Home arrow How-To arrow HOW TO: Reset the Directory Services Restore Mode (DSRM)/ Safe Mode Password
HOW TO: Reset the Directory Services Restore Mode (DSRM)/ Safe Mode Password Print E-mail

The Directory Services Restore Mode password is different from the (domain) local administrator's password and is used to logon to a Windows Server Domain Controller in an offline state (Directory Services Restore Mode or Safe mode). If you forget this password, loose your documentation, or simply just wish to change this password you can reset it using the following methods:

Windows Server 2003

In Windows Server 2003 as well as the setpwd.exe utility, you can also reset the Directory Services Restore Mode password with the ntdsutil utility. This is achieved through the command reset dsrm password on server in the set dsrm password section, where can be the DNS name for the server you would like to reset the password on, or null (or localhost) which is the current server.

The following is an example of setting the password:

C:\>ntdsutil
ntdsutil: set dsrm password 
Reset DSRM Administrator Password: reset dsrm password on server null
Please type password for DS Restore Mode Administrator Account: 
Please confirm new password: 

Password has been set successfully.

Note. No characters are shown when you enter the new password. This is by design, and is not an error or bug.


Once you've typed the new password and pressed enter, type quit (q is enough to work) and then quit again.

Reset DSRM Administrator Password: quit

ntdsutil: quit

Windows 2000 Server

In Windows 2000 Server Service Pack (SP) 2 Microsoft incorporated the setpwd.exe utility into Windows. The setpwd utility is used for reseting the Directory Services Restore Mode password, and has the following syntax:

C:\>setpwd /?

Reset Directory Service Restore Mode Administrator Account Password.
SETPWD.EXE [/s:] [/p:]

/s: - Name of the server to use. Optional.
/p: - DS Restore Mode Administrator Account Password. Optional.

See Microsoft Knowledge Base article Q271641 at
http://support.microsoft.com for more information.

C:\>
This utility was updated in Windows 2000 Service Pack (SP) 4 to incorporate additional scripting abilities.

You can also, obviously, change the password when logged into Directory Services Restore Mode. You can either do this through Local Users and Groups (lusrmgr.msc) or via the net command utility, e.g.

C:\>net user administrator *

Will set a blank password.

If you choose to use the local users and groups snap-in, you do this like any other user, as this info. is stored in the local SAM - just like a member or stand-alone server.

Additional information

The DSRM password and the Safe mode password are one and the same. It is also worth noting that the account name is Administrator, regardless of whether or not you have changed (renamed) the administrator account in your domain. This is because the Safe mode/ DSRM password is using an account in a cut-down, local SAM database.

Document information

Author: Paul Williams
Written: 25-09-2004
Version: 2.0
Last updated: 07-08-2007
Last updated by: Paul Williams



Del.icio.us!Technorati!StumbleUpon!Furl!
 
< Prev   Next >