Secure the DSRM password

One of the most overlooked and most important passwords in a Windows network is the Directory Services Restore Mode (DSRM) password on a domain controller. This is a powerful password that's the key to the entire Active Directory structure. In this edition of Security Solutions, Mike Mullins tells you how to update this password to make it more secure.

When it comes to passwords and password security, most organizations have taken steps to implement complex passwords and solid password change procedures. However, one of the most overlooked and most important passwords in your Windows network is the Directory Services Restore Mode (DSRM) password on your domain controllers.

This password is unique to each DC. It is the password of the local administrator account held in the DC's own SAM, and you use it to log on to a DC that you've rebooted into DSRM, which takes that DC's copy of Active Directory offline. To boot into DSRM on Windows 2000 Server or Windows Server 2003, restart the DC and press [F8] during the startup sequence. Among the options in the advanced startup menu, you'll see:

  • Safe Mode
  • Enable VGA Mode
  • Last Known Good Configuration
  • Directory Services Restore Mode

Why should you update the DSRM password?

This is a tremendously powerful password, and you should change it at regular intervals, along with all of your other administrative account passwords. Anyone with local (console or physical) access to the DC who knows or can guess the DSRM password can reboot the machine into DSRM, log on as the local administrator, copy or modify the NTDS.DIT file (the Active Directory database) while it's offline, and reboot the server. Because Active Directory isn't running during that window, the domain's security audit records none of it; the reboot itself is the only trace left behind.

If your Windows network runs Windows 2000 Server, when you used the Configure Your Server Wizard to promote the first domain controller in your forest, the DSRM password was a null value (i.e., blank). This is also the password for the Recovery Console. Having blank passwords for both DSRM and the Recovery Console adds a huge vulnerability to your Windows 2000 DC.

What if you're running Windows Server 2003 on your DC? You would have needed to enter a DSRM password when you ran DCPromo or the Windows Server 2003 Manage Your Server Wizard. So it has a password, but you might not remember it, and it may be the same password an installer typed on every DC you own.

Regardless of which OS you're running, however, you need to know how to update this important password. Let's look at how you can change it.

Update the DSRM password

You can change the DSRM password from a command prompt, but the process is different depending on whether you're running Windows 2000 Server or Windows Server 2003.

In Windows 2000 Server, you can use the SETPWD command (Setpwd.exe ships with Service Pack 2 and later). To do so, follow these steps:

  1. Log on to the domain controller using an account with administrative rights.
  2. Go to Start | Run, type cmd, and press [Enter].
  3. At the command prompt, type cd %SystemRoot%\System32, and press [Enter].
  4. Type setpwd [/s:<servername>], and press [Enter]. The server name is optional; use this parameter to change the DSRM password on a remote domain controller.
  5. When prompted with "Please type the password for DS Restore Mode Administrator Account," enter the new password. (No characters will appear as you type.)

In Windows Server 2003, you can use the NT Directory Services utility (Ntdsutil.exe). To do so, follow these steps:

  1. Log on to the domain controller using an account with administrative rights.
  2. Go to Start | Run, type cmd, and press [Enter].
  3. At the command prompt, type cd %SystemRoot%\System32, and press [Enter].
  4. Type ntdsutil, and press [Enter].
  5. Type set dsrm password, and press [Enter].
  6. At the DSRM command prompt, you can reset the password for the server on which you're working or for another server. For the local server, type reset password on server null, and enter the new password when prompted. To reset the password for another server, type reset password on server <servername> (where <servername> is the DNS name of the server in question), and enter the new password when prompted. In both cases, no characters will appear when you type the password, and you'll be asked to confirm it.
  7. At the DSRM command prompt, type q to exit.
  8. At the Ntdsutil command prompt, type q to exit the utility and return to the command prompt.
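Both procedures above prompt for the password interactively, which makes rotating it across a large fleet of DCs tedious. Windows Server 2008 and later (newer than the versions this column covers) add a sync from domain account subcommand to ntdsutil's set dsrm password menu, which copies the password hash of a domain account into the DC's local DSRM administrator account with no prompt. The following PowerShell script is an added example, not code from the column or from Microsoft: it rotates the DSRM password on every writable DC that way and then confirms each change from the DC's Security log. It assumes 2008-or-later DCs with PowerShell Remoting enabled, the ActiveDirectory module, and a hypothetical non-privileged domain account named dsrm-sync that exists only for this purpose.

```powershell
# Added example (not from the original column). Rotate the DSRM password on
# every writable DC by syncing it from a dedicated domain account, then
# confirm each change from the Security log.
# Assumptions: Windows Server 2008+ DCs (the 'sync from domain account'
# subcommand does not exist on 2000/2003), PowerShell Remoting enabled on the
# DCs, the ActiveDirectory module, and a hypothetical account 'dsrm-sync'.
# The sync is a one-time copy: changing dsrm-sync's password later does NOT
# change DSRM until you run this again, so schedule it with your other
# administrative rotations.
[CmdletBinding()]
param(
    [string]$SyncAccount = 'dsrm-sync'
)

Import-Module ActiveDirectory -ErrorAction Stop

# The sync account must exist and should hold no privileges of its own: a
# leaked DSRM password must not also be a usable Domain Admin password.
$acct = Get-ADUser -Identity $SyncAccount -Properties PasswordLastSet, MemberOf -ErrorAction Stop
if ($acct.MemberOf -match 'Admins|Administrators') {
    throw "$SyncAccount is a member of an admin group; use an unprivileged account for DSRM sync"
}
Write-Verbose "Syncing DSRM from $SyncAccount (password last set $($acct.PasswordLastSet))"

# Small buffer against clock skew when we later query the DC's event log.
$start = (Get-Date).AddMinutes(-5)

$results = foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
    $name = $dc.HostName
    try {
        # ntdsutil accepts its menu commands as arguments. The sync subcommand
        # only acts on the local DC's SAM, hence the remote session per DC.
        $out = Invoke-Command -ComputerName $name -ArgumentList $SyncAccount -ErrorAction Stop -ScriptBlock {
            param($user)
            $text = & ntdsutil.exe 'set dsrm password' "sync from domain account $user" q q 2>&1
            [pscustomobject]@{ ExitCode = $LASTEXITCODE; Text = ($text -join "`n") }
        }

        # Event 4794 ("An attempt was made to set the Directory Services Restore
        # Mode administrator password") is the authoritative record of the change,
        # and also the event to alert on when nobody scheduled a rotation.
        $evt = Get-WinEvent -ComputerName $name -FilterHashtable @{
            LogName = 'Security'; Id = 4794; StartTime = $start
        } -MaxEvents 1 -ErrorAction SilentlyContinue

        [pscustomobject]@{
            DC       = $name
            Synced   = [bool]$evt
            ExitCode = $out.ExitCode
            Detail   = if ($evt) { $evt.TimeCreated } else { $out.Text }
        }
    }
    catch {
        [pscustomobject]@{ DC = $name; Synced = $false; ExitCode = $null; Detail = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Any DC without a confirming event needs a manual reset with ntdsutil.
$failed = $results | Where-Object { -not $_.Synced }
if ($failed) {
    Write-Warning "DSRM password not confirmed on: $($failed.DC -join ', ')"
    exit 1
}
```

Run it from a management host as a Domain Admin after setting a fresh password on the sync account. Confirming through event 4794 rather than through ntdsutil's console text is deliberate: the event is written by the DC's own account-management auditing (on by default on DCs), so it's the same signal your monitoring should raise whenever this password changes outside a planned rotation.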

Final thoughts

The DSRM password is a powerful password that's the key to your entire Active Directory structure. This is not a service account password that you can set once and forget. Chances are good that you'll need to use this password to correct a problem with Active Directory. Therefore, you should know it, store it with the same controls you apply to your Domain Admin credentials, and rotate it on the same schedule.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.