Q: In Windows Server 2008, there's a feature that lets you use the Directory Service Restore Mode (DSRM) administrator account and password to log on to a Server 2008 domain controller (DC) at any time. What's this feature for and how do I enable it?

A: In previous versions of Windows, you can only log on to a DC with the DSRM administrator account when in DSRM, but in Server 2008, you can do it at any time. To enable this feature, you need to change the registry setting DsrmAdminLogonBehavior (REG_DWORD), located at HKLMSystemCurrentControlSetControlLsa. You can set the value of DsrmAdminLogonBehavior to:

The default DsrmAdminLogonBehavior setting (0) implies that you can only log on to the DC with a domain account. If the local AD service is down, you'll need an additional DC to authenticate your domain account. As a consequence, you won't be able to log on when the WAN link to the hub site is down if you're in a branch office setup that has only one local DC.

Let me further illustrate this using the example where you log on to a DC locally by using a domain administrator account. You stop the AD service to perform maintenance, and then a password-protected screen saver locks the DC. In this scenario, if DsrmAdminLogonBehavior is set to 0 and no other DC is available, you're stuck and will need to wait for the WAN link to come alive again. If you'd previously changed the DsrmAdminLogonBehavior to 1, you'd still be able log on to the DC with the DSRM Administrator account.

It's a best practice to change the DsrmAdminLogonBehavior entry to 1 for DCs that are located on sites that only have one DC. Use of the value 2 isn't recommended, because it creates too much security exposure for the DSRM administrator account. Also remember that the DSRM administrator account password isn't checked against any AD password policy.

Related Reading: