[Today’s post comes to us courtesy of Shawn Sullivan]
The method in which the Directory Services Restore Mode (DSRM) password is set during an install of SBS 2008 is different than that of Windows Server 2008. Like most component installation in SBS 2008 setup, the dcpromo process is hidden from the user and they will not be prompted to enter a DSRM password.
In a clean install of SBS 2008, SBS setup will synchronize the DSRM password with that of the admin account password that you specify during setup.
During a migration, SBS setup will synchronize the DSRM password with that of the admin account you have specified in the SBS Answer file generator tool when creating the SBSAnswerfile.xml.
In either case, once the DSRM password is set by SBS setup, it does not change. So even if you change your domain administrator password a few months down the road, the DSRM password still remains the same. Therefore, it is extremely important for you to document and secure this information. If you have forgotten the DSRM password (and you can still boot into normal mode), you can manually set it by following the steps in http://support.microsoft.com/kb/322672 (you must type activate instance NTDS after launching NTDSUtil.exe). Example:
When logging into DSRM in SBS 2008, you have two choices:
- If another DC is available to service login requests, you can login to the server using a domain administrator account (http://technet.microsoft.com/en-us/library/cc732714.aspx). This is very convenient if you have forgotten your DSRM password.
- If no other DC is available, you must login locally using “.\administrator” or “machinename\administrator” and the DSRM password.
If you have forgotten your DSRM password, there is no other Domain Controller available to service logins, and you cannot boot into Normal Mode, you will not be able to login to the server.
NOTE: A new feature has recently been released that allows you to synchronize the DSRM password with that of a user account. Details regarding this can be found here http://support.microsoft.com/kb/961320. After you install the feature and reboot the server, you can run the following command to initiate the sync:
ntdsutil “set dsrm password” “sync from domain account <AccountName>” q q
Important: This sync only occurs once. If your user account’s password changes, the DSRM password is not automatically updated and you will need to run the command again