In Windows Server 2008 you are able to stop Active Directory-Domain Services using the services snap-in or by typing
net stop ntds
However, this is for servicing only and not a state in which the DC is intended to be kept for a longer period. Stopping AD is intended for servicing NTDS where a stopped AD is needed (as in Directory Services Restore Mode, DSRM) but where there is no need for completely flushed memory and stopped dependencies. So what you can do are things like offline defragmentation of the database, moving the database, and so on.
I think this is a good feature. Yes, it would be great to do other things. Yes, it would be great to restore AD without going into DSRM. There are things which would be nice. However … it’s better than before, and that’s what is important.
I love to do things using scripts. I love to use a toolbox, some script I’ve used before. Imagine – in the past, doing an offline defrag of the Active Directory database required rebooting into Directory Services Restore Mode, logging on as the local admin (= DSRM admin), then running ntdsutil with the options to do an offline defrag into new files, then copying the new files over the old ones, then rebooting again into full mode.
However, in Windows Server 2008 and above it is as easy as stopping NTDS, offline defrag, moving, starting NTDS.
It is essential to keep in mind that although you can stop NTDS, it’s not meant to stay stopped for a longer period.
However, three things make me worry that this feature is not well understood:
- It’s not a state to keep for a longer period, not a replacement for recovery-DCs (which are turned off in the closet).
- Not a replacement for DSRM when it comes to System State Recovery / Authoritative Restore from a restored backup. If you need to restore a system state backup, the only supported way is to do it in DSRM.
- Authoritatively marking objects which haven’t been replicated to the DC in question is OK, and the same goes for file-management operations other than restoring a backup (the content of the dit basically needs to remain the same).
- You can’t log on with the DSRM admin when NTDS is stopped. This hit someone – in the beta timeframe – who had a single DC, stopped NTDS, spent some time away (the screen saver kicked in) and couldn’t log on. DSRM logon is not possible by default with a stopped NTDS when there are no other logon servers available (if there are, e.g. you have a second DC, it authenticates you on the DC with the stopped NTDS).
The DSRM admin (which is equivalent to the local admin on a DC) is only available by default on Small Business Server or if you modified the following registry key:
HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior
Value 0: DSRM-Logon only when in DSRM (default)
Value 1: DSRM-Logon only when NTDS stopped (or DSRM) (default in
Value 2: DSRM-Logon always
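As an added illustration of the stop-NTDS / offline-defrag / start-NTDS routine described above, together with a pre-flight read of the DSRMAdminLogonBehavior value so that a single DC does not lock you out while NTDS is stopped, here is a PowerShell script. This is example code written for this page, not Ulf’s script and not anything shipped by Microsoft; it assumes it runs elevated on the DC, that $CompactDir is a scratch folder on a local volume with enough free space for a full copy of ntds.dit, and that ntdsutil returns a nonzero exit code on failure (you should still read its output).

```powershell
# Added example (not from the original post): offline defrag of the AD database
# using restartable AD DS on Windows Server 2008 and later.
# Assumptions: elevated session on the DC; $CompactDir is a hypothetical scratch
# directory with room for a full copy of ntds.dit.

$ErrorActionPreference = 'Stop'
$CompactDir = 'C:\NtdsCompact'   # assumed scratch directory

# Locate the live database and its log folder from the NTDS parameters key.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = (Get-ItemProperty -Path $ntdsParams).'DSA Database file'
$logDir  = (Get-ItemProperty -Path $ntdsParams).'Database log files path'

# Pre-flight: with DSRMAdminLogonBehavior = 0 (the default) the DSRM admin cannot
# log on while NTDS is stopped. On the only DC in a domain, keep this session
# alive (or set the value to 1 for the maintenance window) before stopping NTDS.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$behavior = (Get-ItemProperty -Path $lsa -Name 'DSRMAdminLogonBehavior' `
             -ErrorAction SilentlyContinue).DSRMAdminLogonBehavior
if ($null -eq $behavior) { $behavior = 0 }
Write-Host "DSRMAdminLogonBehavior = $behavior (0: only in DSRM, 1: also while NTDS is stopped, 2: always)"

# Stop AD DS; dependent services (KDC, DNS if AD-integrated, etc.) stop with it.
Stop-Service -Name NTDS -Force

try {
    if (-not (Test-Path $CompactDir)) {
        New-Item -ItemType Directory -Path $CompactDir | Out-Null
    }

    # Offline defrag into new files: ntdsutil writes a compacted ntds.dit to $CompactDir.
    & ntdsutil.exe 'activate instance ntds' 'files' "compact to $CompactDir" 'quit' 'quit'
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil compact failed (exit code $LASTEXITCODE)" }

    $newDit = Join-Path $CompactDir 'ntds.dit'
    if (-not (Test-Path $newDit)) { throw "Compacted database not found at $newDit" }

    # Keep the old database until the new one passes an integrity check.
    Copy-Item -Path $ditPath -Destination "$ditPath.bak" -Force
    Copy-Item -Path $newDit  -Destination $ditPath -Force
    # The transaction logs belong to the old database and must not be replayed
    # against the compacted copy.
    Remove-Item -Path (Join-Path $logDir '*.log') -Force

    & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit'
    if ($LASTEXITCODE -ne 0) {
        Copy-Item -Path "$ditPath.bak" -Destination $ditPath -Force
        throw 'Integrity check failed; the original ntds.dit has been put back'
    }
}
finally {
    # Whatever happened above, do not leave the DC with NTDS stopped.
    Start-Service -Name NTDS
}
```

The try/finally is the point of the script: the one thing the post warns about is leaving NTDS stopped, so AD DS is restarted even when the compaction or integrity check throws. The old ntds.dit is only overwritten after a successful compaction and kept as a .bak copy until the integrity check passes; if that check fails, the original file is restored before NTDS comes back up.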
HTH, Ulf