Discussion:
DS Restore mode password - is it perhaps replicated?
2008-06-02 21:42:28 UTC
I wouldn't think that it would be, considering that it's basically the
"workstation" local administrator account, but it always seems that when I restore
my backups in the lab, it's from some non-critical domain controller on which I
wouldn't have performed the "setpwd", and yet I seem to recall it taking the
DS Restore mode password. I spent about 10 minutes Googling but wasn't even
getting close with my search results, so I bagged it and decided to post.

Anyone?
Herb Martin
2008-06-03 01:59:50 UTC
Post by
I wouldn't think that it would be, considering that it's basically the
"workstation" local administrator account, but it always seems that when I
restore my backups in the lab, it's from some non-critical domain
controller on which I wouldn't have performed the "setpwd", and yet I seem to
recall it taking the DS Restore mode password. I spent about 10 minutes
Googling but wasn't even getting close with my search results, so I bagged
it and decided to post.
Anyone?
The Local Administrator or, more formally, the "Directory Restore Mode
Administrative Password" is not replicated but is totally local to that single
DC.

There is essentially a local SAM database, a la NT4 server's accounts
database (outside of a domain.)

It is specific to that one DC.
Ace Fekay [MVP]
2008-06-03 02:47:09 UTC
Post by Herb Martin
The Local Administrator or, more formally, the "Directory Restore Mode
Administrative Password" is not replicated but is totally local to that
single DC.
There is essentially a local SAM database, a la NT4 server's accounts
database (outside of a domain.)
It is specific to that one DC.
And more specifically for the original poster, it's the password that was
set by the administrator while running DCPROMO on that machine to make it a
DC.
--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations
S. Pidgorny <MVP>
2008-06-10 08:08:39 UTC
And it can be reset using a number of tools.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
Post by Ace Fekay [MVP]
Post by Herb Martin
The Local Administrator or, more formally, the "Directory Restore Mode
Administrative Password" is not replicated but is totally local to that
single DC.
There is essentially a local SAM database, a la NT4 server's accounts
database (outside of a domain.)
It is specific to that one DC.
And more specifically for the original poster, it's the password that was
set by the administrator while running DCPROMO on that machine to make it
a DC.
Paul Bergson [MVP-DS]
2008-06-10 13:12:42 UTC
Dean Wells (an AD MVP) has a tool to change the DSRM password on all DCs.

The script is based on SETPWD, available from here, and will reset all DSRM
passwords within a supplied forest:

ftp://falcon.msetechnology.com/scripts/dsrmreset.cmd.txt
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
Post by S. Pidgorny <MVP>
And it can be reset using a number of tools.
Post by Ace Fekay [MVP]
Post by Herb Martin
The Local Administrator or, more formally, the "Directory Restore Mode
Administrative Password" is not replicated but is totally local to that
single DC.
There is essentially a local SAM database, a la NT4 server's accounts
database (outside of a domain.)
It is specific to that one DC.
And more specifically for the original poster, it's the password that was
set by the administrator while running DCPROMO on that machine to make it
a DC.
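An added example, not Dean Wells's dsrmreset.cmd and not SETPWD: a PowerShell script that does the same forest-wide DSRM reset from one console, but with the later ntdsutil "sync from domain account" option. It assumes Windows Server 2008 R2 or newer DCs (the option did not exist on the Win2000/2003 DCs discussed here), the ActiveDirectory module, Domain Admin rights, PowerShell remoting to every DC, and a dedicated domain account named DSRMsync (assumed name) whose current password is the value you want every DC to take.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the thread's tool). The DSRM password is local to each DC and
# never replicates, so the reset has to be executed on every DC individually.
$SyncAccount = 'DSRMsync'   # assumed: account used only to carry the new DSRM value
$Started     = Get-Date

# Get-ADDomainController is per domain, so walk every domain in the forest.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$results = foreach ($dc in $dcs) {
    $out = Invoke-Command -ComputerName $dc.HostName -ArgumentList $SyncAccount -ScriptBlock {
        param($acct)
        # ntdsutil takes its menu commands as arguments; this copies the domain
        # account's password into the local SAM entry used for DSRM on this DC.
        & ntdsutil.exe 'set dsrm password' "sync from domain account $acct" q q 2>&1
    }
    [pscustomobject]@{
        DC      = $dc.HostName
        Success = [bool]($out -match 'synchronized successfully')
        Output  = ($out -join ' ')
    }
}
$results | Format-Table DC, Success -AutoSize

# Verification from the defender's side: each reset logs Security event 4794
# ("An attempt was made to set the Directory Services Restore Mode administrator
# password") on the DC, provided "Audit User Account Management" is enabled.
# Any 4794 you did not schedule is worth an investigation.
foreach ($r in $results | Where-Object Success) {
    $evt = Get-WinEvent -ComputerName $r.DC -FilterHashtable @{
        LogName = 'Security'; Id = 4794; StartTime = $Started
    } -ErrorAction SilentlyContinue
    "{0}: {1} event(s) 4794 since {2:u}" -f $r.DC, @($evt).Count, $Started
}

# The sync account now holds the same secret as every DC's DSRM password, so
# disable it immediately; the DSRM copy on each DC is unaffected by that.
Disable-ADAccount -Identity $SyncAccount
```

Because the sync copies one account's password, every DC ends up with the same DSRM password; if, as Herb argues below, each DC should have its own, use `'reset password on server null'` on each DC instead, which prompts for a distinct value.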
Herb Martin
2008-06-10 15:17:34 UTC
Post by Paul Bergson [MVP-DS]
Dean Wells (an AD MVP) has a tool to change the DSRM password on all DCs.
The script is based on SETPWD, available from here, and will reset all DSRM
passwords within a supplied forest:
ftp://falcon.msetechnology.com/scripts/dsrmreset.cmd.txt
So I am guessing you mean this works even when booted as a DC,
i.e., without being in DSRMode?

Cool.
Jorge de Almeida Pinto [MVP - DS]
2008-06-10 16:05:00 UTC
Yep, it is that simple! ;-)
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
Post by Herb Martin
Post by Paul Bergson [MVP-DS]
Dean Wells (an AD MVP) has a tool to change the DSRM password on all DCs.
The script is based on SETPWD, available from here, and will reset all DSRM
passwords within a supplied forest:
ftp://falcon.msetechnology.com/scripts/dsrmreset.cmd.txt
So I am guessing you mean this works even when booted as a DC,
i.e., without being in DSRMode?
Cool.
Paul Bergson [MVP-DS]
2008-06-10 20:37:12 UTC
Sure, plus you can already set the DSRM password by running setpwd from a
command prompt.
Post by Herb Martin
Post by Paul Bergson [MVP-DS]
Dean Wells (an AD MVP) has a tool to change the DSRM password on all DCs.
The script is based on SETPWD, available from here, and will reset all DSRM
passwords within a supplied forest:
ftp://falcon.msetechnology.com/scripts/dsrmreset.cmd.txt
So I am guessing you mean this works even when booted as a DC,
i.e., without being in DSRMode?
Cool.
Herb Martin
2008-06-11 01:47:07 UTC
Post by Paul Bergson [MVP-DS]
Sure, plus you can already set the DSRM password by running setpwd from a
command prompt.
Sorry -- should have put this in the previous: And it works on Win2000 DCs?
Post by Herb Martin
Post by Paul Bergson [MVP-DS]
Dean Wells (an AD MVP) has a tool to change the DSRM password on all DCs.
The script is based on SETPWD, available from here, and will reset all DSRM
passwords within a supplied forest:
ftp://falcon.msetechnology.com/scripts/dsrmreset.cmd.txt
So I am guessing you mean this works even when booted as a DC,
i.e., without being in DSRMode?
Cool.
Paul Bergson [MVP-DS]
2008-06-11 12:44:11 UTC
Yes
Post by Herb Martin
Post by Paul Bergson [MVP-DS]
Sure, plus you can already set the DSRM password by running setpwd from a
command prompt.
Sorry -- should have put this in the previous: And it works on Win2000 DCs?
Post by Herb Martin
Post by Paul Bergson [MVP-DS]
Dean Wells (an AD MVP) has a tool to change the DSRM password on all DCs.
The script is based on SETPWD, available from here, and will reset all DSRM
passwords within a supplied forest:
ftp://falcon.msetechnology.com/scripts/dsrmreset.cmd.txt
So I am guessing you mean this works even when booted as a DC,
i.e., without being in DSRMode?
Cool.
Jorge de Almeida Pinto [MVP - DS]
2008-06-03 16:27:52 UTC
Nope, it is not replicated to other DCs. It is a local configuration for a
specific DC only.
Post by
I wouldn't think that it would be, considering that it's basically the
"workstation" local administrator account, but it always seems that when I
restore my backups in the lab, it's from some non-critical domain
controller on which I wouldn't have performed the "setpwd", and yet I seem to
recall it taking the DS Restore mode password. I spent about 10 minutes
Googling but wasn't even getting close with my search results, so I bagged
it and decided to post.
Anyone?
2008-06-03 22:34:33 UTC
Weird, I must have set it on all the domain controllers. But of course it
is logical since it is identical to the local Administrator account, still
existing "underground" when DS is not running on the DC.

Thanks for clearing it up.


Post by Jorge de Almeida Pinto [MVP - DS]
Nope, it is not replicated to other DCs. It is a local configuration for a
specific DC only.
Post by
I wouldn't think that it would be, considering that it's basically the
"workstation" local administrator account, but it always seems that when I
restore my backups in the lab, it's from some non-critical domain
controller on which I wouldn't have performed the "setpwd", and yet I seem to
recall it taking the DS Restore mode password. I spent about 10 minutes
Googling but wasn't even getting close with my search results, so I bagged
it and decided to post.
Anyone?
Herb Martin
2008-06-03 22:54:54 UTC
Post by
Weird, I must have set it on all the domain controllers. But of course it
is logical since it is identical to the local Administrator account, still
existing "underground" when DS is not running on the DC.
Thanks for clearing it up.
You are required to set it when running DCPromo -- many people set it
to whatever password the server had previously (before it started
becoming a DC) or to the domain admin password.

The latter is a VERY poor choice as this sensitive password should
NEVER be reused anywhere.

The local (DSRestore) password does not need to be AS secure in
most cases IF you lock up your DCs in controlled rooms where
only trusted admins have entry.

IF they are exposed, either in the open or with non-trusted people
admitted to their location then again these passwords need to be
VERY secure.

A secure password is never used in more than one place -- because
if one of the locations is compromised this would compromise ALL
of them.
Post by
Post by Jorge de Almeida Pinto [MVP - DS]
Nope, it is not replicated to other DCs. It is a local configuration for a
specific DC only.