Need AD DSRM Password -- Not So Fast ~ My blog about Active Directory and everything else

Sunday, April 12, 2009

Need AD DSRM Password -- Not So Fast

The situation was that the network team was Re-IPing a subnet and before that was done the IP of the domain controller was not changed. At the time the new subnet could not contact the subnet where the DNS server was located.

There were calls made and eventually I was called on the subject. I was called in order to provide the AD Directory Services Restore Mode (DSRM) password. The plan was apparently to log into the domain controller hit F8 during boot go into DSRM and modify the IP address.

After thinking about it and talking it over with my good friend Eric Jansen[1] we thought that was overkill. The domain controller has a writable copy of AD. In this situation there shouldn't be any problems logging in at the DC, regardless of some peoples' concerns about DNS client side settings.

This of course called for a test and this is very easy to setup in a virtual environment.

In my main domain I have three domain controllers (2 Windows 2003 and 1 Windows 2008). For this test I changed W2K3 DC2 and had it only point to DC1 for DNS. I created a new account and turned off DC1.

As you can see in the screen shot, the DC only has one DNS server configured and that server is off/not responding. This would be a problem if this were a workstation but this test was just for a domain controller. The workstation issue will be explained in a future entry.

The next step was to try and log into the box. As expected the login went fine and I was authenticated and was able to change the IP on the box.

DSRM mode password not needed --- crisis averted.



[1] Out of all the people that I've worked with Eric is the best and my favorite person to work with not only because he is smart but because he really enjoys and has a passion for AD. Watch for Eric's blog on my blog list...when he creates it. Ok sure Eric has a wife and young daughter and in college full time so he may not have as much time as I excuses Eric :)


  1. Hey Mike, You are correct in this situation there was no need to use DSRM, but in future if you do, with Windows Server 2008, we can log on to the DSRM (local SAM) without rebooting the DC. i.e if the DSRMadminlogonbehavior is set to 2 in the registry.

  2. Great point Rick, and for anyone that is coming across these comments if you want more info on DSRMadminlogonbehavior check out this TechNet article

    Thanks for the comment Rick