Article ID: 223301 - View products that this article applies to.
This article was previously published under Q223301
This article discusses the security of the offline Security Accounts Manager (SAM) and the accounts in it.
Windows 2000 Domain Controllers store domain user accounts, group memberships and other objects in the Active Directory. The Windows 2000 Backup tool and other third-party backup programs can back up jet-based Active Directory on an online Windows 2000 domain controller.
System maintenance and restoring the Active Directory can only be performed by placing the Active Directory "offline" or in "Directory Services Restore" mode. Directory Services Restore mode, which uses a registry-based SAM accounts database to store the administrator account and other built-in users and groups, represents a different security context than the Active Directory.
Registry Based SAM CreationMicrosoft Windows NT version 4.0 and earlier store user accounts, machine accounts, and group information in a registry-based SAM. When you upgrade a Windows NT 4.0 primary domain controller (PDC) to Windows 2000, DCPROMO starts at the end of Windows 2000 Setup. Accounts in the SAM are migrated to the jet-based Active Directory. A new registry-based SAM containing the "offline" administrator account (and other built-in accounts needed to recover Windows 2000 domain controllers) is created. Accounts in the registry-based SAM are available only in Directory Services Restore mode by pressing F8 in the early part of the boot process. The registry based SAM is stored in the %SYSTEMROOT%\SYSTEM32\CONFIG folder.
For new Windows 2000 domains, the active directory database is built and populated with a default set of users and groups. The same Windows NT version 4.0 type of registry-based SAM found in the Windows NT upgrade scenario is created in the %SYSTEMROOT%\SYSTEM32\CONFIG folder.
Securing the Offline SAMThe methods of protecting the offline SAM are identical to the methods used in Windows NT 4.0. Administrators looking to secure the offline SAM may consider the following:
Administrators may experience more loss of service when unable to produce the password for the offline administrator account than to attacks against the offline SAM. Define an internal process for storing and retrieving offline administrator passwords that does not compromise security but makes passwords available for system maintenance and recovery. Consider that servers are typically rebuilt during off-peak hours months or even years after the original installation of the operating system.
You may remotely change the password for the offline same by using Windows NT Terminal Server in remote administration mode and toggling the Boot.ini switch between starting the computer in Offline Restore mode and Active Directory mode.
SETPWD.exe, which is included in Windows 2000 Service Pack 2, and the "Set DSRM Password" command in the .NET Server version of NTDSUTIL.exe allow administrators to change the DS Restore administrator password on a domain controller while the Directory service is online.