Reset the Directory Services Restore Mode (DSRM) Password

The Directory Services Restore Mode password is the credential nobody uses until the day they desperately need it. It is a local Administrator account on the domain controller, set when AD DS is installed, that exists outside the directory itself — the only account you can sign in with when AD is offline. Authoritative restores from a system-state backup, post-corruption recovery, and any operation that requires ntds.dit to be unmounted run from this account. If you cannot remember the password, none of those recoveries will work the moment you actually need them.

The fix is simple, runs from a normal elevated PowerShell against a healthy DC, and does not require the old DSRM password. ntdsutil rotates the credential in place. The catch is that the only way to verify the new password actually works is to reboot into DSRM and sign in — so the procedure has two halves: reset (a few minutes) and verify (a reboot, plus another reboot back to normal).

Server Manager Local Server view of a domain controller named Test-DC2 in fortesting.local — The starting state — a healthy domain controller (*Test-DC2* in *fortesting.local*) where the DSRM password has been forgotten. The fix runs entirely from this DC’s elevated PowerShell.

This walkthrough shows both halves on a real domain controller (Test-DC2 in fortesting.local): rotate the DSRM password with ntdsutil, reboot into DSRM, sign in as .\administrator with the new password, observe what AD looks like in repair mode (offline, services stopped), reboot back to normal, and confirm the directory is healthy again.

Why DSRM Matters

Authoritative restore. If a tombstoned object needs to come back — an OU, a security group, a user — the only sanctioned path is a system-state restore in DSRM, then ntdsutil › authoritative restore to mark the recovered object so it overrides replication.
Database corruption. ntds.dit is a Jet/ESE database. If it corrupts, the offline integrity check (ntdsutil › files › integrity) only runs when AD DS is stopped — which means DSRM.
Last-DC recovery. Single-DC environments that lose Active Directory for any reason recover via a system-state restore, which boots into DSRM. No DSRM password, no recovery.

The password rotates independently of the domain administrator credentials. It is set once at promotion (Install-ADDSDomainController -SafeModeAdministratorPassword) and stays put forever unless someone explicitly changes it. Document it in the same vault you keep break-glass credentials in, and rotate it on the same cadence.

Pre-flight

You need:

An account with Domain Admins membership — required to launch ntdsutil against the local DC and to log in normally afterwards.
RDP or console access to the domain controller. The reset itself runs from any elevated PowerShell on the DC; the verification half requires a real reboot.
A maintenance window. The DC will be offline during the DSRM verification reboots — in a multi-DC environment, replication catches up automatically; in a single-DC environment, the directory is fully unavailable for 5–10 minutes.

If this DC is the only DC in the domain, schedule the verification half for a window where five minutes of AD downtime is acceptable, and confirm with Get-ADDomainController -Filter * that no other DC needs to be quiesced first.

Capture the current ADUC view before you start, so you can spot-check it after the verify-and-return cycle:

Active Directory Users and Computers showing the OU structure and Domain Controllers container of the fortesting.local domain — The current OU structure in *dsa.msc*. Capture this so you can compare against the same view from inside DSRM later — the differences are the proof the password reset worked.

Step 1: Reset the DSRM Password with ntdsutil

Open an elevated Windows PowerShell on the DC. Launch ntdsutil and step into the DSRM password subcommand:

ntdsutil
activate instance ntds
set dsrm password
reset password on server null

The keyword null means “the local DC.” To reset the DSRM password on a different DC, replace null with the target DC’s hostname:

reset password on server DC02

ntdsutil prompts for the new password twice. Pick something that satisfies your domain’s password complexity policy — long, mixed-case, with digits and symbols — and store it in your password vault before you confirm. Once both prompts match you get Password has been set successfully. Type q twice to exit:

Elevated Windows PowerShell session showing the full ntdsutil set dsrm password / reset password on server null command sequence — The whole password reset in one elevated PowerShell session: `ntdsutil` → `set dsrm password` → `reset password on server null` → type and confirm the new password → `q` twice to exit. The *null* keyword means “the local DC.”

The reset is now in effect. Nothing has rebooted, no users were affected, AD continues running. The remaining steps verify that the new password works, which matters because a typo at the password prompt produces no error — ntdsutil just confirms whatever you typed.

