Ad Nauseam - ramblings of a technologist

I've been with Microsoft, as a technologist, for over 10 years. Occasionally, I stumble across a nugget that I think others will find interesting. I put those nuggets here.

Restartable Active Directory in Windows Server 2008


Neil is a brilliant manager.  He also has a rapier wit and keen sense of style.  A couple of times recently he has mentioned in passing that my blog has been lacking in technical posts lately.  Hint taken, boss.

Sometimes, you have to take a Domain Controller offline for maintenance.  Maybe you want to defrag the AD database.  Maybe you need to perform an Authoritative Restore.  As long as you have another DC up and running, it’s not too big a deal to take a DC offline for a little while.  If the DC is performing multiple roles, like DHCP or File and Print (branch office server, anyone?), taking it offline for any amount of time could be… inconvenient.

Fortunately, those clever folks in Windows Server development have come up with a solution:  Restartable Active Directory.


In Server 2000 and 2003, your one choice for offline AD database changes was to reboot the machine in Directory Services Restore Mode.  Server 2008 gives you another option.  Either via the Services MMC or a command line, you can stop AD services on your domain controller.  Any services that depend on AD will be stopped along with it: File Replication Service,  Kerberos Key Distribution Center, etc.  Non-AD dependent services will continue to run, and AD requests will be redirected to another DC.  While AD is in the stopped state, the server will behave just like any other member server.

Other info:

· Works in 2000- or 2003-compatible AD mode.  No dependency on 2008 AD.

· While in the stopped state, if no other DC is available to authenticate, you can log in using the Directory Services Restore Mode password.

· Command line to stop AD:  net stop ntds
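Here is the stop/maintain/restart cycle as a script, added as an example for this post rather than taken from the TechNet guide. It assumes an elevated PowerShell session on the 2008 DC itself; the function names are my own, and the DsrmAdminLogonBehavior check covers the single-DC case from the bullet above.

```powershell
# Added example (not from the original post): stop and restart AD DS on a
# Windows Server 2008 DC for offline maintenance, with the checks an admin
# wants first. Assumes an elevated PowerShell session on the DC itself.

function Test-OtherDcAvailable {
    # Another DC must be reachable, or logons during the stop fall back to
    # the DSRM administrator password (see DsrmAdminLogonBehavior below).
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $others = $domain.DomainControllers | Where-Object { $_.Name -notlike "$env:COMPUTERNAME.*" }
    return [bool]$others
}

function Stop-AdDsForMaintenance {
    if (-not (Test-OtherDcAvailable)) {
        Write-Warning 'No other DC found: you will need the DSRM password to log on while AD DS is stopped.'
        # 0 (default) allows DSRM admin logon only when booted into DSRM; 1 also allows it
        # while AD DS is stopped; 2 allows it always.
        $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $mode = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
        if ($mode -ne 1 -and $mode -ne 2) {
            Write-Warning 'DsrmAdminLogonBehavior is not 1 or 2; DSRM logon with AD DS stopped will be refused.'
        }
    }
    $ntds = Get-Service -Name NTDS
    # Record what goes down with NTDS (FRS, KDC, ...) so exactly that set can be restored later.
    $dependents = $ntds.DependentServices | Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.Name }
    Write-Host "Stopping NTDS and dependents: $($dependents -join ', ')"
    # -Force is required because NTDS has running dependents (the prompt 'net stop ntds' shows).
    Stop-Service -Name NTDS -Force
    (Get-Service -Name NTDS).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
    return $dependents
}

function Start-AdDsAfterMaintenance {
    param([string[]]$Dependents)
    Start-Service -Name NTDS
    (Get-Service -Name NTDS).WaitForStatus('Running', [TimeSpan]::FromMinutes(5))
    # Bring back only what was running before; services that were already stopped are left alone.
    foreach ($name in $Dependents) {
        if ((Get-Service -Name $name).Status -ne 'Running') { Start-Service -Name $name }
    }
}

# Usage: between the two calls this box behaves like a plain member server.
$stopped = Stop-AdDsForMaintenance
# ... offline work goes here, e.g. an ntdsutil compaction of the database ...
Start-AdDsAfterMaintenance -Dependents $stopped
```

Logons that hit this DC while NTDS is stopped are redirected to another DC, so the script refuses to proceed silently only in the sense of warning; it is up to you to decide whether a single-DC stop is acceptable.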

For more info, try these links:

Restartable AD on TechNet

Step-by-Step Guide

Comments
  • There is a new registry key that has to be set in order to be able to log on when you have only one DC and the ntds is stopped:

    dsrmadminlogonbehavior

    (Ask Dmitri ;-)

  • I think you are technical Adam, no matter what your boss says!

  • This feature is currently known as the “Database Mounting Tool” (DMT), which is better than the previous
