What Username and Password Do I Need to Use for Directory Services Restore Mode (DSRM) in SBS 2008?


[Today's post comes to us courtesy of Shawn Sullivan]

The way the Directory Services Restore Mode (DSRM) password is set during an install of SBS 2008 differs from that of Windows Server 2008. Like most component installations in SBS 2008 setup, the dcpromo process is hidden from the user, who is not prompted to enter a DSRM password.

In a clean install of SBS 2008, SBS setup will synchronize the DSRM password with the password of the admin account that you specify during setup.

During a migration, SBS setup will synchronize the DSRM password with that of the admin account you have specified in the SBS Answer file generator tool when creating the SBSAnswerfile.xml.

In either case, once the DSRM password is set by SBS setup, it does not change. Even if you change your domain administrator password a few months down the road, the DSRM password remains the same. Therefore, it is extremely important that you document and secure this information. If you have forgotten the DSRM password (and you can still boot into normal mode), you can manually set it by following the steps in http://support.microsoft.com/kb/322672 (you must type "activate instance NTDS" after launching NTDSUtil.exe).

When logging into DSRM in SBS 2008, you have two choices:

  1. If another DC is available to service login requests, you can log in to the server using a domain administrator account (http://technet.microsoft.com/en-us/library/cc732714.aspx). This is very convenient if you have forgotten your DSRM password.
  2. If no other DC is available, you must log in locally using “.\administrator” or “machinename\administrator” and the DSRM password.

If you have forgotten your DSRM password, there is no other Domain Controller available to service logins, and you cannot boot into Normal Mode, you will not be able to log in to the server.

NOTE: A new feature has recently been released that allows you to synchronize the DSRM password with that of a user account. Details can be found at http://support.microsoft.com/kb/961320. After you install the feature and reboot the server, you can run the following command to initiate the sync:

ntdsutil "set dsrm password" "sync from domain account <AccountName>" q q

Important: This sync only occurs once. If your user account's password changes, the DSRM password is not automatically updated and you will need to run the command again.
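
Because the sync is one-time, one way to keep the DSRM password from going stale is to re-run the command whenever the account's password has changed. The script below is an added example, not part of the original post or the KB article; the account name, the state file path, and the use of ntdsutil's exit code as the success signal are assumptions.

```powershell
# Added example (not from the original post): re-run the one-time DSRM sync only
# when the domain account's password has changed since the last recorded sync.
# Run elevated on the SBS 2008 server after installing the update from KB 961320.
param(
    # Hypothetical default; pass the account you sync the DSRM password from.
    [ValidatePattern('^[A-Za-z0-9._-]+$')]
    [string]$AccountName = 'ExampleAdmin',
    # Hypothetical marker file that stores the UTC time of the last sync.
    [string]$StateFile = "$env:ProgramData\DsrmSync\last-sync.txt"
)

# Read pwdLastSet (a FILETIME value) for the account from Active Directory.
$searcher = [adsisearcher]"(&(objectClass=user)(sAMAccountName=$AccountName))"
[void]$searcher.PropertiesToLoad.Add('pwdlastset')
$entry = $searcher.FindOne()
if (-not $entry) { throw "Account '$AccountName' was not found." }
$pwdChanged = [datetime]::FromFileTimeUtc([int64]$entry.Properties['pwdlastset'][0])

# Load the time of the last sync this script performed, if any.
$lastSync = [datetime]::MinValue
if (Test-Path $StateFile) {
    $styles = [Globalization.DateTimeStyles]::RoundtripKind
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $lastSync = [datetime]::Parse((Get-Content $StateFile -TotalCount 1), $culture, $styles)
}

if ($pwdChanged -le $lastSync) {
    Write-Output "DSRM password was synced after the last password change ($pwdChanged UTC)."
    return
}

# Same command as in the post; the sync copies the password once, so repeat it.
& ntdsutil.exe "set dsrm password" "sync from domain account $AccountName" q q
# Assumption: a non-zero exit code means the sync failed, so the state is left alone.
if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE; state not updated." }

# Record the sync time in round-trip ("o") format so the next run can compare.
New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
[datetime]::UtcNow.ToString('o') | Set-Content $StateFile
Write-Output "DSRM password re-synced from '$AccountName'."
```

The state file only reflects syncs performed by this script, so a DSRM password set manually through NTDSUtil is not tracked by it.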

Comments
  • Great article!

    One thing - please consider moving the most important thing, the NOTE, to the most prominent place at the top of the article.

  • Somewhere I remember an SBS gotcha post alluding to the 'Administrator' being disabled by default. With regards to this topic of DSRM and disaster recovery in general, creating another equivalent admin account prior to migration on the source SBS box and then using it in the above migration file generator would be a best practice. Then there is no need to sync to a domain account as described.

    Great blog, thanks again for this important information.

  • **clarification**  ...meant to say "Administrator" account in SBS 2008 is by default disabled.

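  • DSRM is the abbreviation of Directory Service Restore Mode. When the directory service in a domain breaks, DSRM mode provides a console for repairing the domain server. However, entering DSRM mode requires a specific password. This password is requested during the normal dcpromo (domain server creation) process. However, because SBS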