Directory services restore mode password and security best practices

The Directory Services Restore Mode (DSRM) password is what you need when you have to reboot a domain controller into Directory Services Restore Mode. There are ways to bring this password under control and automate its maintenance across the environment securely.

Read more about it here:

https://adsecurity.org/?p=1714

Also have a look at the articles below for DSRM password best practices and the related security implications.

https://blogs.technet.microsoft.com/askds/2009/03/11/ds-restore-mode-password-maintenance/

https://adsecurity.org/?p=3592

Here are some of the gotchas and best practices:

  1. Try to ensure that the DSRM account password is different on each RODC and, if possible, on each writable DC too.
  2. One other thing you will notice is that the scheduled task that syncs the DSRM account password via NTDSUTIL.exe will fail on an RODC unless the password of the account it syncs from is cached on that RODC. Cache it with:

repadmin /rodcpwdrepl <Read_Only_Domain_Controller_name> <Writable_Domain_Controller_name> "DN of the service account"

Once the password has been cached successfully from the writable DC to the RODC, the scheduled task will succeed from then on.

  3. To verify that the scheduled task succeeded, check the task logs. You can also verify that the password has been cached and works by setting a registry value on the RODC and logging on to it with the DSRM account credentials, without needing a reboot.

Access DSRM without rebooting (Windows Server 2008 and newer)

  1. Set the registry value DsrmAdminLogonBehavior to 2 using the PowerShell command below:

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

  2. Log on using the DSRM credentials on the console. Make sure to enter the account name as <Computername\Administrator> in the "User name" field, otherwise it will default to logging on as the built-in Administrator of the <domain>.
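
To check both of the points above across a whole domain (the DsrmAdminLogonBehavior value on every DC, and whether the sync task last ran successfully), here is an added PowerShell audit script; it is not from the original post or the linked articles. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs, and the task name 'DSRM-Password-Sync' is only a placeholder.

```powershell
# Added example (not from the original post): audit every DC for the
# DsrmAdminLogonBehavior registry value and the last result of the DSRM
# password-sync scheduled task. Task name below is a placeholder.
param(
    [string]$SyncTaskName = 'DSRM-Password-Sync'   # placeholder; use your real task name
)
Import-Module ActiveDirectory

$regPath = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$regName = 'DsrmAdminLogonBehavior'

$dcObjects = Get-ADDomainController -Filter *
$rodcs     = @($dcObjects | Where-Object IsReadOnly | ForEach-Object HostName)

$report = Invoke-Command -ComputerName $dcObjects.HostName `
    -ArgumentList $regPath, $regName, $SyncTaskName -ScriptBlock {
    param($path, $name, $task)
    # A missing value means the default (0): the DSRM account can only log on
    # while the DC is booted into DSRM. 1 = also when AD DS is stopped,
    # 2 = at any time. 2 is the verification setting from the post; set it
    # back to 0 once the test is done, and treat a DC left at 2 as a finding.
    $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) { $value = 0 }
    # LastTaskResult 0 = success. $info is $null when the task does not exist.
    $info = Get-ScheduledTaskInfo -TaskName $task -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC             = $env:COMPUTERNAME
        LogonBehavior  = $value
        TaskLastRun    = $info.LastRunTime
        TaskLastResult = $info.LastTaskResult
    }
}

$report | Sort-Object DC | Format-Table DC, LogonBehavior, TaskLastRun, TaskLastResult -AutoSize

# Flag what a defender should look at: a non-default logon behaviour, or a
# sync task that is missing or failed (on an RODC that usually means the
# service account's password has not been cached there yet).
foreach ($row in $report) {
    if ($row.LogonBehavior -ne 0) {
        Write-Warning "$($row.DC): DsrmAdminLogonBehavior is $($row.LogonBehavior), expected 0"
    }
    if ($null -eq $row.TaskLastResult -or $row.TaskLastResult -ne 0) {
        $hint = if ($row.PSComputerName -in $rodcs) { ' (RODC: check repadmin /rodcpwdrepl caching)' } else { '' }
        Write-Warning "$($row.DC): task '$SyncTaskName' missing or failed (result $($row.TaskLastResult))$hint"
    }
}
```

Run it from a management host with domain admin rights; every DC reported with LogonBehavior 0 and TaskLastResult 0 is in the expected state.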

  4. You may also want to protect the <Service_Accounts> created for syncing their password to the DSRM account. One good way to protect these critical/privileged accounts is to create a "Service Admins" OU structure in your Active Directory. See the link below for more information, in particular the subsection "Strengthening Security on Service Administration Accounts and Groups".

https://technet.microsoft.com/en-us/library/cc700835.aspx