Sync DSRM and Domain Admin Passwords

Setting a password for Directory Services Restore Mode is something that is done during the setup of Active Directory.  As a best practice it has always been recommended to change that password on a regular basis, as you would with any other password.  The challenge was the process to do this was complicated and required you to use NTDS in Windows 2003.

This has been addressed in Windows Server 2008 where we can now sync the DSRM password with a Domain Administrator account.  There is a hotfix that needs to be installed which you can download here.  (Note: You do need to request the hotfix and it should be included in SP2)  After it is installed and the server is rebooted, you can run the following command to sync the passwords.

ntdsutil "set dsrm password" "sync from domain account <DomainAdminAccountName>" q q

Popularity: 1%

Written by rodney.buike. Read more great feeds at is source WEBSITE
no comments.
Read more articles on Directory Services and rodney.buike and otherSoftware.

• [+] Digg: Feature this article
• [+] Del.icio.us: Bookmark this article
• [+] Furl: Bookmark this article

Related articles

• Recovering Deleted AD Objects in Server 2008 R2 (February 24th, 2009)
• What’s New in 2008 R2 – Active Directory Recycle Bin (February 23rd, 2009)
• What’s New in 2008 R2 – Offline Domain Join (February 9th, 2009)
• Removing a Windows Server 2008 DC (November 22nd, 2008)
• Server 2008 Domain and Forest Functional Levels (October 5th, 2008)