Secure the DSRM password
Takeaway: One of the most overlooked and most important passwords in a Windows network is the Directory Services Restore Mode (DSRM) password on a domain controller. This is a powerful password that's the key to the entire Active Directory structure. In this edition of Security Solutions, Mike Mullins tells you how to update this password to make it more secure.
When it comes to passwords and password security, most organizations have taken steps to implement complex passwords and solid password change procedures. However, one of the most overlooked and most important passwords in your Windows network is the Directory Services Restore Mode (DSRM) password on your domain controllers.
This password is set per DC (it is the password of the DC's local Administrator account in the offline SAM, not a domain account), and you use it to log on to a DC that you've rebooted into DSRM to work on its copy of Active Directory offline. To reboot into DSRM, restart your DC and press [F8] during the startup sequence. You'll see options including the following:
- Safe Mode
- VGA Mode
- Last Known Good
- Directory Services Restore
Why should you update the DSRM password?
This is a tremendously powerful password, and you should change it at regular intervals, along with all of your other administrative account passwords. Anyone with console access to the DC who knows (or can guess) the DSRM password can reboot the machine into DSRM, copy or modify the NTDS.DIT file (the Active Directory database) while none of the domain's security controls are in effect, and reboot the server, leaving little or no trace of the activity in Active Directory itself.
If your Windows network runs Windows 2000 Server, when you used the Configure Your Server Wizard to promote the first domain controller in your forest, the DSRM password was a null value (i.e., blank). This is also the password for the Recovery Console. Having blank passwords for both DSRM and the Recovery Console adds a huge vulnerability to your Windows 2000 DC.
What if you're running Windows Server 2003 on your DC? You would have needed to enter a DSRM password when you ran DCPromo or the Windows Server 2003 Manage Your Server Wizard. So it has a password, but you might not remember it.
Regardless of which OS you're running, however, you need to know how to update this important password. Let's look at how you can change it.
Update the DSRM password
You can change the DSRM password from a command prompt, but the process is different depending on whether you're running Windows 2000 Server or Windows Server 2003.
In Windows 2000 Server, you can use the SETPWD command. To do so, follow these steps:
- Log on to the domain controller using an account with administrative rights.
- Go to Start | Run, type cmd, and press [Enter].
- At the command prompt, type cd %SystemRoot%\System32, and press [Enter].
- Type setpwd [/s:<servername>], and press [Enter]. Adding the server name is optional; you can use this parameter to change the DSRM password remotely on a domain controller.
- When prompted with "Please type the password for DS Restore Mode Administrator Account," enter the new password.
In Windows Server 2003, you can use the NT Directory Services utility (Ntdsutil.exe). To do so, follow these steps:
- Log on to the domain controller using an account with administrative rights.
- Go to Start | Run, type cmd, and press [Enter].
- At the command prompt, type cd %SystemRoot%\System32, and press [Enter].
- Type ntdsutil, and press [Enter].
- Type set dsrm password, and press [Enter].
- At the DSRM command prompt, you can reset the password either for the server on which you're working or for another server. For the former, type reset password on server null, and enter the new password when prompted. To reset the password for another server, type reset password on server <servername> (where <servername> is the DNS name of the server in question), and enter the new password when prompted. (No characters will appear when you type the password.)
- At the DSRM command prompt, type q to exit.
- At the Ntdsutil command prompt, type q to exit the utility and return to the command prompt.
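As an added example (not part of Mike Mullins' original column), here is a PowerShell wrapper for the Windows Server 2003 procedure above. It passes the same Ntdsutil commands as command-line arguments instead of typing them one at a time, so the whole sequence is visible in one place and can be run against a list of domain controllers. Ntdsutil still prompts for the new password itself on the console (it does not accept the password as an argument, and the script deliberately does not try to feed it in), so run this from an interactive session on the DC. The DC names, the log path and the script name are assumptions for the example.

```powershell
# Added example, not from the original column. Resets the DSRM password on one
# or more Windows Server 2003 DCs by driving Ntdsutil with the commands the
# article lists, passed as arguments. Ntdsutil itself prompts for the new
# password (twice) on the console; nothing here supplies or stores the password.

param(
    # DNS names of the DCs to update; "null" means the DC you are logged on to.
    [string[]]$DomainController = @('null'),
    # Assumed log location for the example.
    [string]$LogPath = "$env:SystemRoot\Temp\dsrm-reset.log"
)

function Reset-DsrmPassword {
    param([string]$Server)

    # Same sequence as the interactive steps: enter the DSRM password menu,
    # reset on the named server (or "null" for the local DC), quit twice.
    $commands = @(
        'set dsrm password',
        "reset password on server $Server",
        'q',
        'q'
    )

    Write-Host "Resetting DSRM password on '$Server' (Ntdsutil will prompt twice; no characters echo)."
    & "$env:SystemRoot\System32\ntdsutil.exe" @commands
    $exit = $LASTEXITCODE

    # Record who changed which DC's DSRM password and when, never the password.
    # Ntdsutil's own console output is the authoritative result; the exit code
    # is logged only as a secondary signal.
    $entry = '{0:u} {1}\{2} server={3} exit={4}' -f (Get-Date), $env:USERDOMAIN, $env:USERNAME, $Server, $exit
    Add-Content -Path $LogPath -Value $entry
    return $exit
}

foreach ($dc in $DomainController) {
    $rc = Reset-DsrmPassword -Server $dc
    if ($rc -ne 0) {
        Write-Warning "Ntdsutil returned $rc for '$dc'; read its output and retry from the console."
    }
}
```

Run it from a command prompt on a DC as an account with administrative rights, for example .\Reset-DsrmPassword.ps1 -DomainController dc1.example.com, dc2.example.com (file name and server names are assumed). Because the password is typed at Ntdsutil's own prompt, it never appears in the command line, in the process list or in the log file; the log records only who performed the reset, against which DC, and when, which is the audit trail you will want the next time the password has to be used.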
Final thoughts
The DSRM password is a powerful password that's the key to your entire Active Directory structure. This is not a service account password that you can set once and forget. Chances are good that you'll need to use this password to correct a problem with Active Directory. Therefore, you should know it—and take steps to keep it secure.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.