Accessing Domain Controller from Local DSRM Account

Logging on to a domain controller with a local account is normally impossible: when you promote a member server to a domain controller (DC), its local accounts database (SAM) becomes inaccessible. This rule has one exception. For directory services problems on domain controllers there is a special boot mode, Directory Services Restore Mode (DSRM).

This mode is used to perform Active Directory recovery operations in the following cases: when the Active Directory database is corrupted and needs to be repaired; for AD database maintenance tasks (AD database compression, error analysis and so on); to roll back AD from a backup or snapshot; to restore individual objects; or to reset the domain administrator password.

To access this mode, a special account, the DSRM Administrator, is used; it is the only local account on a domain controller.

How to Set DSRM Password?

DSRM password is specified in the process of deploying (promoting) a member server to a domain controller.


However, it is not necessary to remember or write down the DSRM passwords for all DCs. If needed, you can easily reset the password with the ntdsutil utility. To reset the DSRM password, log on to the domain controller (as a Domain Administrator, of course), start ntdsutil and execute the commands (NULL means the local DC):

 set dsrm password
 reset password on server NULL


If you need to change the DSRM administrator password on a remote DC, you can specify the server name in this way:

reset password on server DC3-name

On Windows Server 2008 SP2 (or higher) there is another way to set the DSRM administrator password: copying (synchronizing) it from a domain account. For the sync you can choose any existing user or create a new one.

For example, we created a new user – DSRMsync.


To sync a password, run the following command on a domain controller:

 set dsrm password
 sync from domain account DSRMsync

The same command in a single line:

ntdsutil "set dsrm password" "sync from domain account DSRMsync" q q


Then you can log on to the domain controller locally using the password of that domain account. Note that the synchronization is a one-time copy: it does not track later changes of the user's password in AD. For regular synchronization, add the synchronization command to the startup scripts or to the Task Scheduler.
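The Task Scheduler approach from the paragraph above, as an added PowerShell example that is not part of the original article. It registers a task on the DC that re-runs the same ntdsutil one-liner daily and at startup, so the DSRM administrator password follows later changes to the domain account. The account name DSRMsync comes from the article; the task name, schedule and the script's own parameters are assumptions.

```powershell
# Added example (not from the original article): keep the DSRM administrator
# password in sync with a domain account by re-running ntdsutil on a schedule.
# Assumes it is run elevated on the domain controller itself.

param(
    [string]$SyncAccount = 'DSRMsync',          # domain account whose password is copied (from the article)
    [string]$TaskName    = 'Sync-DsrmPassword', # arbitrary task name
    [string]$DailyAt     = '03:00'              # arbitrary run time
)

# The same one-line command the article shows, passed as ntdsutil arguments.
$ntdsutilArgs = "`"set dsrm password`" `"sync from domain account $SyncAccount`" q q"

$action = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\ntdsutil.exe" -Argument $ntdsutilArgs

# Run once a day and also at every boot, so a rebooted DC re-syncs promptly.
$triggers = @(
    (New-ScheduledTaskTrigger -Daily -At $DailyAt),
    (New-ScheduledTaskTrigger -AtStartup)
)

# ntdsutil needs administrative rights on the DC; run the task as SYSTEM.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Bound the run time so a hung ntdsutil does not linger.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $triggers `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify the task exists, run it once now and show the result code of that run.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
if ($task) {
    Start-ScheduledTask -TaskName $TaskName
    Start-Sleep -Seconds 10
    Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object TaskName, LastRunTime, LastTaskResult
}
```

Because the DSRM administrator password becomes identical to the DSRMsync password, treat that account as privileged: give it no other rights, keep it out of shared use, and monitor its password changes, since each change is copied to every DC where this task runs.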


Can I login to the DC under DSRM administrator in normal mode?

In earlier Windows versions the DSRM administrator could log on to the domain controller only after booting into DSRM mode. Starting with Windows Server 2008, the Active Directory Domain Services service can be stopped from the Services snap-in (services.msc) without a reboot. Accordingly, the DSRM Administrator can now log on to the domain controller in normal (non-DSRM) mode.

To enable this, you can use a small registry trick on the domain controller. The relevant setting is the DWORD value DsrmAdminLogonBehavior in the registry key HKLM\System\CurrentControlSet\Control\Lsa. DsrmAdminLogonBehavior can have one of the following values:

  • 0 – DSRM administrator can login on the DC only in DSRM mode
  • 1 – DSRM administrator can login when service ADDS is stopped
  • 2 – DSRM administrator can access DC at any time

You can change the DsrmAdminLogonBehavior value by using Registry Editor GUI or from Command prompt:

REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DsrmAdminLogonBehavior /t REG_DWORD /d 2 /F

Or using PowerShell:

New-ItemProperty -Name DsrmAdminLogonBehavior -Path HKLM:\System\CurrentControlSet\Control\Lsa -PropertyType Dword -Value 1 -Force
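Since values 1 and 2 widen local logon to the DC, an administrator will want to know on which DCs the value has been changed. The following PowerShell audit script is an added example, not from the original article: it reads DsrmAdminLogonBehavior on every domain controller, reports non-default values, and optionally resets them to 0. It assumes the ActiveDirectory module and WinRM access to the DCs; the -Remediate switch is this script's own.

```powershell
# Added example (not from the original article): audit DsrmAdminLogonBehavior
# on all DCs. 0 is the default (DSRM admin logs on only in DSRM mode); 1 and 2
# allow a local-account logon in normal mode and should be deliberate.
param(
    [switch]$Remediate   # when set, put the value back to 0 where it differs
)

Import-Module ActiveDirectory

$regPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$valueName = 'DsrmAdminLogonBehavior'
$meaning   = @{
    0 = 'DSRM mode only (default)'
    1 = 'allowed while AD DS service is stopped'
    2 = 'allowed at any time'
}

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = Invoke-Command -ComputerName $dcs -ArgumentList $regPath, $valueName, [bool]$Remediate -ScriptBlock {
    param($path, $name, $fix)
    # A missing value behaves like 0, so report it the same way.
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) { $current = 0 }
    $changed = $false
    if ($fix -and $current -ne 0) {
        Set-ItemProperty -Path $path -Name $name -Value 0 -Type DWord
        $changed = $true
    }
    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        Value            = $current
        Remediated       = $changed
    }
}

# One line per DC; anything other than 0 is flagged for review.
foreach ($row in $report) {
    $desc = $meaning[[int]$row.Value]
    if (-not $desc) { $desc = 'unexpected value' }
    $flag = if ($row.Value -ne 0) { 'REVIEW' } else { 'ok' }
    $note = if ($row.Remediated) { ' (reset to 0)' } else { '' }
    '{0,-25} {1}  {2,-6} {3}{4}' -f $row.DomainController, $row.Value, $flag, $desc, $note
}
```

Run it without -Remediate first to see the current state; a DC showing 1 or 2 that nobody set on purpose deserves a closer look, because the DSRM administrator password then works as a local logon that Active Directory itself does not audit or expire.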


In conclusion, remember that allowing the DSRM administrator to log on locally to a domain controller in normal mode decreases the security of the domain controller.

Author: Cyril Kardashevsky
