Synchronize the DSRM Administrator Password with a Domain User Account
Posted by John Policelli on February 19th, 2009
Microsoft has released a new feature for Windows Server 2008 that allows you to synchronize the Directory Services Restore Mode (DSRM) password with the password of a domain user account.
This new feature is enabled by installing a hotfix, which can be found here. The hotfix is only available for Windows Server 2008, so you cannot leverage this new feature for the DSRM account on domain controllers that have Windows 2000 Server or Windows Server 2003 installed. I had a look at the beta release of Windows Server 2008 R2, but this feature is not included. I expect it will be once Windows Server 2008 R2 goes RTM.
In reality, not all organizations have deployed Windows Server 2008 domain controllers. Furthermore, those that have started deploying Windows Server 2008 domain controllers will likely be in a transition state that consists of both pre-Windows Server 2008 and Windows Server 2008 domain controllers. If these organizations choose to leverage this new feature while in this transition state, they will have to live with using multiple tools and processes to manage DSRM passwords. Nonetheless, this new feature is definitely a step in the right direction.
Once the hotfix has been installed, and you’ve rebooted your domain controller, you can use the ntdsutil command-line tool to synchronize the DSRM password with the password of a domain user account. You would type the following command to do so:
ntdsutil "set dsrm password" "sync from domain account <AccountName>" q q
In the above example, <AccountName> must be replaced with the name of the domain user account that you want the DSRM password to be synched with.
It is important to note that this new feature WILL ONLY SYNCHRONIZE THE PASSWORD ONE TIME. As such, if you change the password of the domain user account you specified in the above command, you need to rerun the above command in order to resynchronize the passwords.
Another important, if obvious, point is that the above command performs a one-way synchronization. The password of the domain user account is copied to the DSRM account, but not vice versa: changing the DSRM password does not change the domain user account's password.
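Because the sync is one-time and one-way, it has to be rerun on every domain controller each time the source account's password changes. The following PowerShell script is an added example (not from the original post) that rotates the source account's password and then runs the same ntdsutil command on each Windows Server 2008 domain controller. It assumes the ActiveDirectory module is available on the admin workstation, PowerShell remoting is enabled on the DCs, the hotfix is installed on each of them, and that the account name is a placeholder.

```powershell
# Added example: rotate the source domain account's password, then resync the
# DSRM password on every Windows Server 2008 DC. Assumes the ActiveDirectory
# module, PowerShell remoting to the DCs, and the hotfix installed on each DC.
Import-Module ActiveDirectory

$SourceAccount = 'svc-dsrm-sync'   # placeholder: the domain account whose password is copied to DSRM

# Rotate the source account first, so the DSRM copies never lag behind it.
$NewPassword = Read-Host -AsSecureString -Prompt "New password for $SourceAccount"
Set-ADAccountPassword -Identity $SourceAccount -Reset -NewPassword $NewPassword

# Only DCs that can run the hotfixed ntdsutil are synced; the rest are listed
# for manual follow-up with the older per-server DSRM reset process.
$allDCs   = Get-ADDomainController -Filter *
$eligible = $allDCs | Where-Object { $_.OperatingSystem -like 'Windows Server 2008*' }
$legacy   = $allDCs | Where-Object { $_.OperatingSystem -notlike 'Windows Server 2008*' }

$results = foreach ($dc in $eligible) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList $SourceAccount -ScriptBlock {
        param($Account)
        # Same command as in the post; each quoted string is one ntdsutil menu entry.
        $out = & ntdsutil.exe "set dsrm password" "sync from domain account $Account" q q 2>&1
        [pscustomobject]@{
            DC       = $env:COMPUTERNAME
            ExitCode = $LASTEXITCODE
            Output   = ($out -join ' ')
        }
    }
}

$results | Format-Table DC, ExitCode, Output -AutoSize

# Heuristic check: a non-zero exit code or an error/failure message in the output
# means that DC still has the old DSRM password and must be handled by hand.
$failed = $results | Where-Object { $_.ExitCode -ne 0 -or $_.Output -match 'error|fail' }
if ($failed) { Write-Warning "DSRM sync did not succeed on: $($failed.DC -join ', ')" }
if ($legacy) { Write-Warning "Not synced (pre-2008 DCs): $($legacy.HostName -join ', ')" }
```

Review the per-DC output before trusting the result, and keep the list of legacy DCs as the work item for the separate, pre-Windows Server 2008 process.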
All in all, I believe Microsoft is moving in the right direction by providing this new feature. However, this is not a complete solution to streamlining the management of DSRM passwords on domain controllers, or to securing the DSRM accounts.
In my opinion, it would be ideal to have this ability on pre-Windows Server 2008 domain controllers as well. Furthermore, it would be ideal to see this new feature have some more granularity. For example, adding capabilities that will allow us to keep the DSRM password synchronized when the password for the domain user changes would be a huge improvement. While we’re at it, let’s include some capabilities that allow us to use a password and account lockout policy on DSRM accounts.
I cannot emphasize enough how important it is to properly secure DSRM accounts. If someone gets access to one of your DSRM accounts, it will not take them long to completely destroy your forest. The scary thing is that most IT administrators tend to forget about the DSRM account after they promote a DC.
I once performed an Active Directory security assessment for a client and I found that they were using the same password for the DSRM account on every one of their production and development DCs. Not only was this password weak and hadn’t been changed in the previous 6-7 years, but other teams in the organization were using the same password for various accounts. I remember being on an unrelated triage call late one night for an LDAP application. We had to sniff the network traffic between the application servers and the DCs to identify the cause of the issue. In the network trace, I saw that the LDAP application, which was not using secure LDAP, was using the same password for the account it used to bind to Active Directory. Because regular LDAP (non-secure) sends credentials in clear text, I was able to see the password in the network trace. I’m pretty sure I fell off my seat when I saw that the password was the same as the DSRM password being used on EVERY domain controller.
The moral of this story is that you can leverage tools, such as this new feature from Microsoft, to streamline password management for DSRM accounts. However, you MUST ensure that in doing so you do not expose yourself to more risk. When it comes to DSRM account passwords, your number one priority must be ensuring they are as strong as, if not stronger than, the passwords on your Domain Admin accounts. This includes the password itself, but also the frequency of the password changes, and the processes used to change the passwords.