Resetting the Active Directory DSRM Password

Overview

Active Directory's Directory Services Restore Mode (DSRM) password is the password of the local Administrator account on a domain controller. It is the only way to log on to a DC that has been booted into DSRM, which is required when an object, an entire domain, or a forest needs to be restored from backup. The password is set when a server is promoted to a domain controller. It is important that this password is documented and stored in a secure location.

The password is set individually on every domain controller in the domain. It is good practice to use the same password on all of them: one well-protected password is easier to document and maintain than a different password for every DC.

What happens if you lose the DSRM password? It can be reset with the ntdsutil utility, which is included on every domain controller. Be aware that backups taken before the reset still contain the old password: if you restore one of them and then have to boot into DSRM again, you will need the old password, not the new one. If you are resetting the password because it was lost, those earlier backups are therefore of limited use for DSRM work. This is why it is so important to keep good, well-documented passwords for your environment.

Resetting the Directory Services Restore Mode Password

This task must be performed by a member of the Domain Admins group.

  1. Log on to a domain controller.
  2. Open a command-prompt with administrative rights.
  3. Run the ntdsutil command to enter its shell.
    ntdsutil
  4. In the ntdsutil shell, enter into the password reset area.
    ntdsutil: Set DSRM Password
  5. Reset the password on a domain controller by entering the following command (use null in place of the server name to reset the DC you are logged on to):
    Reset DSRM Administrator Password: Reset Password on server <dc-server-name>
  6. When prompted, enter the new password.
  7. When prompted, enter the password again for verification.
  8. To exit the password set mode, type quit and press enter.
    Reset DSRM Administrator Password: quit
  9. To exit the ntdsutil shell, type quit and press enter.
    ntdsutil: quit

The next step should be to create a new backup of the domain controller as soon as possible. After that, reset the password on all the other domain controllers so that they stay consistent.
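The following PowerShell script is an added example, not code from the original article. It scripts the ntdsutil procedure above against every domain controller in the domain and then takes the fresh system state backup the article recommends. It assumes an elevated PowerShell session on a DC (or a host with the RSAT ActiveDirectory module) running as a Domain Admin, that Windows Server Backup is installed for the wbadmin step, and that the backup target E: is a placeholder you replace with your own. The optional -SyncFromAccount path uses ntdsutil's separate "sync from domain account" command, which the article does not cover; the account name you pass is hypothetical, and that path additionally assumes PowerShell remoting (WinRM) is enabled on the DCs.

```powershell
# Added example (not from the original article): run the ntdsutil DSRM reset on
# every DC in the domain, then back up the system state of the local DC.
# Assumptions: elevated session as a Domain Admin; RSAT ActiveDirectory module present;
# Windows Server Backup installed; "E:" is a placeholder backup target.

Import-Module ActiveDirectory

function Reset-DsrmPasswordOnAllDCs {
    param(
        # Optional, hypothetical domain account whose current password is copied onto each
        # DC as its DSRM password (ntdsutil "sync from domain account"), avoiding the
        # interactive prompts. Leave empty to use the article's interactive reset.
        [string]$SyncFromAccount
    )

    $dcs = Get-ADDomainController -Filter * | Sort-Object HostName

    foreach ($dc in $dcs) {
        $name = $dc.HostName
        if ($SyncFromAccount) {
            # "sync from domain account" only acts on the DC it runs on, so it is executed
            # on each DC through PowerShell remoting (requires WinRM on the DCs).
            Write-Host "Syncing DSRM password on $name from $SyncFromAccount ..."
            Invoke-Command -ComputerName $name -ScriptBlock {
                ntdsutil "set dsrm password" "sync from domain account $using:SyncFromAccount" q q
            }
        }
        else {
            # The article's commands, passed as arguments so ntdsutil runs them in order:
            #   set dsrm password              -> enter the "Reset DSRM Administrator Password:" menu
            #   reset password on server <dc>  -> ntdsutil prompts for the new password twice
            #   q, q                           -> leave the menu, then leave ntdsutil
            # The target may be a remote DC; ntdsutil reaches it over RPC.
            Write-Host "Resetting DSRM password on $name (you will be prompted twice) ..."
            ntdsutil "set dsrm password" "reset password on server $name" q q
        }
    }
}

# Interactive reset on every DC (type the same new password for each one), then an
# immediate system state backup of this DC, as the article advises.
Reset-DsrmPasswordOnAllDCs
wbadmin start systemstatebackup -backupTarget:E: -quiet
```

Two points worth knowing if you take the -SyncFromAccount route: the sync is a one-time copy, so a later change to that domain account's password does not follow through to the DSRM account, and the chosen account should be a dedicated one whose password you set immediately before the sync and do not reuse elsewhere.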