Step 1: Verify that the EC2Config service is running

Before you attempt to reset the administrator password, verify that the EC2Config service is installed and running. You use the EC2Config service to reset the administrator password later in this section.

To verify that the EC2Config service is running

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
  2. In the navigation pane, choose Instances and then choose the instance that needs a password reset. This instance is referred to as the original instance in this procedure.
  3. Choose Actions, Instance Settings, Get System Log.
  4. Locate the EC2 Agent entry, for example, EC2 Agent: Ec2Config service v3.18.1118. If you see this entry, the EC2Config service is running.
  5. If the system log output is empty, or if the EC2Config service is not running, troubleshoot the instance using the Instance Console Screenshot service.

Step 2: Detach the root volume from the instance

You can’t use EC2Config to reset an administrator password if the volume on which the password is stored is attached to an instance as the root volume. You must detach the volume from the original instance before you can attach it to a temporary instance as a secondary volume.

To detach the root volume from the instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
  2. In the navigation pane, choose Instances.
  3. Select the instance that needs a password reset and choose Actions, Instance State, Stop. After the instance’s status changes to stopped, continue with the next step.
  4. (Optional) If you have the private key that you specified when you launched this instance, continue with the next step. Otherwise, use the following steps to replace the instance with a new instance that you launch with a new key pair.
    • Create a new key pair using the Amazon EC2 console. To give your new key pair the same name as the one for which you lost the private key, you must first delete the existing key pair.
    • Select the instance to replace. Note the instance type, VPC, subnet, security group, and IAM role of the instance.
    • Choose Actions, Image, Create Image. Type a name and a description for the image and choose Create Image, View pending image. After the image status changes to available, continue to the next step.
    • Select the image and choose Launch.
    • Complete the wizard, selecting the same instance type, VPC, subnet, security group, and IAM role as the instance to replace, and then choose Launch.
    • When prompted, choose the key pair that you created for the new instance, select the acknowledgement check box, and then choose Launch Instances.
    • (Optional) If the original instance has an associated Elastic IP address, transfer it to the new instance. If the original instance has EBS volumes in addition to the root volume, transfer them to the new instance.
    • Terminate the stopped instance, as it is no longer needed. For the remainder of this procedure, all references to the original instance apply to this instance that you just created.
  5. Detach the root volume from the original instance as follows:
    • In the Description pane of the original instance, note the ID of the EBS volume listed as the Root device.
    • In the navigation pane, choose Volumes.
    • In the list of volumes, select the volume noted in the previous step, and choose Actions, Detach Volume. After the volume status changes to available, continue with the next step.

Step 3: Attach the volume to a temporary instance

Next, launch a temporary instance and attach the volume to it as a secondary volume. This is the instance you use to modify the configuration file.

To launch a temporary instance and attach the volume

  1. Launch the temporary instance as follows:
    • In the navigation pane, choose Instances, choose Launch Instance, and then select an AMI.
    • Note: To avoid disk signature collisions, you must select an AMI for a different version of Windows. For example, if the original instance runs Windows Server 2012 R2, launch the temporary instance using the base AMI for Windows Server 2008 R2.
    • Leave the default instance type and choose Next: Configure Instance Details.
    • On the Configure Instance Details page, for Subnet, select the same Availability Zone as the original instance and choose Review and Launch.
    • Note: The temporary instance must be in the same Availability Zone as the original instance. If your temporary instance is in a different Availability Zone, you can’t attach the original instance’s root volume to it.
    • On the Review Instance Launch page, choose Launch.
    • When prompted, create a new key pair, download it to a safe location on your computer, and then choose Launch Instances.
  2. Attach the volume to the temporary instance as a secondary volume as follows.
    • In the navigation pane, choose Volumes, select the volume that you detached from the original instance, and then choose Actions, Attach Volume.
    • In the Attach Volume dialog box, for Instances, start typing the name or ID of your temporary instance and select the instance from the list.
    • For Device, type xvdf (if it isn’t already there), and choose Attach.

Step 4: Modify the configuration file

After you have attached the volume to the temporary instance as a secondary volume, modify the Ec2SetPassword plugin in the configuration file.

To modify the configuration file

  1. From the temporary instance, modify the configuration file on the secondary volume as follows:
    • Launch and connect to the temporary instance.
    • Open the Disk Management utility, and bring the drive online using these instructions:
      • Log in to your Windows instance using Remote Desktop. For more information, see Connecting to your Windows instance.
      • Start the Disk Management utility. On the taskbar, open the context (right-click) menu for the Windows logo and choose Disk Management.
      • Note: On Windows Server 2008, choose Start, Administrative Tools, Computer Management, Disk Management.
      • Bring the volume online. In the lower pane, open the context (right-click) menu for the left panel for the disk for the EBS volume. Choose Online.
        [Screenshot: Bring the volume online.]
      • (Conditional) You must initialize the disk before you can use it. Warning: If you’re mounting a volume that already has data on it (for example, a public data set, a volume that you created from a snapshot, or, as in this procedure, the original instance’s root volume), do not initialize or reformat the volume or you will delete the existing data. If the disk is not initialized, initialize it as follows: open the context (right-click) menu for the left panel for the disk and choose Initialize Disk. In the Initialize Disk dialog box, select a partition style and choose OK.
        [Screenshot: Initialize the volume.]
      • Open the context (right-click) menu for the right panel for the disk and choose New Simple Volume. Complete the wizard.
        [Screenshot: Mount a simple volume.]

To make an EBS volume available for use using the DiskPart command line tool

  1. Log in to your Windows instance using Remote Desktop. For more information, see Connecting to your Windows instance.
  2. Create a new script file named diskpart.txt.
  3. Add the following commands to the script file and specify the volume label and drive letter. This script configures the volume to use the master boot record (MBR) partition structure, formats the volume as an NTFS volume, sets the volume label, and assigns it a drive letter. Because the script formats the disk, use it only for a new, empty volume; never run it against the original instance’s root volume, which holds the data you are trying to recover. Also confirm (with list disk in DiskPart) that disk 1 really is the attached EBS volume before you execute the script.

Commands:
select disk 1
attributes disk clear readonly
online disk
convert mbr
create partition primary
format quick fs=ntfs label="volume_label"
assign letter="drive_letter"

  4. Navigate to the folder in which the script is located and execute the following command:

Command:
C:\> diskpart /s diskpart.txt
  2. Navigate to the secondary volume, and open \Program Files\Amazon\Ec2ConfigService\Settings\config.xml using a text editor, such as Notepad.
    • At the top of the file, find the plugin with the name Ec2SetPassword, as shown in the screenshot below. Change the state from Disabled to Enabled and save the file.
      [Screenshot: The area of the config.xml file to change]
  3. After you have modified the configuration file, detach the secondary volume from the temporary instance as follows:
    • Using the Disk Management utility, bring the volume offline.
    • Disconnect from the temporary instance and return to the Amazon EC2 console.
    • In the navigation pane, choose Volumes, select the volume, and then choose Actions, Detach Volume. After the volume’s status changes to available, continue with the next step.
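The config.xml edit described above, as an added PowerShell example to run from an elevated prompt on the temporary instance (this is not code from the original page or from AWS). It brings offline disks online without initializing or formatting them, locates config.xml on the secondary volume, flips the Ec2SetPassword plugin state to Enabled, and verifies the result. It assumes config.xml uses the layout Ec2ConfigurationSettings/Plugins/Plugin with Name and State child elements, which the page only describes by plugin name and state.

```powershell
# Added example, not from the original page. Assumes an elevated PowerShell
# session on the temporary instance with the original root volume attached.

# 1. Bring any offline disk online and clear read-only. This is the Disk
#    Management "Online" step only: nothing is initialized or formatted, so the
#    data on the original instance's root volume is preserved.
Get-Disk | Where-Object { $_.IsOffline } | ForEach-Object {
    Set-Disk -Number $_.Number -IsOffline $false
    Set-Disk -Number $_.Number -IsReadOnly $false
}

# 2. Find config.xml on a drive other than the temporary instance's own system drive.
$relative = 'Program Files\Amazon\Ec2ConfigService\Settings\config.xml'
$configPath = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -ne "$($env:SystemDrive)\" } |
    ForEach-Object { Join-Path $_.Root $relative } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $configPath) {
    throw 'config.xml not found on a secondary volume; is the disk online and does it have a drive letter?'
}

# 3. Back up the file, then set the Ec2SetPassword plugin State to Enabled.
#    (Assumed layout: Ec2ConfigurationSettings/Plugins/Plugin/{Name,State}.)
Copy-Item -Path $configPath -Destination "$configPath.bak" -Force
[xml]$xml = Get-Content -Path $configPath -Raw
$plugin = $xml.Ec2ConfigurationSettings.Plugins.Plugin |
    Where-Object { $_.Name -eq 'Ec2SetPassword' }
if (-not $plugin) { throw 'No Ec2SetPassword plugin entry found in config.xml' }
"Ec2SetPassword state before: $($plugin.State)"
$plugin.State = 'Enabled'
$xml.Save($configPath)

# 4. Re-read the file to confirm the change took effect before detaching the volume.
[xml]$check = Get-Content -Path $configPath -Raw
$after = ($check.Ec2ConfigurationSettings.Plugins.Plugin |
    Where-Object { $_.Name -eq 'Ec2SetPassword' }).State
if ($after -ne 'Enabled') { throw "Edit did not persist; state is '$after'" }
"Ec2SetPassword state after: $after"
```

After the script reports Enabled, take the disk offline in Disk Management and detach the volume as described in the next step.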

Step 5: Restart the original instance

After you have modified the configuration file, reattach the volume to the original instance as the root volume and connect to the instance using its key pair to retrieve the administrator password.

  1. Reattach the volume to the original instance as follows:
    • In the navigation pane, choose Volumes, select the volume that you detached from the temporary instance, and then choose Actions, Attach Volume.
    • In the Attach Volume dialog box, for Instances, start typing the name or ID of your original instance and then select the instance.
    • For Device, type /dev/sda1.
    • Choose Attach. After the volume status changes to in-use, continue to the next step.
  2. In the navigation pane, choose Instances. Select the original instance and choose Actions, Instance State, Start. When prompted for confirmation, choose Yes, Start. After the instance state changes to running, continue to the next step.
  3. Retrieve your new Windows administrator password using the private key for the new key pair and connect to the instance.
    • Note: The instance gets a new public IP address after you stop and start it. Make sure to connect to the instance using its current public DNS name.
  4. (Optional) If you have no further use for the temporary instance, you can terminate it. Select the temporary instance, and choose Actions, Instance State, Terminate.

To connect to your Windows instance using an RDP client

  1. In the Amazon EC2 console, select the instance, and then choose Connect.
  2. In the Connect To Your Instance dialog box, choose Get Password (it will take a few minutes after the instance is launched before the password is available).
  3. Choose Browse and navigate to the private key file you created when you launched the instance. Select the file and choose Open to copy the entire contents of the file into the Contents field.
  4. Choose Decrypt Password. The console displays the default administrator password for the instance in the Connect To Your Instance dialog box, replacing the link to Get Password shown previously with the actual password.
  5. Record the default administrator password, or copy it to the clipboard. You need this password to connect to the instance.
  6. Choose Download Remote Desktop File. Your browser prompts you to either open or save the .rdp file. Either option is fine. When you have finished, you can choose Close to dismiss the Connect To Your Instance dialog box.
    • If you opened the .rdp file, you’ll see the Remote Desktop Connection dialog box.
    • If you saved the .rdp file, navigate to your downloads directory, and open the .rdp file to display the dialog box.
  7. You may get a warning that the publisher of the remote connection is unknown. You can continue to connect to your instance.
  8. When prompted, log in to the instance, using the administrator account for the operating system and the password that you recorded or copied previously. If your Remote Desktop Connection already has an administrator account set up, you might have to choose the Use another account option and type the user name and password manually.
    • Note: Sometimes copying and pasting content can corrupt data. If you encounter a “Password Failed” error when you log in, try typing in the password manually.
  9. Due to the nature of self-signed certificates, you may get a warning that the security certificate could not be authenticated. Use the following steps to verify the identity of the remote computer, or simply choose Yes or Continue to continue if you trust the certificate.
    • If you are using Remote Desktop Connection from a Windows PC, choose View certificate. If you are using Microsoft Remote Desktop on a Mac, choose Show Certificate.
    • Choose the Details tab, and scroll down to the Thumbprint entry on a Windows PC, or the SHA1 Fingerprints entry on a Mac. This is the unique identifier for the remote computer’s security certificate.
    • In the Amazon EC2 console, select the instance, choose Actions, and then choose Get System Log.
    • In the system log output, look for an entry labeled RDPCERTIFICATE-THUMBPRINT. If this value matches the thumbprint or fingerprint of the certificate, you have verified the identity of the remote computer.
    • If you are using Remote Desktop Connection from a Windows PC, return to the Certificate dialog box and choose OK. If you are using Microsoft Remote Desktop on a Mac, return to the Verify Certificate and choose Continue.
    • [Windows] Choose Yes in the Remote Desktop Connection window to connect to your instance. [Mac OS] Log in as prompted, using the default administrator account and the default administrator password that you recorded or copied previously. Note that you might need to switch spaces to see the login screen.
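An added PowerShell example (not from the original page or from AWS) that covers two checks in this procedure: the Step 1 test that the system log contains an EC2 Agent entry, and the RDPCERTIFICATE-THUMBPRINT comparison above. It parses system log text and compares the logged thumbprint with the one you read from the RDP client's certificate dialog, accepting the Windows (spaces) and Mac (colons) display formats. The live fetch assumes the AWS Tools for PowerShell module is installed; the sample log is constructed and its values are made up.

```powershell
# Added example, not from the original page. Extracts the EC2Config version line
# and the RDP certificate thumbprint from EC2 system log (console output) text.
function Get-Ec2SystemLogFacts {
    param([Parameter(Mandatory)][string]$LogText)
    $facts = @{ Ec2ConfigVersion = $null; RdpThumbprint = $null }
    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match 'EC2 Agent:\s*Ec2Config service v([\d.]+)') {
            $facts.Ec2ConfigVersion = $Matches[1]
        }
        elseif ($line -match 'RDPCERTIFICATE-THUMBPRINT:\s*([0-9A-Fa-f:\s]+)$') {
            # Normalize to bare upper-case hex so display formats do not matter.
            $facts.RdpThumbprint = ($Matches[1] -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        }
    }
    return $facts
}

# Returns $true only when the thumbprint shown by the RDP client equals the one
# the instance wrote to its system log; a mismatch means do not log in.
function Test-RdpThumbprint {
    param([Parameter(Mandatory)][string]$LogText,
          [Parameter(Mandatory)][string]$ClientThumbprint)
    $expected = (Get-Ec2SystemLogFacts -LogText $LogText).RdpThumbprint
    if (-not $expected) { throw 'RDPCERTIFICATE-THUMBPRINT is not in the system log yet' }
    $actual = ($ClientThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    return ($expected -eq $actual)
}

# Live use (assumes AWS Tools for PowerShell; $instanceId is a placeholder):
# $raw = (Get-EC2ConsoleOutput -InstanceId $instanceId).Output
# $logText = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($raw))

# Constructed sample log for offline use; every value below is made up.
$sampleLog = @"
2019/03/12 10:00:05Z: Windows sysprep configuration complete.
2019/03/12 10:00:07Z: EC2 Agent: Ec2Config service v3.18.1118
2019/03/12 10:00:10Z: RDPCERTIFICATE-SUBJECTNAME: EC2AMAZ-EXAMPLE
2019/03/12 10:00:10Z: RDPCERTIFICATE-THUMBPRINT: 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D
"@

$facts = Get-Ec2SystemLogFacts -LogText $sampleLog
if (-not $facts.Ec2ConfigVersion) { throw 'No EC2 Agent entry: EC2Config is not running' }
"EC2Config version: $($facts.Ec2ConfigVersion)"
# Thumbprint as a Windows RDP client shows it (lower-case pairs separated by spaces).
if (Test-RdpThumbprint -LogText $sampleLog -ClientThumbprint '0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d') {
    'Thumbprint matches the system log: remote computer identity verified'
} else { 'Thumbprint MISMATCH: do not log in' }
```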
