Recipe 16.3 Resetting the Directory Service Restore Mode Administrator Password

16.3.1 Problem

You want to reset the DS Restore Mode administrator password. This password is set individually (i.e., not replicated) on each domain controller, and is initially configured when you promote the domain controller into a domain.

16.3.2 Solution Using a graphical user interface
  1. For this to work you must be booted into DS Restore Mode (see Recipe 16.2 for more information).

  2. Go to Start Run.

  3. Type compmgmt.msc and press Enter.

  4. In the left pane, expand System Tools Local Users and Computers.

  5. Click on the Users folder.

  6. In the right pane, right-click on the Administrator user and select Set Password.

  7. Enter the new password and confirm, then click OK. Using a command-line interface

With the Windows Server 2003 version of ntdsutil, you can change the DS Restore Mode administrator password of a domain controller while it is live (i.e., not in DS Restore Mode). Another benefit of this new option is that you can run it against a remote domain controller. Here is the sample output when run against domain controller DC1.

> ntdsutil "set dsrm password" "reset password on server DC1"
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server DC1
Please type password for DS Restore Mode Administrator Account: **********
Please confirm new password: **********
Password has been set successfully.

Microsoft added a new command in Windows 2000 Service Pack 2 and later called setpwd. It works similarly to the Windows Server 2003 version of ntdsutil by allowing you to reset the DS Restore Mode password while a domain controller is live. It can also be used remotely.

16.3.3 Discussion

You may be thinking that having a separate DS Restore Mode administrator password can be quite a pain. Yet another thing you have to maintain and update on a regular basis, right? But if you think about it, you'll see that it is quite necessary.

Generally, you boot a domain controller into DS Restore Mode when you need to perform some type of maintenance on the Active Directory database. To do this, the database needs to be offline. If the database is offline, then there is no way to authenticate against it. The system has to use another user repository, so it reverts back to the legacy SAM database. The DS Restore Mode administrator account and password are stored in the SAM database just like with standalone Windows clients.

16.3.4 See Also

Recipe 16.2 for booting into Directory Services Restore Mode, MS KB 239803 (How to Change the Recovery Console Administrator Password on a Domain Controller), and MS KB 322672 (HOW TO: Reset the Directory Services Restore Mode Administrator Account Password in Windows Server 2003)

    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List