Central Management of DSRM password on Domain Controllers using Orchestrator

Introduction

DSRM (Directory Services Restore Mode) is used on Domain Controllers for maintenance and recovery operations. To access this mode, AD administrators need to use the Domain Controller's local administrator account and know the DSRM password. The DSRM password is set when a new Domain Controller is set up. Maintaining this password and changing it regularly is required for security reasons, but it can be a difficult task in environments with many Domain Controllers in use.

This Wiki article shares how Orchestrator can be used to centrally manage DSRM password on Domain Controllers.

Synchronization of DSRM password with an AD DS user account

Domain Controllers running Windows Server 2008 with KB961320 (http://support.microsoft.com/kb/961320) installed, Windows Server 2008 R2, or a newer operating system include a feature to synchronize the DSRM password with an AD DS user account. With this feature, Microsoft made DSRM password management easier by:

  • Creating a new AD DS user account that will be used for the sync
  • Using ntdsutil to run the sync of the DSRM password with the AD DS user account

With this implementation, an AD administrator only needs to maintain the password of the created AD DS user account and set up a synchronization mechanism to keep the DSRM password current.

Configuration of Orchestrator for the synchronization of DSRM password

You first need to create the AD DS user account. Once it is created, you can create an Orchestrator Runbook that will:

  • Get the list of Domain Controllers within an Active Directory Domain
  • Run ntdsutil.exe "Set dsrm password" "Sync from domain account <ADDS_User_sAMAccountName>" on all the Domain Controllers to sync the DSRM password with the AD DS user account

The Orchestrator Runbook needs to have four (4) activities:

  • Monitor Date/Time: It allows you to specify the time at which the Runbook should start running

  • Check Schedule: It allows you to specify the days and hours during which the Runbook may start running (by combining this activity's settings with those of the previous activity, you can pin down exactly when your Runbook can start running)

  • Run Program: It runs the ntdsutil.exe "Set dsrm password" "Sync from domain account <ADDS_User_sAMAccountName>" command on all the Domain Controllers. The list of Domain Controllers against which this command should be launched is provided by the previous activity
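The two Runbook steps above (enumerate the Domain Controllers, then run the ntdsutil sync on each), as an added PowerShell example that is not part of the Wiki article or of Orchestrator itself. It assumes the ActiveDirectory module and PowerShell remoting are available on the machine running it; the sync account name, log path and the expected ntdsutil success message are assumptions and should be adjusted to your environment.

```powershell
# Added example: the DSRM sync the Runbook's Run Program activity performs,
# written as a script that can be run from a "Run .Net Script" activity or a
# scheduled task. Account name and log path are placeholders (assumptions).
param(
    [string]$SyncAccount = 'DSRM-Sync-Account',      # placeholder sAMAccountName of the AD DS sync account
    [string]$LogPath     = "$env:TEMP\dsrm-sync.log"
)
Import-Module ActiveDirectory

# Sanity check before touching any DC: the sync account must exist and be enabled,
# otherwise ntdsutil fails on every DC and the DSRM passwords stay unchanged.
$acct = Get-ADUser -Identity $SyncAccount -Properties Enabled -ErrorAction Stop
if (-not $acct.Enabled) { throw "Sync account '$SyncAccount' is disabled; aborting." }

# Step 1 of the Runbook: enumerate every Domain Controller in the domain.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Step 2: run ntdsutil locally on each DC. The trailing "q q" quits the two
# ntdsutil menus so the command returns instead of waiting for interactive input.
$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($Account)
    $output = & ntdsutil.exe 'set dsrm password' "sync from domain account $Account" q q 2>&1
    [pscustomobject]@{
        DC       = $env:COMPUTERNAME
        ExitCode = $LASTEXITCODE
        # Assumed success message printed by ntdsutil; anything else is treated as a failure.
        Synced   = [bool]($output -match 'synchronized successfully')
        Output   = ($output -join ' ')
    }
} -ArgumentList $SyncAccount -ErrorAction Continue

# Record the outcome per DC so a failed or skipped sync is noticed, not silently ignored.
$results | Select-Object DC, ExitCode, Synced, Output |
    Tee-Object -FilePath $LogPath -Append | Format-Table -AutoSize

$failed  = $results | Where-Object { -not $_.Synced }
$missing = $dcs | Where-Object { $_ -notin $results.PSComputerName }
if ($failed)  { Write-Warning ("DSRM sync failed on: " + ($failed.DC -join ', ')) }
if ($missing) { Write-Warning ("DC not reachable, DSRM password not synced: " + ($missing -join ', ')) }
```

Because ntdsutil reads the sync account's current password, the script has to be re-run after every rotation of that account's password, which is exactly what the scheduled Runbook provides.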

Below is a screen capture of all the activities included in the Runbook:

Conclusion

Proper management of the DSRM password on Domain Controllers is recommended for security reasons. However, it was previously difficult for AD administrators to manage these passwords in large environments with many Domain Controllers in use. With the release of KB961320, it became easier to manage these passwords by taking advantage of a new feature that synchronizes the DSRM password with an AD DS user account. Orchestrator improves on that by making central management of the DSRM password possible, and this Wiki article shared one way to implement it.