
The Directory Services Restore Mode (DSRM) password on a domain controller is one of the most neglected and essential passwords in a Windows network. This is a powerful password that unlocks the entire Active Directory structure. In this guide, I will explain how to update this password to make it more secure and ensure a more robust DSRM environment for your organization. For Windows Server domain controllers, Directory Services Restore Mode (DSRM) is a safe mode boot option. You can also learn about Group Policy Object: How to create a Password Policy via GPO, Volume Shadow Copies: How to configure VSS on Windows Server, Remote Desktop Services: How to Remove and Manage Terminal Server licenses from an RDP client with PowerShell, and How to create Bulk Users in Active Directory using PowerShell.
To repair or recover an Active Directory database, an administrator can use DSRM. When installing Active Directory, the installation wizard prompts the administrator to select a DSRM password. In other words, when a new Domain Controller is promoted, the password for Directory Services Restore Mode (DSRM) is set for the first time. This password gives the administrator access to the database in case something goes wrong later on, but it does not give the administrator access to the domain or any services.
If you forget your DSRM password, you can change it with the command-line tool NTDSUtil. I’ve worked in a number of Active Directory environments where the DSRM password for the Domain Controllers is not known or safely stored for future use. Please see how to create and delete a custom AD DS partition with the NTDSUTIL.EXE Tool on Windows Server.
Why Set a Password to Secure DSRM?
Domain Controllers, unlike workstations and servers, do not have a local administrator account that can be used to log on locally at any time. When an Active Directory failure occurs on the Domain Controller, you may be unable to log on to the server with your domain credentials in order to repair Active Directory.
Directory Services Restore Mode (DSRM) is a Domain Controller boot option that allows you to log in even if Active Directory has failed. You will use an account similar to a workstation or server’s local administrator account. After starting DSRM, enter .\administrator as the username and the DSRM password, as shown in the images below, to log onto the Domain Controller. This allows you to log in locally without having access to any domain.
Attackers could use the DSRM account to stay persistent and gain access to the organization’s Active Directory. Administrators typically set the DSRM password while promoting a server to a Domain Controller, as shown in the screenshot below, and do not follow the recommendation to change this password on a regular basis.
Knowing this, attackers will attempt to create a permanent backdoor in order to establish a future connection. An attacker can change the password for the DSRM account by running the following command on each DC (or remotely against each DC by replacing "null" with the DC name).
As shown above, when an attacker has obtained the DSRM password, he or she can use this account to log on to the DC as a local administrator over the network. Using the local administrator password hash, the attacker can log in to the DC with the Directory Services Restore Mode (DSRM) hash without rebooting the server by changing the Windows registry: checking the “DsrmAdminLogonBehavior” registry value under HKLM\System\CurrentControlSet\Control\Lsa and possibly creating it as a REG_DWORD with one of the values shown below:
- 0 – the default value – Can use the DSRM administrator account only if the DC starts in DSRM.
- 1 – Use the DSRM administrator account to log on if the local AD DS service is stopped.
- 2 – Always use the DSRM administrator account (This setting is not recommended because password policies do not apply to the DSRM administrator account).
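A defender can check this setting across the whole domain. The following audit script is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module is installed and that PowerShell remoting to each domain controller is allowed. It treats a missing value as the default of 0 and flags anything else for review.

```powershell
# Added example: audit DsrmAdminLogonBehavior on every domain controller.
# Assumptions: ActiveDirectory module available, WinRM remoting enabled on the DCs.
Import-Module ActiveDirectory

$lsaPath = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$meaning = @{
    0 = 'DSRM account usable only when the DC starts in DSRM (default)'
    1 = 'DSRM account usable when the local AD DS service is stopped'
    2 = 'DSRM account always usable (not recommended)'
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $raw = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop `
            -ArgumentList $lsaPath -ScriptBlock {
                param($path)
                # Returns nothing when the value has never been created.
                (Get-ItemProperty -Path $path -Name DsrmAdminLogonBehavior `
                    -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
            }

        $present = $null -ne $raw
        $value   = if ($present) { [int]$raw } else { 0 }

        [pscustomobject]@{
            DomainController = $dc.HostName
            ValuePresent     = $present
            Value            = $value
            Meaning          = if ($meaning.ContainsKey($value)) { $meaning[$value] }
                               else { 'Unexpected value' }
            NeedsReview      = ($value -ne 0)
        }
    }
    catch {
        # An unreachable DC is unknown state, so it is flagged rather than skipped.
        [pscustomobject]@{
            DomainController = $dc.HostName
            ValuePresent     = $null
            Value            = $null
            Meaning          = "Could not query: $($_.Exception.Message)"
            NeedsReview      = $true
        }
    }
}

$results | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```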
Resetting the DSRM administrator password to Secure it
To ensure a more secure and robust Active Directory environment for your Domain Controller, you need to regularly update the DSRM administrator password and keep it complex.
Please keep in mind that DSRM is not the same as Safe Mode. Active Directory will continue to try to start in Safe Mode, and if that fails, you will be unable to log on. Use DSRM instead. As a security administrator, you must not only update the DSRM password regularly but also ensure the passwords are unique for every Domain Controller. Below are the steps to change the DSRM password:
Step 1 – Press Windows + R to open the Run dialog box, type ntdsutil, and then press the Enter key.
Step 2 – At the Ntdsutil command prompt, type set dsrm password
Still at the DSRM command prompt, type one of the following lines: "reset password on server null"
The null variable assumes that the DSRM password is being reset on the local computer, which is why you must set a unique password and regularly update it. Type the new password when you’re prompted. Note that no characters appear while you type the password.
Note: To reset the password on another server, type reset password on server <servername>, where servername is the DNS name of the server being reset. When prompted, enter the new password. It's worth noting that no characters appear as you type the password.
When done resetting the password for DSRM, type q or quit at the DSRM command prompt, and then type q or quit again to exit the Ntdsutil command prompt as well.
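Because the same reset command is available to an attacker, it is worth confirming that every DSRM password change on record is one you made. The script below is an added example, not part of the original post: it reads Security event ID 4794 ("An attempt was made to set the Directory Services Restore Mode administrator password") from each domain controller. It assumes the ActiveDirectory module, remote event log access, that "Audit User Account Management" is enabled, and a 90-day review window chosen for illustration.

```powershell
# Added example: list DSRM password reset attempts (event 4794) per DC.
# Assumptions: ActiveDirectory module, remote event log access, auditing enabled.
Import-Module ActiveDirectory

$since        = (Get-Date).AddDays(-90)     # assumed review window
$auditSuccess = 0x0020000000000000          # standard "Audit Success" keyword bit

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4794; StartTime = $since
        } | ForEach-Object {
            # Pull the caller's account name out of the event's XML payload.
            $data   = ([xml]$_.ToXml()).Event.EventData.Data
            $caller = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            [pscustomobject]@{
                DomainController = $dc.HostName
                TimeCreated      = $_.TimeCreated
                Caller           = $caller
                Outcome          = if ($_.Keywords -band $auditSuccess) { 'Success' }
                                   else { 'Failure' }
            }
        }
    }
    catch {
        # No events can mean the password was not rotated in the window,
        # auditing is off, or the log has rolled over; all are worth checking.
        $note = if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            'No 4794 events in window'
        } else {
            "Query failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            TimeCreated      = $null
            Caller           = $null
            Outcome          = $note
        }
    }
}

$report | Sort-Object DomainController, TimeCreated | Format-Table -AutoSize
```

Compare each entry against your change records: a reset from an unexpected caller or at an unexpected time is the persistence technique described earlier.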
I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.