Login with a local account on the domain controller is basically impossible, since then you are promoting member server to the domain controller (DC), the local accounts database (SAM) become inaccessible. However, this rule has one exception. In case of directory services problems on domain controllers, there is a special boot mode – Directory Services Restore Mode (DSRM).
This mode is used to perform Active Directory recovery operation in the following cases: when the Active Directory database is corrupted and needs to be repaired, AD database maintenance tasks (AD database compression, error analysis and so on), the rollback AD from backup/snapshot, restore individual objects or domain administrator password reset.
To access this mode, a special account DSRM Administrator is used, which is the only one local account on the domain controller.
How to set DSRM password
DSRM password is specified in the process of deploying (promoting) a member server to a domain controller.
However, it is not necessary to remember or write down DSRM passwords for all DCs. If it’s need, you can easily reset password by using ntdsutil utility. To reset the DSRM password, you must logon to the Domain controller (of course, as a Domain Administrator), and execute the commands:
ntdsutil set dsrm password reset password on server NULL [new_dsrm_super_password] [confirm_new_dsrm_password] quit quit
If you need to change the DSRM administrator password on a remote DC, you can specify the server name in this way:
reset password on server DC3-name
On Windows Server 2008 SP2 (or higher), there is another way to set up the password for DSRM-admin – by copying (synchronizing) password with the domain account. To sync you can choose any existing user or create the new one.
For example, we created a new user – DSRMsync.
To sync a password, run the following command on a domain controller:
ntdsutil set dsrm password sync from domain account DSRMsync q q
The same command in a single line:
ntdsutil ″set dsrm password″ ″sync from domain account DSRMsync″ q q
Then you can localy access the domain controller by using the password of domain account. It is necessary to clarify that the synchronization procedure does not provide tracking of the user’s password changes in AD. For regular synchronization, you need to add the synchronization command to the startup scripts or to the Task Scheduler.
Can I login to the DC under DSRM administrator in normal mode?
In previous Windows versions the DSRM administrator can login on the domain controller only via booting in DSRM-mode. Starting from Windows Server 2008, the Active Directory Domain Services can be stopped from the services snap-in (services.msc), without need to reboot. Accordingly, the DSRM Administrator now has the ability to connect to the domain controller in normal (not DSRM) mode.
To activate this feature, you can use a small registry trick on the domain controller. We are interested in DWORD parameter DsrmAdminLogonBehavior, located in the registry branch HKLM\System\CurrentControlSet\Control\Lsa. DsrmAdminLogonBehavior can have one of the following values:
- 0 – DSRM administrator can login on the DC only in DSRM mode
- 1 – DSRM administrator can login when service ADDS is stopped
- 2 – DSRM administrator can access DC at any time
You can change the DsrmAdminLogonBehavior value by using Registry Editor GUI or from Command prompt:
REG ADD ″HKLM\System\CurrentControlSet\Control\Lsa″ /v DsrmAdminLogonBehavior /t REG_DWORD /d 2 /F
Or using PowerShell:
New-ItemProperty -Name DsrmAdminLogonBehavior -Path HKLM:\System\CurrentControlSet\Control\Lsa -PropertyType Dword -Value 1 -Force
In conclusion, let us remind you that if you allow log on locally to a domain controller, this will decrease domain controller security.