Synchronize DSRM Password with a Domain Account

Hello,

If you ever need to start a Domain Controller in Directory Services Restore Mode, you know the pain of finding the right password. When the DC is up and running, you can reset this password pretty easily with ntdsutil.exe. Managing it by hand is error prone and offers no benefit, so let's make a GPO!


Step 1: Create an AD user to sync the password from:

Manage-DSRM-Password-With-GPO-1

Manage-DSRM-Password-With-GPO-2

Manage-DSRM-Password-With-GPO-3

That's it. Now we need to tell the Domain Controllers to pull the password from this account and set it as their DSRM password.

Step 2: Create a GPO:

Create a GPO and link it to the Domain Controllers OU:

Manage-DSRM-Password-With-GPO-4

Name it:

Manage-DSRM-Password-With-GPO-5

Edit it:

Manage-DSRM-Password-With-GPO-6

Add a scheduled task:

Manage-DSRM-Password-With-GPO-7

Fill in the blanks:

Manage-DSRM-Password-With-GPO-8

The important part is the "Arguments" box (straight quotes, as ntdsutil expects them):

"SET DSRM PASSWORD" "SYNC FROM DOMAIN ACCOUNT DsrmAdmin" Q Q

Choose a schedule; you want to make sure your DC is up and not under load at that time:

Manage-DSRM-Password-With-GPO-9

Your GPO is ready for use!

Step 3 (Optional):

If you're in a hurry and on a recent operating system (>2012 for the management console, >2008 for the DC), you can force a remote gpupdate:

Manage-DSRM-Password-With-GPO-10

Manage-DSRM-Password-With-GPO-11

Manage-DSRM-Password-With-GPO-12

Then, within the next 15 minutes, all of your Domain Controllers will refresh their GPO.
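The three steps above as a PowerShell script, added here as an example; it is not part of the original post. It assumes the RSAT ActiveDirectory and GroupPolicy modules on the management host, the sync account name DsrmAdmin from the post, and an assumed GPO name of "Sync DSRM Password". The scheduled-task preference itself has no cmdlet, so it is still configured in the GPMC as shown above; what the script adds is a wrapper around the ntdsutil line that fails loudly instead of leaving the old DSRM password in place, and a reminder of the audit event the reset produces. Keep in mind that whoever can reset the sync account's password thereby sets the DSRM password on every DC at the next task run, so protect that account like a DC-level credential.

```powershell
# Added example, not the original post's code. Assumed names: sync account
# 'DsrmAdmin' (as in the post), GPO 'Sync DSRM Password', and the RSAT
# ActiveDirectory / GroupPolicy modules on the management host.
#Requires -Modules ActiveDirectory, GroupPolicy

param(
    [string]$SyncAccount = 'DsrmAdmin',
    [string]$GpoName     = 'Sync DSRM Password'
)

# Step 1: the account the DCs copy their DSRM password from.
# It is only a password source: it needs no group membership and no rights.
# Give it a long random password nobody has to type, and restrict its logon
# with your usual "Deny log on ..." rights (outside this script).
function New-DsrmSyncAccount {
    param([string]$Name)
    $existing = Get-ADUser -Filter "SamAccountName -eq '$Name'"
    if ($existing) { return $existing }
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-ADUser -Name $Name -SamAccountName $Name -AccountPassword $password `
        -Enabled $true -PasswordNeverExpires $true `
        -Description 'DSRM password source for domain controllers (do not reuse)' -PassThru
}

# Step 2 (GPO object): create it and link it to the Domain Controllers OU.
# Configure the scheduled task in the GPMC afterwards, with the Arguments box:
#   "set dsrm password" "sync from domain account DsrmAdmin" q q
function New-DsrmSyncGpo {
    param([string]$Name)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Runs ntdsutil DSRM sync on each DC' }
    $dcOu = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"
    # New-GPLink errors if the link already exists; that is fine here.
    $gpo | New-GPLink -Target $dcOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

# Step 2 (task payload): what the scheduled task ends up running on every DC.
# Same ntdsutil arguments as the post, wrapped so a failure is visible.
function Sync-DsrmPassword {
    param([string]$Name)
    # DomainRole 4 = backup DC, 5 = primary DC; ntdsutil is meaningless elsewhere.
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
    if ($role -lt 4) { throw "Not a domain controller (DomainRole=$role)" }
    $output = (& ntdsutil.exe "set dsrm password" "sync from domain account $Name" q q 2>&1) -join "`n"
    if ($output -notmatch 'synchronized successfully') {
        throw "DSRM sync failed on ${env:COMPUTERNAME}:`n$output"
    }
    # Detection note: a DSRM password reset is audited as Security event 4794
    # ("An attempt was made to set the Directory Services Restore Mode
    # administrator password"). Expect one per DC per task run; a 4794 outside
    # the schedule, or from a different process, is worth investigating.
    return $true
}

# Step 3 (optional): force the refresh instead of waiting for it.
function Invoke-DcGpUpdate {
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            Invoke-GPUpdate -Computer $dc.HostName -Target Computer -RandomDelayInMinutes 0 -Force -ErrorAction Stop
            Write-Host "gpupdate queued on $($dc.HostName)"
        } catch {
            Write-Warning "Could not reach $($dc.HostName): $_"
        }
    }
}

# Usage from the management host:
#   New-DsrmSyncAccount -Name $SyncAccount
#   New-DsrmSyncGpo -Name $GpoName
#   Invoke-DcGpUpdate
# Sync-DsrmPassword -Name $SyncAccount is the command to point the task at
# (or to run once by hand on a DC to confirm the account is accepted).
```

Running Sync-DsrmPassword by hand on one DC before rolling out the GPO is the cheapest check that the account and arguments are right; the post's 15-minute window then only has to propagate something already known to work.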
