
Accessing Domain Controller from Local DSRM Account


Logging on to a domain controller with a local account is normally impossible: once a member server has been promoted to a domain controller (DC), the local accounts database (SAM) is no longer used for logon. This rule has one exception. For cases where the directory service itself fails on a domain controller, there is a special boot mode, Directory Services Restore Mode (DSRM).

This mode is used to perform Active Directory recovery operations, for example: repairing a corrupted AD database; AD database maintenance tasks (offline compaction, integrity checks and so on); rolling AD back from a backup or snapshot; restoring individual objects; or resetting the domain administrator password.

To log on in this mode, a special account, the DSRM administrator, is used. It is the only local account on a domain controller (the built-in Administrator from the local SAM), and its password is kept separately from any domain account.

How to set DSRM password

The DSRM password is set while promoting a member server to a domain controller.

However, you do not need to remember or write down the DSRM passwords for all your DCs: they can be reset at any time with the ntdsutil utility. To reset the DSRM password, log on to the domain controller (as a Domain Admin, naturally) and run the following commands:

ntdsutil
 set dsrm password
 reset password on server NULL
 [new_dsrm_super_password]
 [confirm_new_dsrm_password]
 quit
 quit


If you need to change the DSRM administrator password on a remote DC, you can specify the server name in this way:

reset password on server DC3-name

On Windows Server 2008 SP2 and later there is another way to set the DSRM administrator password: copying (synchronizing) it from a domain account. You can sync from any existing user or create a new one for this purpose. Treat that account as privileged: whoever knows its password also knows the DSRM password on every DC synced from it.

For example, we created a new user – DSRMsync.


To sync a password, run the following command on a domain controller:

ntdsutil
 set dsrm password
 sync from domain account DSRMsync
 q
 q

The same command in a single line:

ntdsutil "set dsrm password" "sync from domain account DSRMsync" q q


Then you can log on to the domain controller locally using the password of that domain account. Note that the synchronization is a one-time copy: later password changes to the domain account in AD are not tracked. For regular synchronization, add the sync command to a startup script or to a Task Scheduler job on each DC.
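The following PowerShell, added here as an example and not taken from the original article, registers the periodic sync job just described on a domain controller. It assumes the sync account is named DSRMsync, that a daily run at 03:00 is acceptable, and that the task may run as LocalSystem on the DC; the task name is arbitrary.

```powershell
# Added example: register a daily scheduled task that re-syncs the DSRM administrator
# password from the domain account DSRMsync (assumed name), so that a password change
# on that account is picked up within a day. Run once on every domain controller.
$syncAccount = 'DSRMsync'                     # assumed sync account
$taskName    = 'Sync DSRM password'           # arbitrary task name

# Non-interactive ntdsutil: the same commands as the one-liner in the article.
$action = New-ScheduledTaskAction -Execute 'ntdsutil.exe' `
    -Argument ('"set dsrm password" "sync from domain account {0}" q q' -f $syncAccount)

# Run as LocalSystem every day at 03:00 (assumed schedule).
$trigger   = New-ScheduledTaskTrigger -Daily -At 3am
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Description "Re-sync DSRM admin password from $syncAccount" -Force

# Run it once now and check the exit code (0 = success).
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 10
(Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult

# Each sync writes Security event 4794 ("An attempt was made to set the Directory
# Services Restore Mode administrator password") on the DC, which is a useful way to
# confirm the task ran and, in general, to spot unexpected DSRM password changes.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4794 } -MaxEvents 5 |
    Select-Object TimeCreated, Message
```

Keep the window between the sync account's password change and the next task run in mind: until the task has run, the DSRM password is still the previous value of that account's password.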

Can I login to the DC under DSRM administrator in normal mode?

In earlier Windows versions the DSRM administrator could log on to the domain controller only after booting into DSRM. Starting with Windows Server 2008, Active Directory Domain Services is a restartable service that can be stopped from the Services snap-in (services.msc) without a reboot. Accordingly, the DSRM administrator can now also log on to the domain controller in normal (non-DSRM) mode, provided a registry setting permits it.

To enable this, use a small registry setting on the domain controller: the DWORD value DsrmAdminLogonBehavior under the key HKLM\System\CurrentControlSet\Control\Lsa. When the value is absent, the default of 0 applies. DsrmAdminLogonBehavior can have one of the following values:

  • 0 – the DSRM administrator can log on to the DC only in DSRM mode (default)
  • 1 – the DSRM administrator can log on when the AD DS service is stopped
  • 2 – the DSRM administrator can log on to the DC at any time, even while AD DS is running

You can change the DsrmAdminLogonBehavior value by using Registry Editor GUI or from Command prompt:

REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DsrmAdminLogonBehavior /t REG_DWORD /d 2 /f

Or using PowerShell (here setting the value to 1, i.e. logon only while AD DS is stopped):

New-ItemProperty -Name DsrmAdminLogonBehavior -Path HKLM:\System\CurrentControlSet\Control\Lsa -PropertyType Dword -Value 1 -Force


In conclusion, remember that allowing the DSRM administrator to log on to a domain controller outside DSRM (DsrmAdminLogonBehavior set to 1 or, especially, 2) weakens domain controller security. The DSRM password is a local Administrator credential: it is not subject to the domain password policy, is rarely changed, and with the value 2 gives anyone who knows it standing administrative access to the DC regardless of the state of AD DS. Leave the value at 0 (or absent) unless you have a specific, temporary need, and audit your DCs for changes to this value and to the DSRM password.
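As an added example (not from the original article), the following PowerShell audits DsrmAdminLogonBehavior on every domain controller in the current domain and flags any DC where the DSRM administrator may log on outside DSRM. It assumes the ActiveDirectory RSAT module is installed and that PowerShell Remoting to the DCs is allowed; the output layout is arbitrary.

```powershell
# Added example: check DsrmAdminLogonBehavior on all DCs and report anything non-zero.
# Assumes the ActiveDirectory module and PowerShell Remoting (WinRM) to every DC.
Import-Module ActiveDirectory

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name = 'DsrmAdminLogonBehavior'

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $key, $name -ErrorAction Continue -ScriptBlock {
    param($key, $name)
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        DC    = $env:COMPUTERNAME
        # A missing value behaves as 0 (DSRM logon only).
        Value = if ($null -eq $value) { 0 } else { [int]$value }
    }
}

$meaning = @{
    0 = 'DSRM mode only (default)'
    1 = 'logon allowed while AD DS is stopped'
    2 = 'logon allowed at any time'
}

'{0,-25} {1,-6} {2,-8} {3}' -f 'DC', 'Value', 'Status', 'Meaning'
foreach ($r in $results) {
    $status = if ($r.Value -eq 0) { 'OK' } else { 'REVIEW' }
    '{0,-25} {1,-6} {2,-8} {3}' -f $r.DC, $r.Value, $status, $meaning[$r.Value]
}

# Any DC not returned above (unreachable or WinRM blocked) still needs a manual check.
$missing = $dcs | Where-Object { $_ -notin ($results | ForEach-Object { "$($_.DC)" }) }
if ($missing) { "Not checked (unreachable): $($missing -join ', ')" }

# Remediation, for DCs where the change was not deliberate: set the value back to 0.
# $results | Where-Object Value -ne 0 | ForEach-Object {
#     Invoke-Command -ComputerName $_.DC -ScriptBlock {
#         Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
#             -Name DsrmAdminLogonBehavior -Value 0
#     }
# }
```

The unreachable-DC comparison matches by short computer name, so if your DC host names carry the DNS suffix it will report those as not checked; compare on the NetBIOS portion or on the PSComputerName property if that bites you. Pair this with alerting on Security event 4794 (DSRM password set) and on writes to the Lsa key, so that an unexpected enablement is noticed rather than found at the next audit.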

