Resetting DSRM or Directory Services Restore Mode password in Server 2012 R2

Today I needed to reset a DSRM password, not because we forgot it, but more due to wanting to have different passwords for our domain controllers.

You could use the same DSRM password on every Domain Controller, but that is not secure. If one server is compromised and the attacker recovers its DSRM password, they will try that exact password on the other domain controllers in order to gain access to them.

What is DSRM?

DSRM is a special boot mode (or option) available only on Windows Server Domain Controllers. Think of it as a kind of “Safe Mode” for directory services: booted into DSRM, the administrator can repair, recover or restore Active Directory. The DSRM password is set during promotion of the server to a domain controller. The account it protects is the local DSRM Administrator account, which is completely separate from, and unrelated to, the DOMAIN\Administrator account.

If you have forgotten the DSRM password, you can reset it by performing the following steps. NB: you need to be a member of the Domain Admins group.

  1. Log on to the domain controller with an administrative account that is a member of the Domain Admins group.
  2. Launch an elevated Command Prompt: right-click Start -> Command Prompt (Admin), and accept the UAC prompt if one appears.
  3. Once the command prompt has launched, type ntdsutil and press Enter.
  4. At the ntdsutil: prompt, type set dsrm password and press Enter.
  5. At the Reset DSRM Administrator Password: prompt, type reset password on server null (null means the local server, the equivalent of “localhost”). To reset the password on a remote domain controller instead, type reset password on server servername, where servername is the FQDN of the server whose DSRM password you want to reset.
  6. At the Please type password for DS Restore Mode Administrator Account: prompt, type your new password (remember to record it somewhere safe) and press Enter.
  7. When prompted, confirm the new DSRM password and press Enter.
  8. Once ntdsutil reports that the password has been set successfully, type quit and press Enter, then quit again to exit ntdsutil.
  9. The server does not require a reboot, but it doesn’t hurt.
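To act on the motivation above (a different DSRM password on each DC), here is an added PowerShell example, not from the original post, that runs the same ntdsutil commands against every domain controller in turn and prompts you for a new password on each. It assumes the RSAT ActiveDirectory module is installed, that you are logged on as a Domain Admin, and that a non-zero ntdsutil exit code indicates failure (its console output remains the authoritative result); the log path is a made-up placeholder.

```powershell
# Added example (not from the original post): reset the DSRM password on every
# domain controller, prompting for a distinct password for each one.
# Assumes the RSAT ActiveDirectory module and Domain Admins membership.
Import-Module ActiveDirectory

# Record only which DC was reset and when; the passwords are never written to disk.
$logPath = Join-Path $env:TEMP 'dsrm-reset-log.txt'   # assumed placeholder path

foreach ($dc in Get-ADDomainController -Filter * | Sort-Object HostName) {
    Write-Host "`n=== Resetting DSRM password on $($dc.HostName) ===" -ForegroundColor Cyan

    # Same command path as the manual steps: "set dsrm password" then
    # "reset password on server <FQDN>". ntdsutil accepts its menu commands as
    # arguments, so it drops straight to the new-password / confirm prompts.
    # The two trailing "q" arguments leave the DSRM menu and exit ntdsutil.
    & ntdsutil.exe 'set dsrm password' "reset password on server $($dc.HostName)" q q

    # Assumption: ntdsutil returns non-zero on failure. Always read its output too.
    if ($LASTEXITCODE -eq 0) {
        "$(Get-Date -Format o) reset OK     $($dc.HostName)" | Add-Content -Path $logPath
    } else {
        "$(Get-Date -Format o) reset FAILED (exit $LASTEXITCODE) $($dc.HostName)" |
            Add-Content -Path $logPath
        Write-Warning "ntdsutil exited with $LASTEXITCODE for $($dc.HostName); check the output above."
    }
}

Write-Host "Done. Which DCs were reset is recorded in $logPath (passwords are NOT logged)."
```

Store each password you typed in your password safe straight away; the script deliberately keeps no copy of them.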
