I wouldn't think that it would be, considering that it's basically the 
"workstation" local administrator account, but it always seem when I restore 
my backups in the lab, it's from some non-critical domain controller that I 
wouldn't have performed the "setpwd" and yet I seem to recall it taking the 
DS Restore mode password.  I spent about 10 minutes Googling but wasn't even 
getting close with my search results so I bagged it and decided to post.

Anyone?

<-> wrote in message news:%235diPmPxIHA.2384@TK2MSFTNGP02.phx.gbl...
>I wouldn't think that it would be, considering that it's basically the 
>"workstation" local administrator account, but it always seem when I 
>restore my backups in the lab, it's from some non-critical domain 
>controller that I wouldn't have performed the "setpwd" and yet I seem to 
>recall it taking the DS Restore mode password.  I spent about 10 minutes 
>Googling but wasn't even getting close with my search results so I bagged 
>it and decided to post.
>
> Anyone?

The Local Administrator or more formally the "Directory Restore Mode
Administrative Password" is not replicated but it totally local that single
DC.

There is essentially a local SAM database, a la NT4 server's accounts
database (outside of a domain.)

It is specific to that one DC.

In news:uIhZD2RxIHA.5520@TK2MSFTNGP06.phx.gbl,
Herb Martin  typed:
> <-> wrote in message news:%235diPmPxIHA.2384@TK2MSFTNGP02.phx.gbl...

> The Local Administrator or more formally the "Directory Restore Mode
> Administrative Password" is not replicated but it totally local that
> single DC.
>
> There is essentially a local SAM database, a la NT4 server's accounts
> database (outside of a domain.)
>
> It is specific to that one DC.

And more specifically for the original poster, it's the password that was 
set by the administrator while running DCPROMO on that machine to make it a 
DC.

-- 
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations

nope it is not replicated to other DCs. It is a local configuration for a 
specific DC only

-- 

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
<-> wrote in message news:%235diPmPxIHA.2384@TK2MSFTNGP02.phx.gbl...
>I wouldn't think that it would be, considering that it's basically the 
>"workstation" local administrator account, but it always seem when I 
>restore my backups in the lab, it's from some non-critical domain 
>controller that I wouldn't have performed the "setpwd" and yet I seem to 
>recall it taking the DS Restore mode password.  I spent about 10 minutes 
>Googling but wasn't even getting close with my search results so I bagged 
>it and decided to post.
>
> Anyone?
>

Weird, I must have set it on all the domain controllers.  But of course it 
is logical since it is identical to the local Administrator account, still 
existing "underground" when DS is not running on the DC.

Thanks for clearing it up.


"Jorge de Almeida Pinto [MVP - DS]" 
 wrote in message 
news:%23hQfKbZxIHA.1772@TK2MSFTNGP03.phx.gbl...
> nope it is not replicated to other DCs. It is a local configuration for a 
> specific DC only
>
> -- 
>
> Cheers,
> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>
> # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
>
> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
> ------------------------------------------------------------------------------------------
> * How to ask a question --> http://support.microsoft.com/?id=555375
> ------------------------------------------------------------------------------------------
> * This posting is provided "AS IS" with no warranties and confers no 
> rights!
> * Always test ANY suggestion in a test environment before implementing!
> ------------------------------------------------------------------------------------------
> #################################################
> #################################################
> ------------------------------------------------------------------------------------------
> <-> wrote in message news:%235diPmPxIHA.2384@TK2MSFTNGP02.phx.gbl...
>>I wouldn't think that it would be, considering that it's basically the 
>>"workstation" local administrator account, but it always seem when I 
>>restore my backups in the lab, it's from some non-critical domain 
>>controller that I wouldn't have performed the "setpwd" and yet I seem to 
>>recall it taking the DS Restore mode password.  I spent about 10 minutes 
>>Googling but wasn't even getting close with my search results so I bagged 
>>it and decided to post.
>>
>> Anyone?
>>
>

<-> wrote in message news:uHFKAocxIHA.4912@TK2MSFTNGP03.phx.gbl...
> Weird, I must have set it on all the domain controllers.  But of course it 
> is logical since it is identical to the local Administrator account, still 
> existing "underground" when DS is not running on the DC.
>
> Thanks for clearing it up.

