The Life of Brian

Active Directory, Group Policies, Server Core and the Life of Brian

Restartable AD DS and DSRM Logon Behaviors

Ever since Windows 2000's implementation of Active Directory (AD) we have had a method to restore AD objects that were removed. Although it hasn't been as easy as hitting CTRL-Z to undo a mistakenly deleted object, or restoring from the Recycle Bin, we have had a method to restore objects: restart the Domain Controller (DC) in Directory Services Restore Mode (DSRM) and log on with the DSRM account and the password that is generated using DCPROMO. (how to reset a DSRM account password)

Having to restart a DC to restore objects has always been a sore subject with me. Thankfully, in Windows Server 2008, Active Directory Domain Services (AD DS) now functions as a service. This service may look the same from the outside, but if you dig a little deeper you will see that it is a bit different. For example, you cannot pause this service and its startup type is hard coded to Automatic; thus the only way to start a DC with AD off is via DSRM, but you can stop it while the server is up in a normal state.

The advantage of this is that you no longer have to bring down a DC to do an offline defrag of your ntds.dit. One thing you can't do by default is stop AD DS and then perform an authoritative restore. I say "by default" because Server 2008 gives you the ability to change the DSRM logon behavior. By modifying the following registry value you can select when you want to allow the DSRM Administrator to log on:

HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior

There are three values that can be selected:

Value        Description
0 (default)  DSRM Administrator can log on only by using the DSRM boot option
1            DSRM Administrator can log on while AD DS is stopped
2            DSRM Administrator can log on at all times

I'm personally a fan of value 1. Value 0 has too big an impact on restores and maintenance, and value 2 is a little too liberal for my liking.
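The registry value above is the one setting on a DC that decides whether the DSRM Administrator (whose password no policy governs) can be used while the DC is up, so it is worth auditing across every DC rather than checking one box by hand. The following is an added example, not code from the original post: it reads DsrmAdminLogonBehavior on a list of DCs, reports an absent value as the default 0, and flags any DC set to 2. It assumes PowerShell 3.0 or later and WinRM reachable on each DC; the DC names are constructed placeholders.

```powershell
# Added example (not from the original post): audit and set DsrmAdminLogonBehavior.
# Assumes PowerShell 3.0+ and WinRM (Invoke-Command) reachable on every DC.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'DsrmAdminLogonBehavior'

# Meaning of each value, as documented in the post's table
$Meaning = @{
    0 = 'DSRM Administrator can log on only via the DSRM boot option (default)'
    1 = 'DSRM Administrator can log on while AD DS is stopped'
    2 = 'DSRM Administrator can log on at all times'
}

function Get-DsrmLogonBehavior {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ArgumentList $KeyPath, $ValueName -ScriptBlock {
        param($Path, $Name)
        $item    = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        $present = $null -ne $item
        # An absent value behaves exactly like 0, so report it as 0 but record that it is missing
        $v = 0
        if ($present) { $v = [int]$item.$Name }
        [pscustomobject]@{
            DC      = $env:COMPUTERNAME
            Value   = $v
            Present = $present
        }
    } | ForEach-Object {
        $_ | Add-Member -NotePropertyName Meaning -NotePropertyValue $Meaning[$_.Value] -PassThru
    }
}

function Set-DsrmLogonBehavior {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value   # only the three documented values
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $KeyPath, $ValueName, $Value -ScriptBlock {
        param($Path, $Name, $Val)
        # Creates the DWORD if it does not exist; -Force overwrites an existing one
        New-ItemProperty -Path $Path -Name $Name -Value $Val -PropertyType DWord -Force | Out-Null
    }
}

# Usage: constructed placeholder DC names; report every DC and warn on value 2
$DomainControllers = 'DC01', 'DC02'
$report = Get-DsrmLogonBehavior -ComputerName $DomainControllers
$report | Format-Table DC, Value, Present, Meaning -AutoSize
$report | Where-Object Value -eq 2 | ForEach-Object {
    Write-Warning "$($_.DC): DSRM Administrator can log on at all times and its password is not checked by any password policy"
}

# Example: move a DC to the post's preferred value 1
# Set-DsrmLogonBehavior -ComputerName 'DC01' -Value 1
```

The ValidateSet on Set-DsrmLogonBehavior stops a typo such as 3 from being written; Windows would otherwise store it silently and you would be left guessing how the DC treats an undocumented value.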

Finally, some commands that can be used by Server Core admins:

  • net start ntds (starts the AD DS service)
  • net stop ntds (stops the AD DS service, and the services that depend on it)
  • sc \\<DC Name> query ntds (queries the AD DS service, optionally on a remote DC)

Important Notes:
When you stop AD DS you are also stopping the following services on that DC:

  • File Replication
  • Kerberos Key Distribution Center
  • Intersite Messaging
  • DNS Server (hopefully your clients have multiple DNS server entries)
  • DFS Replication
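Because stopping NTDS also stops the dependent services listed above, and the DNS Server in particular, a practitioner wants to see that list and confirm the DC has somewhere else to resolve names before pulling the trigger. The following is an added example, not code from the original post: it lists the services that will stop with AD DS, warns if the DC only points at itself for DNS, stops AD DS with the dependents, and restarts exactly the dependents that were running before. It assumes it is run locally on the DC with PowerShell 2.0 or later (WMI is used instead of the newer networking cmdlets so it fits a Server 2008-era box).

```powershell
# Added example (not from the original post): stop and restart AD DS for offline
# maintenance, showing which dependent services ride along. Runs locally on the DC;
# assumes PowerShell 2.0+ (WMI instead of the newer Net* cmdlets).

function Get-NtdsDependentServices {
    # The services Windows stops together with NTDS (FRS, KDC, ISM, DNS, DFSR on the post's DC)
    Get-Service -Name ntds |
        Select-Object -ExpandProperty DependentServices |
        Select-Object Name, DisplayName, Status
}

function Test-DnsFallbackConfigured {
    # $true when this DC lists at least one DNS server that is not itself, so the DC
    # (and clients that point at this DC's twin) can still resolve names while the
    # local DNS Server service is stopped
    $local = @('127.0.0.1', '::1')
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) { $local += $a.IPAddress }
    $dns = $adapters | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ }
    [bool]($dns | Where-Object { $local -notcontains $_ })
}

function Stop-AdDs {
    if (-not (Test-DnsFallbackConfigured)) {
        Write-Warning 'This DC only points at itself for DNS; name resolution on it will fail while AD DS is stopped'
    }
    # Remember which dependents were running so Start-AdDs restores exactly those
    $script:RunningDependents = @(Get-NtdsDependentServices |
        Where-Object { $_.Status -eq 'Running' } |
        Select-Object -ExpandProperty Name)
    Write-Host "Stopping AD DS; these services will stop too: $($script:RunningDependents -join ', ')"
    Stop-Service -Name ntds -Force   # -Force is required because NTDS has dependents
    Get-Service -Name ntds
}

function Start-AdDs {
    Start-Service -Name ntds
    # Start-Service does not restart dependents, so bring back the ones we stopped
    foreach ($name in $script:RunningDependents) { Start-Service -Name $name }
    Get-Service -Name (@('ntds') + $script:RunningDependents) | Select-Object Name, Status
}

# Usage on the DC itself:
# Stop-AdDs      # do the offline work (for example the ntds.dit defrag the post mentions)
# Start-AdDs
```

Stop-Service -Force is the PowerShell equivalent of answering "Y" when net stop ntds asks whether to stop the dependent services; recording the running dependents first matters because the KDC and DNS Server do not come back on their own when NTDS starts.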

Be aware that when you change the value of DSRMAdminLogonBehavior, the DSRM Administrator account's password is not checked by any password policy.

Comments

GrammarGuy said:

Nice post - but please check your spelling and grammar before you post.

Examples from your post above:

...where removed.  (were)

Although it hasn’t been as easy as hitting CTRL-Z to undo a mistakenly deleted object or to try to restore from the Recycle Bin. (Poor sentence structure).

...now functions as service. (as a service)

...in a norm state. (normal)

Value 0 had to big of an impact (too)

...a little to liberal for my likings (too)

...when you want to all the DRSM (allow)

# October 22, 2008 2:41 PM

BrianM said:

That is what I get for posting way too early in the morning for me.  :)

# October 22, 2008 3:49 PM

grinder said:

Many thanks for the instructions.

# January 27, 2009 12:58 PM

grinder said:

On technet.microsoft.com/.../cc732714.aspx there is another description of the options for DSRMAdminLogonBehavior:

0 (default for Windows Server 2008) - The DSRM Administrator account cannot be used to log on.

You can only log on to the domain controller with a domain account. This requires an additional domain controller to authenticate the request and working connectivity, name resolution, authentication, and authorization between the local domain controller and the authenticating domain controller.

1 - The DSRM Administrator account can be used to log on only when the AD DS service is stopped.

This value can improve functionality by allowing more options for logging on to a domain controller. However, keep in mind that the DSRM Administrator account password is not checked against any password policy.

You might change the entry to this value in a domain that has a single domain controller, or on a domain controller that is on an isolated network, or on one that points to itself or other offline domain controllers exclusively for name resolution.

2 - The DSRM Administrator account can be used to log on at any time. Using this value is not recommended because the DSRM Administrator account password is not checked against any password policy.

# January 27, 2009 1:23 PM