Synchronize the DSRM Password with the Windows SBS 2008 Network Administrator Password

Updated: November 28, 2009

Applies To: Windows SBS 2008

Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory. It is used to log on to the computer when Active Directory has failed or needs to be restored. If your network administrator password and the DSRM password are different, DSRM will not boot.

During a clean, first-time install of Windows SBS 2008, the installation program sets the DSRM password to the network administrator account password that you specify during setup or in the Migration answer file. When you change your network administrator password, as is typically recommended every 60 days for increased server security, the password change is NOT pushed to DSRM, which creates a password mismatch. This article outlines the steps to synchronize your network administrator's password with the DSRM password, either manually or automatically.

Prerequisites

To perform the steps below, first install KB961320 or Windows Server 2008 SP2. Restart the computer after installation to ensure that ntdsutil.exe has been updated.

Manually synchronize the DSRM Password with a specified network administrator account

  1. Open a Command Prompt window.

  2. At the command line, run ntdsutil.exe to open the ntdsutil tool.

  3. Type set dsrm password to reset the DSRM password.

  4. Next, either synchronize the DSRM password on a domain controller with a specific domain account, or set the password directly. To synchronize the DSRM password on a domain controller with the current network administrator’s account:

    Type sync from domain account current_network_administrator_account and then press Enter.

For example, the following command uses ntdsutil.exe to synchronize the DSRM password with a network administrator account named Admin.

ntdsutil.exe "set dsrm password" "sync from domain account Admin" q q

Automatically synchronize the password

The network administrator account password will likely be changed periodically. To ensure that the DSRM password is always the same as the current password of the network administrator, we recommend that you create a scheduled task that synchronizes the DSRM password to the network administrator password daily.

  1. From the Start menu, choose Administrative Tools, and then choose Task Scheduler.

  2. Right-click the Task Scheduler in the left panel and then choose Create Task. In the Name text box, type the task name and select the Run with highest privileges option.

  3. Create a trigger to define when the task should be executed:

    1. Click the Triggers tab in the Create Task dialog box, and then click the New button.

    2. We recommend that you set the task to execute daily. In the New Trigger dialog box, in the Settings panel, select Daily, set the task to recur every 1 day, and choose a start time that falls within typical non-business hours.

    3. Press the OK button and return to the Create Task dialog box.

  4. Define the actions in the task.

    1. Click the Actions tab, and then click the New button to open the New Action dialog box.

    2. Choose the action Start a program from the Action drop-down, then browse to C:\WINDOWS\SYSTEM32\ntdsutil.exe.

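    3. Add arguments, including the quotation marks: "set dsrm password" "sync from domain account SBS_network_administrator_account" q q where SBS_network_administrator_account is the current network administrator's account name. Use straight quotation marks; curly quotation marks pasted from a document are passed to ntdsutil.exe as literal characters.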

  5. Click the OK button twice to finish the Create Task wizard.
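
The same daily task can also be created from a Command Prompt window opened as administrator. The following batch file is an added example and is not part of the original article; the account name Admin, the task name and the 02:00 start time are assumptions that you should change for your network.

```batch
@echo off
rem Added example: creates the daily DSRM synchronization task with
rem schtasks.exe instead of the Task Scheduler user interface.
rem ACCOUNT, TASKNAME and START are assumed values; change them as needed.
setlocal
set "ACCOUNT=Admin"
set "TASKNAME=Sync DSRM password"
set "START=02:00"

rem /SC DAILY /MO 1  = recur every 1 day (step 3)
rem /RL HIGHEST      = Run with highest privileges (step 2)
rem /F               = replace a task of the same name if it already exists
rem No /RU is given, so the task is registered for the account that runs
rem this batch file, as in the steps above.
rem The quotation marks around the two ntdsutil commands must reach
rem ntdsutil.exe intact, so each one is escaped as \" inside the /TR value.
schtasks /Create /F /TN "%TASKNAME%" /SC DAILY /MO 1 /ST %START% /RL HIGHEST ^
  /TR "%SystemRoot%\System32\ntdsutil.exe \"set dsrm password\" \"sync from domain account %ACCOUNT%\" q q"
if errorlevel 1 (
    echo Failed to create task "%TASKNAME%".
    exit /b 1
)

rem Print the stored task so that the "Task To Run" line can be compared
rem with the arguments given in step 4.
schtasks /Query /TN "%TASKNAME%" /V /FO LIST
endlocal
```

In the query output, confirm that the Task To Run line shows both quoted ntdsutil commands followed by q q, and that the account name matches the current network administrator account.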