You are required to set it when running DCPromo -- many people set it
to whatever password the server had previously (before it started
becoming a DC) or to the domain admin password.

The latter is a VERY poor choice as this sensitive password should
NEVER be reused anywhere.

The local (DSRestore) password does not need to be AS secure in
most cases IF you lock up your DCs in controlled rooms where
only trusted admins have entry.

IF they are exposed, either in the open or with non-trusted people
admitted to their location then again these passwords need to be
VERY secure.

A secure password is never used in more than one place -- because
if one of the locations is compromised this would compromise ALL
of them.

> "Jorge de Almeida Pinto [MVP - DS]" 
>  wrote in message 
> news:%23hQfKbZxIHA.1772@TK2MSFTNGP03.phx.gbl...
>> nope it is not replicated to other DCs. It is a local configuration for a 
>> specific DC only

And it can be reset using a number of tools.

-- 
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Ace Fekay [MVP]"  wrote in message 
news:uUg02QSxIHA.4376@TK2MSFTNGP06.phx.gbl...
> In news:uIhZD2RxIHA.5520@TK2MSFTNGP06.phx.gbl,
> Herb Martin  typed:
>> <-> wrote in message news:%235diPmPxIHA.2384@TK2MSFTNGP02.phx.gbl...
>
>> The Local Administrator or more formally the "Directory Restore Mode
>> Administrative Password" is not replicated but it totally local that
>> single DC.
>>
>> There is essentially a local SAM database, a la NT4 server's accounts
>> database (outside of a domain.)
>>
>> It is specific to that one DC.
>
> And more specifically for the original poster, it's the password that was 
> set by the administrator while running DCPROMO on that machine to make it 
> a DC.
>
> -- 
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Infinite Diversities in Infinite Combinations
>
>

Dean Wells (An AD MVP) has a tool to change the dsrm password on all dc's.

Script is based on SETPWD available from here that will reset all DSRM 
passwords within a supplied forest.



ftp://falcon.msetechnology.com/scripts/dsrmreset.cmd.txt




-- 
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"S. Pidgorny <MVP>"  wrote in message 
news:eBX%230EtyIHA.4168@TK2MSFTNGP06.phx.gbl...
> And it can be reset using a number of tools.
>
> -- 
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
> "Ace Fekay [MVP]"  wrote in message 
> news:uUg02QSxIHA.4376@TK2MSFTNGP06.phx.gbl...
>> In news:uIhZD2RxIHA.5520@TK2MSFTNGP06.phx.gbl,
>> Herb Martin  typed:
>>> <-> wrote in message news:%235diPmPxIHA.2384@TK2MSFTNGP02.phx.gbl...
>>
>>> The Local Administrator or more formally the "Directory Restore Mode
>>> Administrative Password" is not replicated but it totally local that
>>> single DC.
>>>
>>> There is essentially a local SAM database, a la NT4 server's accounts
>>> database (outside of a domain.)
>>>
>>> It is specific to that one DC.
>>
>> And more specifically for the original poster, it's the password that was 
>> set by the administrator while running DCPROMO on that machine to make it 
>> a DC.
>>
>> -- 
>> Regards,
>> Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
>> MVP Microsoft MVP - Directory Services
>> Microsoft Certified Trainer
>>
>> For urgent issues, you may want to contact Microsoft PSS directly. Please
>> check http://support.microsoft.com for regional support phone numbers.
>>
>> Infinite Diversities in Infinite Combinations
>>
>>
>
>

"Paul Bergson [MVP-DS]"  wrote in message 
news:eaC5ruvyIHA.4492@TK2MSFTNGP02.phx.gbl...
> Dean Wells (An AD MVP) has a tool to change the dsrm password on all dc's.
>
> Script is based on SETPWD available from here that will reset all DSRM 
> passwords within a supplied forest.
>
>
>
> ftp://falcon.msetechnology.com/scripts/dsrmreset.cmd.txt

So I am guessing you mean this work even when booted as a DC,
i.e., without being in DSRMode?

