Digital Locksmith: Resetting the Directory Services Restore Mode password on Windows Server 2003


Do you have a friend whom you call when you have some totally off-the-wall question about IT-related stuff? Well, I am that friend for most of the people I know, for some odd reason, and some of the questions I get are doozies.

For instance, I got this call yesterday afternoon:

Friend in need: “Hey man how’s it going?”

Me: “Not bad, working on getting our new accounting software set up, Go Live is next Monday, so I just want to make sure everything is right, you know.”

Friend in need: “Cool, hey do you know how to reset the Directory Services Restore Mode password on a WS2003 box?”

Me: “Wait, what?”

Not your everyday, run-of-the-mill question. This is an interesting type of problem, where you need thing A to get thing B, but cannot get thing A without already having thing B, or what I like to call “The Bill and Ted Conundrum” (excerpt from Bill and Ted’s Excellent Adventure):

Bill: Ted, while I agree that, in time, our band will be most triumphant, the truth is, Wyld Stallyns will never be a super band until we have Eddie Van Halen on guitar.
Ted: Yes, Bill, but, I do not believe we will get Eddie Van Halen until we have a triumphant video.
Bill: Ted, it’s pointless to have a triumphant video before we even have decent instruments.
Ted: Well, how can we have decent instruments when we don’t really even know how to play?
Bill: That is why we NEED Eddie Van Halen!
Ted: And THAT is why we need a triumphant video.

The Directory Services Restore Mode (DSRM) password is something of a last-ditch safeguard that Microsoft put in place to protect Active Directory. DSRM is the boot option (F8 at startup) in which a domain controller comes up with Active Directory offline, which is the only way to do an authoritative or non-authoritative restore of the directory. Because AD is not running in that mode, no domain account can log on; the only account that works is the local Administrator in the DC’s own SAM, and its password is the DSRM password you were asked for during dcpromo. Without it you cannot get into DSRM, and therefore cannot restore Active Directory. The flip side is that it is the one thing standing between someone with console access to a DC and an offline copy of ntds.dit, or a restore of their own backup over yours, which would completely pwn your network. Treat it like any other privileged credential.

But what if you need to restore Active Directory and do not have the DSRM password? For example, the sysadmin who built AD originally never documented it and then left the company. Now we are in The Bill and Ted Conundrum: you need the DSRM password to get into DSRM and restore AD, but you don’t have the DSRM password.

Luckily for us, Microsoft has its own version of Rufus with his time-travelling phone booth for WS2003: the NT Directory Services Utility (Ntdsutil.exe). On Windows Server 2003 (and Windows 2000 SP2 or later) it lets a Domain Admin reset the DSRM password from a normally booted DC, so you never need to know the old one. That also means anyone who already holds Domain Admin can set it, which is why the reset is not a bypass of anything: it requires the very rights that the DSRM password protects against losing.

To reset the DSRM password in Windows Server 2003 using Ntdsutil.exe:

  1. Log on to the domain controller (at the console, or via Remote Desktop) using an account that is a member of Domain Admins.
  2. Go to Start>Run and type: cmd {ENTER}.
  3. At the command prompt, type: cd %SystemRoot%\System32 {ENTER}.
  4. Type: ntdsutil.exe {ENTER}
  5. Type: set dsrm password {ENTER}
  6. Type: reset password on server null {ENTER} (null means the DC you are logged on to; to reset the DSRM password of a different DC, give its name instead of null)
  7. Enter the new password when prompted.
  8. Confirm the new password when prompted.
  9. At the DSRM command prompt, type: q (to exit) {ENTER}
  10. At the Ntdsutil command prompt, type: q (to exit the utility and return to the command prompt) {ENTER}
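
If you have to do this on more than one DC, or just want the safety rails a tired admin needs at 5 pm on a Friday, here is the same conversation with ntdsutil wrapped in a batch file. This is an added example, not something from the original post or from Microsoft: it checks that you really are on a domain controller and really are a Domain Admin before touching anything, then hands the ntdsutil commands in on the command line. The only assumption beyond the steps above is that the group name shows up as “Domain Admins” in whoami output (an English-language domain); the optional first argument names a remote DC and defaults to null, the local one. ntdsutil still asks for the new password and its confirmation interactively, which is exactly what you want: the password never lands in a script or in the command history.

```batch
@echo off
REM reset-dsrm.cmd  -  added example, not part of the original post.
REM Assumes: run from cmd.exe on a Windows Server 2003 domain controller,
REM          logged on as a member of Domain Admins (English group name).
REM Usage:   reset-dsrm.cmd            (resets the DSRM password on this DC)
REM          reset-dsrm.cmd DC02       (resets it on the DC named DC02)
setlocal

REM 1. Are we actually standing on a domain controller?  Only a DC has the
REM    NTDS\Parameters key that records where ntds.dit lives.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "DSA Database file" >nul 2>&1
if errorlevel 1 (
    echo This machine is not a domain controller; nothing to reset here.
    exit /b 1
)

REM 2. Are we a Domain Admin?  ntdsutil will refuse the reset otherwise, so
REM    fail early with a readable message instead of a cryptic one later.
whoami /groups | findstr /i /c:"Domain Admins" >nul
if errorlevel 1 (
    echo The current user is not a member of Domain Admins. Log on as one and retry.
    exit /b 1
)

REM 3. Which DC?  "null" is ntdsutil's name for the DC we are logged on to.
set TARGET=null
if not "%~1"=="" set TARGET=%~1

REM 4. Steps 4 to 10 from the walkthrough, passed as arguments.  ntdsutil
REM    executes them in order and prompts for the new password and its
REM    confirmation on the console; the two q's exit both menus.
echo Resetting the DSRM administrator password on server %TARGET% ...
ntdsutil "set dsrm password" "reset password on server %TARGET%" q q

REM 5. There is no way to test the new password from a normal boot on WS2003.
REM    The real check is the one the password exists for: boot into DSRM.
echo.
echo Next steps: record the new password in the password safe now, then at the
echo next maintenance window reboot %TARGET%, press F8, choose "Directory Services
echo Restore Mode" and log on as Administrator to prove the password works.
endlocal
```

Two things worth knowing about the wrapper. The reg query check is a reliable “is this a DC?” test on 2003 because the NTDS\Parameters key is created by dcpromo and removed on demotion; a member server simply does not have it. And the verification step is deliberately manual: on Windows Server 2003 the DSRM account cannot log on while AD is running, so the only honest test of the new password is to boot into DSRM and use it, which you want to schedule rather than discover during an outage.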

Now that the DSRM password is changed to something you know, record it this time, in the same password safe as your other privileged credentials rather than on a sticky note: it is effectively the local Administrator password of the DC, and anyone who has it can take the directory offline and walk off with it. Then, at a maintenance window, reboot into DSRM (F8, Directory Services Restore Mode) and log on with it once, because on Windows Server 2003 that is the only way to prove the reset actually took. In the immortal words of The Great Ones: Bill, Ted: EXCELLENT! (cue air guitar)
