Share via


Restartable AD DS Step-by-Step Guide

Applies To: Windows Server 2008, Windows Server 2008 R2

You can use Microsoft Management Console (MMC) snap-ins, or the Net.exe command-line tool, to stop or restart Active Directory® Domain Services (AD DS) in the Windows Server® 2008 operating system. You can stop AD DS to perform tasks, such as offline defragmentation of the AD DS database, without restarting the domain controller. Other services that run on the server, but that do not depend on AD DS to function, are available to service client requests while AD DS is stopped. An example of such a service is Dynamic Host Configuration Protocol (DHCP).

What is restartable AD DS?

Restartable AD DS is a feature in Windows Server 2008 that you can use to perform routine maintenance tasks on a domain controller, such as applying updates or performing offline defragmentation, without restarting the server.

While AD DS is running, a domain controller running Windows Server 2008 behaves the same way as a domain controller running Microsoft® Windows® 2000 Server or Windows Server 2003.

While AD DS is stopped, you can continue to log on to the domain by using a domain account if other domain controllers are available to service the logon request. You can also log on to the domain with a domain account while the domain controller is started in Directory Services Restore Mode (DSRM) if other domain controllers are available to service the logon request.

If no other domain controller is available, you can log on to the domain controller where AD DS is stopped in Directory Services Restore Mode (DSRM) only by using the DSRM Administrator account and password by default, as in Windows 2000 Server Active Directory or Windows Server 2003 Active Directory.

You can change the default by modifying the DsrmAdminLogonBehavior registry entry. By modifying the value for that registry entry, you can log on using the DSRM Administrator account in normal startup mode to a domain controller that has AD DS stopped even if no other domain controller is available. You do not need to start the domain controller in DSRM. This can help prevent you from getting inadvertently locked out of a domain controller to which you have logged on locally and stopped the AD DS service. For more information, see Modifying the default logon behavior.

You cannot run the dcpromo command normally to remove AD DS from a domain controller while AD DS is stopped. However, you can run dcpromo /forceremoval to forcefully remove AD DS from a domain controller while AD DS is stopped. For more information about how to forcefully remove AD DS, see the Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and Removal (https://go.microsoft.com/fwlink/?LinkID=86716).

Benefits of restartable AD DS

Restartable AD DS reduces the time that is required to perform offline operations such as offline defragmentation. It also improves the availability of other services that run on a domain controller by keeping them running when AD DS is stopped. In combination with the Server Core installation option of Windows Server 2008, restartable AD DS reduces the overall servicing requirements of a domain controller.

In Windows 2000 Server Active Directory and Windows Server 2003 Active Directory, you must restart the domain controller in DSRM when you perform offline defragmentation of the database or apply security updates. In contrast, you can stop Windows Server 2008 AD DS as you stop other services that are running locally on the server. This makes it possible to perform offline AD DS operations more quickly than you could with Windows 2000 Server and Windows Server 2003.

Note

You cannot perform a system state restore of a domain controller while AD DS is stopped. To complete a system state restore of a domain controller, you need to start in DSRM. You can however perform an authoritative restore of Active Directory objects while AD DS is stopped. For more information, see Mark an object or objects as authoritative.

A domain controller running Windows Server 2008 AD DS displays Active Directory Domain Services in the Services node of the Computer Management snap-in so that you can easily stop and restart AD DS.

States of a domain controller

A domain controller running Windows Server 2008 has three possible states:

  • AD DS Started. In this state, AD DS is started. For clients and other services running on the server, a domain controller running Windows Server 2008 that is in this state is the same as a domain controller running Windows 2000 Server or Windows Server 2003.

  • AD DS Stopped. In this state, AD DS is stopped. Stopping AD DS is similar to logging on in DSRM. However, restartable AD DS provides the AD DS Stopped state for a domain controller running Windows Server 2008.

    Although this state is unique, the server has some characteristics of both a domain-joined member server and a domain controller in DSRM. As with DSRM, the AD DS database (Ntds.dit) on the local domain controller is offline. As with a member server, the server is joined to the domain. If another domain controller can be contacted, users can continue to log on to the domain. If no other domain controller can be contacted to service the logon requests, by default you can either:

    • Log on to the domain controller locally in DSRM by using the DSRM password.

