When a Windows Server machine is promoted to a domain controller (DC), the Directory Services Restore Mode (DSRM) password is created for the local administrator account. This password is used only when booting into the recovery console or Directory Services Restore Mode. If you forget the DSRM password, you can’t use the recovery console or restore the Active Directory (AD) database.
Change or Reset the DSRM Administrator Password
If you can log on to the domain controller using the domain administrator account, you can use the NT Directory Services utility (Ntdsutil.exe) to change the DSRM administrator password. To do so, follow these steps:
- Log on to the domain controller using an account with administrative rights.
- Go to Start | Run, type cmd, and press [Enter].
- At the command prompt, type cd %SystemRoot%\System32, and press [Enter].
- Type ntdsutil, and press [Enter].
- Type set dsrm password, and press [Enter].
- At the DSRM command prompt, you can reset the password for either the server on which you’re working or for another server. For the former, type reset password on server null, and enter the new password when prompted. (No characters will appear when you type the password.)
To reset the password for another server, type reset password on server <servername> (where <servername> is the DNS name for the server in question), and enter the new password when prompted. (No characters will appear when you type the password.)
- At the DSRM command prompt, type q to exit.
- At the Ntdsutil command prompt, type q to exit the utility and return to the command prompt.
It’s always a good practice to store the password in a password manager or similar safe place.
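After the reset, it is worth confirming that the change was audited and that no other DSRM password changes occurred on your domain controllers. The PowerShell below is an added example, not part of the original article. It assumes the "Audit User Account Management" policy is enabled (so each DSRM password set attempt is logged as Security event ID 4794), and the server names are placeholders.

```powershell
# Added example: list DSRM password set attempts (Security event 4794) per DC.
# Assumptions: "Audit User Account Management" auditing is enabled on each DC,
# and the DNS names below are placeholders to replace with your own DCs.
$DomainControllers = @('dc01.example.test', 'dc02.example.test')
$Since = (Get-Date).AddDays(-7)   # review window; adjust as needed

$report = foreach ($dc in $DomainControllers) {
    # Get-WinEvent raises an error when nothing matches or the host is
    # unreachable; both cases are suppressed here and reported as "no event".
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4794
        StartTime = $Since
    }

    if (-not $events) {
        [pscustomobject]@{
            DC     = $dc
            Time   = $null
            Result = 'no 4794 event in window (or log not readable)'
            Detail = $null
        }
        continue
    }

    foreach ($e in $events) {
        [pscustomobject]@{
            DC     = $dc
            Time   = $e.TimeCreated
            Result = $e.KeywordsDisplayNames -join ','      # Audit Success / Audit Failure
            Detail = ($e.Message -split "`r?`n")[0]         # first line of the event text
        }
    }
}

$report | Sort-Object DC, Time | Format-Table -AutoSize -Wrap
```

An entry whose time does not match a planned reset, or an Audit Failure entry, is worth investigating, since the DSRM account is a local administrator on the domain controller.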