How to synchronize the DSRM password with the Windows Small Business Server 2011 Standard network administrator password

Published: March 10, 2011

Updated: March 17, 2009

Applies To: Windows Small Business Server 2011 Standard

Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory. It is used to log on to the computer when Active Directory has failed or needs to be restored. If your network administrator password and the DSRM password are different, DSRM will not boot.

During a clean, first-time install of Windows SBS 2011 Standard, the installation program sets the DSRM password to the network administrator account password that you specify during setup or in the migration answer file. When you change your network administrator password (typically recommended every 60 days for increased server security), the change is not forwarded to DSRM, which results in a password mismatch. The following procedures describe how to manually or automatically synchronize the network administrator's password with the DSRM password.

To manually synchronize the DSRM password with a network administrator account

  1. At a command prompt, run ntdsutil.exe to open the ntdsutil tool.

  2. To reset the DSRM password, type set dsrm password.

  3. To synchronize the DSRM password on a domain controller with the current network administrator’s account, type:

    sync from domain account <current_network_administrator_account>, and then press ENTER.

Because the network administrator account password will likely be changed periodically, we recommend that you create a scheduled task that synchronizes the DSRM password to the network administrator password daily. This ensures that the DSRM password is always the same as the current password of the network administrator.

To automatically synchronize the DSRM password with a network administrator account

  1. From the Start menu, click Administrative tools, and then click Task Scheduler.

  2. In the left pane, right-click Task Scheduler, and then click Create Task.

  3. In the Name text box, type the task name, and then select the Run with highest privileges option.

  4. Define when the task should run:

    1. In the Create task panel, click the Triggers tab, and then click the New button.

    2. We recommend that you set the task to run daily: In the New Trigger dialog box, click Settings, select Daily, set the task to recur every 1 day, and choose a start time within non-business hours.

    3. Click OK and return to the Create Task dialog box.

  5. Define the actions in the task:

    1. Click the Actions tab, and then click the New button to open the New Action dialog box.

    2. In the Action list, click Start a program, and then browse to C:\WINDOWS\SYSTEM32\ntdsutil.exe.

    3. Type the following (you must include the quotation marks):

      "set dsrm password" "sync from domain account SBS_network_administrator_account" q q

      where SBS_network_administrator_account is the current network administrator's account name.

  6. Click the OK button twice to finish the Create Task Wizard.
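
The same daily task can be registered from an elevated PowerShell prompt on the server instead of through the Task Scheduler dialogs. This is an added example, not part of the original article; the task name, the 02:00 start time, running the task as SYSTEM, and the account-name check are assumptions.

```powershell
# Added example: registers the daily DSRM sync task from task XML using schtasks.exe.
# Assumptions (not from the article): task name, 02:00 start, task runs as SYSTEM.
$AdminAccount = 'SBS_network_administrator_account'  # replace with the current account name
$TaskName     = 'Sync DSRM password'                 # hypothetical task name
$StartTime    = '2011-01-01T02:00:00'                # assumed non-business-hours start

# Conservative check (assumption): refuse names that could break the quoted ntdsutil arguments.
if ($AdminAccount -notmatch '^[A-Za-z0-9._$-]{1,20}$') {
    throw "Unexpected characters in account name: $AdminAccount"
}

$ntdsutil = Join-Path $env:SystemRoot 'System32\ntdsutil.exe'
# Same argument string as the Actions step above, with plain (straight) quotation marks.
$arguments   = '"set dsrm password" "sync from domain account {0}" q q' -f $AdminAccount
$escapedArgs = [System.Security.SecurityElement]::Escape($arguments)

$taskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>$StartTime</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>$ntdsutil</Command>
      <Arguments>$escapedArgs</Arguments>
    </Exec>
  </Actions>
</Task>
"@

$xmlPath = Join-Path $env:TEMP 'dsrm-sync-task.xml'
$taskXml | Out-File -FilePath $xmlPath -Encoding Unicode   # UTF-16, matching the XML declaration
& schtasks.exe /Create /TN $TaskName /XML $xmlPath /F
$exit = $LASTEXITCODE
Remove-Item $xmlPath
if ($exit -ne 0) { throw "schtasks.exe failed with exit code $exit" }
# Show the registered task so the action and schedule can be reviewed.
& schtasks.exe /Query /TN $TaskName /V /FO LIST
```

Building the task from XML avoids nesting the quoted ntdsutil arguments inside a schtasks.exe /TR string. The task definition contains only the account name, not a password.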