16.3. Resetting the Directory Service Restore Mode Administrator Password

Problem

You want to reset the DS Restore Mode administrator password. This password is set individually (i.e., not replicated) on each domain controller, and is initially configured when you promote the domain controller into a domain.

Solution

Using a graphical user interface

  1. For this to work you must be booted into DS Restore Mode (see Recipe 16.2 for more information).

  2. Go to Start → Run.

  3. Type compmgmt.msc and press Enter.

  4. In the left pane, expand System Tools → Local Users and Computers.

  5. Click on the Users folder.

  6. In the right pane, right-click on the Administrator user and select Set Password.

  7. Enter the new password and confirm, then click OK.

Using a command-line interface

With the Windows Server 2003 version of ntdsutil, you can change the DS Restore Mode administrator password of a domain controller while it is live (i.e., not in DS Restore Mode). Another benefit of this new option is that you can run it against a remote domain controller. Here is the sample output when run against domain controller DC1.

> ntdsutil "set dsrm password" "reset password on server DC1"
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server DC1
Please type password for DS Restore Mode Administrator Account: **********
Please confirm new password: **********
Password has been set successfully.
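
Because the password is set per domain controller and can be reset remotely on a live DC, it is worth checking afterwards when, and by whom, it was last reset on each one. The following PowerShell is an added example, not from the book: the function name `Get-DsrmResetEvent` is hypothetical, and it assumes domain controllers running Windows Server 2008 or later with "Audit User Account Management" enabled, so that Security event 4794 (an attempt was made to set the DSRM administrator password) is logged.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the book). Get-DsrmResetEvent is a hypothetical name.
# Assumption: DCs log Security event 4794 when the DSRM password is set.

function Get-DsrmResetEvent {
    param(
        # Default: every DC in the current domain
        [string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName,
        # How far back to search each Security log
        [int]$Days = 365
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4794
        StartTime = (Get-Date).AddDays(-$Days)
    }

    foreach ($dc in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent also raises an error when nothing matches, so
            # "no reset in the window" and "log unreachable" both land here.
            [pscustomobject]@{
                DC = $dc; TimeCreated = $null; ResetBy = $null
                Workstation = $null; Status = $null; Note = $_.Exception.Message
            }
            continue
        }

        foreach ($e in $events) {
            # Flatten the <EventData> name/value pairs into a hashtable
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                DC          = $dc
                TimeCreated = $e.TimeCreated
                ResetBy     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Workstation = $data['Workstation']
                Status      = $data['Status']   # 0x0 indicates success
                Note        = $null
            }
        }
    }
}

Get-DsrmResetEvent | Sort-Object DC, TimeCreated | Format-Table -AutoSize
```

A DC that returns only a `Note` row either had no reset in the search window or could not be queried; a reset by an unexpected account or from an unexpected workstation should be investigated.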

Microsoft added a new command in Windows 2000 Service Pack 2 and later called setpwd. It works similarly to the ...
