What is Directory Services Restore Mode (DSRM)?
Remember the following screen, which you see during domain controller promotion? When promoting a Windows member server to a domain controller, you have to set a DSRM administrator password.
This password is for the administrator account that you use to log in while in DSRM mode. DSRM is used when something is wrong with your Active Directory, and you can't start your DC in normal mode. For instance, see the following screenshot, which shows the error We can't sign you in with this credential because your domain isn't available.
If you see this error, you need to start your DC in DSRM mode, click the Other user option in the bottom left corner, type .\administrator in the username field, and type the DSRM password. If you don't remember the DSRM password, read the Reset DSRM password section.
Why is DSRM important?
When a domain controller is working in normal mode, the Active Directory database and log files are locked so that you cannot access, copy, or modify them. But when the domain controller is started in DSRM mode, the Active Directory services don't start, which means the database and log files are no longer locked. You can now copy, move, or do anything with these files, making this mode both powerful and risky. DSRM is designed particularly for situations in which you need to:
- Perform AD database repairs
- Compress or move AD database/log files
- Perform AD restore from backup or snapshot
- Restore individual objects
DSRM password
Now that you understand what DSRM is and why it is important, let's talk about security. The DSRM is protected by a password, known as the DSRM password, which is one of the most overlooked passwords by admins. Organizations take various measures to protect domain accounts and other service accounts, but often forget to safeguard the DSRM password. I have seen various AD environments where the DSRM password is either unknown or forgotten by the person who initially set it. In my opinion, the DSRM password is as important as any other and should be updated regularly and maintained by server admins.
How to boot in DSRM
There are multiple ways to boot a domain controller in DSRM. Each way has its own significance. Let's discuss them quickly.
The F8 key
One way to boot a DC in DSRM mode is to use the F8 key. If you can access the keyboard of the DC while it is booting up, press the F8 key repeatedly right after the POST screen. You will see a black screen with multiple options (usually known as advanced boot options), as shown below:
Select the Directory Services Repair (or Restore) Mode option, and press Enter. Your DC will now start in DSRM mode. After login, you will see a Safe Mode watermark on the desktop, and AD services won't start.
System configuration utility
The F8 key only works if you can access the keyboard of the DC locally when it is starting up. If it is not locally accessible, you can use the system configuration utility (msconfig.exe) to boot your DC in DSRM. To do so:
- Open the RUN dialog (Windows key + R).
- Type msconfig and press Enter. This launches the System Configuration utility.
- Under the Boot tab, enable the Safe boot checkbox, and select the Active Directory repair option, as shown in the screenshot.
- Click Apply and then OK. It will prompt you to restart the computer. Click Restart.
The DC now automatically starts in DSRM mode. You could remotely restart your DC in DSRM using this method since it no longer requires any intervention during the boot process.
- When you're done repairing your AD, don't forget to revert the whole process to boot the DC in normal mode. Just launch msconfig again, and under the General tab, select the Normal startup option and click OK.
Boot configuration editor utility
There are situations when you can neither use the F8 key nor the system configuration utility. Let's say your Windows is corrupted and you can't press F8 to bring up the advanced boot options, and you can't use the msconfig tool either. In this situation, follow these steps to boot the DC in DSRM using the bcdedit command line utility:
- Boot the server using bootable installation media, such as a DVD or USB.
- On the Windows Setup screen, press the Shift + F10 keys to invoke a command prompt.
- Once you get the command prompt, type the following command:
bcdedit /set {default} safeboot dsrepair
- After running this command, your server will boot by default in DSRM mode every time until you manually delete the safeboot value from the BCD store. So don't forget to delete it when you're done troubleshooting.
- Now, close everything to restart the DC. It automatically starts in DSRM mode.
- When you're done troubleshooting your DC and ready to restart it in normal mode, type the following command at an elevated command prompt:
bcdedit /deletevalue {default} safeboot
- Now restart the DC to boot up in normal mode.
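The msconfig and bcdedit procedures above set the same value in the BCD store, so a single check reads the state either one leaves behind. The following PowerShell is an added example, not code from the original post: it wraps the two bcdedit commands, verifies the BCD store after each change instead of trusting the exit code, and lets you audit a list of DCs for a safeboot value that somebody forgot to remove. It assumes an elevated session, bcdedit.exe on the PATH, and WinRM enabled on any remote DC you name; the function and parameter names are my own.

```powershell
# Added example (not from the original post). Assumptions: elevated session,
# bcdedit.exe on PATH, WinRM enabled on remote DCs. Names below are my own.

# Reads the safeboot value of the {default} boot entry ('' when none is set).
# msconfig's "Safe boot / Active Directory repair" writes the same value that
# "bcdedit /set {default} safeboot dsrepair" does, so this sees both.
$script:ReadSafeBoot = {
    $out = & bcdedit.exe /enum '{default}' 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /enum failed: $($out -join ' ')" }
    $hit = @($out | Where-Object { "$_" -match '^\s*safeboot\s+\S+' })
    $value = if ($hit.Count -gt 0) { ("$($hit[0])".Trim() -split '\s+')[-1] } else { '' }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; SafeBoot = $value }
}

function Get-DsrmBootState {
    # Reports whether the local DC, or each DC in -ComputerName, starts in DSRM next time.
    param([string[]]$ComputerName)
    $raw = if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $script:ReadSafeBoot
    } else {
        & $script:ReadSafeBoot
    }
    $raw | Select-Object Computer, SafeBoot,
        @{ n = 'DsrmOnNextBoot'; e = { $_.SafeBoot -ieq 'dsrepair' } }
}

function Set-DsrmBoot {
    # -Mode Enable  => bcdedit /set {default} safeboot dsrepair (persists until removed)
    # -Mode Disable => bcdedit /deletevalue {default} safeboot (skipped when already absent,
    #                  because /deletevalue errors out on a missing element)
    param(
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Mode,
        [string[]]$ComputerName
    )
    $change = {
        param($Mode)
        $hasSafeBoot = [bool](& bcdedit.exe /enum '{default}' | Where-Object { "$_" -match '^\s*safeboot\s' })
        if ($Mode -eq 'Enable') {
            & bcdedit.exe /set '{default}' safeboot dsrepair | Out-Null
        } elseif ($hasSafeBoot) {
            & bcdedit.exe /deletevalue '{default}' safeboot | Out-Null
        }
        if ($LASTEXITCODE -ne 0) { throw "bcdedit exited with $LASTEXITCODE" }
    }
    $target = @{}
    if ($ComputerName) {
        $target.ComputerName = $ComputerName
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $change -ArgumentList $Mode
    } else {
        & $change $Mode
    }
    # Verify against the BCD store rather than trusting the exit code alone.
    $expected = if ($Mode -eq 'Enable') { 'dsrepair' } else { '' }
    $state = Get-DsrmBootState @target
    foreach ($s in $state) {
        if ($s.SafeBoot -ne $expected) {
            throw "$($s.Computer): BCD shows safeboot='$($s.SafeBoot)', expected '$expected'"
        }
    }
    $state
}

# Usage (constructed):
#   Set-DsrmBoot -Mode Enable; Restart-Computer        # next boot lands in DSRM
#   Set-DsrmBoot -Mode Disable                         # back to normal startup
#   Get-DsrmBootState -ComputerName (Get-ADDomainController -Filter *).HostName   # audit all DCs
```

The audit call at the end is the part worth scheduling: a DC left with `safeboot dsrepair` in its BCD store will drop out of the domain at its next reboot, and nothing in normal operation warns you beforehand.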
Reset the DSRM password
If you do not know (or remember) the DSRM password for a domain controller, you can simply reset it. In Windows Server 2000, the setpwd command line utility was used to reset the DSRM password, but starting with Server 2003, this feature is included in the ntdsutil utility. The best thing about ntdsutil is that you can reset the DSRM password for local and remote domain controllers. To reset the DSRM password:
- Log on to any domain controller using the domain administrator account.
- Launch an elevated command prompt and run the following commands:
ntdsutil "set dsrm password" "reset password on server null" quit quit
Each ntdsutil menu command is passed as one quoted argument; ntdsutil then prompts you to type and confirm the new password. These commands reset the DSRM password for the local domain controller that you're currently logged in to.
- To reset the DSRM password for a remote domain controller, use "reset password on server SRV101" instead of "reset password on server null". Of course, replace SRV101 with the name of your remote DC. See the following screenshot for reference:
DSRM password sync
The DSRM password is set individually on each domain controller and doesn't replicate to other DCs in the domain, making it highly inconvenient for server admins in organizations with multiple domain controllers. You can understand how cumbersome it is to manually set (or reset) a DSRM password on each DC. However, there is a small workaround. To automatically sync the DSRM password on all DCs:
- Create a regular domain user and set a good password on it. There is no need to manually add this user to any AD group.
- Open an elevated command prompt or PowerShell console, and type the following command:
ntdsutil "set dsrm password" "sync from domain account dsrmuser" q q
Make sure you replace dsrmuser with the name of the user you created in Step 1.
- Obviously, you would not want to log in to each DC and run this command manually. To automate the password sync process, you could leverage Group Policy to deploy a scheduled task on all your DCs.
- To do so, open the Group Policy editor (gpmc.msc), create a GPO, and link it to the OU containing all the DCs.
- Now, create a scheduled task using Group Policy preferences, as shown in the following screenshot.
See how I typed the complete path of ntdsutil.exe and passed additional commands in the arguments field? You can modify the schedule to run the way you want. I am setting it to run at 11:00 p.m. every day.
- When all your DCs pull this scheduled task from Group Policy and run it at least once, you can verify whether the DSRM password was automatically synchronized using the scheduled task. To do so, start one of your DCs in DSRM mode, and try to log in using the same password that you set for the domain user (dsrmuser) in step 1.
The problem with this approach is that it sets the same DSRM password on all DCs, but the trick is particularly useful if you have a lot of DCs that you can't (or don't want to) manage individually.
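Whether the sync runs from a GPO-deployed scheduled task or by hand, you want two things afterwards: proof that it ran on every DC, and a record of any DSRM password change that no task made. The following PowerShell is an added example, not code from the original post: it runs the same ntdsutil sync on every DC over WinRM and then lists Security event 4794 ("An attempt was made to set the Directory Services Restore Mode administrator password"), which a DC logs whenever its DSRM password is set or synced. It assumes an elevated session as a Domain Admin, the RSAT ActiveDirectory module, WinRM reachable on the DCs, and that dsrmuser is the account from Step 1; the function and parameter names, and the success string it greps for, are my own assumptions.

```powershell
# Added example (not from the original post). Assumptions: elevated Domain Admin
# session, RSAT ActiveDirectory module, WinRM on the DCs, 'dsrmuser' from Step 1.
# Function names are my own.

Import-Module ActiveDirectory

function Get-AllDcNames {
    (Get-ADDomainController -Filter *).HostName
}

function Sync-DsrmPassword {
    # Runs "ntdsutil ... sync from domain account <acct>" on each DC; the sync always
    # targets the DC it runs on, which is why it goes over Invoke-Command.
    param(
        [Parameter(Mandatory)][string]$SourceAccount,
        [string[]]$ComputerName = (Get-AllDcNames)
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $SourceAccount -ScriptBlock {
        param($acct)
        # Each ntdsutil menu command is one quoted argument.
        $out = (& ntdsutil.exe 'set dsrm password' "sync from domain account $acct" q q 2>&1) -join "`n"
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            # Assumed success wording ("Password has been synchronized successfully.");
            # adjust the pattern if your build phrases it differently.
            Success  = $out -match 'synchronized successfully'
            Output   = $out
        }
    } | Select-Object Computer, Success, Output
}

function Get-DsrmPasswordChangeEvents {
    # Security event 4794 is written on the DC whose DSRM password was set or synced.
    # It needs the "Audit User Account Management" subcategory enabled on the DCs.
    param(
        [string[]]$ComputerName = (Get-AllDcNames),
        [int]$Days = 1
    )
    $filter = @{ LogName = 'Security'; Id = 4794; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($dc in $ComputerName) {
        # SilentlyContinue: Get-WinEvent reports "No events were found" as an error.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $dc
                    Time     = $_.TimeCreated
                    # EventData order for 4794: SubjectUserSid, SubjectUserName,
                    # SubjectDomainName, SubjectLogonId, Workstation, Status
                    Subject  = "$($_.Properties[2].Value)\$($_.Properties[1].Value)"
                    Status   = ('0x{0:X}' -f [int64]($_.Properties[5].Value))   # 0x0 = success
                }
            }
    }
}

# Usage (constructed): sync now, then confirm every DC logged 4794 within the last day.
#   Sync-DsrmPassword -SourceAccount 'dsrmuser' | Format-Table Computer, Success
#   Get-DsrmPasswordChangeEvents -Days 1 | Format-Table
```

Compare the Subject column against the account the scheduled task runs as: a 4794 raised by any other subject, or on a DC outside the task's schedule, is a DSRM password change you did not plan, on exactly the credential the post calls the most overlooked one.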
I hope you now have a good understanding of Directory Services Restore Mode after reading this post. Let me know in the comment section below if you think I missed something. Did you ever need to boot up in DSRM mode?
Very nice article, well explained. Thanks.
One question is the frequency of the scheduled task, 11:00 p.m. every day. Is it good to have daily or monthly?
Once in a month works great.
It really depends on how frequently you can (or want to) change the AD user password that you used for DSRM sync. Thank you for reading and don't forget to hit like if you found this post useful.