Isolate a DC - Part 4: Reset DSRM Password

This is Part 4 of a multi-part blog post on Domain Recovery and DC Isolation with the aid of PowerShell. In today's installment we learn that Directory Services Restore Mode (DSRM) is not actually needed to perform a full forest recovery.

Reset DSRM Password

Another typically unnecessary step is getting your hands on your DSRM password, if you don’t already have it. The DSRM password is only used in DSRM mode, which you don’t need for this fun exercise, but why not have it just in case!

Now, this step is not really PowerShell, and not really automated. If you wanted the latter, you could probably create an account, set its password, and then sync the password to the DSRM Administrator account, but I wasn’t feeling that energetic this morning. So just type your password a couple of times and be done with it.

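function Reset-DSRMPassword {
    [CmdletBinding()]   # makes -Verbose work, so the Write-Verbose line can be shown
    param()
    Write-Verbose "Calling NTDSUtil to reset the DSRM password on the local server"
    # "NULL" targets the local server; ntdsutil prompts for the new password twice
    ntdsutil "set DSRM Password" "Reset Password on Server NULL" q q
}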

Reset-DSRMPassword
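
The automated route mentioned above (create an account, set its password, sync it to DSRM) could look like the following. This is an added example, not code from the original post; the function name and the account name `svc-dsrm-sync` are hypothetical, and it assumes the ActiveDirectory module is available and that ntdsutil's `sync from domain account` command can read the hash of a disabled account.

```powershell
#Requires -Modules ActiveDirectory

function Sync-DSRMPasswordFromAccount {
    [CmdletBinding()]
    param(
        # Hypothetical name for the account whose password is copied to DSRM
        [string]$SamAccountName = 'svc-dsrm-sync',

        # New password, supplied as a SecureString so it never sits in plain text
        [Parameter(Mandatory)]
        [securestring]$Password
    )

    $user = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'"

    if (-not $user) {
        Write-Verbose "Creating sync account $SamAccountName"
        # New-ADUser leaves the account disabled unless -Enabled is passed.
        # It is kept disabled here because it is never meant to log on
        # (assumption: the sync only needs the stored hash).
        New-ADUser -Name $SamAccountName `
                   -SamAccountName $SamAccountName `
                   -AccountPassword $Password `
                   -Description 'Source account for DSRM password sync'
    }
    else {
        Write-Verbose "Resetting password on existing account $SamAccountName"
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $Password
    }

    Write-Verbose "Calling NTDSUtil to sync the DSRM password from $SamAccountName"
    # Copies the account's current password to the local DC's DSRM Administrator
    ntdsutil "set dsrm password" "sync from domain account $SamAccountName" q q
}

# Prompt once for the password, then create/reset the account and sync it
$pw = Read-Host -AsSecureString -Prompt 'New DSRM password'
Sync-DSRMPasswordFromAccount -Password $pw -Verbose
```

The sync is a one-time copy on the DC where it runs: a later password change on the account does not reach DSRM until the command is run again. Anyone who can reset that account's password and run the sync controls the DSRM password, so restrict and audit the account accordingly.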

All the other parts of this series are available here