Document the passwords
In large organizations, you can't get anything done without the proper changes being filed through change management. Even if your organization doesn't require these steps, it's still a recommended practice to document at least these items:
- Document the password for the built-in administrator account: When deploying a new Active Directory forest or domain, deploy using a pre-configured password for the built-in administrator account. After successful promotion, change the password to one that you intend to assign to this account for a longer period of time. Document the latter password in a password vault.
Because domain controllers are promoted using scripts, there is a chance that the password for the built-in account unintentionally lingers. Also, the password initially set for this account is stored with a weaker hashing algorithm than changed passwords.
- Document the Directory Services Restore Mode (DSRM) password: In dire situations, when the Active Directory-related services are no longer able to start, an administrator can sign in to the server using a fallback account with the DSRM password. Plan to use a different DSRM password for each domain controller and document each one properly in a password vault.
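To check whether a promotion password lingers in scripts, as described above, the following added example (not code from the book) scans a folder of deployment scripts and answer files for literal passwords. The function name `Find-LingeringPromotionPassword`, the three patterns, and the sample script are assumptions made for illustration; the patterns are not exhaustive.

```powershell
# Added example; function name, patterns and sample content are hypothetical.
function Find-LingeringPromotionPassword {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Illustrative patterns for literal passwords left in promotion material.
    $patterns = [ordered]@{
        # Quoted literal (not a $variable) turned into a SecureString
        'Literal passed to ConvertTo-SecureString' =
            'ConvertTo-SecureString\b(?=.*-AsPlainText)(?=.*["''][^"''$]+["''])'
        # dcpromo answer file entry for the DSRM password
        'DSRM password in answer file' = '^\s*SafeModeAdminPassword\s*=\s*\S+'
        # Password given on the command line instead of prompted for with *
        'net user with inline password' =
            '\bnet(\.exe)?\s+user\s+administrator\s+(?![*/])\S+'
    }

    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1, *.cmd, *.bat, *.txt |
        ForEach-Object {
            $file = $_
            foreach ($finding in $patterns.Keys) {
                Select-String -LiteralPath $file.FullName -Pattern $patterns[$finding] |
                    ForEach-Object {
                        # Report location only; never echo the matched secret.
                        [pscustomobject]@{
                            File    = $file.FullName
                            Line    = $_.LineNumber
                            Finding = $finding
                        }
                    }
            }
        }
}

# Constructed sample: a promotion script that still carries a literal password.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'promo-scan-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
Install-ADDSForest -DomainName lab.example `
  -SafeModeAdministratorPassword (ConvertTo-SecureString 'CONSTRUCTED-ExamplePw1' -AsPlainText -Force)
'@ | Set-Content -Path (Join-Path $demo 'promote.ps1')

Find-LingeringPromotionPassword -Path $demo   # reports promote.ps1, line 2
Remove-Item -Path $demo -Recurse -Force
```

Any password the scan turns up should be treated as exposed: change it and record the new value in the password vault.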
Now we will look at the recipes covered in this chapter.