Using the Directory Services Restore Mode Password

When a Windows Server 2008 R2 system is promoted to a domain controller, the Directory Services Restore Mode (DSRM) password is set. This password belongs to the local Administrator account in the domain controller's own SAM database, not to any domain account, and it is used only when the domain controller is booted into Directory Services Restore Mode. Restore mode is used when the Active Directory database needs maintenance or must be restored from backup. Many administrators have found themselves unable to log on to Restore mode when necessary and have been forced to rebuild systems from scratch to restore the System State data. Many hours can be saved if this password is stored in a safe place where only the appropriate administrators can retrieve it. Because it grants interactive logon to the domain controller while the directory is offline, and therefore access to the Active Directory database file and SYSVOL, it deserves the same protection as domain administrator credentials.

With Windows Server 2008 R2, a full authoritative restore of the entire Active Directory database and SYSVOL folder can be performed using the Windows Server Backup GUI. To perform the restore, the domain controller must be booted into Directory Services Restore Mode. If a single object, or a container and the objects within it, is accidentally deleted, it can be restored granularly by booting a domain controller into DSRM, restoring the System State, and performing an authoritative restore of the desired object(s). The drawback is that the domain controller is offline to client requests the entire time it runs in Directory Services Restore Mode. To avoid this, Windows Server 2008 R2 introduces the AD Recycle Bin, which allows object recovery while the domain controller remains online. This is detailed in the next section.

There can still be cases where a restore requires booting a domain controller into DSRM, and the DSRM password will be needed. To make sure the password is known, update it regularly on all domain controllers. The Restore mode password is server specific: it is set on each domain controller individually and is not replicated between them. If the password is forgotten and the domain controller is still functional, it can be changed with the command-line tool ntdsutil.exe from the command prompt. The same tool can also copy the current password of a domain user account into the DSRM account (the sync from domain account option), which lets one credential be rotated on every domain controller without typing it at each prompt. To update the DSRM password on a domain controller, perform the following steps:

1. Log on to the Windows Server 2008 R2 system with an account with administrator privileges.

2. Click Start, click All Programs, click Accessories, and select Command Prompt.

3. Type cd \ and press Enter.

4. Type NTDSutil.exe and press Enter.

5. Type Set DSRM Password and press Enter.

6. Type Reset Password on Server null and press Enter. The keyword null refers to the domain controller you are logged on to; to set the password on another domain controller from the same session, type its name in place of null.

7. Type the new DSRM password, and press Enter.

8. Type the new DSRM password again for confirmation, and press Enter.

9. Repeat steps 6 through 8 for any additional domain controllers whose DSRM password should be updated, giving each one's name in the Reset Password on Server command. To close out of NTDSutil.exe, type quit, press Enter, type quit again, and press Enter.

10. Back at the command prompt, type logoff to log off of the domain controller.
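The procedure above is interactive and must be repeated per domain controller. The following script is an added example, not code from Windows Server 2008 R2 Unleashed, showing how the same ntdsutil operation can be driven non-interactively on every domain controller in the domain by using the sync from domain account option together with PowerShell remoting. The account name DSRMSync, the log path and the success string matched in ntdsutil's output are assumptions; the script requires the ActiveDirectory module, PowerShell remoting enabled on the domain controllers, and Domain Admin rights.

```powershell
# Added example (not from the book): rotate the DSRM password on every domain
# controller by synchronising it from a dedicated domain account, which avoids
# the interactive password prompts of ntdsutil.
# Assumptions: the account in $SyncAccount exists and has just been given a new,
# strong password; PowerShell remoting is enabled on the DCs; this is run as a
# Domain Admin on a machine with the ActiveDirectory module installed.
param(
    [string]$SyncAccount = 'DSRMSync',                  # hypothetical account name
    [string]$LogPath     = "$env:TEMP\dsrm-rotation.csv" # hypothetical log location
)

Import-Module ActiveDirectory

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # ntdsutil accepts its menu commands as arguments, so the sequence
        # "set dsrm password" -> "sync from domain account" -> quit -> quit
        # runs without a console prompt. The sync is a one-time copy of the
        # account's current password, not a continuing link.
        $output = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($acct)
            & ntdsutil.exe 'set dsrm password' "sync from domain account $acct" 'q' 'q' 2>&1
        } -ArgumentList $SyncAccount

        # The success wording is an assumption about ntdsutil's output;
        # confirm it against one DC before trusting the flag fleet-wide.
        $ok = (($output | Out-String) -match 'synchronized successfully')
    }
    catch {
        $output = $_.Exception.Message
        $ok     = $false
    }

    New-Object PSObject -Property @{
        DomainController = $dc.HostName
        Success          = $ok
        When             = (Get-Date).ToString('s')
        Output           = (($output | Out-String) -replace '\s+', ' ').Trim()
    }
}

# Keep a dated record of which DCs were rotated. The password itself never
# appears here: it was only ever set on the sync account.
$results | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $LogPath -Append
$results | Format-Table DomainController, Success, When -AutoSize

# Any DC that failed still has its old DSRM password; set it by hand there
# (steps 4 through 8 above) before the previous password is retired.
$results | Where-Object { -not $_.Success } | ForEach-Object {
    Write-Warning "DSRM password NOT rotated on $($_.DomainController): $($_.Output)"
}
```

After the run, the sync account's password is the DSRM password of every domain controller that reported success, so store it in the same protected location the section describes and never use that account for anything else. Because the sync is a one-time copy, changing the sync account's password later does not change the DSRM password; rerun the script whenever the credential is rotated.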

Source of Information : Sams - Windows Server 2008 R2 Unleashed

