It is good practice to use a unique Directory Services Restore Mode (DSRM) password for each Domain Controller (DC) in your environment and to reset it at least every six months. The password is first set when a member server is promoted to a Domain Controller.
The DSRM password acts as the local Administrator password on a Domain Controller. Domain Controllers do not have a usable local Administrator account the way member servers and workstations do; the DSRM Administrator account lives in the DC's local SAM rather than in Active Directory. If Active Directory (AD) fails and you cannot log on with domain credentials, you boot the DC into Directory Services Restore Mode and log on locally with the username .\administrator and the DSRM password. Because that password hash is stored on the DC itself and is independent of the domain, a stolen or shared DSRM password is a long-lived way back onto a DC, which is why it should be unique per DC and rotated regularly.
The DSRM password should be unique for each Domain Controller, so the following procedure needs to be done on every DC in your domain:
- Open an elevated PowerShell prompt, type `ntdsutil` and hit Enter.
- At the `ntdsutil:` prompt, type `set dsrm password` and hit Enter.
- To reset the password on the DC you are logged on to, type `reset password on server null` and hit Enter.
- To reset the password on a remote Domain Controller instead, type `reset password on server server_name` and hit Enter. Note: `server_name` is the DNS name of the remote Domain Controller.
- Type the new DSRM password when prompted, then type it once more to confirm.
- At the "Reset DSRM Administrator Password:" prompt, type `q` and hit Enter.
- At the "ntdsutil:" prompt, type `q` and hit Enter to exit the utility.
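The same ntdsutil sequence can be driven from one admin workstation for every DC in the domain, which is how the "do this on all DCs" requirement above is usually met in practice. The script below is an added example, not code from the original post: it enumerates the DCs, runs `ntdsutil "set dsrm password" "reset password on server <dc>" q q` against each one (ntdsutil accepts its menu commands as arguments, but still prompts for the new password twice per DC, so each DC gets its own password typed by hand), logs which DC was rotated when, and finishes with a check that no DC has the `DsrmAdminLogonBehavior` registry value set to allow the DSRM account to log on while AD DS is running. It assumes the RSAT ActiveDirectory module and ntdsutil.exe are installed where it runs, Domain Admin rights, PowerShell Remoting to each DC for the registry check, and the log path shown is an arbitrary choice.

```powershell
# Added example (not part of the original post): rotate the DSRM password on
# every DC with ntdsutil and record the rotation date, then check that the
# DSRM account is only usable in Directory Services Restore Mode.
# Assumptions: RSAT ActiveDirectory module + ntdsutil.exe present locally,
# Domain Admin rights, PowerShell Remoting to each DC. $LogPath is arbitrary.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string]$LogPath = "$env:USERPROFILE\dsrm-rotation.csv"   # assumed log location
)

$dcs = Get-ADDomainController -Filter * | Sort-Object HostName

foreach ($dc in $dcs) {
    Write-Host "`nResetting DSRM password on $($dc.HostName) (use a password unique to this DC)"
    # ntdsutil takes its menu commands as arguments: enter the "set dsrm password"
    # menu, reset the password on the named DC (its DNS name), then the two q's
    # leave the menu and exit the utility. ntdsutil prompts twice for the password.
    & ntdsutil.exe "set dsrm password" "reset password on server $($dc.HostName)" q q

    # Record the rotation so the six-month cadence can be tracked per DC.
    [pscustomobject]@{
        DomainController = $dc.HostName
        ResetAt          = (Get-Date).ToString('s')
        NtdsutilExitCode = $LASTEXITCODE
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# Check: by default (value absent or 0) the DSRM Administrator account can only
# log on when the DC is booted into Directory Services Restore Mode.
# DsrmAdminLogonBehavior = 1 allows logon whenever the AD DS service is stopped;
# = 2 allows logon while AD DS is running, which is a known persistence setting
# and defeats the point of treating DSRM as a break-glass-only credential.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$check = Invoke-Command -ComputerName $dcs.HostName -ScriptBlock {
    $lsa = Get-ItemProperty -Path $using:lsaKey -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainController       = $env:COMPUTERNAME
        DsrmAdminLogonBehavior = if ($lsa) { [int]$lsa.DsrmAdminLogonBehavior } else { 0 }
    }
}

$check | ForEach-Object {
    if ($_.DsrmAdminLogonBehavior -ne 0) {
        Write-Warning "$($_.DomainController): DsrmAdminLogonBehavior = $($_.DsrmAdminLogonBehavior); the DSRM account can be used outside Restore Mode, investigate before trusting this DC"
    } else {
        Write-Host "$($_.DomainController): DsrmAdminLogonBehavior default (0), DSRM logon restricted to Restore Mode"
    }
}
```

Run it from an elevated PowerShell session as a Domain Admin. Watch ntdsutil's own output for each DC ("Password has been set successfully." on success); the exit code is logged for reference only, since the password entry itself is interactive. A non-zero `DsrmAdminLogonBehavior` on a DC you did not deliberately configure that way should be treated as an incident indicator, not just a misconfiguration, and the DSRM password on that DC reset after the investigation.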