Hello, my name is David. I'm a Principal Engineer at Dell, and today I'm going to demonstrate how to set the Directory Services Restore Mode password on an Active Directory Domain Controller. Directory Services Restore Mode - sometimes known as Directory Services Repair Mode and commonly abbreviated DSRM - is a special mode that only Domain Controllers can run in. It's similar to Safe Mode on a regular Windows machine, but in DSRM Active Directory services such as the ADDS service do not run.
For that reason there's only one user account that can be logged into when you boot into DSRM and that's the Directory Services Restore Mode administrator account. The password for that account is set when a Domain Controller is initially promoted, and that password never expires or updates automatically. Since you only need the password if you have to boot to DSRM, which you don't normally have to do, it's easy to forget.
If that happens you might find yourself in the unpleasant situation of needing to boot a Domain Controller to DSRM and being unable to log in. If you're uncertain of the DSRM password on a Domain Controller in your environment, it's a good idea to set it using the procedure that I'm about to show you. Keep in mind that changing the password can only be done in normal Windows; you can't actually change it while you're in DSRM. To set the password we use the ‘ntdsutil’ tool. Once we open that up, we type ‘set dsrm password’. This looks like it might be the place where you actually type the password, but it's not.
This is just the ‘Reset DSRM Administrator Password’ prompt. To set the password we type ‘reset password on server’ and then the name of the Domain Controller, and then it does actually prompt you for the password. So here you type the password that you want to use, and then type it again to confirm, and that sets the password successfully. Now we just type ‘q’ and hit enter and type ‘q’ again to get out of ntdsutil. Now, instead of setting the password manually you can sync it to the password of an existing domain account.
To do this you once again go into ntdsutil and again type ‘set dsrm password’, but in this case, instead of typing ‘reset password on server’ and then the server name, we're going to sync the password with an existing domain account. So we type ‘sync from domain account’ and then the name of a domain user account, in this case ‘delladmin’, and that sets the DSRM password to be the same as the password on that account. Now, all this does is perform a one-time sync.
That password will not be kept in sync. If the password of the corresponding domain account is changed, you'll have to run this same command again to resync it. Remember that each Domain Controller has its own DSRM administrator account. This account and its password are not replicated in Active Directory, so setting the DSRM administrator password on one Domain Controller will not affect the DSRM administrator account on any other Domain Controllers. I hope this video has been useful. My name is David, I'm a Principal Engineer at Dell, and thank you for watching.
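Because each Domain Controller keeps its own, non-replicated DSRM account, the one-time sync shown above has to be repeated on every DC. The following PowerShell is an added example (not code from the video) that runs the same ntdsutil command sequence non-interactively on each DC and then reads back the Security audit event that records the change; it assumes the RSAT ActiveDirectory module, PowerShell Remoting and remote event-log access to each DC, Domain Admin rights, and the ‘delladmin’ account from the video as the sync source.

```powershell
# Added example: sync the DSRM administrator password on every DC to one domain account.
# Assumptions: ActiveDirectory module (RSAT) installed, WinRM reachable on each DC,
# the caller is a Domain Admin, and 'delladmin' is the source account from the video.
Import-Module ActiveDirectory

$SourceAccount = 'delladmin'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # ntdsutil accepts its interactive commands as arguments, so the sequence typed
    # in the video ("set dsrm password" -> "sync from domain account <user>" -> q -> q)
    # can run without prompts. The sync applies to the DC the command runs on, so it
    # is executed remotely on each DC rather than once from the admin workstation.
    $out = Invoke-Command -ComputerName $dc.HostName -ArgumentList $SourceAccount -ScriptBlock {
        param($acct)
        & ntdsutil.exe "set dsrm password" "sync from domain account $acct" q q 2>&1
    }
    $text = ($out | Out-String)

    [pscustomobject]@{
        DomainController = $dc.HostName
        # Assumed success string: the message ntdsutil prints after a successful sync.
        Synced           = $text -match 'synchronized successfully'
        Output           = $text.Trim()
    }
}

$results | Format-Table DomainController, Synced -AutoSize

# Each change is audited locally on that DC as Security event ID 4794
# ("An attempt was made to set the Directory Services Restore Mode administrator password").
# Reading it back confirms the change landed on every DC and gives defenders the
# event to alert on, since a legitimate sync happens rarely and by a known admin.
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-WinEvent -ComputerName $dc.HostName -MaxEvents 1 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4794 } |
        Select-Object MachineName, TimeCreated, Id
}
```

Any DC that reports Synced = False, or that has no event 4794 after the run, still has its old DSRM password and needs the procedure repeated by hand.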