We all know how important passwords are especially those for domain administrators accounts, because those accounts have rights to log in to domain controllers. If the password of one of those accounts is compromised, access to your domain controllers is granted. You know what could happen next. That’s why it is a good practice to periodically change the password for your domain administrator accounts. This should be done so that the password does not find its way to more people than it should, or that you don’t have former administrators trying to perform tasks they shouldn’t if they are no longer in that AD group. Yes, the domain administrator accounts are important, but should not be the only ones you are concerned about. The Directory Services Restore Mode (DSRM) administrator account is just as important, and can be used to do very damaging things, such as directly modifying the contents of the Active Directory database. For this reason, you should also periodically change the DSRM administrator password.
Changing the password is not science, on the contrary, it’s a piece-of-cake and involves typing just a few lines in a terminal. Here I’ve changed the DSRM administrator password for the domain controller that I’m logged in using the ntdsutil command:
[notice]You need to be logged on to the domain controller in normal mode. You cannot use ntdsutil to set the DSRM administrator password if the target machine is currently in DS Restore Mode[/notice].
ntdsutil: set dsrm password Reset DSRM Administrator Password: reset password on server Server-DC Please type password for DS Restore Mode Administrator Account: ********** Please confirm new password: ********** Password has been set successfully. Reset DSRM Administrator Password: quit
If you want to change the DSRM administrator password on a different domain controller, all you have to do is change the server name in the command. Here I’m logged in on Server-DC and I’m changing the DSRM administrator password on Server-DC2.
ntdsutil: set dsrm password Reset DSRM Administrator Password: reset password on server Server-DC2 Please type password for DS Restore Mode Administrator Account: ********** Please confirm new password: ********** Password has been set successfully. Reset DSRM Administrator Password: quit
Off course, if you have hundreds of domain controllers you can create a script that does this, since doing it by hand is pure torture. Even better, you can create a Schedule Task GPO an link it to the domain controllers OU.
After the policy replication you should see the task created on every domain controller.
To test this, I rebooted one of my domain controllers in the Directory Services Repair/Restore Mode
and logged in with the new DSRM administrator password. And it worked.
Now this is nice, and it works, but starting with Windows Server 2008 R2 a new feature was introduced that enables you to copy the password of a domain account to the DSRM password on a domain controller using ntdsutil. This makes you job and maintenance of the DSRM password across an entire domain much easier. You can create a schedule task like we did before that will replicate on every domain controller and copies the password of the domain account on a regular basis.
[important]This feature was also made available as a hotfix for Windows Server 2008 domain controllers. You can download the hotfix from the Microsoft Knowledge Base article 961320.[/important]
To do this, first you need to create a disabled user account in AD (just a simple user, does not have to be part of any administrators group) in which you will maintain the DSRM password,
then run the following ntdsutil commands by substituting the username of the account with yours:
ntdsutil: set dsrm password Reset DSRM Administrator Password: sync from domain account dsrmaccount Password has been synchronized successfully. Reset DSRM Administrator Password: quit
If you have multiple domains in your forest, you will need to create and maintain a user account to synchronize the DSRM password with in each domain.
As you can see changing the DSRM administrator account password is not a hard job to do, but it’s a must if you want to maintain a good security in your Active Directory environment.
Want content like this delivered right to your