
Accessing Domain Controller from Local DSRM Account

Logging on with a local account on a domain controller is normally impossible: when you promote a member server to a domain controller (DC), the local account database (SAM) becomes inaccessible. However, this rule has one exception. For cases where directory services fail on a domain controller, there is a special boot mode – Directory Services Restore Mode (DSRM).

This mode is used to perform Active Directory recovery operations in the following cases: when the Active Directory database is corrupted and needs to be repaired; for AD database maintenance tasks (AD database compression, error analysis and so on); to roll back AD from a backup/snapshot; to restore individual objects; or to reset the domain administrator password.

To access this mode, a special account, the DSRM Administrator, is used. It is the only local account on a domain controller.

How to Set DSRM Password?

The DSRM password is specified while deploying (promoting) a member server to a domain controller.


However, it is not necessary to remember or write down the DSRM passwords of all DCs. If needed, you can easily reset the password with the ntdsutil utility. To reset the DSRM password, log on to the domain controller (as a Domain Administrator, of course) and execute the following commands in ntdsutil (you will be prompted for the new password twice):

 ntdsutil
 set dsrm password
 reset password on server NULL
 q
 q


If you need to change the DSRM administrator password on a remote DC, specify the server name instead of NULL:

reset password on server DC3-name

On Windows Server 2008 SP2 (or higher), there is another way to set the DSRM administrator password – by copying (synchronizing) it from the password of a domain account. You can sync from any existing user or create a new one for this purpose.

For example, we created a new user – DSRMsync.


To sync the password, run the following commands in ntdsutil on the domain controller:

 ntdsutil
 set dsrm password
 sync from domain account DSRMsync
 q
 q

The same command in a single line:

ntdsutil "set dsrm password" "sync from domain account DSRMsync" q q


Then you can locally access the domain controller using the password of that domain account. Note that the synchronization is a one-time copy: it does not track later changes of the user's password in AD. For regular synchronization, add the sync command to a startup script or to a Task Scheduler job.
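As an added example (not part of the original article), the PowerShell below implements the Task Scheduler approach just described: it writes the ntdsutil sync command into a small script, logs each result to the Application event log, and registers a daily task on the DC. It assumes the account DSRMsync created above, a placeholder script path (C:\Scripts\Sync-DsrmPassword.ps1), and that running the task as SYSTEM on the DC is sufficient for ntdsutil (an assumption; use a Domain Admin principal if it is not).

```powershell
# Added example, not from the original article: register a daily Task Scheduler job
# on this DC that re-runs the ntdsutil sync, so the DSRM administrator password
# follows the domain account's password changes.
# Assumptions: run elevated on the DC; domain account DSRMsync exists (see above);
# the script path is a placeholder; the task runs as SYSTEM (assumed sufficient).

$ScriptPath = 'C:\Scripts\Sync-DsrmPassword.ps1'   # placeholder location

# Body of the script the task will run. Single-quoted here-string: nothing is
# expanded here, so the $ signs belong to the generated script.
$ScriptBody = @'
$acct = 'DSRMsync'   # domain account whose password is copied to the DSRM administrator
$out  = & ntdsutil.exe 'set dsrm password' "sync from domain account $acct" q q 2>&1
# ntdsutil prints "Password has been synchronized successfully." when the copy worked
$ok   = ($out -join ' ') -match 'synchronized successfully'

# Record the outcome in the Application log so a failed sync is visible to monitoring
if (-not [System.Diagnostics.EventLog]::SourceExists('DsrmSync')) {
    New-EventLog -LogName Application -Source 'DsrmSync'
}
Write-EventLog -LogName Application -Source 'DsrmSync' `
    -EventId   $(if ($ok) { 1000 } else { 1001 }) `
    -EntryType $(if ($ok) { 'Information' } else { 'Error' }) `
    -Message   ("DSRM password sync from $acct " + $(if ($ok) { 'succeeded' } else { 'FAILED' }) +
                "`r`nntdsutil output:`r`n" + ($out -join "`r`n"))
'@

New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $ScriptBody -Encoding ASCII

# Daily at 03:00, highest privileges, run as the local SYSTEM account
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '03:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Sync DSRM Password' -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# Run it once now and show the logged result
Start-ScheduledTask -TaskName 'Sync DSRM Password'
Start-Sleep -Seconds 5
Get-EventLog -LogName Application -Source 'DsrmSync' -Newest 1 |
    Format-List TimeGenerated, EntryType, Message
```

Because the DSRMsync password becomes the local administrator password of the DC, treat that account like any other Tier 0 credential: a strong password, no interactive logon rights, and alerting on event 1001 from this task.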

Can I login to the DC under DSRM administrator in normal mode?

In earlier Windows versions, the DSRM administrator could log on to the domain controller only after booting into DSRM mode. Starting with Windows Server 2008, the Active Directory Domain Services service can be stopped from the Services snap-in (services.msc) without a reboot. Accordingly, the DSRM Administrator now has the ability to connect to the domain controller in normal (not DSRM) mode.

To activate this feature, you can use a small registry trick on the domain controller. We are interested in the DWORD value DsrmAdminLogonBehavior, located in the registry key HKLM\System\CurrentControlSet\Control\Lsa. DsrmAdminLogonBehavior can have one of the following values:

  • 0 – the DSRM administrator can log on to the DC only in DSRM mode (default)
  • 1 – the DSRM administrator can log on when the AD DS service is stopped
  • 2 – the DSRM administrator can log on to the DC at any time

You can change the DsrmAdminLogonBehavior value using the Registry Editor GUI or from the command prompt:

REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DsrmAdminLogonBehavior /t REG_DWORD /d 2 /F

Or using PowerShell:

New-ItemProperty -Name DsrmAdminLogonBehavior -Path HKLM:\System\CurrentControlSet\Control\Lsa -PropertyType Dword -Value 1 -Force


In conclusion, let us remind you that allowing the DSRM administrator to log on locally to a domain controller outside of DSRM mode decreases the security of the domain controller.
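Since a non-default DsrmAdminLogonBehavior weakens every DC it is set on, here is an added PowerShell example (not from the original article) that audits the value on all domain controllers in the domain and reports any DC that deviates from 0. It assumes the ActiveDirectory RSAT module on the management host and PowerShell remoting enabled on the DCs; the function name Get-DsrmLogonBehavior is ours.

```powershell
# Added example, not from the original article: audit DsrmAdminLogonBehavior on
# every DC in the domain. Anything other than 0 (a missing value also means 0)
# lets the DSRM administrator log on outside of DSRM mode and should be reviewed.
# Assumptions: ActiveDirectory module present; PowerShell remoting enabled on the DCs.

$Key  = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$Name = 'DsrmAdminLogonBehavior'

function Get-DsrmLogonBehavior {
    # All DCs in the current domain; HostName is the FQDN used for remoting
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ArgumentList $Key, $Name -ScriptBlock {
        param($Key, $Name)
        $raw   = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
        $value = if ($null -eq $raw) { 0 } else { [int]$raw }
        [pscustomobject]@{
            DC     = $env:COMPUTERNAME
            Value  = $value
            Status = $(switch ($value) {
                0       { 'OK: DSRM administrator can log on only in DSRM mode' }
                1       { 'REVIEW: logon allowed while the AD DS service is stopped' }
                2       { 'ALERT: logon allowed at any time' }
                default { "UNKNOWN: unexpected value $value" }
            })
        }
    }
}

$report = Get-DsrmLogonBehavior
$report | Sort-Object DC | Format-Table DC, Value, Status -AutoSize

# Exit non-zero when any DC deviates from the default, so a monitoring job can alert on it
$deviating = @($report | Where-Object { $_.Value -ne 0 })
if ($deviating.Count -gt 0) {
    Write-Warning ("{0} DC(s) allow DSRM administrator logon outside DSRM mode: {1}" -f
        $deviating.Count, ($deviating.DC -join ', '))
    exit 1
}
```

The check is read-only; the REG ADD command above with /d 0 restores the default on a DC that should not allow this.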
