Q: Is there a way to set and maintain a single Directory Services Restore Mode (DSRM) administrator password that applies to all my DCs?

Q: I'm looking for an easy mechanism to maintain the local administrator passwords that we need for accessing Directory Services Restore Mode (DSRM) on our domain controllers (DCs). Often, no one remembers or can retrieve the DSRM password that was set during a DC promotion years ago. I know I can reset the DSRM passwords using the ntdsutil command line tool (see this Microsoft site for details). But is there any way that I can set and maintain a single DSRM administrator password that applies to all my DCs? Does Microsoft provide some Active Directory (AD)-based synchronization mechanism for the DSRM passwords on DCs?

A: Microsoft has released a new feature for Windows Server 2008 that allows you to synchronize the DSRM password on a DC with the password of a domain user account.

This feature is part of hotfix KB961320 for Windows Server 2008 and is included in Windows Server 2008 SP2 and Windows Server 2008 R2. You can't use this feature on Windows 2000 or Windows Server 2003 DCs.

Once the hotfix has been installed and you've rebooted your DC, you can use the following ntdsutil command to synchronize the DSRM password with the password of a domain user account.

ntdsutil "set dsrm password" "sync from domain account <domain_account_name>" q q 

Replace <domain_account_name> with the name of the domain user account that you want the DSRM password to be synchronized with.

The feature provides a one-time synchronization—you must initiate synchronization every time the password is changed. To ensure that the DSRM passwords are automatically synchronized on a regular basis, you can create a scheduled task for the above ntdsutil command and force it to run on your DCs using Group Policy Preferences (GPPs). How to set this up in GPPs is explained in great detail in this TechNet blog article.

This new feature doesn't take away the need to secure DSRM accounts and their passwords properly. When you use this feature, you're using the same DSRM password for all your DCs, so it becomes even more important to worry about the strength of this password. You must also consider the frequency of the DSRM password change and the quality of the process used to change the DSRM password.

Related Reading:
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.