Have you ever received the following error message when you tried to sign in to a domain controller? We can't sign you in with this credential because your domain isn't available. Scary, huh? With the help of Active Directory's Directory Services Restore Mode (DSRM), you can recover Active Directory by booting into safe mode and restoring a working configuration of your directory. I hope you still know your DSRM password. If not, I show you how to reset the DSRM password in this article.
By Surender Kumar

What is Directory Services Restore Mode (DSRM)? ^

Remember the following screen, which you see during domain controller promotion? When promoting a Windows member server to a domain controller, you have to set a DSRM administrator password.

Set DSRM password during domain controller promotion

This password is for the administrator account that you use to log in while in DSRM mode. DSRM is used when something is wrong with your Active Directory, and you can't start your DC in normal mode. For instance, see the following screenshot, which shows the error We can't sign you in with this credential because your domain isn't available.

We can't sign you in with this credential because your domain isn't available

If you see this error, you need to start your DC in DSRM mode, click the Other user option in the bottom left corner, type .\administrator in the username field, and type the DSRM password. If you don't remember the DSRM password, read the Reset DSRM password section.

Log in to a domain controller using the DSRM administrator when the domain isn't available

Why is DSRM important? ^

When a domain controller is running in normal mode, the Active Directory database and log files are locked so that you cannot access, copy, or modify them. But when the domain controller is started in DSRM, the Active Directory services don't start, which means the database and log files are no longer locked. You can now copy, move, or do anything with these files, making this mode both powerful and risky. DSRM is designed specifically for situations in which you need to:

  • Perform AD database repairs
  • Compress or move AD database/log files
  • Perform AD restore from backup or snapshot
  • Restore individual objects

DSRM password ^

Now that you understand what DSRM is and why it is important, let's talk about security. The DSRM is protected by a password, known as the DSRM password, which is one of the most overlooked passwords by admins. Organizations take various measures to protect domain accounts and other service accounts, but often forget to safeguard the DSRM password. I have seen various AD environments where the DSRM password is either unknown or forgotten by the person who initially set it. In my opinion, the DSRM password is as important as any other and should be updated regularly and maintained by server admins.

How to boot in DSRM ^

There are multiple ways to boot a domain controller into DSRM. Each has its own use case. Let's discuss them quickly.

The F8 key

One way to boot a DC in DSRM mode is to use the F8 key. If you can access the keyboard of the DC while it is booting up, press the F8 key repeatedly right after the POST screen. You will see a black screen with multiple options (usually known as advanced boot options), as shown below:

Starting a domain controller in Directory Services Restore Mode using the F8 key

Select the Directory Services Repair (or Restore) Mode option, and press Enter. Your DC will now start in DSRM mode. After login, you will see a Safe Mode watermark on the desktop, and AD services won't start.

System configuration utility

The F8 key only works if you can access the keyboard of the DC locally when it is starting up. If it is not locally accessible, you can use the system configuration utility (msconfig.exe) to boot your DC in DSRM. To do so:

  1. Open the RUN dialog (Windows key + R).
  2. Type msconfig and press Enter. This launches the System Configuration utility.
  3. Under the Boot tab, enable the Safe boot checkbox, and select the Active Directory repair option, as shown in the screenshot.

    Starting a domain controller in DSRM mode using the system configuration msconfig utility

  4. Click Apply and then OK. It will prompt you to restart the computer. Click Restart.
    System configuration restart prompt

    The DC now automatically starts in DSRM mode. You could remotely restart your DC in DSRM using this method since it no longer requires any intervention during the boot process.

  5. When you're done repairing your AD, don't forget to revert the whole process to boot the DC in normal mode. Just launch msconfig again, and under the General tab, select the Normal startup option and click OK.

    Disabling the safe boot option on a domain controller using system configuration msconfig utility

Boot configuration editor utility

There are situations when you can neither use the F8 key nor the system configuration utility. Let's say your Windows is corrupted and you can't press F8 to bring up the advanced boot options, and you can't use the msconfig tool either. In this situation, follow these steps to boot the DC in DSRM using the bcdedit command line utility:

  1. Boot the server using bootable installation media, such as a DVD or USB.
  2. On the Windows Setup screen, press the Shift + F10 keys to invoke a command prompt.

    Launch a command prompt using the ShiftF10 keys on the Windows setup screen

  3. Once you get the command prompt, type the following command:
    bcdedit /set {default} safeboot dsrepair

    Starting a domain controller in DSRM using the bcdedit utility

  4. After running this command, your server will boot by default in DSRM mode every time until you manually delete the safeboot value from the BCD store. So don't forget to delete it when you're done troubleshooting.
  5. Now, close everything to restart the DC. It automatically starts in DSRM mode.
  6. When you're done troubleshooting your DC and ready to restart it in normal mode, type the following command at an elevated command prompt:
    bcdedit /deletevalue {default} safeboot

    Delete the safeboot value from the BCD store to start the domain controller in normal mode

  7. Now restart the DC to boot up in normal mode.
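Both the msconfig Active Directory repair option and the bcdedit command above end up writing the same safeboot value into the default BCD entry, so the quickest way to confirm that a DC will really come back in normal mode (or to find a DC that someone left configured for DSRM) is to read that value back. The following PowerShell script is an added example and is not part of the original article. It assumes an elevated session on the DC; note that {default} is quoted because PowerShell would otherwise try to parse the braces as a script block.

```powershell
# Added example (not from the 4sysops article): report whether the default BCD
# entry on this server carries a safeboot value, i.e. whether the DC will come
# up in DSRM (or another safe mode) on its next restart. Run elevated; bcdedit.exe
# needs administrator rights to read the BCD store.

function Get-SafeBootSetting {
    # bcdedit prints one "name value" line per BCD element; the safeboot element
    # is absent when the machine is configured for a normal start.
    $output = & bcdedit.exe /enum '{default}' 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed: $($output -join ' ')"
    }
    foreach ($line in $output) {
        # Value is Minimal, Network or DsRepair (case varies between builds).
        if ($line -match '^\s*safeboot\s+(\S+)\s*$') {
            return $Matches[1]
        }
    }
    return $null
}

function Test-DsrmBootPending {
    # True only when the next restart would land in Directory Services Restore Mode.
    $value = Get-SafeBootSetting
    return ($null -ne $value -and $value -ieq 'DsRepair')
}

$setting = Get-SafeBootSetting
if ($null -eq $setting) {
    Write-Host "No safeboot value on {default}: this DC will start normally."
}
else {
    Write-Host "safeboot is set to '$setting' on {default}."
    if (Test-DsrmBootPending) {
        Write-Warning "This DC will start in DSRM on the next restart. Clear it with: bcdedit /deletevalue {default} safeboot"
    }
}
```

Running this as the last step of a DSRM maintenance window gives you a positive confirmation that the safeboot value was removed, which matters because a DC left in this state will silently refuse to serve the domain after its next reboot.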

Reset the DSRM password ^

If you do not know (or remember) the DSRM password for a domain controller, you can simply reset it. In Windows 2000 Server, the setpwd command line utility was used to reset the DSRM password, but starting with Windows Server 2003, this feature is included in the ntdsutil utility. The best thing about ntdsutil is that you can reset the DSRM password for both local and remote domain controllers. To reset the DSRM password:

  1. Log on to any domain controller using the domain administrator account.
  2. Launch an elevated command prompt and run the following commands:
    ntdsutil
    set dsrm password
    reset password on server null
    quit
    quit

    These commands reset the DSRM password for the local domain controller that you're currently logged in to.

  3. To reset the DSRM password for a remote domain controller, use the reset password on server SRV101 command instead of reset password on server null. Of course, replace SRV101 with the name of your remote DC. See the following screenshot for reference:

    Reset the DSRM password for local and remote domain controllers using ntdsutil

DSRM password sync ^

The DSRM password is set individually on each domain controller and doesn't replicate to other DCs in the domain, which makes it highly inconvenient for server admins in organizations with many domain controllers. You can imagine how cumbersome it is to manually set (or reset) a DSRM password on each DC. However, there is a small workaround. To automatically sync the DSRM password on all DCs:

  1. Create a regular domain user and set a good password on it. There is no need to manually add this user to any AD group.

    Creating a normal user for DSRM sync in Active Directory

  2. Open an elevated command prompt or PowerShell console, and type the following command:
    ntdsutil "set dsrm password" "sync from domain account dsrm_user" q q

    Make sure you replace dsrm_user with the name of the user you created in Step 1.

  3. Obviously, you would not want to log in to each DC and run this command manually. To automate the password sync process, you could leverage Group Policy to deploy a scheduled task on all your DCs.
  4. To do so, open the Group Policy editor (gpmc.msc), create a GPO, and link it to the OU containing all the DCs.
  5. Now, create a scheduled task using Group Policy preferences, as shown in the following screenshot.
    Create a scheduled task to automatically sync a DSRM password with an AD user

    See how I typed the complete path of ntdsutil.exe and passed additional commands in the arguments field? You can modify the schedule to run the way you want. I am setting it to run at 11:00 p.m. every day.

  6. When all your DCs have pulled this scheduled task from Group Policy and run it at least once, you can verify whether the DSRM password was automatically synchronized. To do so, start one of your DCs in DSRM, and try to log in using the same password that you set for the domain user (dsrm_user) in step 1.

The drawback of this approach is that it sets the same DSRM password on all DCs, but the trick is particularly useful if you have a lot of DCs that you can't (or don't want to) manage individually.
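If you would rather not deploy a scheduled task through Group Policy, the same sync command can be pushed to every DC from a single elevated PowerShell session, and the output collected in one place so you can see which DCs did not pick up the new password. The script below is an added example and is not part of the original article. It assumes the ActiveDirectory module (RSAT) is installed, that the caller is a domain admin, that PowerShell remoting is enabled on the DCs, and that the sync account is the regular domain user created in step 1 (dsrm_user is the assumed name).

```powershell
# Added example (not from the 4sysops article): run the ntdsutil DSRM password
# sync on every domain controller in the domain from one console and report
# per-DC results. Assumptions: RSAT ActiveDirectory module present, PowerShell
# remoting enabled on the DCs, and the caller holds domain admin rights.

param(
    # Assumed name of the domain user whose password is copied into the DSRM
    # administrator account on each DC (the user created in step 1).
    [string]$SyncAccount = 'dsrm_user'
)

Import-Module ActiveDirectory

# Every DC in the current domain, by DNS host name.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $SyncAccount -ScriptBlock {
    param($Account)
    # ntdsutil takes its interactive commands as quoted arguments; the two "q"
    # arguments leave the "set dsrm password" prompt and then ntdsutil itself.
    $out = & ntdsutil.exe "set dsrm password" "sync from domain account $Account" q q 2>&1
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        ExitCode = $LASTEXITCODE
        # The sync command prints its own result text; keep it for review rather
        # than trusting the process exit code alone.
        Output   = ($out -join "`n")
    }
}

$results | Sort-Object Computer | Format-Table Computer, ExitCode -AutoSize

# Surface anything that did not exit cleanly, with the full ntdsutil output.
$results | Where-Object { $_.ExitCode -ne 0 } | ForEach-Object {
    Write-Warning "DSRM sync returned exit code $($_.ExitCode) on $($_.Computer):`n$($_.Output)"
}

# DCs that were unreachable over remoting never appear in $results; list them too.
$missing = $dcs | Where-Object { ($_ -split '\.')[0] -notin $results.Computer }
foreach ($dc in $missing) {
    Write-Warning "No result from $dc (remoting failed or DC offline)."
}
```

Because the sync copies the domain user's password into the DSRM administrator account on every DC, that user effectively becomes a credential for each DC's offline database; treat it with the same controls as any other administrative account, as the article's advice on the DSRM password already implies, and schedule this script (or the GPO task) to run again whenever that user's password is changed.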

I hope you now have a good understanding of Directory Services Restore Mode after reading this post. Let me know in the comment section below if you think I missed something. Did you ever need to boot up in DSRM mode?

© 4sysops 2006 - 2022