Cool.

yep, it is that simple! ;-)

-- 

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Herb Martin"  wrote in message 
news:eWNhd0wyIHA.3680@TK2MSFTNGP05.phx.gbl...
>
> "Paul Bergson [MVP-DS]"  wrote in message 
> news:eaC5ruvyIHA.4492@TK2MSFTNGP02.phx.gbl...
>> Dean Wells (An AD MVP) has a tool to change the dsrm password on all 
>> dc's.
>>
>> Script is based on SETPWD available from here that will reset all DSRM 
>> passwords within a supplied forest.
>>
>>
>>
>> ftp://falcon.msetechnology.com/scripts/dsrmreset.cmd.txt
>
> So I am guessing you mean this work even when booted as a DC,
> i.e., without being in DSRMode?
>
> Cool.
>

Sure, plus you can already set the DSRM password by running setpwd from a 
command prompt.

-- 
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Herb Martin"  wrote in message 
news:eWNhd0wyIHA.3680@TK2MSFTNGP05.phx.gbl...
>
> "Paul Bergson [MVP-DS]"  wrote in message 
> news:eaC5ruvyIHA.4492@TK2MSFTNGP02.phx.gbl...
>> Dean Wells (An AD MVP) has a tool to change the dsrm password on all 
>> dc's.
>>
>> Script is based on SETPWD available from here that will reset all DSRM 
>> passwords within a supplied forest.
>>
>>
>>
>> ftp://falcon.msetechnology.com/scripts/dsrmreset.cmd.txt
>
> So I am guessing you mean this work even when booted as a DC,
> i.e., without being in DSRMode?
>
> Cool.
>

"Paul Bergson [MVP-DS]"  wrote in message 
news:%23l6zEnzyIHA.4848@TK2MSFTNGP05.phx.gbl...
> Sure, plus you can already set the DSRM password by running setpwd from a 
> command prompt.

Sorry -- should have put this in the previous:  And it works on Win2000 DCs?


> -- 
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no 
> rights.
>
> "Herb Martin"  wrote in message 
> news:eWNhd0wyIHA.3680@TK2MSFTNGP05.phx.gbl...
>>
>> "Paul Bergson [MVP-DS]"  wrote in message 
>> news:eaC5ruvyIHA.4492@TK2MSFTNGP02.phx.gbl...
>>> Dean Wells (An AD MVP) has a tool to change the dsrm password on all 
>>> dc's.
>>>
>>> Script is based on SETPWD available from here that will reset all DSRM 
>>> passwords within a supplied forest.
>>>
>>>
>>>
>>> ftp://falcon.msetechnology.com/scripts/dsrmreset.cmd.txt
>>
>> So I am guessing you mean this work even when booted as a DC,
>> i.e., without being in DSRMode?
>>
>> Cool.
>>
>
>

Yes

-- 
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Herb Martin"  wrote in message 
news:u5TiPU2yIHA.3384@TK2MSFTNGP03.phx.gbl...
>
> "Paul Bergson [MVP-DS]"  wrote in message 
> news:%23l6zEnzyIHA.4848@TK2MSFTNGP05.phx.gbl...
>> Sure, plus you can already set the DSRM password by running setpwd from a 
>> command prompt.
>
> Sorry -- should have put this in the previous:  And it works on Win2000 
> DCs?
>
>
>> -- 
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no 
>> rights.
>>
>> "Herb Martin"  wrote in message 
>> news:eWNhd0wyIHA.3680@TK2MSFTNGP05.phx.gbl...
>>>
>>> "Paul Bergson [MVP-DS]"  wrote in message 
>>> news:eaC5ruvyIHA.4492@TK2MSFTNGP02.phx.gbl...
>>>> Dean Wells (An AD MVP) has a tool to change the dsrm password on all 
>>>> dc's.
>>>>
>>>> Script is based on SETPWD available from here that will reset all DSRM 
>>>> passwords within a supplied forest.
>>>>
>>>>
>>>>
>>>> ftp://falcon.msetechnology.com/scripts/dsrmreset.cmd.txt
>>>
>>> So I am guessing you mean this work even when booted as a DC,
>>> i.e., without being in DSRMode?
>>>
>>> Cool.
>>>
>>
>>
>
>