How to Maintain Directory Services Restore Mode (DSRM) password

Starting with Windows Server 2008 R2 (a hotfix is available for Windows Server 2008), a new feature was introduced that lets you copy the password of a domain account to the DSRM password on a domain controller using NTDSUTIL. This makes maintaining the DSRM password across an entire domain much easier.

First you need to create a disabled user account in AD (just a plain user without any admin rights), for example dsrmaccount@myad.test. Its password becomes the DSRM password on every DC you sync it to, so set a long random one and record it in your password vault.
Then you need to run this command on every DC:

ntdsutil.exe "Set DSRM Password" "Sync From Domain Account dsrmaccount@myad.test" Q Q

If you have multiple domains in your forest, you will need to create and maintain one such account in each domain and synchronize that domain's DCs from it.

This task can easily be scheduled via Group Policy Preferences (GPP) as a scheduled task on every DC. Note that the sync is a one-time copy, not a live link: rerun it whenever the account's password changes, and check that it succeeded on each DC (ntdsutil reports the result on the console), otherwise that DC keeps its old DSRM password.
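The whole procedure above (create the disabled account, push its password to every DC, check the result) as a PowerShell script. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, Domain Admin rights, PowerShell Remoting enabled on the DCs, and the account name dsrmaccount; the success string it greps for is from memory and is marked as an assumption in the code.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory module,
# Domain Admin rights and PowerShell Remoting on all DCs.
Import-Module ActiveDirectory

$DsrmUser = 'dsrmaccount'          # sAMAccountName; the post uses dsrmaccount@myad.test
$Domain   = Get-ADDomain

# 1. Create the disabled, unprivileged sync account with a long random password.
#    That password IS the DSRM password, so it goes into the vault and nowhere else.
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$DsrmUser'")) {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    New-ADUser -Name $DsrmUser -SamAccountName $DsrmUser `
        -UserPrincipalName "$DsrmUser@$($Domain.DNSRoot)" `
        -AccountPassword $secure -Enabled $false -PasswordNeverExpires $true `
        -Description 'DSRM password sync source - keep disabled'
    Write-Host "Store this DSRM password in the vault now: $plain"
}

# 2. Push the password to every DC in the domain. The sync is a point-in-time copy,
#    so this must be rerun after every password change on the account.
$dcs = (Get-ADDomainController -Filter *).HostName
$results = Invoke-Command -ComputerName $dcs -ArgumentList $DsrmUser -ScriptBlock {
    param($u)
    $out = & ntdsutil.exe "set dsrm password" "sync from domain account $u" q q 2>&1
    [pscustomobject]@{
        DC       = $env:COMPUTERNAME
        ExitCode = $LASTEXITCODE
        Output   = ($out -join ' ')
    }
}

# 3. Report per DC. Assumption: ntdsutil prints "Password has been synchronized
#    successfully." on success; adjust the pattern if your build wording differs.
foreach ($r in $results) {
    $ok = ($r.ExitCode -eq 0) -and ($r.Output -match 'synchronized successfully')
    '{0,-24} {1}' -f $r.DC, $(if ($ok) { 'OK' } else { "FAILED: $($r.Output)" })
}
```

Run it once interactively to create the account and capture the password; afterwards only step 2 and 3 need to run (interactively or from the GPP scheduled task) whenever the account's password is rotated. Any DC reported as FAILED still has its previous DSRM password.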
