When it comes to passwords and password security, most
organizations have taken steps to implement complex passwords and solid password
change procedures. However, one of the most overlooked and most important
passwords in your Windows network is the Directory Services Restore Mode (DSRM)
password on your domain controllers.

This password is unique to each DC, and you use it to log on
to a DC that you’ve rebooted into DSRM in order to take its copy of Active Directory
offline. To reboot into DSRM, restart your DC and press [F8] during the
startup sequence. You’ll see the following options:

  • Safe Mode
  • VGA Mode
  • Last Known Good
  • Directory Services Restore

Why should you update the DSRM password?

This is a tremendously powerful password, and you should
change it at regular intervals, along with all of your other administrative
account passwords. Anyone with local access to the DC can reboot this machine,
copy or modify the NTDS.DIT file (the Active Directory database), and reboot the
server without leaving any trace of the activity.

If your Windows network runs Windows 2000 Server and you
used the Configure Your Server Wizard to promote the first domain controller in
your forest, the DSRM password was set to a null value (i.e., blank). This is
also the password for the Recovery Console. Having blank passwords for both DSRM
and the Recovery Console adds a huge vulnerability to your Windows 2000 DC.

What if you’re running Windows Server 2003 on your DC? You
would have needed to enter a DSRM password when you ran DCPromo or the Windows
Server 2003 Manage Your Server Wizard. So it has a password, but you might not
remember it.

Regardless of which OS you’re running, however, you need to
know how to update this important password. Let’s look at how you can change
it.

Update the DSRM password

You can change the DSRM password from a command prompt, but the
process is different depending on whether you’re running Windows 2000 Server or
Windows Server 2003.

In Windows 2000 Server, you can use the SETPWD command. To do so, follow these steps:

  1. Log on to the domain controller using an account with administrative rights.
  2. Go to Start | Run, type cmd, and press [Enter].
  3. At the command prompt, type cd %SystemRoot%\System32, and press [Enter].
  4. Type setpwd [/s:<servername>], and press [Enter]. Adding the server name is optional; you can use this parameter to change the DSRM password remotely on a domain controller.
  5. When prompted with “Please type the password for DS Restore Mode Administrator Account,” enter the new password.

In Windows Server 2003, you can use the NT Directory Services
utility (Ntdsutil.exe). To do so, follow these steps:

  1. Log on to the domain controller using an account with administrative rights.
  2. Go to Start | Run, type cmd, and press [Enter].
  3. At the command prompt, type cd %SystemRoot%\System32, and press [Enter].
  4. Type ntdsutil, and press [Enter].
  5. Type set dsrm password, and press [Enter].
  6. At the DSRM command prompt, you can reset the password for either the server on which you’re working or for another server. For the former, type reset password on server null, and enter the new password when prompted. (No characters will appear when you type the password.) To reset the password for another server, type reset password on server <servername> (where <servername> is the DNS name for the server in question), and enter the new password when prompted. (No characters will appear when you type the password.)
  7. At the DSRM command prompt, type q to exit.
  8. At the Ntdsutil command prompt, type q to exit the utility and return to the command prompt.

Final thoughts

The DSRM password is a powerful password that’s the key to
your entire Active Directory structure. This is not a service account password
that you can set once and forget. Chances are good that you’ll need to use this
password to correct a problem with Active Directory. Therefore, you should know
it—and take steps to keep it secure.


Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.
