The Directory Services Restore Mode (DSRM) password is required for logon to a domain controller when Active Directory Domain Services (AD DS) is not running, either because AD DS is stopped or because the domain controller has been started in DSRM.
Note: The DSRM password is not the same as the password for the domain Administrator account.
If you are creating the first domain controller in the forest, the password policy that is in effect on the local server is enforced by the Active Directory Domain Services Installation Wizard.
For all other domain controller installations, the Active Directory Domain Services Installation Wizard enforces the password policy that is in effect on the domain controller that is used as the installation partner. This means that the DSRM password that you specify must meet the minimum password length, history, and complexity requirements for the domain that contains the installation partner. By default, a strong password that contains a combination of uppercase and lowercase letters, numbers, and symbols must be provided.
Be sure to safeguard the DSRM password. Divulging the DSRM password to unauthorized personnel after the installation presents a security risk. A malicious user can use the password to start the domain controller in DSRM and subsequently cause problems in the forest. For example, a malicious user might start the domain controller in DSRM and then force the removal of AD DS from the server.