Our company has a large Windows Server 2003 Active Directory (AD) environment. Recently I noticed that a domain controller (DC) in one of our branch offices was reporting AD errors. Past experience told me that the errors were most likely due to data corruption in the AD database.
The steps you’d typically follow to fix the problem would be to boot into Directory Services Restore Mode and use the Ntdsutil tool to check the database’s integrity. However, the problematic DC was in Sydney, Australia, and it was after hours there, so no one was available locally to help me troubleshoot. My only access to the DC was through Windows Server 2003 Terminal Services.
To access Directory Services Restore Mode, you typically press F8 prior to the machine booting into Windows, then select the Directory Services Restore Mode option from the menu that appears. Obviously, this wasn't possible, but a colleague reminded me of a neat workaround. If you modify the boot.ini file, you can restart the server in Directory Services Restore Mode so that you don’t lose the connection when the DC restarts.
Here are the steps you can follow to get into Directory Services Restore Mode remotely through RDP and run the Ntdsutil tool:
1. On your machine, select Run from the Start menu, type Mstsc /console, and
2. Type the IP address or Fully Qualified Domain Name (FQDN) of the server you want to connect to.
3. Log on to the server using the Active Directory account.
4. On the DC, select Run from the Start menu, type sysdm.cpl, and click OK.
5. On the Advanced tab, click Settings in the Startup and Recovery section.
6. Click Edit. This opens the boot.ini file in Notepad.
7. Add the following switch to the end of the operating system entry line in boot.ini (the entry under [operating systems], not a new line of its own):
/SAFEBOOT:DSREPAIR
Save and close the boot.ini file.
8. Reboot the server.
9. After waiting a few minutes, perform steps 1 and 2 again.
10. When you reconnect, the server should state that it’s in safe mode. Log on using the Local Administrator account (not the Active Directory account).
11. Open a command prompt window, type Ntdsutil, and press Enter.
12. Type Files and press Enter.
13. Type Integrity and press Enter. Windows will examine the database and will let you know the outcome.
14. After you’re done with Ntdsutil, type q and press Enter to exit Files. Type q and press Enter again to exit Ntdsutil.
15. Before rebooting, it’s important that you change the boot.ini file so that the DC boots in normal mode. Open boot.ini by repeating steps 4 through 6. Remove the /SAFEBOOT:DSREPAIR switch that you added earlier. Save and close the boot.ini file.
16. Restart the DC.
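Steps 7 and 15 are the two edits where a slip (a new line instead of a switch on the entry, the switch added twice, or the switch left in place so the DC keeps coming up in DSRM) costs you another round trip to a server you cannot reach physically. The following Python script is an added example, not part of the original tip or any Microsoft tool; it applies and reverts the /SAFEBOOT:DSREPAIR switch on the boot entry that the default= line points to, working on boot.ini text so it can be checked before anything is written. The boot.ini content below is constructed for the example; the real file is the one the Startup and Recovery Edit button opens.

```python
"""Add or remove the /SAFEBOOT:DSREPAIR switch on the default boot.ini entry.

Added example (not from the original article). It edits boot.ini *text*;
reading and writing the real file is left to the caller, see the note below.
"""
import re

SWITCH = "/SAFEBOOT:DSREPAIR"

# Constructed sample boot.ini, shaped like a typical Windows Server 2003 install.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003, Standard" /noexecute=optout /fastdetect
"""


def _newline(text):
    """Keep the file's own line ending (Windows files use CRLF)."""
    return "\r\n" if "\r\n" in text else "\n"


def _default_arc_path(lines):
    """ARC path named by the default= line in [boot loader]."""
    for line in lines:
        if line.strip().lower().startswith("default="):
            return line.split("=", 1)[1].strip()
    raise ValueError("boot.ini has no default= entry")


def _entry_index(lines, arc_path):
    """Index of the [operating systems] line for arc_path.

    Only that entry is touched, so a second OS entry (recovery console,
    another Windows install) is never modified by mistake.
    """
    in_os_section = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.lower() == "[operating systems]":
            in_os_section = True
            continue
        if in_os_section and stripped.startswith(arc_path + "="):
            return i
    raise ValueError("no [operating systems] entry for %s" % arc_path)


def has_dsrepair_switch(text):
    """True if the default entry already boots into DSRM."""
    lines = text.splitlines()
    idx = _entry_index(lines, _default_arc_path(lines))
    return SWITCH.lower() in lines[idx].lower()


def add_dsrepair_switch(text):
    """Step 7: append the switch to the default entry (idempotent)."""
    if has_dsrepair_switch(text):
        return text
    nl = _newline(text)
    lines = text.splitlines()
    idx = _entry_index(lines, _default_arc_path(lines))
    lines[idx] = lines[idx].rstrip() + " " + SWITCH
    return nl.join(lines) + nl


def remove_dsrepair_switch(text):
    """Step 15: strip the switch again so the DC boots normally."""
    nl = _newline(text)
    lines = text.splitlines()
    idx = _entry_index(lines, _default_arc_path(lines))
    lines[idx] = re.sub(r"\s*/safeboot:dsrepair\b", "", lines[idx], flags=re.IGNORECASE)
    return nl.join(lines) + nl


if __name__ == "__main__":
    dsrm = add_dsrepair_switch(SAMPLE_BOOT_INI)
    print(dsrm)                      # entry now ends with /SAFEBOOT:DSREPAIR
    print(remove_dsrepair_switch(dsrm) == SAMPLE_BOOT_INI)  # True: clean revert
```

To use it on a live server, read C:\boot.ini (the file carries the read-only, system and hidden attributes, which is why the article goes through the Startup and Recovery dialog; clear them with attrib or use that dialog), keep a copy of the original, write the result of add_dsrepair_switch, and after the Ntdsutil work write the result of remove_dsrepair_switch and confirm has_dsrepair_switch returns False before you restart. Comparing the reverted text with your saved copy is the quickest check that the server will come back in normal mode.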
Fortunately for us, the integrity check came back OK. Just having the database offline and running the Integrity command fixed our problem. If you’re not as fortunate, some file management commands that you might find useful are Recover, Repair, and Compact to %s. You’ll need to do some research on these commands before using them. Besides typing ? at the command prompt to access the tool’s Help file, you can check out the Microsoft articles “Managing Active Directory Files” (www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsfl_utl_wgzt.mspx?mfr=true) and “Ntdsutil” (technet2.microsoft.com/windowsserver/en/library/91559a2b-b666-442c-bdd2-df4b7c46983c1033.mspx?mfr=true).
—Stefan Fagerholm, enterprise AD administrator, Milliman