Step 2: Reboot into Directory Services Repair Mode

Reboot the DC. As Windows Server starts, press F8 to open Advanced Boot Options and pick Directory Services Repair Mode:

Windows Server Advanced Boot Options menu with Directory Services Repair Mode highlighted — Reboot the DC and press F8 at the boot screen to open *Advanced Boot Options*. Pick *Directory Services Repair Mode*. On modern hardware where F8 does not reach the menu, set the boot mode to Safe Mode + Active Directory repair via `bcdedit /set safeboot dsrepair` from an elevated prompt and reboot.

On modern Hyper-V VMs and most physical hardware, F8 does not reach the menu reliably. The portable workaround is to set the next boot to Safe Mode › AD repair from an elevated prompt before rebooting:

bcdedit /set safeboot dsrepair
shutdown /r /t 0

The DC reboots straight into DSRM. (Remember to run bcdedit /deletevalue safeboot after verification — otherwise it boots into DSRM forever.)

Step 3: Sign In as the Local Administrator

The DSRM logon screen looks like a normal Windows logon, but the rules are different. The domain itself is offline — you cannot use a domain account.

Windows logon screen in DSRM mode rejecting a domain administrator account — In DSRM, the domain account is not valid — the directory is offline. The error here is expected and confirms you actually rebooted into DSRM rather than a normal Safe Mode session.

Pick Other user and enter:

Username: .\administrator — the leading .\ tells Windows to use the local SAM, not the domain.
Password: the DSRM password you just set with ntdsutil.

Windows logon screen with Other user selected and .\\administrator typed in the username field — Pick *Other user*, enter `.\\administrator` (the leading `.\\` tells Windows to use the local SAM, not the domain), and type the **new DSRM password** — not the local admin password and not your domain admin password.

Do not type the local-administrator password and do not type your domain administrator password — both fail. The DSRM password is its own credential, completely separate from the local admin and the domain admin.

The desktop comes up with Safe Mode watermarks in all four corners. DSRM is a specialized Safe Mode where AD DS is intentionally not running:

Windows desktop with Safe Mode watermarks in all four corners and a callout reading We are in safe mode now — The desktop comes up with *Safe Mode* watermarks in all four corners. DSRM is implemented as a special Safe Mode where the AD DS database is mounted offline as flat files instead of a running directory service.

Step 4: Confirm the Directory Is Offline

This step is optional but worth doing once so you understand what DSRM looks like. Open Server Manager — AD DS reports a services issue:

Server Manager Dashboard showing the AD DS service group with red exclamation indicating Services issue — In DSRM, *AD DS* reports services issues in Server Manager. This is normal — the directory is intentionally not running so it can be repaired or restored.

Drill into the AD DS services view. NTDS, Intersite Messaging, DFS Replication, DNS Server, and KDC are all stopped:

AD DS Services Detail View listing NTDS, Intersite Messaging, DFSR, DNS Server, and Kerberos KDC all in Stopped state — Drilling into *Services* shows *NTDS*, *Intersite Messaging*, *DFS Replication*, *DNS Server*, and *KDC* all stopped with start type *Automatic*. Authoritative restore tools (`ntdsutil` › `authoritative restore`) operate against the offline database while these are stopped.

Trying to start them manually fails with One or more services cannot be started:

This is the protective behaviour DSRM is built around. The directory database (ntds.dit) is mounted as flat files instead of a running service, so ntdsutil’s file-mode commands (integrity check, defragment, soft / hard recovery) and authoritative-restore commands can run safely without an active replication topology fighting them.

dsa.msc opens but cannot connect to the directory — the root carries a red cross because there is nothing to bind to:

Active Directory Users and Computers in DSRM showing only the root node with a red cross icon and no readable directory data — *dsa.msc* opens but cannot connect to the directory — the root node carries a red cross. This is expected in DSRM and is exactly the state authoritative restores need: the directory is offline and the database file (`ntds.dit`) can be replaced or modified safely.

If any of those things looked normal, you would be in regular Safe Mode, not DSRM. The combination of Safe Mode watermarks plus stopped AD services plus an empty dsa.msc is what confirms you actually rebooted into DSRM and signed in with the right credential.

