Recipe 16.3 Resetting the Directory Service Restore Mode Administrator Password

16.3.1 Problem

You want to reset the DS Restore Mode administrator password. This password is set individually (i.e., not replicated) on each domain controller, and is initially configured when you promote the domain controller into a domain.

16.3.2 Solution

16.3.2.1 Using a graphical user interface

16.3.2.2 Using a command-line interface

With the Windows Server 2003 version of ntdsutil, you can change the DS Restore Mode administrator password of a domain controller while it is live (i.e., not in DS Restore Mode). Another benefit of this new option is that you can run it against a remote domain controller. Here is the sample output when run against domain controller DC1.

    > ntdsutil "set dsrm password" "reset password on server DC1"
    ntdsutil: set dsrm password
    Reset DSRM Administrator Password: reset password on server DC1
    Please type password for DS Restore Mode Administrator Account: **********
    Please confirm new password: **********
    Password has been set successfully.

In Windows 2000 Service Pack 2 and later, Microsoft added a new command called setpwd. It works similarly to the Windows Server 2003 version of ntdsutil by allowing you to reset the DS Restore Mode password while a domain controller is live. It can also be used remotely.

16.3.3 Discussion

You may be thinking that having a separate DS Restore Mode administrator password can be quite a pain. Yet another thing you have to maintain and update on a regular basis, right? But if you think about it, you'll see that it is quite necessary. Generally, you boot a domain controller into DS Restore Mode when you need to perform some type of maintenance on the Active Directory database. To do this, the database needs to be offline. If the database is offline, then there is no way to authenticate against it. The system has to use another user repository, so it reverts to the legacy SAM database. The DS Restore Mode administrator account and password are stored in the SAM database, just as on standalone Windows clients.

16.3.4 See Also

Recipe 16.2 for booting into Directory Services Restore Mode, MS KB 239803 (How to Change the Recovery Console Administrator Password on a Domain Controller), and MS KB 322672 (HOW TO: Reset the Directory Services Restore Mode Administrator Account Password in Windows Server 2003).