Q. How do I make the Directory Services Restore Mode (DSRM) administrator password work on my Windows 2008 domain controllers (DCs) if the Active Directory Directory Service (AD DS) is stopped and no other DCs are available?
April 9, 2009
A. Using the DsrmAdminLogonBehavior registry value, you can allow the DSRM administrator account to log on to controller DC when its AD DS is stopped. This would be useful if you've stopped the local AD DS service, no other DCs are available, and you logged off or your password-protected screen saver activated.
The registry value is located at HKLMSystemCurrentControlSetControlLsaDSRMAdminLogonBehavior. Its possible values are:
0 (default): You can only use the DSRM administrator account if the DC is started in DSRM.
1: You can use the DSRM administrator account to log on if the local AD DS service is stopped.
2: You can always use the DSRM administrator account (This setting isn't recommended, because password policies don't apply to the DSRM administrator account).
Related Reading:
Q. If I add a new writable Windows Server 2008 domain controller (DC) to a hub location, do I need to do anything to redistribute replication connections to my Read Only Domain Controllers (RODCs) in spoke/hub locations?
Q. I have a very slow link between a location and a hub. Can I increase compression on the replication traffic?
Q. Where should the primary DNS for a Read Only Domain Controller (RODC) that's a DNS server point?
If I have Exchange 2007 in only one location, do I need a hub transport server?
Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.
About the Author
You May Also Like