset the DCD admin password. Once the DCD admin password is reset, the corresponding encrypted password need to be generated and the registry and ini file(s) need to be updated.

The tool "C:\dcdsrvr\bin\PasswordUtils" can be used to generate the encrypted password. The following registry values, under HKLM\SOFTWARE\Cisco

Systems,Inc.\DirectoryConfiguration, should be updated.

1. DCDMGRPW 2. MGRPW

Also, the value of passwd in C:\dcdsrvr\DirectoryConfiguration.ini need to

be updated.

For CM 4.0 and later, the password need to be updated in

C:\dcdsrvr\Config\UMDirectoryConfiguration.ini also.

For this, run the command "UMEncryptText" from command prompt.

It will generate a file "out.txt" at the folder from which the command was run. Open the "out.txt" and copy the contents after "Text=". This is the

encrypted password.

Now, open the file, C:\dcdsrvr\Config\UMDirectoryConfiguration.ini, using Notepad (do not use any other text editor).

Update the CiscoldapPWd and UserLdapPwd values and save the file.

Finally, restart the IIS Admin service so that the password changes are

reflected when you access the CCM Admin\CCM user pages.

Thanks!

firewall13 · ‎12-11-2013

You can bruteforce your DC Directory Admin password using c:\dcdsrvr\bin\PasswordUtils.cmd on your CCM Pub:

1. Open regedit on CCM Pub HKLM\SOFTWARE\Cisco Systems, Inc.\Directory Configuration\

2. Find key MGRPW - it's your password, but encrypted. For example: 0e01100d26151201

3. Make it look like 0e-01-10-0d-26-15-12-01 for simplier view.

4. Run "PasswordUtils a". You see "Encrypted Password: 0e. So the first letter of the password is"a"

5. Run "PasswordUtils aa". You see 0e02. It doesn't match.

6. Run "PasswordUtils ab". You see 0e01. It DOES match. So the second letter of the password is"b"

7. Run "PasswordUtils aba". You see 0e0112. It doesn't match.

8. Run "PasswordUtils abb". You see 0e0111. It doesn't match.

9. Run "PasswordUtils abc". You see 0e0110. It DOES match. So the third letter of the password is"c"

10. Run "PasswordUtils abca". You see 0e011008. It doesn't match.

Continue to brute until recover all letters or digits.

Tested on CCM 4.1