Tuesday, February 24, 2009

How to Synchronize the DSRM password with a Domain User

[This post courtesy of Paul Fitzgerald]

If you have a disaster and you need to recover, are you going to be able to log into your system?  When you need the Directory Services Restore Mode (DSRM) Administrator password, you may not be able to remember it!  That could lead to a whole lot of problems, up to and including not being able to log into your domain controller to recover its data.

In Windows Small Business Server 2003, the product itself kept the DSRM Administrator password in sync with the Administrator account on the system, so whenever that password was changed, so was the DSRM password.  That made things super easy for you.

With Windows Small Business Server 2008, the built-in Administrator account is disabled, so this functionality was never implemented.   However, a new update is available for download that lets you choose which domain account the DSRM password is synced with.  KB Article 961320 describes what you need: the download link for the update (it will probably be included in Windows Server 2008 SP2), and the command line that you need to run to choose which domain account to sync it to.

That’s all there is to it!
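The procedure above in script form, as an added example that is not part of the original post or of KB 961320. It runs the documented ntdsutil command ("set dsrm password", then "sync from domain account <account>") once, and then registers a scheduled task that repeats it, because the KB states the command synchronizes the password only one time. The domain account name, the script path, the task name, the daily schedule and the success text that ntdsutil is checked for are all assumptions for illustration. One caveat worth keeping in mind: after the sync, whoever controls that domain account's password also holds the DSRM password of the domain controller, so pick an account you already protect at that level.

```powershell
# Added example (not the post's or the KB's own code). Run from an elevated
# PowerShell prompt on the SBS 2008 / Windows Server 2008 domain controller
# after KB 961320 (or a service pack that includes it) is installed.
param(
    [string]$Account    = 'sbsadmin',                        # assumption: the domain account to mirror
    [string]$ScriptPath = 'C:\Admin\Sync-DsrmPassword.cmd',  # assumption: wrapper written by this script
    [string]$TaskName   = 'Sync DSRM password'               # assumption: scheduled task name
)

function Sync-DsrmPassword {
    param([string]$DomainAccount)
    # Each ntdsutil prompt entry is passed as one quoted argument; "q q" backs
    # out of both menus so ntdsutil exits instead of waiting for input.
    $output = & ntdsutil.exe "set dsrm password" "sync from domain account $DomainAccount" q q 2>&1
    $output | ForEach-Object { Write-Host $_ }
    # Assumption: ntdsutil reports success with a line containing
    # "synchronized successfully"; the exit code alone is not relied on.
    if ($LASTEXITCODE -ne 0 -or -not ($output -match 'synchronized successfully')) {
        throw "DSRM password sync from domain account '$DomainAccount' did not report success"
    }
}

function Register-DsrmSyncTask {
    param([string]$DomainAccount, [string]$Path, [string]$Name)
    # A small batch wrapper avoids nesting quotes inside schtasks /TR.
    # schtasks.exe is used because the ScheduledTasks module does not exist
    # on Server 2008.
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $wrapper = '@echo off' + "`r`n" +
               'ntdsutil.exe "set dsrm password" "sync from domain account ' + $DomainAccount + '" q q' + "`r`n"
    Set-Content -Path $Path -Value $wrapper -Encoding Ascii

    # Runs daily as SYSTEM at highest privilege; /F overwrites an older task
    # of the same name so re-running this script is safe.
    & schtasks.exe /Create /F /SC DAILY /ST 03:00 /RU SYSTEM /RL HIGHEST /TN $Name /TR $Path
    if ($LASTEXITCODE -ne 0) { throw "schtasks failed to create task '$Name'" }
}

Sync-DsrmPassword -DomainAccount $Account
Register-DsrmSyncTask -DomainAccount $Account -Path $ScriptPath -Name $TaskName
Write-Host "DSRM password now mirrors '$Account'; task '$TaskName' repeats the sync daily."
```

The wrapper file is written as plain ASCII and executed by SYSTEM, so keep the directory it lives in writable only by administrators; otherwise anyone who can edit that file gets code execution as SYSTEM on the domain controller.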


Anonymous said...

Sorry it took so long


Unknown said...

Or you can do the following:

Run ntdsutil
set dsrm password
reset password on server null
- enter a password twice

Now write down the DSRM password and store it securely with your CALs, SBS media and other sensitive system documentation.

Sean Daniel said...

Thanks Chris, super helpful!

Anonymous said...

But if the domain admin account is not Administrator then you are in trouble, and in 2008 you have to pick a new one during setup. With this new drop of ntdsutil you can specify the account. Soon we will automate syncing using a scheduled task, but not sure about the release vehicle yet. But you can manually create a schtask.


Anonymous said...

I'm confused. Does that HotFix sync the passwords rather than running ntdsutil?


Sean Daniel said...

When you install SBS 2008, the DSRM password is linked to whatever account you set up as the administrator account on the system. See the Official SBS Blog post on the Username and Password for DSRM.

That is a one-time sync to the password, so in 80 days, when you change that password, the DSRM password won't change.

This hotfix will actually keep those two accounts in sync, as you change the password, so will the DSRM password.

Unknown said...

Actually, in SBS 2003 the feature that kept the DSRM password in sync broke when SP1 came out. It's never been fixed AFAIK. If you see DSRestore event 1005 on startup then your password is not in sync. See: section "How to fix DSRestore error 1005".

Mark Berry said...

Tried to install 921320 under SBS 2008 SP2 and it says the patch does not apply to my system.

Ran ntdsutil "set dsrm password" "sync from domain account <account>" q q at the command line and it seems to work, so I guess it is included in SP2.

On 2/25/09 paulfi says to keep it in sync requires a scheduled task which will be automated "soon."

On 2/27/09, Sean says the syncing is automatic whenever the password of the domain account changes.

The text in KB 921320 says, "This command synchronizes the DSRM Administrator password one time. If you want to perform another synchronization, you must run this command again."

So do we need a scheduled task or not? And if so, has it been created in SP2? I don't see it.

Mark Berry said...

Double typo in my previous comment: 921320 should be 961320.

Sean Daniel said...

you'll need to use the server 2008 x64 version

"Download the Update for Windows Server 2008 x64 Edition (KB961320) package now."