Restart the Domain Controller in Directory Services Restore Mode Locally

Applies To: Windows Server 2008, Windows Server 2008 R2

If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not as a domain controller.

During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.

Note

By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=88649).

You can restart a domain controller in DSRM manually by pressing the F8 key during domain controller startup, which requires watching the startup and waiting for the appropriate point in the startup to press the key. This method is tedious and can waste time if you miss the brief window of opportunity for selecting the restart mode.

On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:

  • Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode.

  • Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.

When you are finished managing a domain controller in DSRM, if you have used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration so that the domain controller restarts in normal mode.

Note

A benefit of using System Configuration or Bcdedit.exe for implementing restart of a domain controller into DSRM is that normally the domain controller cannot be inadvertently restarted. This benefit is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore.

You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely.

Membership in the Domain Admins group is the minimum required complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM is required to log on to the domain controller in DSRM. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Important

If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (https://go.microsoft.com/fwlink/?LinkId=92728).

Restarting the domain controller in DSRM locally

You can use either of the following methods to restart the domain controller in DSRM:

To restart a domain controller in DSRM locally by using the Windows GUI

  1. On the Start menu, point to Administrative Tools, and then click System Configuration.

  2. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.

  3. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM.

  4. Perform procedures in DSRM.

  5. When you have finished performing procedures in DSRM, restart the domain controller normally:

    1. On the Start menu, point to Administrative Tools, and then click System Configuration.

    2. On the General tab, in Startup selection, click Normal startup, and then click OK.

      The domain controller restarts normally.

To restart a domain controller in DSRM locally by using the command line

  1. Click Start, click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK.

  2. At the command prompt, type the following command, and then press ENTER:

    • bcdedit /set safeboot dsrepair
  3. At the command prompt, type the following command, and then press ENTER:

    • shutdown -t 0 -r
  4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt and type the following, and then press ENTER:

    • bcdedit /deletevalue safeboot
  5. At the command prompt, type the following command, and then press ENTER:

    • shutdown -t 0 -r
Value Description

/set safeboot dsrepair

Configures the boot process to start in DSRM.

shutdown –t 0 -r

Shuts down the server and restarts it.

/deletevalue safeboot

Returns the boot process to the previous setting.

See Also

Concepts

Restart the Domain Controller in Directory Services Restore Mode Remotely