Step 5: Reboot Back to Normal

Restart the server. Do not press F8 this time. If you used bcdedit /set safeboot dsrepair to get into DSRM, run this from an elevated prompt before rebooting (or the box keeps coming up in DSRM):

bcdedit /deletevalue safeboot

Let the OS boot normally and sign in with your domain administrator account:

Windows logon screen showing FORTESTING domain administrator with password being entered to sign in — Restart the server from DSRM. Do *not* press F8 this time — let it boot normally. If you used `bcdedit /set safeboot dsrepair` earlier, also run `bcdedit /deletevalue safeboot` from an elevated prompt before rebooting, otherwise the box keeps coming up in Safe Mode. Sign in with the domain administrator.

Once it is up, Server Manager shows AD DS and DNS green again:

Server Manager Dashboard showing AD DS and DNS service groups green and healthy — After a normal boot, *AD DS* and *DNS* are green again in Server Manager. The directory is back online and the DC is serving its domain role.

And ADUC pulls the full OU tree:

Active Directory Users and Computers showing the full OU tree and HR User 01 in the HR OU after returning from DSRM — *dsa.msc* shows the full OU tree and user objects again. The DSRM password is reset, the directory is back online, and the next time someone needs to do an authoritative restore they will not get stuck at the DSRM logon screen.

Reset, verified, returned to normal. The DSRM password is documented and known-good; if a real recovery scenario hits next quarter, the credential is not the bottleneck.

Doing It Across Multiple DCs

The DSRM password is per-DC, not per-domain — every DC has its own. To rotate them all at once, run ntdsutil against each DC by name from a single elevated prompt on one of them:

ntdsutil
activate instance ntds
set dsrm password
reset password on server DC01
... (enter password twice)
reset password on server DC02
... (enter password twice)
reset password on server DC03
... (enter password twice)
q
q

Each DC needs the password typed twice. Vault all of them — preferably with one shared password across the fleet so a recovery from any DC uses the same credential, but that decision is yours.

If you would rather sync the DSRM password to a real domain user account’s password (so it rotates automatically with that account), the ntdsutil › set dsrm password › sync from domain account <username> path does that. It is convenient, but it ties the recovery credential to a directory-resident object — if the directory is the thing that broke, the password sync is too. The break-glass pattern (independent password in a vault, rotated on a calendar) is the more defensible answer for most environments.

Common Pitfalls

Typo at the password prompt. ntdsutil’s second prompt validates that the two entries match, not that the entries are what you intended. Verify by actually rebooting into DSRM — it is the only way to know the credential works.
Trying the local admin password in DSRM. .\administrator in DSRM uses the DSRM credential, not the regular local administrator’s password. Even if the DC has the same name for both accounts, the passwords are independent.
Forgetting the safeboot flag. bcdedit /set safeboot dsrepair survives reboots until you delete it. Always pair the set with the delete: get into DSRM, do the work, delete the flag, reboot.
Skipping the verification reboot. The reset succeeds silently regardless of typos. If the next time you need DSRM is also the first time you sign in with the new password, that is the wrong moment to find out the password does not work.
Resetting only on one DC in a multi-DC environment and assuming the rest are fine. Each DC has its own DSRM password. Rotate all of them or document explicitly which DC has which credential.
Storing the DSRM password in the same place as the domain admin password. The whole point of DSRM is that it works when the domain is broken. If the only copy of the credential is in a system that requires the domain to log in to (or a vault that depends on AD-integrated SSO), the recovery plan has a circular dependency. Keep the DSRM password in a tier-zero offline vault.

Conclusion

The DSRM reset itself is four lines of ntdsutil and takes a minute. The reason this article is fourteen screenshots long is the verification half — getting into DSRM, signing in with the new credential, observing that AD really is offline, and getting back out cleanly. Skip that half and you are betting the next disaster on a password you never confirmed. Bake the full reset-and-verify into the same calendar as your domain admin password rotation, document the credential in a tier-zero vault, and the DSRM password stops being the recovery scenario’s weakest link.

Tags: #Active Directory #Authoritative Restore #Disaster Recovery #Domain Controller #DSRM #ntdsutil #PowerShell #Safe Mode