rsnellman asked:
Installing new 2016 domain controllers...should I use my existing DSRM password or can I use a new one?

Hi, I am in the process of adding new domain controllers (Windows Server 2016) into my AD environment, which currently hosts Windows Server 2008 R2 domain controllers.

FFL = Windows Server 2008 R2
DFL = Windows Server 2008 R2

Features Enabled = AD Recycle Bin

AD Schema = 87 (Windows Server 2016)

Already migrated from FRS to DFRS.


My question is probably a simple one, but I still need to ask it anyways.

When installing the AD DS server role on the new Windows Server 2016, should I use the same DSRM (Directory Service Restore Mode) password as I have for my current Windows Server 2008 R2 domain controllers?

Or can I use a different DSRM password for these new Windows Server 2016 domain controllers, which will eventually replace my current Windows Server 2008 R2 domain controllers?


Just want to leave no stones unturned as I proceed.  The last time I had to introduce new DCs in my environment was back in 2011.  So, I am a little rusty and have been refreshing up on the process, as well as checking for any changes since then.

Just wondering.


Thanks in advance.
Cliff Galiher:

While technically there are no known exploits that would allow traversal via DSRM, it is always a good idea for highly privileged accounts to have unique credentials.
rsnellman (ASKER):

So, I should create unique credentials for each individual domain controller's DSRM?  Is that the recommended best practice by Microsoft?
Ideally you should keep the DSRM password complex enough and save it in lockers, as it will not be required unless there are weird issues / circumstances and you are forced to restore AD from System State.
ASKER CERTIFIED SOLUTION: Cliff Galiher
Please clarify your question; the DSRM password can be changed/set using ntdsutil.
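As an added example (not from the thread or from any poster), the script below does what the two answers above point at: it gives every domain controller its own DSRM password and records the values so they can be put in a password locker. It uses the documented ntdsutil path "set dsrm password" / "sync from domain account", which reads the password from a domain account instead of prompting at the console, so it can be scripted. Assumptions: the ActiveDirectory module is installed, you run it as a Domain Admin, PowerShell remoting is enabled on the DCs, and the helper account name is a placeholder you should rename.

```powershell
# Added example, not the original poster's code. Assumes: ActiveDirectory module,
# Domain Admin rights, WinRM enabled on every DC. The helper account name is a placeholder.
#Requires -Modules ActiveDirectory

$SyncAccount = 'dsrm-sync-placeholder'   # hypothetical helper account; rename for your domain

function New-RandomPassword {
    param([int]$Length = 24)
    # Ambiguous-looking characters (0/O, 1/l/I) left out, since this value is typed by hand
    # at the DSRM logon screen during a real recovery.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# The helper account is only a carrier for each password; it is disabled again at the end.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SyncAccount'")) {
    New-ADUser -Name $SyncAccount -SamAccountName $SyncAccount -Enabled $false
}
Enable-ADAccount -Identity $SyncAccount

$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    # Write the new password directly on the target DC (-Server) so ntdsutil does not
    # read a stale value that has not replicated there yet.
    Set-ADAccountPassword -Identity $SyncAccount -NewPassword $secure -Reset -Server $dc.HostName

    # ntdsutil only changes the DSRM password of the DC it runs on (it is a per-DC local
    # value, not an AD attribute), so run it on each DC through remoting.
    $out = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        param($acct)
        ntdsutil "set dsrm password" "sync from domain account $acct" q q 2>&1
    } -ArgumentList $SyncAccount

    [pscustomobject]@{
        DomainController = $dc.HostName
        DsrmPassword     = $plain                 # store in your password locker, then discard
        NtdsutilOutput   = ($out -join "`n")      # inspect for the success message per DC
    }
}

# The helper account's last password now matches only the final DC's DSRM password,
# so disable the account again rather than leaving a live domain logon around.
Disable-ADAccount -Identity $SyncAccount

$results
```

Run it from an elevated PowerShell session on a management host and hand the `DsrmPassword` column to whatever locker you use; nothing here writes the passwords to disk. Because the helper account briefly holds each DSRM value as its own domain password, keep it disabled between runs and consider scoping it with a logon-denied policy, since anyone who can read its password during the run learns that DC's DSRM password.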
OK.  Thanks all.  So, the DSRM password is specific to each domain controller, NOT stored in AD for all domain controllers.

Thanks for the clarification.


Have a great day.