- Active Directory Administration Cookbook
- Sander Berkouwer
- 2021-06-24 14:42:05
Document the passwords
In large organizations, you can't get anything done without the proper changes being filed through change management. Even if your organization doesn't require these steps, it's still a recommended practice to document at least these items:
- Document the password for the built-in administrator account: When deploying a new Active Directory forest or domain, deploy using a pre-configured password for the built-in administrator account. After successful promotion, change the password to one that you intend to assign to this account for a longer period of time. Document the latter password in a password vault.
As domain controllers are promoted using scripts, there is a chance the password for the built-in account lingers around unintentionally. Also, the password initially set for this account is stored with a weaker hashing algorithm than changed passwords.
- Document the Directory Services Restore Mode (DSRM) password: In dire situations, when the Active Directory-related services are no longer able to start, an administrator can sign in to the server using a fallback account with the DSRM password. Aim to use a different DSRM password for each domain controller and document these properly in a password vault.
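One way to check for the lingering passwords mentioned above is to scan the folder that holds the promotion scripts for passwords written in clear text. This is an added example, not code from the book: the function name `Find-LingeringPromotionSecret`, the three patterns, and the sample scripts are assumptions made for illustration.

```powershell
# Added example. Rule patterns and the sample scripts are constructed for illustration.
function Find-LingeringPromotionSecret {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)

    # Label -> regex for a password left in clear text in a promotion script.
    $rules = [ordered]@{
        'String literal to SecureString' = 'ConvertTo-SecureString\b(?=.*-AsPlainText)(?=.*["''][^"'']+["''])'
        'dcpromo answer file value'      = '^\s*SafeModeAdminPassword\s*=\s*\S+'
        'net user with inline password'  = '\bnet(\.exe)?\s+user\s+administrator\s+[^/*\s]\S*'
    }

    $files = Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.cmd, *.bat, *.txt
    if (-not $files) { return }

    foreach ($rule in $rules.GetEnumerator()) {
        $files | Select-String -Pattern $rule.Value | ForEach-Object {
            # Report the location only; the matched line holds the secret, so it is not echoed.
            [pscustomobject]@{
                File = $_.Path
                Line = $_.LineNumber
                Rule = $rule.Key
            }
        }
    }
}

# Constructed sample: one script embeds the DSRM password, the other prompts for it.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'promo-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content (Join-Path $demo 'bad.ps1') @'
$dsrm = ConvertTo-SecureString 'Constructed-Example-1!' -AsPlainText -Force
Install-ADDSForest -DomainName 'example.test' -SafeModeAdministratorPassword $dsrm
'@
Set-Content (Join-Path $demo 'good.ps1') @'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'
Install-ADDSForest -DomainName 'example.test' -SafeModeAdministratorPassword $dsrm
'@

Find-LingeringPromotionSecret -Path $demo
```

Any file it reports should have the password removed, and the affected account's password should be changed and recorded in the vault.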
Now we will look at the recipes covered in this chapter.