    • Restart the domain controller in order to log on with a domain account.

Note

To change the default behavior, you can modify the DSRMAdminLogonBehavior registry entry, as mentioned earlier in this topic.

In this state, you can run the **dcpromo /forceremoval** command to forcefully remove AD DS from the domain controller.
  • Directory Services Restore Mode (DSRM). This mode (or state) is unchanged from Windows Server 2003, with one exception. In Windows Server 2008, you can run the dcpromo /forceremoval command to forcefully remove AD DS from a domain controller that is started in DSRM, just as you can in the AD DS Stopped state. A domain controller must still be started in DSRM to restore system state data from a backup.

The following flowchart shows how a domain controller running Windows Server 2008 can make the transition between these three states.

Considerations for using restartable AD DS

Keep the following considerations in mind as you experiment with restartable Active Directory in Windows Server 2008:

  • Although you cannot start a domain controller that is running Windows Server 2008 in the AD DS Stopped state, you can restart it in DSRM.

  • Services that do not depend on AD DS continue to run while AD DS is stopped. However, services that depend on AD DS shut down before AD DS shuts down. These services include File Replication Service (FRS), Kerberos Key Distribution Center (KDC), and Intersite Messaging. If these dependent services are running, they restart when AD DS restarts.

  • If the domain controller is a Domain Name System (DNS) server, it will not respond to any queries for Active Directory–integrated zones while AD DS is stopped. To help prevent DNS lookup failures in this case, be sure to configure the DNS client settings on member computers, application servers, and domain controllers to point to more than one DNS server, for redundancy.

  • If a domain controller that is stopped hosts operations master roles or the global catalog, those functions are not reassigned to another domain controller.

  • In MMC snap-ins, you can stop and start AD DS, but you cannot pause it. The only startup type is Automatic.

  • Options for logon in the AD DS Stopped state depend on whether another domain controller can service domain logon requests. If another domain controller services the logon request, the computer on which AD DS is stopped acts as the member server. When you try to log on to the domain from that server, if another domain controller can service the logon request, normal Group Policy settings apply to the user and computer accounts. If another domain controller cannot service the domain logon request, you can only log on to the server in DSRM by default, which requires the DSRM administrator account and password. For more information about changing the default, see Modifying the default logon behavior.

Steps for using restartable AD DS

This section explains the steps for stopping and restarting AD DS on a server running Windows Server 2008. It also provides suggestions for further testing restartable AD DS. For instructions for installing AD DS on Windows Server 2008, see the Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and Removal (https://go.microsoft.com/fwlink/?LinkID=86716).

Modifying the default logon behavior

By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason.

For example, suppose these actions occur:

  1. You log on to a domain controller locally by using a Domain Admin account.

  2. You stop the AD DS service to perform maintenance.

  3. A password-protected screen saver locks the domain controller.

By default in this situation, you can only unlock the domain controller if another domain controller is available to service the request. To change the default behavior, modify the value of the following registry entry:

HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

The following table lists the possible values for this entry. The DSRM admin account can always be used to log on to a domain controller in DSRM. This table describes the options for using the DSRM Administrator account to log on when the domain controller is started normally.

Value Description

0 (default for Windows Server 2008)

The DSRM Administrator account cannot be used to log on.

You can only log on to the domain controller with a domain account. This requires an additional domain controller to authenticate the request and working connectivity, name resolution, authentication, and authorization between the local domain controller and the authenticating domain controller.

1 (default for Windows Small Business Server 2008)

The DSRM Administrator account can be used to log on only when the AD DS service is stopped.

This value can improve functionality by allowing more options for logging on to a domain controller.

You might change the entry to this value in a domain that has a single domain controller, or on a domain controller that is on an isolated network, or on one that points to itself or other offline domain controllers exclusively for name resolution.

2

The DSRM Administrator account can be used to log on at any time. Using this value is not recommended because the DSRM Administrator account password is not checked against any password policy.

Stopping and restarting AD DS

Install Windows Server 2008 on a server, assign it a static IP address, and then install AD DS. For steps to install AD DS, see (https://go.microsoft.com/fwlink/?LinkId=93054).

