Once a member server has been promoted to a domain controller (DC), its local accounts database (SAM) becomes inaccessible, and logging on to the domain controller with a local account is practically impossible. There is one exception to this rule: Directory Services Restore Mode (DSRM), a special boot mode for domain controllers that is used when there are problems with the directory services.
This mode is used when the Active Directory database is corrupted and needs to be repaired, for AD database maintenance tasks (database compression, error analysis, and so on), to roll back AD from a backup or snapshot, to restore individual objects, or to reset the domain administrator password.
To get into this mode, you’ll need the DSRM Administrator account, which is the domain controller’s only local account.
How to Set DSRM Password?
The DSRM password is specified when a member server is deployed (promoted) to a domain controller.
It is not necessary, however, to remember or write down the DSRM passwords of all DCs: if necessary, the password can be reset quickly with the ntdsutil utility. To reset the DSRM password, log on to the domain controller (as a Domain Administrator, of course), start ntdsutil and enter the following commands at its prompt:
ntdsutil
set dsrm password
reset password on server null
ntdsutil then asks you to type and confirm the new DSRM password; enter q twice to leave the utility.
If you need to change the DSRM administrator password on a remote DC, you can specify the server name in this way:
reset password on server DC3-name
Another option to set the password for DSRM-admin on Windows Server 2008 SP2 (or higher) is to copy (synchronise) the password with the domain account. You can sync with any existing user or create a new one.
For instance, we made a new user called DSRMsync.
To sync the password, run ntdsutil on a domain controller and enter the following commands at its prompt (DSRMsync is the account created above):
ntdsutil
set dsrm password
sync from domain account DSRMsync
q
q
The same sequence as a single command line:
ntdsutil "set dsrm password" "sync from domain account DSRMsync" q q
After that, the domain controller can be accessed locally with the password of that domain account. Note that the synchronisation is a one-time copy: it does not track later changes to the user's password in Active Directory. For regular synchronisation, add the synchronisation command to a startup script or to a Task Scheduler job.
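The following script is an added example (not part of the original article) of the scheduled synchronisation just described: it writes a small sync script to disk and registers a daily Task Scheduler job that runs ntdsutil non-interactively. The account name DSRMsync, the script and log paths, the 03:00 schedule and running the task as SYSTEM are assumptions; adjust them to your environment.

```powershell
# Added example: register a daily task that re-syncs the DSRM administrator
# password from the domain account DSRMsync. Assumed values: account name,
# script/log paths, schedule, and that SYSTEM on the DC is allowed to run
# "set dsrm password" (run it once interactively first to confirm).
$SyncAccount = 'DSRMsync'                                  # assumed account name
$ScriptPath  = 'C:\Scripts\Sync-DsrmPassword.ps1'          # assumed path
$LogPath     = 'C:\Scripts\Sync-DsrmPassword.log'          # assumed path

# Body of the script the task will run. Each ntdsutil sub-command is passed as
# its own quoted argument, which is the same non-interactive form as
#   ntdsutil "set dsrm password" "sync from domain account DSRMsync" q q
# Backtick-escaped $ signs are left for the generated script to evaluate.
$ScriptBody = @"
`$stamp  = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
`$output = & ntdsutil.exe 'set dsrm password' 'sync from domain account $SyncAccount' q q 2>&1 |
           Out-String
Add-Content -Path '$LogPath' -Value "[`$stamp] `$output"
# ntdsutil prints an explanatory message instead of a useful exit code, so
# treat any error-looking text as a failure (assumed English messages).
if (`$output -match 'error|fail|denied') {
    Add-Content -Path '$LogPath' -Value "[`$stamp] DSRM sync from $SyncAccount FAILED"
    exit 1
}
Add-Content -Path '$LogPath' -Value "[`$stamp] DSRM sync from $SyncAccount OK"
"@

New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $ScriptBody -Encoding ASCII

# Register the task: runs as SYSTEM, elevated, every day at 03:00 (assumed).
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '03:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Sync DSRM password' -Action $action -Trigger $trigger `
    -Principal $principal -Force

# Run once immediately and show the result from the log.
Start-ScheduledTask -TaskName 'Sync DSRM password'
Start-Sleep -Seconds 10
Get-Content -Path $LogPath -Tail 3
```

Because the DSRM password is copied, not linked, anyone who can change the DSRMsync account's password in AD effectively controls the DSRM administrator on every DC where this task runs, so protect that account at least as strictly as a Domain Admin account and restrict write access to the script directory to administrators.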
Is it possible to log in to the DC in normal mode as a DSRM administrator?
Previously, the DSRM administrator could log on to the domain controller only after booting into DSRM. Starting with Windows Server 2008, the Active Directory Domain Services service can be stopped from the Services snap-in (services.msc) without a reboot, so the DSRM administrator can now also sign in to the domain controller in normal (non-DSRM) mode.
To enable this, use a small registry trick on the domain controller. The setting of interest is the DWORD value DsrmAdminLogonBehavior in the registry key HKLM\System\CurrentControlSet\Control\Lsa. DsrmAdminLogonBehavior can have one of the following values:
- 0 – the DSRM administrator can log on to the DC only in DSRM mode
- 1 – the DSRM administrator can log on while the AD DS service is stopped
- 2 – the DSRM administrator can log on to the DC at any time
You can change the DsrmAdminLogonBehavior value using the Registry Editor GUI or from the command prompt:
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DsrmAdminLogonBehavior /t REG_DWORD /d 2 /f
Or using PowerShell:
New-ItemProperty -Name DsrmAdminLogonBehavior -Path HKLM:\System\CurrentControlSet\Control\Lsa -PropertyType Dword -Value 1 -Force
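Because a value of 1 or 2 lets a local account that is not subject to domain password policy sign in to a DC outside DSRM, the setting is worth checking across the whole domain after maintenance. The script below is an added example (not from the original article) that reads DsrmAdminLogonBehavior from every domain controller, treats a missing value as the default 0, and flags anything else for review. It assumes the ActiveDirectory PowerShell module is installed and that PowerShell remoting (WinRM) is enabled on the DCs; the function and variable names are the example's own.

```powershell
# Added example: audit DsrmAdminLogonBehavior on all domain controllers.
# Assumes the ActiveDirectory module and WinRM access to each DC.
$RegPath = 'HKLM:\System\CurrentControlSet\Control\Lsa'

# Meaning of each value, as documented in the article above.
$Meaning = @{
    0 = 'DSRM only (default)'
    1 = 'allowed while AD DS is stopped'
    2 = 'allowed at any time'
}

function Get-DsrmLogonBehavior {
    # Returns one object per DC with the current value and the NTDS service state.
    $dcs = (Get-ADDomainController -Filter *).HostName

    Invoke-Command -ComputerName $dcs -ArgumentList $RegPath -ErrorAction Continue -ScriptBlock {
        param($Path)
        $prop = Get-ItemProperty -Path $Path -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
        # An absent value behaves like 0.
        $value = if ($null -eq $prop) { 0 } else { [int]$prop.DsrmAdminLogonBehavior }
        [pscustomobject]@{
            DC        = $env:COMPUTERNAME
            Behavior  = $value
            NtdsState = (Get-Service -Name NTDS).Status
        }
    }
}

$results = Get-DsrmLogonBehavior | Sort-Object DC
foreach ($r in $results) {
    $flag = if ($r.Behavior -ne 0) { 'REVIEW' } else { 'OK' }
    '{0,-20} value={1} ({2}) NTDS={3} {4}' -f $r.DC, $r.Behavior,
        $Meaning[[int]$r.Behavior], $r.NtdsState, $flag
}

# Optional: put every flagged DC back to the default after maintenance.
# Remove the comment to apply it.
# $results | Where-Object Behavior -ne 0 | ForEach-Object {
#     Invoke-Command -ComputerName $_.DC -ArgumentList $RegPath -ScriptBlock {
#         param($Path)
#         Set-ItemProperty -Path $Path -Name DsrmAdminLogonBehavior -Value 0 -Type DWord
#     }
# }
```

If you need the non-default value only for a maintenance window, revert it to 0 afterwards and consider enabling object-access auditing (a SACL) on the Lsa key so that later modifications of DsrmAdminLogonBehavior are recorded in the Security log as registry-modification events.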