Password
In Windows 2000, the DSRM password is typically created as a null value (blank), which is also the Recovery Console password. In Windows Server 2003, a DSRM password must be defined when DCPromo is run.
As with any highly privileged administrative login, the DSRM password should be changed at regular intervals because absent third-party auditing controls, anyone with the password who has access to the domain controller can reboot the machine, copy and modify the Active Directory database, and reboot the server without leaving any trace of the activity. DSRM password changes cannot be scripted, but can be accomplished manually through the command line; DSRM passwords can also be automatically changed and audited using privileged identity management software.
Read more about this topic: Directory Services Restore Mode