One upon a time in a land far far away…there was a castle with two Kings.
One King was born before the other one and ensured that all in the Kingdom were safe in case something bad happened.
The other King ran the Castle. The two Kings shared all their most key secrets including secret information known only to the Kings. Things like secret passwords. They ensured that these passwords were kept in sync so should the people of the kingdom come to them one day they wouldn’t have to guess at what the secret passwords were. The Kings would share these passwords to ensure that the Kingdom was never put at risk.
Then one day an evil spell was cast over the Kingdom.
This evil spell separated the two Kings. No longer were they able to share the secret information they once did.
The Kingdom was kept in this state for many years. There were times that the people of the Kingdom went to the one King and they couldn’t access what they needed to.
Then one day the spell was broken. A fairy godmother broke the evil spell and put back the ability to the two Kings to share their secret information.
To make sure that the two Kings always kept the secret information like passwords safe, she gave the power to the people of the Kingdom to prevent this evil spell all they had to do was to say the words “Abra Cadabra, bibbity bobbity boo, I see a KB, what about you?”
(Okay so maybe I was watching the movie Enchanted on TV, a bit too much tonight)
A long time ago.. or rather about seven years ago which is a long time ago in Computer years…. Windows 2003 had the ability to sync up on a regular basis the DSRM admin’s password with the Domain Administrator password. Why is this important? Because if you need to to a system state restore or restore a DC you need to log into the Directory Services Restore mode …and …and here’s the kicker…you need to remember the DSRM Admin password. What is this DSRM password? It’s a password entered by you when you make a server a DC. Now, for “normal” servers where you’ve dcpromo.exe’d a thousand times you know the screen I’m talking about where it asks you to set the DSRM password. In the SBS world however, you don’t because the dcpromo process is done for you.
The SBS install routine (and this is true for Aurora, EBS, and SBS) the DSRM password is the same as the Domain admin password you inititally set. SBS 2003 pre sp1 used to have a routine that automatically synced the DSRM password up with the Domain Administrator password so at all times, that DSRM mode password was one and the same as the Administrator password.
When Windows 2003 sp1 came out that added more security, this feature was ‘broken’ and no longer sync’d. So that DSRM password was the first password you set on the server, but thereafter, it never synced again. Now if you don’t know it… there is a way to reset the DSRM password, but life is easier with this autosync in place.
Now…here’s where the fairy breaks the evil spell. http://support.microsoft.com/kb/961320 puts the feature back. If you have SBS 2008 and you’ve applied SP2 you have the bits under the hood to set a scheduled task to automatically sync these two passwords back again.
Enter in the SBS 2008 (or Aurora, or SBS v7) the following sync command — ntdsutil “set dsrm password” “sync from domain account <AccountName>” q q
The <AccountName> should be the Domain Administrator account name.
Go into the computer and launch the task scheduler
On the right hand side we want to create a task
We call it something
We set a schedule.. once a month..once a week, something reasonable to resync the passwords
Confirm the schedule
You will start a program
And it’s brilliant enough to parse it for me.
And enter it in properly
And there ya go. The two Kings… uh.. I mean the DSRM admin account and the Domain Admin account will now sync up their passwords to each other.