Maintain Your Directory Services Restore Mode (DSRM) Password

On your domain controllers, there is an account called the Directory Services Restore Mode account.  This account is quite special - it's not an Active Directory account.  It's a local account, that is isolated to that one domain controller, which means each DC has its own DSRM account with its own unique password.  (You use ntdsutil.exe to change this password.) This comes as a surprise to some people, as they might have thought that Active Directory domain controllers don't have any local accounts.  Well, they have this one.  As the name implies, you would only find yourself using the DSRM account if things have really gone off the rails.  In a disaster recovery scenario, basically.  But when that day comes, you really don't want to have forgotten what the password to that DSRM account is.

What if you have 50 domain controllers in your AD forest?  That means you have to keep up with 50 different DSRM passwords.  And what if your company has a security policy that requires you to change those passwords on a regular basis?

Alright, it's time to automate this.  We have better things to do than sit around changing passwords by hand all day.

So first off, create a new domain user in AD.  Disable the account so that it cannot be logged on to, and name the account something like "DSRM".  Set the account's password to something strong that you will remember and/or have recorded.

Next, create a new Group Policy Object, and link it to the Domain Controllers OU.  You want this policy to apply to all your domain controllers.  Edit the GPO, drill down to Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks, and create a new Scheduled Task to be run on all your domain controllers at a regular interval (like, say, once a week.)

Configure this scheduled task to run as the "SYSTEM" account.  For the action, run this command:

C:\Windows\System32\ntdsutil.exe "SET DSRM PASSWORD" "SYNC FROM DOMAIN ACCOUNT Dsrm" Q Q

This command will synchronize the local DSRM password on the domain controller to match the password of the "Dsrm" user account in Active Directory.

This means when it comes time to change the DSRM password, you only need to change it once, and that scheduled task will automatically disseminate it to all your DCs, no matter how many DCs you have.
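As an added example (not code from the original post), here is the same procedure done from a PowerShell console: it creates the disabled "Dsrm" domain account, runs the post's ntdsutil sync command on every DC in one pass (handy for the first rollout, or to confirm the GPO task is doing its job), and then checks each DC's Security log for event 4794, which Windows records whenever the DSRM administrator password is set.  It assumes the ActiveDirectory RSAT module, Domain Admin rights, WinRM access to the DCs, and that "Audit User Account Management" is enabled so 4794 is actually logged.

```powershell
# Added example, not part of the original post. Assumes RSAT ActiveDirectory
# module, Domain Admin rights, WinRM to all DCs, and User Account Management
# auditing enabled on the DCs (otherwise event 4794 is never written).
Import-Module ActiveDirectory

$AccountName = 'Dsrm'   # must match the account named in the ntdsutil command

# 1. Create the disabled domain account that holds the shared DSRM password.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AccountName'")) {
    $pw = Read-Host -Prompt "Password for $AccountName" -AsSecureString
    New-ADUser -Name $AccountName -SamAccountName $AccountName `
        -AccountPassword $pw -Enabled $false `
        -Description 'Holds the DSRM password; synced to every DC by ntdsutil'
}

# 2. Run the same sync the scheduled task performs, on every DC, and report.
$since = Get-Date
$dcs   = (Get-ADDomainController -Filter *).HostName
$results = Invoke-Command -ComputerName $dcs -ArgumentList $AccountName -ScriptBlock {
    param($acct)
    $out = & "$env:SystemRoot\System32\ntdsutil.exe" `
        'SET DSRM PASSWORD' "SYNC FROM DOMAIN ACCOUNT $acct" Q Q 2>&1
    [pscustomobject]@{
        DC       = $env:COMPUTERNAME
        ExitCode = $LASTEXITCODE
        Output   = ($out -join ' ')
    }
}
$results | Format-Table DC, ExitCode, Output -AutoSize

# 3. Verify: each DC should have logged Security event 4794 since $since.
#    The same query is what you would alert on: a 4794 outside the scheduled
#    window means something other than this task changed a DSRM password.
foreach ($dc in $dcs) {
    $ev = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4794; StartTime = $since }
    if ($ev) { "$dc : DSRM password set (event 4794 at $($ev[0].TimeCreated))" }
    else     { "$dc : no event 4794 found - check the ntdsutil output above" }
}
```

Since the "Dsrm" domain account now controls recovery access on every DC, treat it like a Domain Admin credential: keep it disabled, restrict who can reset its password, and alert on 4794 events that do not line up with the task's schedule.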

ImAlive - RDP Activity Simulator

Sometimes I use Remote Desktop Protocol (RDP) to connect to machines remotely.  Good ole' mstsc.exe.  Sometimes, the remote server that I connect to has a policy that automatically disconnects idle sessions after some minutes.  This can be excruciatingly inconvenient when, for instance, I'm trying to transfer a large file to or from the server.  The file transfer may take hours, but I have to sit there and babysit the RDP session to make sure that the server doesn't disconnect me?

So that's why I made ImAlive.

Basically, this tiny program will send a "heartbeat" to all open RDP windows on your system every 10 seconds.  This keeps your RDP session in an "Active" state, even if you walk away from the keyboard for hours.  You run this program locally on your workstation, not on the remote machine.

Just launch the executable, and you will see this:

Press any key to terminate the program.  It will automatically locate all open RDP windows on your desktop and send a "heartbeat" to them, thus keeping your session "Active" indefinitely.

Caveats and Limitations:

  • You mustn't minimize your RDP windows.  You can keep them in the background, but don't minimize them. If you minimize the RDP windows, they will not be able to receive the heartbeat messages.  It doesn't matter if the RDP session is full screen or windowed.
  • You can still use your computer to do other things while your RDP sessions are in the background, but you may see your RDP windows flash into the foreground for an instant as the heartbeats are sent to them.  After the heartbeat is sent, the program attempts to return focus to whatever window had focus before the heartbeat was sent.  If you have multiple monitors, I recommend shoving all your "idle" RDP windows to the side where they don't bother you if they briefly (like, 10 milliseconds, you may not even notice) flash to the foreground.
  • The program stops working if your workstation is locked or goes to sleep or hibernates.

If at any time I eliminate any of these bugs/limitations, I will update the program and post the updates to this page.

Download:

ImAlive.zip (90.6KB)