The Directory Services Restore Mode (DSRM) password is used for restoring Active Directory data on a Domain Controller. During an AD restore you can’t authenticate to Active Directory, because it isn’t running when you boot into restore mode and there aren’t any local accounts on a Domain Controller, so the DSRM password is used instead. This is a particularly important password to know in a single Domain Controller environment like a Small Business Server domain (although you can add additional DCs). It’s also a very good password to reset if you take on a new client with existing infrastructure that has been set up by someone else.
On SBS 2011, although you are not prompted to specify the DSRM password, it defaults to the password you use to install the server with. On Windows 2008, 2012 and 2012 R2, when you promote a Member Server to a Domain Controller, you are asked to specify the password.
Resetting it is a relatively painless process:
1. From an elevated command prompt type ntdsutil.
2. At the ntdsutil prompt type set dsrm password.
3. At the Reset DSRM Administrator Password prompt type reset password on server servername, where servername is the name of the server you are on.
4. Enter the new password, and then hit return.
5. Confirm your password and hit return and you should see the message: Password has been set successfully.
6. Press q or type quit twice to exit back to the command prompt.
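To confirm that the reset in the steps above was recorded, the following added example (not part of the original post) looks for Security event 4794, which Windows logs when the DSRM administrator password is set, and reports the DsrmAdminLogonBehavior registry value. It assumes an elevated PowerShell session on the Domain Controller, that the "User Account Management" audit subcategory is enabled, and a one-hour look-back window chosen for illustration.

```powershell
# Added example: run elevated on the Domain Controller after the ntdsutil reset.
# Assumption: "User Account Management" auditing is enabled, otherwise
# event 4794 is not written to the Security log.
$since = (Get-Date).AddHours(-1)   # assumed look-back window; adjust as needed

# Event 4794: "An attempt was made to set the Directory Services Restore Mode
# administrator password."
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4794
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No event 4794 since $since. Check that account management auditing is enabled."
} else {
    foreach ($e in $events) {
        # Pull the named fields out of the event XML instead of parsing the message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Caller      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Workstation = $data['Workstation']
            Status      = $data['Status']    # 0x0 means the password was set
        }
    }
}

# DsrmAdminLogonBehavior controls when the DSRM account may log on:
#   absent or 0 = only when booted into DSRM (default)
#   1           = also when the AD DS service is stopped
#   2           = at any time, including while the DC is running normally
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
$behavior = if ($lsa) { $lsa.DsrmAdminLogonBehavior } else { 0 }
if ($behavior -ne 0) {
    Write-Warning "DsrmAdminLogonBehavior is $behavior (non-default). Review who set it and why."
} else {
    Write-Output "DsrmAdminLogonBehavior is at its default (DSRM logon only in restore mode)."
}
```

On inherited infrastructure, a 4794 event you did not cause or a non-default DsrmAdminLogonBehavior value is worth investigating before relying on the server.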