How to reset the Directory Service Restore Mode (DSRM) password

The Directory Services Restore Mode (DSRM) password is first set when promoting a new Domain Controller. I have encountered many Active Directory environments where the DSRM password for the Domain Controllers is not known or safely stored for retrieval when needed.

Domain Controllers don’t have a local administrator account that can be used to log on locally at any time, like you have on workstations and servers. When there is an Active Directory failure on the Domain Controller, you may not be able to log onto the server using your domain credentials to repair Active Directory.

Directory Services Restore Mode (DSRM) is a boot option for a Domain Controller, that allows you to log onto the server even when Active Directory has failed. You will use an account which is similar to the local administrator account on a workstation or server. To log onto the Domain Controller after starting in DSRM, enter .\administrator as the username with the DSRM password, as shown in the images below. This logs you on locally without access to any domain resources.


[Image: Login screen]

[Image: Logged in with DSRM password]

The DSRM password is unique to each Domain Controller thus you have to go through the DSRM password reset process for each Domain Controller in your environment. The DSRM password cannot be reset when the Domain Controller is started in DSRM.

I will now take you through the steps to reset the DSRM password.


NTDSUTIL

The NTDSUTIL command is used to reset the DSRM password. This utility can be used from Command Prompt and also works in Windows PowerShell.

The steps to follow in Command Prompt or Windows PowerShell are as follows:

  • ntdsutil
  • set dsrm password

You will now see the “Reset DSRM Administrator Password” prompt.


[Image: Reset DSRM Administrator Password prompt]

At this prompt you have a choice between two parameters to complete the DSRM password reset:

  • Reset password on server %s
  • Sync from domain account %s

I will go through the steps with each of these parameters to demonstrate the differences between them.


Reset password on server %s

A remote Domain Controller name can be specified which means this can be completed from any device that has the Active Directory Services tools installed. %s is a placeholder for the server name. This can also be completed for the local server when logged onto a Domain Controller. Here are some examples:

Remote server: reset password on server dcs001p01

Local server: reset password on server null

Enter the new DSRM password and repeat to confirm the new password after you have entered reset password on server %s. Enter q twice to exit out of the NTDSUTIL utility.


[Image: reset password on server dcs001p01]

[Image: reset password on server null]

The steps can also be entered in a single line, except for the password that still needs to be entered at the prompts.

ntdsutil "set dsrm password" "reset password on server dcs001p01" "q" "q"



Sync from domain account %s

An alternative option is to use the sync from domain account %s parameter. %s is a placeholder for a domain user account. Instead of specifying the DSRM password during the process, you synchronize the new DSRM password of the local Domain Controller with the password of the specified domain user account.

This is a one-time password synchronization performed when the reset is executed; the DSRM password is not kept in sync with the user account afterwards. The DSRM password will not change when you reset the user account password. The DSRM password will only change when you complete the DSRM password reset procedure again.

I’ve created an account in my domain called svc-dc, set a complex password (which I want to use for my DSRM password) and also disabled the account. The account is not a member of any groups other than the default “Domain Users”. The account will not be used for any tasks other than setting the DSRM password on a Domain Controller.

This should be completed locally on the target Domain Controller. This parameter will only reset the DSRM password on the local server, you cannot specify another Domain Controller. You will receive an error when the command is not executed on a Domain Controller, as per example below:


Synchronizing password failed. Verify that
The source account is a user account in the Active Directory domain.
The source account is not marked as requiring smartcard for interactive logon.
The source account has not expired.
The source account password has not expired.
WIN32 Error Code: 0x32
Error Message: The request is not supported.

The reset command can also be entered with a single line:

ntdsutil "set dsrm password" "Sync from domain account svc-dc" "q" "q"



Running the command on a Domain Controller completes successfully without any further prompts. The DSRM password is now set to the password configured on the domain user account. Next time I can just change the password of the domain user account and run the password reset process again to update the DSRM password on the Domain Controller.

Logging onto every Domain Controller, however, may take time depending on the size of the environment. Windows PowerShell Remoting provides the ability to run commands remotely. I can use Invoke-Command to execute the DSRM password reset on a remote Domain Controller from any device.

Invoke-Command -ComputerName DCS001P01 -ScriptBlock { ntdsutil "set dsrm password" "Sync from domain account svc-dc" "q" "q" }



If you are planning on using the same password for all the Domain Controllers then the PowerShell command can be easily adapted to change the password on all the Domain Controllers in the domain.


Get-ADDomainController -Filter * | ForEach-Object {
    Invoke-Command -ComputerName $_.HostName -ScriptBlock { ntdsutil "set dsrm password" "Sync from domain account svc-dc" "q" "q" }
    Write-Host $_.HostName
}


You can also use a separate user account for each Domain Controller, ensuring that the DSRM password is different on each Domain Controller. The remote PowerShell command can then be entered on separate lines for each Domain Controller and user account combination. Save the script for later use. In this example I’ve created an account for each Domain Controller:


Invoke-Command -ComputerName DCS001P01 -ScriptBlock { ntdsutil "set dsrm password" "Sync from domain account svc-DCS001P01" "q" "q" }
Invoke-Command -ComputerName DCS002P01 -ScriptBlock { ntdsutil "set dsrm password" "Sync from domain account svc-DCS002P01" "q" "q" }

I can now perform the reset on all my Domain Controllers by re-using the saved .PS1 file in PowerShell ISE. On my next DSRM password change, all I need to do is change the password of the user accounts and run the script again to update the DSRM password on my Domain Controllers.
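The scripts above run the reset but do not tell you whether it actually worked on each Domain Controller. The following is an added example (not from the original post) of the same per-Domain-Controller approach, written as a function that captures the ntdsutil output from each remote session and reports success or failure per server. The Domain Controller and account names are constructed for illustration, and the check assumes that a successful sync prints "Password has been synchronized successfully." while a failed one prints "Synchronizing password failed." (the latter matches the error text shown earlier in this post).

```powershell
# Added example, not part of the original post.
# Map of Domain Controller -> reference domain account (constructed names).
$DsrmTargets = @{
    'DCS001P01' = 'svc-DCS001P01'
    'DCS002P01' = 'svc-DCS002P01'
}

function Invoke-DsrmPasswordSync {
    param(
        [Parameter(Mandatory)] [hashtable] $Targets
    )

    foreach ($dc in $Targets.Keys) {
        $account = $Targets[$dc]
        try {
            # Run the sync on the DC itself (the parameter only works locally) and
            # capture ntdsutil's output, including its error stream, for inspection.
            $output = Invoke-Command -ComputerName $dc -ErrorAction Stop -ArgumentList $account -ScriptBlock {
                param($acct)
                & ntdsutil.exe 'set dsrm password' "sync from domain account $acct" 'q' 'q' 2>&1
            }
            $text = ($output | Out-String).Trim()
            # Assumption: success is reported as "Password has been synchronized successfully."
            $ok = ($text -match 'synchronized successfully') -and ($text -notmatch 'Synchronizing password failed')
        }
        catch {
            # Remoting itself failed (DC unreachable, WinRM disabled, access denied, ...).
            $text = $_.Exception.Message
            $ok = $false
        }

        [pscustomobject]@{
            DomainController = $dc
            SourceAccount    = $account
            Succeeded        = $ok
            Output           = $text
        }
    }
}

$results = Invoke-DsrmPasswordSync -Targets $DsrmTargets
$results | Format-Table DomainController, SourceAccount, Succeeded -AutoSize

$failed = $results | Where-Object { -not $_.Succeeded }
if ($failed) {
    Write-Warning "DSRM password sync failed on: $($failed.DomainController -join ', ')"
    $failed | Format-List DomainController, Output
}
```

Save the hashtable and the function in the same .PS1 file as described above; on the next change, update the account passwords, run the file, and keep the returned objects as the record of which Domain Controllers were actually updated.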



Scheduled Task

It is possible to configure scheduled tasks on the Domain Controllers to reset the DSRM password automatically with the sync from domain account %s parameter.

The task can be executed daily to set the DSRM password by synchronizing with a domain user account. The DSRM password would effectively only change when the user account password is changed. On my next DSRM password change schedule, all I need to do is change the passwords of the user accounts and let the scheduled task take care of the rest.

Use this method with caution!

The scheduled task will run on the Domain Controller with the appropriate permissions, unattended. If any unauthorized person can change the password of the reference service account, they are effectively also changing the DSRM password, without requiring any Domain Admin rights.

The service accounts will need to be secured and audited, which adds administrative overhead that in my opinion outweighs the benefits of using a scheduled task to manage the DSRM password changes.

Scheduled tasks can fail which may result in the DSRM password not being changed as expected. This may result in a situation where you cannot log onto the Domain Controller in DSRM. The scheduled tasks will need to be effectively monitored and may add onto the administrative efforts.
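Whichever method you use, the reference account and the DSRM password changes themselves should be checked. The following is an added example (not from the original post) of two audit checks: one confirms that the reference account still matches the intended shape (disabled, no group memberships beyond the primary group), the other pulls the Windows security events that record a DSRM password being set (event ID 4794, "An attempt was made to set the Directory Services Restore Mode administrator password") and the reference account's password being reset (event ID 4724). The account and Domain Controller names are constructed; the events only appear when the Audit User Account Management subcategory is enabled on the Domain Controllers.

```powershell
# Added example, not part of the original post.
Import-Module ActiveDirectory

# Verify the reference account is still locked down the way it was created:
# disabled, and a member of nothing except its primary group (Domain Users),
# which is not listed in MemberOf.
function Test-DsrmReferenceAccount {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties Enabled, MemberOf, PasswordLastSet, PasswordNeverExpires

    [pscustomobject]@{
        Account              = $user.SamAccountName
        Disabled             = -not $user.Enabled
        OnlyDomainUsers      = ($user.MemberOf.Count -eq 0)
        PasswordLastSet      = $user.PasswordLastSet
        PasswordNeverExpires = $user.PasswordNeverExpires
    }
}

# Event ID 4794 is written to the Security log of the DC whose DSRM password was set.
function Get-DsrmPasswordSetEvents {
    param(
        [Parameter(Mandatory)] [string[]] $DomainController,
        [int] $Days = 7
    )
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4794
            StartTime = (Get-Date).AddDays(-$Days)
        } | ForEach-Object {
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $_.TimeCreated
                Summary          = ($_.Message -split "`n")[0].Trim()
            }
        }
    }
}

# Event ID 4724 records a password reset; the reference account appears under "Target Account".
# Anyone who can reset this account's password effectively sets the DSRM password,
# so every such reset should be expected and attributable.
function Get-ReferenceAccountPasswordResets {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $DomainController,
        [int] $Days = 7
    )
    $pattern = "(?s)Target Account:.*?Account Name:\s+$([regex]::Escape($SamAccountName))\b"
    Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4724
        StartTime = (Get-Date).AddDays(-$Days)
    } | Where-Object { $_.Message -match $pattern } | Select-Object TimeCreated, Id, Message
}

# Constructed names for illustration.
Test-DsrmReferenceAccount -SamAccountName 'svc-dc' | Format-List
Get-DsrmPasswordSetEvents -DomainController 'DCS001P01', 'DCS002P01' | Format-Table -AutoSize
Get-ReferenceAccountPasswordResets -SamAccountName 'svc-dc' -DomainController 'DCS001P01' | Format-List
```

Run the event queries against each Domain Controller rather than only the PDC emulator: 4794 is logged where the reset ran, and 4724 is logged on whichever Domain Controller processed the password reset.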


References

How To Reset the Directory Services Restore Mode Administrator Account Password in Windows Server

set DSRM password

DS Restore Mode Password Maintenance

Running Remote Commands