Use the following procedure to stop and restart AD DS.

Administrative credentials

To stop and restart AD DS, you must be a member of the built-in Administrators group on the domain controller.

To stop and restart AD DS

  1. Click Start, click Administrative Tools, and then click Computer Management.

  2. Double-click Services and Applications, and then click Services.

  3. To stop AD DS, in the details pane, right-click Active Directory Domain Services, and then click Stop.

  4. In Stop Other Services, review the list of dependent services that will also stop when you stop AD DS, and then click Yes.

    If you right-click Active Directory Domain Services, and then click Properties, you see a list of the other services that depend on AD DS to function and another list of services that AD DS depends on to function. All dependent services stop before AD DS stops.

  5. Right-click Active Directory Domain Services again, and then click Start.

    Dependent services start before AD DS starts.

Use the following procedure to query whether AD DS is running or stopped on a domain controller.

Note

The following procedure shows how to query from a command prompt. If you are developing an application, you can query whether AD DS is running or stopped by invoking the DSRoleGetPrimaryDomainInformation function and using the DSROLE_PRIMARY_DOMAIN_INFO_BASIC structure. For more information, see DSROLE_PRIMARY_DOMAIN_INFO_BASIC Structure (https://go.microsoft.com/fwlink/?LinkId=116177).

Administrative credentials

To query whether AD DS is running or stopped, you must be a member of the built-in Administrators group on the computer where you run the command. You can use the following procedure to query the local domain controller or a remote domain controller.

To query whether AD DS is running or stopped on a domain controller

  1. Click Start, right-click Command Prompt, and then click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. To query whether AD DS is running on the local domain controller, type the following command, and then press ENTER:

    sc query ntds

    To query whether AD DS is running on a remote domain controller, type the following command, and then press ENTER:

    sc \\<hostname> query ntds

    Where <hostname> is the name of the domain controller that you want to query.

Performing offline database operations

Restartable AD DS makes it possible for you to perform offline database operations quickly because you do not have to restart the domain controller in DSRM. To experiment with this feature, you can perform some common tasks that formerly required restarting in DSRM, such as offline defragmentation.

Performing an offline defragmentation operation on the AD DS database

Although a newly installed domain controller does not require offline defragmentation, you can compact the AD DS database to see how you can perform this task by stopping AD DS instead of restarting the domain controller in DSRM. Restarting the domain controller in DSRM is required for Windows 2000 Server Active Directory and Windows Server 2003 Active Directory.

For step-by-step instructions for performing an offline defragmentation operation, see Compact the directory database file (offline defragmentation) (https://go.microsoft.com/fwlink/?LinkId=106343).

Important

Be sure to perform a system state backup of the server before you perform offline defragmentation.

Mark an object or objects as authoritative

You can stop AD DS if you need to mark an object or objects as authoritative. Marking an object as authoritative is one step in the process for performing an authoritative restore. You typically need to perform an authoritative restore to recover an object that you have accidentally deleted. In previous versions of Windows Server, you had to start the domain controller in DSRM and then perform a nonauthoritative restore before you could mark an object as authoritative. On a domain controller that runs Windows Server 2008, you can stop AD DS to mark the object as authoritative instead of starting the domain controller in DSRM.

To mark an object as authoritative, you use the ntdsutil authoritative restore command. For more information about using the ntdsutil authoritative restore command, see Mark the object or objects authoritative (https://go.microsoft.com/fwlink/?LinkId=116176).

Verifying the availability of other services

To test the availability of other services that are running on the server while AD DS is stopped, install a service that does not depend on AD DS to function, such as DHCP. Create a scope for the DHCP server, join a client to the test domain, and then configure the client so that it obtains its IP address from the DHCP server. While AD DS is stopped, perform simple tests using the Ipconfig command-line tool to verify that the client can use the DHCP server to release and renew its IP address.

Testing logon using another domain controller

To test different logon experiences, you can install additional domain controllers and then log on to a domain controller running Windows Server 2008 to stop AD DS. Log off the domain controller running Windows Server 2008, and then log on again. Try this while another domain controller is available and while another domain controller is not available.