Jump to content

Directory Services Restore Mode

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Garyp01 (talk | contribs) at 12:30, 14 May 2013. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Directory Services Restore Mode (DSRM) is used on a Microsoft Windows Domain Controller to take the Active Directory on that machine offline.

How to Boot

To boot into DSRM, the user can reboot the computer and press F8 during the start-up sequence. The following options will be displayed:

  • Safe Mode
  • VGA Mode
  • Last Known Good Configuration
  • Directory Services Restore Mode

The user must select Directory Services Restore Mode.

Password

In Windows 2000, the DSRM password is typically created as a null value (blank), which is also the Recovery Console password. In Windows Server 2003, a DSRM password must be defined when DCPromo is run.

As with any highly privileged administrative login, the DSRM password should be changed at regular intervals because absent third-party auditing controls, anyone with the password who has access to the domain controller can reboot the machine, copy and modify the Active Directory database, and reboot the server without leaving any trace of the activity. [1] DSRM password changes cannot be scripted, but can be accomplished manually through the command line; DSRM passwords can also be automatically changed and audited using Privileged Identity Management software.[2]

Partial Deprecation

Microsoft Windows 2008 R2 Server has introduced a new Active Directory "Recycle Bin" feature, which works analogously to the well-known Windows recycle bin. [1] Using the ADRB functionality allows on-line restoration of accidentally-deleted AD objects, alleviating the need to take a DC off-line for minor recovery tasks, e.g. to revive a few users or an OU. The new "AD Recycle Bin" facility is only available at the native 2008 R2 domain and forest levels or higher.

References

  1. ^ "Secure the DSRM Password, TechRepublic, 5/11/2006". {{cite web}}: Cite has empty unknown parameter: |1= (help)
  2. ^ "Directory Services Restore Mode Security, Lieberman Software, accessed 7/12/2012". {{cite web}}: Cite has empty unknown parameter: |1= (help)

See also