Directory Services Restore Mode (DSRM) is a special boot mode in Microsoft Windows Server operating systems used to perform maintenance tasks on Active Directory (AD) Domain Services, such as restoring or repairing a failed domain controller.
When a domain controller fails or experiences critical issues, booting in normal mode may not be possible. In such cases, DSRM can be used to boot the domain controller in a mode where the AD database can be repaired or restored from backup.
In DSRM, the domain controller starts with only essential services loaded; the Active Directory Domain Services (NTDS) service is not started, so the database file (ntds.dit) is offline and logon uses the DC's local SAM rather than the domain. This allows administrators to work on the AD database directly and perform maintenance tasks such as restoring it from backup, checking and repairing it, defragmenting it offline, and resetting the DSRM password.
Note. Check our guide on how to log in with a local Windows account instead of a domain account.
What Can You Do in DSRM?
When a domain controller is booted in Directory Services Restore Mode (DSRM), administrators can perform several maintenance tasks related to Active Directory (AD) Domain Services. Some of the common tasks that can be performed in DSRM include:
- Restoring Active Directory data: DSRM is where a system state backup is restored (for example with wbadmin), followed, if needed, by marking objects authoritative with ntdsutil authoritative restore, after failure, corruption, or accidental deletion.
- Checking and repairing the AD database: ntdsutil file integrity checks and semantic database analysis can only run against an offline ntds.dit, and DSRM is the supported way to take it offline on a DC that will not boot normally.
- Resetting the DSRM password: the DSRM password can be changed with ntdsutil, as described below, if it was lost or must be rotated.
- Performing offline defragmentation: ntdsutil files compact rebuilds ntds.dit into a new file to reclaim space and improve performance; this also requires the database to be offline.
Reset the DSRM Password
DSRM requires a special password set during the Active Directory Domain Services installation.
This password should be kept safe and known only to the domain administrator or designated IT personnel responsible for maintaining the domain controllers.
But don’t worry if the DSRM password was lost or forgotten. You can still reset it using the ntdsutil utility, and here’s how.
Related post. Check our tutorial on using Ntdsutil tool to manage Active Directory.
- Open a CMD window as admin and run ntdsutil.
- Type set dsrm password and press Enter.
- Type **reset password on server NULL** and press Enter. The NULL part assumes that you’re resetting the DSRM password on the local machine. If resetting the DSRM password on a remote server, replace NULL with the remote server name.
- Enter the new DSRM password and press Enter.
- Re-enter the password and press Enter.
- Type quit and press Enter to exit the Reset DSRM Administrator Password context.
- Type quit and press Enter to exit ntdsutil.
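The interactive ntdsutil sequence above resets the password on one DC at a time, and the DSRM password lives in each DC's local SAM, so it is not replicated. For fleet-wide rotation, ntdsutil also offers `sync from domain account <user>`, which copies a domain account's password to the local DSRM account. The script below is an added example, not code from the original article: it runs that command on every writable DC over PowerShell Remoting. The account name DsrmSync is a hypothetical, dedicated, unprivileged account you create beforehand; the success string it matches on is the message ntdsutil is assumed to print when the sync completes.

```powershell
# Added example (not from the original article): rotate the DSRM password on every
# writable DC by synchronizing it from a dedicated domain account with
# ntdsutil "set dsrm password" "sync from domain account <user>".
# Assumptions: RSAT ActiveDirectory module installed, PowerShell Remoting enabled
# on the DCs, and the account name below (DsrmSync) is hypothetical.
#Requires -Modules ActiveDirectory
param(
    [string]$SyncAccount = 'DsrmSync'   # hypothetical account whose password becomes the DSRM password
)

# Sanity check: the account must exist and should not carry privileged group membership,
# because anyone who knows its password now knows the DSRM password on every DC.
$acct = Get-ADUser -Identity $SyncAccount -Properties MemberOf
if ($acct.MemberOf.Count -gt 0) {
    Write-Warning "$SyncAccount is a member of $($acct.MemberOf.Count) group(s); use an unprivileged account"
}

# Writable DCs only; 'null' in the ntdsutil command means "this server", so run it locally on each DC.
$results = foreach ($dc in Get-ADDomainController -Filter 'IsReadOnly -eq $false') {
    $output = Invoke-Command -ComputerName $dc.HostName -ArgumentList $SyncAccount -ScriptBlock {
        param($account)
        & ntdsutil.exe 'set dsrm password' "sync from domain account $account" 'q' 'q' 2>&1
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        # 'synchronized successfully' is the success message assumed for ntdsutil; treat anything else as a failure
        Synchronized     = [bool](($output -join "`n") -match 'synchronized successfully')
        LastLine         = ($output | Select-Object -Last 1)
    }
}
$results | Format-Table -AutoSize
```

Rotate by changing the DsrmSync password and re-running the script; the sync is a one-time copy, so a later change to the domain account does nothing until the command runs again. Because the sync account's password is now the DSRM password everywhere, treat that account as tier 0 and watch for its password being read or changed.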
Note. Check the Join Domain and Login over a VPN Connection article.
Boot to DSRM
On older Windows Server versions you could press F8 right after the power-on self-test (POST) to open the Advanced Boot Options menu. Since Windows Server 2012 the boot menu policy defaults to "standard", which skips the F8 prompt so the system boots faster, and the key press is rarely caught in time.
So how do you access the Advanced Boot Options? Here are the different ways.
Method 1: SHIFT+Restart
Click Start > Power > Hold SHIFT and click Restart.
Method 2: Shutdown Command
Open the Run dialog (or an elevated command prompt) and run shutdown /r /o. The /o flag was introduced in Windows Server 2012, must be combined with /r, and restarts straight into the Advanced Startup options menu.
Method 3: Systems Settings App
Open the Windows Settings app. Click Update & Security > Recovery > Advanced startup > Restart now.
When the computer restarts, click Troubleshoot.
Click Startup Settings.
Click Restart.
Once the Startup Settings (Advanced Boot Options) menu appears, select Directory Services Repair Mode by pressing the number or function key shown beside it.
Click "Other user" on the logon screen. Type .\Administrator (the DC's local Administrator account, which is what the DSRM account is) as the username and enter the DSRM password. Domain accounts cannot log on here because AD DS is not running.
You can now troubleshoot the DC.
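All three methods above need the interactive Advanced Startup menu, which is awkward over a remote console or a headless server. The script below is an added example, not code from the original article, that uses bcdedit's safeboot dsrepair setting to make the next boot land in DSRM without touching the menu, and removes the setting again with -Revert. It assumes an elevated PowerShell session on the DC itself; the optional -EnableF8Menu switch restores the legacy F8 menu mentioned earlier.

```powershell
# Added example (not from the original article): boot a DC straight into DSRM
# with bcdedit instead of the Advanced Startup menu. Assumption: run elevated on the DC.
# "safeboot dsrepair" makes every following boot come up in DSRM until it is removed,
# so always run -Revert when the maintenance is finished.
param(
    [switch]$Revert,        # remove the safeboot setting and restart normally
    [switch]$EnableF8Menu   # also restore the legacy F8 Advanced Boot Options menu
)

function Get-SafebootSetting {
    # Parse the current boot entry; returns the safeboot value or $null when it is not set.
    # '{current}' must be quoted, otherwise PowerShell passes it to bcdedit as a script block.
    foreach ($line in (bcdedit /enum '{current}')) {
        if ($line -match '^\s*safeboot\s+(\S+)\s*$') { return $Matches[1] }
    }
    return $null
}

if ($Revert) {
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    if (Get-SafebootSetting) { throw 'safeboot value is still present; not restarting' }
    Write-Host 'DSRM boot flag removed; restarting into normal mode'
    Restart-Computer -Force
    return
}

if ($EnableF8Menu) {
    # Brings back the F8 prompt that the "standard" boot menu policy skips since Server 2012.
    bcdedit /set '{current}' bootmenupolicy legacy | Out-Null
}

bcdedit /set '{current}' safeboot dsrepair | Out-Null
if ((Get-SafebootSetting) -ne 'dsrepair') { throw 'failed to set safeboot dsrepair' }
Write-Host 'Next boot enters DSRM. Log on as .\Administrator with the DSRM password, then run this script with -Revert.'
Restart-Computer -Force
```

Because the setting persists in the BCD store, a DC left with safeboot dsrepair set will keep booting into DSRM (and therefore stay out of service as a domain controller) until -Revert is run.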
Can I Log In to Normal Mode using the DSRM Administrator Account?
Yes, you can. Starting with Windows Server 2008, the DSRM administrator account (the DC's local Administrator) can be allowed to log on without booting into DSRM.
All you need to do is set the following registry value to 1 or 2 (see the table; the default, 0, restricts the account to DSRM). For example, to allow logon only while AD DS is stopped:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DsrmAdminLogonBehavior"=dword:00000001
DsrmAdminLogonBehavior can have one of these three values. The value does not exist by default, and a missing value behaves like 0.

Value | Meaning
---|---
0 | The DSRM administrator can log on to the DC only in DSRM (default).
1 | The DSRM administrator can log on in normal mode, but only while the Active Directory Domain Services (NTDS) service is stopped.
2 | The DSRM administrator can log on to the DC at any time. This is the least secure setting.

Keeping the security level of each in mind, change the value only for the duration of the maintenance and set it back to 0 afterwards. Value 2 turns a local account that is never part of domain password policy, tiering, or Protected Users into a standing logon path to a domain controller, which is why it is a known persistence trick; enable auditing on the Lsa key and alert on changes to this value.
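Since a DC with this value set to 2 is indistinguishable from a healthy one unless someone looks, the check is worth automating. The script below is an added example, not code from the original article: it reads DsrmAdminLogonBehavior on every DC over PowerShell Remoting, treats a missing value as 0, and flags anything else for review. It assumes the RSAT ActiveDirectory module and Remoting access to the DCs.

```powershell
# Added example (not from the original article): audit DsrmAdminLogonBehavior on all DCs.
# Anything other than 0 (or absent, which behaves as 0) outside a maintenance window is suspicious.
# Assumptions: RSAT ActiveDirectory module installed and PowerShell Remoting enabled on the DCs.
#Requires -Modules ActiveDirectory

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$meaning = @{
    0 = 'DSRM only (default)'
    1 = 'normal-mode logon while NTDS is stopped'
    2 = 'normal-mode logon at any time (least secure)'
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ArgumentList $keyPath -ScriptBlock {
            param($path)
            $item = Get-ItemProperty -Path $path -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
            if ($null -eq $item) { 0 } else { [int]$item.DsrmAdminLogonBehavior }   # absent value behaves as 0
        }
        $status = if ($value -eq 0) { 'OK' } else { 'REVIEW' }
        $text   = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { "unexpected value $value" }
    } catch {
        $value  = $null
        $status = "UNREACHABLE: $($_.Exception.Message)"
        $text   = ''
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        Value            = $value
        Meaning          = $text
        Status           = $status
    }
}

$report | Sort-Object Status -Descending | Format-Table -AutoSize
# Non-zero exit code makes this usable from a scheduled task or monitoring job.
if ($report | Where-Object Status -ne 'OK') { exit 1 }
```

For real-time detection rather than periodic audit, add a SACL for Set Value on HKLM\SYSTEM\CurrentControlSet\Control\Lsa and enable the Audit Registry subcategory; a change to the value then produces Security event 4657 on the DC, which can be forwarded and alerted on.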
Enable DSRM Administrator Login in Normal Mode When the AD DS Service Is Stopped
- To enable DSRM administrator logon in normal mode while the AD DS service is stopped, set the value to 1:
New-ItemProperty `
-Name DsrmAdminLogonBehavior `
-Path HKLM:\System\CurrentControlSet\Control\Lsa `
-PropertyType Dword `
-Value 1 `
-Force
- Stop the Active Directory Domain Services service and log off from the current session. Services such as Kerberos Key Distribution Center and DNS Server depend on NTDS, so Stop-Service refuses to stop it without -Force, and they stop along with it:
Stop-Service NTDS -Force
- Log on using the DSRM administrator account: enter .\Administrator as the username with the DSRM password. Domain logons to this DC are not possible while NTDS is stopped.
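The three steps above open the maintenance window; what the article does not show is closing it, and a DC that is left with NTDS stopped, or with the registry value still at 1, is the usual result of forgetting. The script below is an added example, not code from the original article, that performs the steps with verification and, with -Close, puts the value back to 0, starts NTDS, and restarts the dependent services that Stop-Service -Force took down. It assumes an elevated PowerShell session on the DC itself.

```powershell
# Added example (not from the original article): open and close the maintenance window in which
# the DSRM account may log on while AD DS is stopped. Assumption: run elevated on the DC itself.
param([switch]$Close)   # -Close reverts DsrmAdminLogonBehavior to 0 and brings AD DS back

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name = 'DsrmAdminLogonBehavior'

function Set-DsrmLogonBehavior([int]$Value) {
    # Write the DWORD and read it back, so a failed or policy-reverted write is caught immediately.
    New-ItemProperty -Path $lsa -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
    $actual = (Get-ItemProperty -Path $lsa -Name $name).$name
    if ($actual -ne $Value) { throw "$name is $actual, expected $Value" }
}

if ($Close) {
    Set-DsrmLogonBehavior 0
    Start-Service NTDS
    # Start-Service does not start the services that were stopped as dependents of NTDS,
    # so start every automatic-start dependent (KDC, DNS Server, DFSR, ...) explicitly.
    foreach ($svc in (Get-Service -Name NTDS -DependentServices)) {
        if ((Get-Service -Name $svc.Name).StartType -eq 'Automatic' -and $svc.Status -ne 'Running') {
            Start-Service -Name $svc.Name
        }
    }
    Get-Service -Name NTDS -DependentServices | Format-Table Name, Status -AutoSize
    Write-Host 'Maintenance window closed: DSRM logon restricted to DSRM again, AD DS running.'
    return
}

# Open the window: allow DSRM logon only while NTDS is stopped (value 1, never 2), then stop NTDS.
Set-DsrmLogonBehavior 1
Stop-Service -Name NTDS -Force        # -Force is required because KDC, DNS Server and others depend on NTDS
if ((Get-Service -Name NTDS).Status -ne 'Stopped') { throw 'NTDS did not stop; reverting' ; Set-DsrmLogonBehavior 0 }
Write-Host 'Log off, log on as .\Administrator with the DSRM password, and run this script with -Close when finished.'
```

Note that while NTDS is stopped this DC also stops answering Kerberos and AD-integrated DNS, so clients should be pointed at another DC for the duration, and the -Close step is what restores that service.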
Conclusion
Accessing a domain controller with the local DSRM account can be useful and sometimes necessary for administrators, especially in emergencies. It requires a careful understanding of the underlying technologies, including Active Directory, and of what the account can do once it is allowed outside DSRM.
The steps outlined in this post can serve as a guide for performing the task, but the process should be used only in limited circumstances and with caution: keep the DSRM password protected and rotated, leave DsrmAdminLogonBehavior at 0 outside maintenance windows, and monitor the value on every DC. Follow your established security procedures and consult with the responsible IT staff whenever possible.