Restartable AD DS and DSRM Logon Behaviors
Ever since Windows 2000's implementation of Active Directory (AD) we have had a method to restore AD objects that were removed. Although it hasn’t been as easy as hitting CTRL-Z to undo a mistakenly deleted object or to try to restore from the Recycle Bin, we have had a method to restore objects. That method is to restart the Domain Controller (DC) in Directory Services Restore Mode (DSRM) and logon with the DSRM account and password that is generated using DCPROMO. (how to reset a DSRM account password)
Having to restart a DC to restore objects has always been a sore subject with me. Thankfully in Windows Server 2008, Active Directory Domain Services (AD DS) now functions as a service. This service may look the same from the outside but if you dig a little deeper you will see that it is a bit different. For example, you cannot pause this service and the startup is hard coded to Automatic...thus the only way you can start a DC with AD off is via DSRM, but you can Stop it while the server is up in a norm state.
The advantage of this is that you no longer have to bring down a DC to do an offline defrag of your ntds.dit. One thing you can't do by default is stop AD DS and then perform an authoritative restore. I say by default because this can change in Server 2008. This all changes with Server 2008 and you now have the ability to change the DSRM logon behavior. By modifying the following registry key you can select when you want to allow the DRSM administrator to log on:
There are three values that can be selected:
||DSRM Administrator can log on using DRSM boot option
||DSRM Administrator can log on while AD DS is stopped
||DSRM Administrator can log on at all times
I'm personally a fan of Value 1. Value 0 has to big of an impact for restores and maintenance and Value 2 is a little too liberal for my likings.
Finally some commands that can be used for those Server Core Admins:
- net start ntds (starts AD DS service)
- net stop ntds (stops AD DS service)
- sc \\ <DC Name> query ntds (queries AD DS service)
When you stop AD DS you are also stopping the following services on that DC:
- File Replication
- Kerberos Key Distribution Center
- Intersite Messaging
- DNS Server (hopefully your clients have multiple DNS sever entries)
- DFS Replication
Be aware that when you change the value of DSRMAdminLogonBehavior the DRSM Administrator account is not checked by any password policy.