When it comes to passwords and password security, most
organizations have taken steps to implement complex passwords and solid password
change procedures. However, one of the most overlooked and most important
passwords in your Windows network is the Directory Services Restore Mode (DSRM)
password on your domain controllers.
This password is unique to each DC, and you use it to log on to a DC that you’ve rebooted into DSRM to take its copy of Active Directory offline. To reboot into DSRM, reboot your DC and press [F8] during the startup sequence. You’ll see the following options:
- Safe Mode
- VGA Mode
- Last Known Good
- Directory Services Restore
Why should you update the DSRM password?
This is a tremendously powerful password, and you should
change it at regular intervals, along with all of your other administrative
account passwords. Anyone with local access to the DC can reboot this machine,
copy or modify the NTDS.DIT file (the Active Directory database), and reboot the
server without leaving any trace of the activity.
If your Windows network runs Windows 2000 Server, when you
used the Configure Your Server Wizard to
promote the first domain controller in your forest, the DSRM password was a
null value (i.e., blank). This is also the password for the Recovery Console. Having
blank passwords for both DSRM and the Recovery Console adds a huge
vulnerability to your Windows 2000 DC.
What if you’re running Windows Server 2003 on your DC? You would have needed to enter a DSRM password when you ran DCPromo or the Windows Server 2003 Manage Your Server Wizard. So it has a password, but you might not remember it.
Regardless of which OS you’re running, however, you need to
know how to update this important password. Let’s look at how you can change
it.
Update the DSRM password
You can change the DSRM password from a command prompt, but the
process is different depending on whether you’re running Windows 2000 Server or
Windows Server 2003.
In Windows 2000 Server, you can use the SETPWD command. To do so, follow these steps:
- Log on to the domain controller using an account with administrative rights.
- Go to Start | Run, type cmd, and press [Enter].
- At the command prompt, type cd %SystemRoot%\System32, and press [Enter].
- Type setpwd [/s:<servername>], and press [Enter]. Adding the server name is optional; you can use this parameter to change the DSRM password remotely on a domain controller.
- When prompted with “Please type the password for DS Restore Mode Administrator Account,” enter the new password.
In Windows Server 2003, you can use the NT Directory Services utility (Ntdsutil.exe). To do so, follow these steps:
- Log on to the domain controller using an account with administrative rights.
- Go to Start | Run, type cmd, and press [Enter].
- At the command prompt, type cd %SystemRoot%\System32, and press [Enter].
- Type ntdsutil, and press [Enter].
- Type set dsrm password, and press [Enter].
- At the DSRM command prompt, you can reset the password for either the server on which you’re working or for another server. For the former, type reset password on server null, and enter the new password when prompted. (No characters will appear when you type the password.) To reset the password for another server, type reset password on server <servername> (where <servername> is the DNS name for the server in question), and enter the new password when prompted. (No characters will appear when you type the password.)
- At the DSRM command prompt, type q to exit.
- At the Ntdsutil command prompt, type q to exit the utility and return to the command prompt.
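Because the column recommends rotating this password on every DC at regular intervals, here is an added PowerShell wrapper (not part of the original column) that runs the same ntdsutil command sequence against each domain controller and keeps a dated log so overdue rotations can be spotted. It assumes Windows Server 2003 or later, administrative rights on each DC, and the log path and rotation interval shown; ntdsutil still prompts interactively for the new password and its confirmation.

```powershell
# Added example: rotate the DSRM password on every DC in the current domain via
# ntdsutil and record each attempt so rotation age can be audited.
# Assumed values: log path and 90-day rotation interval.
param(
    [string]$LogPath    = 'C:\Admin\dsrm-rotation.log',  # assumed log location
    [int]   $MaxAgeDays = 90                             # assumed rotation interval
)

function Get-DomainControllerNames {
    # .NET 2.0 API, so no ActiveDirectory module is required on older hosts
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $domain.DomainControllers | ForEach-Object { $_.Name }   # DNS names, as ntdsutil expects
}

function Reset-DsrmPassword([string]$ServerName) {
    # Same menu path as the interactive steps: set dsrm password -> reset password on
    # server <name> -> q -> q. ntdsutil prompts for the password itself.
    & ntdsutil.exe 'set dsrm password' "reset password on server $ServerName" q q
    return ($LASTEXITCODE -eq 0)   # assumption: non-zero exit code signals failure
}

function Write-RotationRecord([string]$ServerName, [bool]$Succeeded) {
    $stamp  = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $status = if ($Succeeded) { 'OK' } else { 'FAILED' }
    Add-Content -Path $LogPath -Value "$stamp`t$ServerName`t$status"
}

function Get-StaleRotations {
    # DCs with no successful rotation recorded within $MaxAgeDays
    if (-not (Test-Path $LogPath)) { return (Get-DomainControllerNames) }
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    $last = @{}
    foreach ($line in Get-Content $LogPath) {
        $fields = $line -split "`t"
        if ($fields.Count -eq 3 -and $fields[2] -eq 'OK') {
            $last[$fields[1]] = [datetime]$fields[0]
        }
    }
    Get-DomainControllerNames | Where-Object { -not $last.ContainsKey($_) -or $last[$_] -lt $cutoff }
}

foreach ($dc in Get-DomainControllerNames) {
    Write-Host "Resetting DSRM password on $dc (ntdsutil will prompt for the new password)"
    $ok = Reset-DsrmPassword $dc
    Write-RotationRecord $dc $ok
}
Write-Host "DCs overdue for DSRM rotation: $((Get-StaleRotations) -join ', ')"
```

Run it from an elevated prompt on a DC or management host that can reach every DC; the log it writes is the only record of when each DC was last rotated, so protect it like any other administrative audit file.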
Final thoughts
The DSRM password is a powerful password that’s the key to
your entire Active Directory structure. This is not a service account password
that you can set once and forget. Chances are good that you’ll need to use this
password to correct a problem with Active Directory. Therefore, you should know
it—and take steps to keep it secure.
Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.