Monday, 18 March 2019

Automate DSRM Password Update

DSRM Password:


Managing the DSRM password is one of the key responsibilities of every AD administrator: whether performing an authoritative restore or repairing database issues, you will need this local administrator password.
Typically the DSRM password is not used while the DC is running in its normal state, and the DSRM credentials are not like the regular credentials we use day to day, so forgetting the password is quite expected.
The DSRM password is set during domain controller promotion, so keeping it consistent across domain controllers is another challenge.



Solution:
Starting with Windows Server 2008, Microsoft introduced a feature that lets the DSRM password be synchronized from an Active Directory domain account.



Key Features:
Ø  The DSRM password can be changed on a regular basis.
Ø  The process covers both existing domain controllers and newly promoted domain controllers.

Let’s jump into the LAB and see how it works:


> Create a standard domain account with the following values.
> Account in a disabled state, for security reasons.
> Password Never Expires should be enabled.
> The account does not need to be a member of any privileged group.

> To synchronize the DSRMSync account password into the domain controller, run the following command.
Ntdsutil "set dsrm password" "sync from domain account DSRMsync" q q

> The account is successfully synced to DSRM. To validate the password, I am going to reboot the DC in DSRM mode.
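The account creation and sync steps above, as an added PowerShell example that is not part of the original post. It creates the DSRMSync account with the settings listed (disabled, password never expires, no privileged group membership), runs the same ntdsutil sync, and then checks the Security log instead of rebooting into DSRM. The account name DSRMsync comes from the post; using Security event ID 4794 (logged when the DSRM administrator password is set) as the verification is an assumption of this example. Run it in an elevated session on the domain controller.

```powershell
# Added example, not code from the original post.
# Creates/refreshes the DSRMSync account, syncs it into DSRM, and verifies via the Security log.
Import-Module ActiveDirectory

$Account = 'DSRMsync'   # account name used in the post

# 1. Standard domain account: disabled, password never expires, default group membership only.
#    The password is prompted for so it is never hard-coded in the script.
$pw = Read-Host -Prompt "Password for $Account" -AsSecureString
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Account'")) {
    New-ADUser -Name $Account -SamAccountName $Account `
        -AccountPassword $pw -Enabled $false `
        -PasswordNeverExpires $true -CannotChangePassword $true
} else {
    # Quarterly reset path: set the new password and re-assert the account settings.
    Set-ADAccountPassword -Identity $Account -NewPassword $pw -Reset
    Set-ADUser -Identity $Account -Enabled $false -PasswordNeverExpires $true
}

# 2. Sync the account's password into DSRM on this domain controller (same command as the post).
$start = Get-Date
& ntdsutil.exe "set dsrm password" "sync from domain account $Account" q q
if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE" }

# 3. Verify without a reboot: event 4794 records a DSRM administrator password set
#    (assumption: Audit User Account Management must be enabled for it to appear).
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4794; StartTime = $start } `
    -ErrorAction SilentlyContinue
if ($evt) {
    "DSRM password set on $env:COMPUTERNAME at $($evt[0].TimeCreated)"
} else {
    Write-Warning "No 4794 event found after $start; check the audit policy and the ntdsutil output above."
}
```

The 4794 check is worth keeping in the scheduled version as well: a DC whose last 4794 event is older than the last DSRMSync password reset is one where the sync silently did not happen.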


> Log in to the domain controller with the DSRMSync credentials.
We successfully passed the DSRM console with the AD account.
> The DSRM process does not pick up AD account password changes, hence we need to re-synchronize after every password update.
> Updating the password on 100-plus domain controllers manually is not always possible, hence we perform this activity through GPO. Consider that we reset our DSRMSync password every quarter (during SOX audits etc.); we will schedule the AD password update every 3 months.
> To enable this feature, we require one service account with "Domain Admin" privileges.
     
> Open GPMC and create a new GPO (or use an existing GPO) linked to the Domain Controllers OU to enable this feature.

> Create a scheduled task under Computer Configuration.




> Action Tab

> Wait for the GPO to apply, then verify the task in the DC's Task Scheduler.

> Reset the password of DSRMSync and run the scheduled task manually to check the sync process.

Password changed successfully.

A user account was changed.

Subject:
              Security ID:                         TEST\Administrator
              Account Name:                   Administrator
              Account Domain:                TEST
              Logon ID:                           0x457E8

Target Account:
              Security ID:                         TEST\DSRMsync
              Account Name:                   DSRMsync
              Account Domain:                TEST

Run Sync manually


> WOW it got synced!
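The scheduled-task rollout described above, as an added PowerShell example that is not from the original post: instead of a GPO, it registers the same ntdsutil sync as a scheduled task on every domain controller with Invoke-Command, runs it once immediately (the manual check from the post), and reports each DC's last task result. The task name, the daily 03:00 trigger and the service account name are assumptions; the service account is prompted for, and the post's requirement that it hold Domain Admin rights still applies.

```powershell
# Added example, not code from the original post.
# Registers the DSRM sync task on all DCs and triggers one run so the reset password reaches DSRM now.
Import-Module ActiveDirectory

$TaskName = 'DSRM Password Sync'   # assumed task name
$Account  = 'DSRMsync'             # account name from the post
# Service account that runs the task (Domain Admin per the post); prompted, never hard-coded.
$RunAs = Get-Credential -Message 'Service account that will run the DSRM sync task'

$dcs = (Get-ADDomainController -Filter *).HostName

Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($TaskName, $Account, $User, $Password)

    # Same ntdsutil command line as the post, passed as the task action.
    $action = New-ScheduledTaskAction -Execute 'ntdsutil.exe' `
        -Argument "`"set dsrm password`" `"sync from domain account $Account`" q q"

    # A daily run keeps every DC consistent regardless of when the quarterly reset happens.
    $trigger = New-ScheduledTaskTrigger -Daily -At 3am

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -User $User -Password $Password -RunLevel Highest -Force | Out-Null

    # Manual check from the post: run it now and read back the result.
    Start-ScheduledTask -TaskName $TaskName
    Start-Sleep -Seconds 10
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
    [pscustomobject]@{
        DC      = $env:COMPUTERNAME
        LastRun = $info.LastRunTime
        Result  = $info.LastTaskResult   # 0 means ntdsutil exited successfully
    }
} -ArgumentList $TaskName, $Account, $RunAs.UserName, $RunAs.GetNetworkCredential().Password |
    Format-Table DC, LastRun, Result -AutoSize
```

Any DC reporting a non-zero Result (or missing from the table because the remote call failed) is one where DSRM still holds the old password, which is exactly the drift this setup is meant to prevent. Because the task runs under a Domain Admin service account on every DC, keep that account's password reset on the same schedule as DSRMSync and restrict who can edit the task.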

                                      *****Happy Learning*****

1 comment:

  1. Interesting post Kumar. It will be useful for all AD administrators. Thanks for sharing.
