The Lazy Admin

Sync DSRM and Domain Admin Passwords

Setting a password for Directory Services Restore Mode (DSRM) is something that is done during the setup of Active Directory. As a best practice it has always been recommended to change that password on a regular basis, as you would with any other password. The challenge was that the process for doing this was complicated and required you to use NTDS in Windows 2003.

This has been addressed in Windows Server 2008, where we can now sync the DSRM password with a Domain Administrator account. There is a hotfix that needs to be installed, which you can download here. (Note: you do need to request the hotfix, and it should be included in SP2.) After it is installed and the server is rebooted, you can run the following command to sync the passwords:

ntdsutil "set dsrm password" "sync from domain account <DomainAdminAccountName>" q q
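The DSRM password lives in each domain controller's local SAM, so the one-liner above only changes the DC it is run on. The script below is an added example, not part of the original post: it repeats the sync on every writable DC and confirms each run through Security event 4794 (DSRM administrator password set). It assumes the ActiveDirectory module and PowerShell remoting are available on the DCs; the account name is a placeholder, and the success string matched from ntdsutil output is an assumption.

```powershell
# Added example: sync the DSRM password on every writable DC from one domain account.
# Assumes: ActiveDirectory module, PS remoting to each DC, and that the hotfix from
# the post is installed (ntdsutil otherwise lacks "sync from domain account").
param(
    # Dedicated domain account whose password seeds DSRM; placeholder, not a real name.
    [Parameter(Mandatory = $true)][string]$SourceAccount = 'DSRM-Sync-Account'
)

Import-Module ActiveDirectory

# RODCs cannot have their DSRM password synced this way, so only writable DCs are targeted.
$dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false } |
       Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    # ntdsutil changes the local SAM of the DC it runs on, hence one remote call per DC.
    $output = Invoke-Command -ComputerName $dc -ArgumentList $SourceAccount -ScriptBlock {
        param($acct)
        & ntdsutil.exe "set dsrm password" "sync from domain account $acct" q q 2>&1 |
            Out-String
    }

    # Assumed success text from ntdsutil; adjust if your build words it differently.
    $synced = $output -match 'synchronized successfully'

    # Independent confirmation for the audit trail: event 4794 is logged whenever the
    # DSRM administrator password is set, which is also what a SIEM should be alerting on.
    $event = Get-WinEvent -ComputerName $dc -MaxEvents 1 -ErrorAction SilentlyContinue `
                 -FilterHashtable @{ LogName = 'Security'; Id = 4794 }

    [pscustomobject]@{
        DomainController = $dc
        SyncReported     = $synced
        Event4794At      = if ($event) { $event.TimeCreated } else { $null }
    }
}

$results | Format-Table -AutoSize

# The sync is a one-time copy, not a link: after the source account's password is
# changed again, this script must be re-run for the DCs to pick up the new value.
$results | Where-Object { -not $_.SyncReported } | ForEach-Object {
    Write-Warning "DSRM sync did not report success on $($_.DomainController); check it manually."
}
```

Because 4794 also fires when someone sets the DSRM password outside a maintenance window, it is worth alerting on that event ID independently of this script.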

Published Friday, February 27, 2009 9:00 AM by rodney.buike

Comments

hypie said:

As I understand, this command has to be run on all DCs in the domain, as the DSRM account is a local account on each individual DC? Or does this utility sync the DSRM password across all DCs automatically?

June 7, 2009 8:25 AM