How to Access Directory Services Restore Mode on a Remote DC

Modifying the boot.ini file does the trick

Readers

August 26, 2008


Our company has a large Windows Server 2003 Active Directory (AD) environment. Recently I noticed that a domain controller (DC) in one of our branch offices was reporting AD errors. Past experience told me that the errors were most likely due to data corruption in the AD database.

The steps you’d typically follow to fix the problem would be to boot into Directory Services Restore Mode and use the Ntdsutil tool to check the database’s integrity. However, the problematic DC was in Sydney, Australia, and it was after hours there, so no one was available locally to help me troubleshoot. My only access to the DC was through Windows Server 2003 Terminal Services.

To access Directory Services Restore Mode, you typically press F8 prior to the machine booting into Windows, then select the Directory Services Restore Mode option from the menu that appears. Obviously, this wasn't possible, but a colleague reminded me of a neat workaround. If you modify the boot.ini file, you can restart the server in Directory Services Restore Mode so that you don’t lose the connection when the DC restarts.

Here are the steps you can follow to get into Directory Services Restore Mode remotely through RDP and run the Ntdsutil tool:

1. On your machine, select Run from the Start menu, type Mstsc /console, and click OK.
2. Type the IP address or Fully Qualified Domain Name (FQDN) of the server you want to connect to.
3. Log on to the server using the Active Directory account.
4. On the DC, select Run from the Start menu, type sysdm.cpl, and click OK.
5. On the Advanced tab, click Settings in the Startup and Recovery section.
6. Click Edit. This opens the boot.ini file in Notepad.
7. Add the following line to the end of the boot.ini file:

/SAFEBOOT:DSREPAIR

Save and close the boot.ini file.
8. Reboot the server.
9. After waiting a few minutes, perform steps 1 and 2 again.
10. When you reconnect, the server should state that it’s in safe mode. Log on using the Local Administrator account (not the Active Directory account).
11. Open a command prompt window, type Ntdsutil, and press Enter.
12. Type Files and press Enter.
13. Type Integrity and press Enter. Windows will examine the database and will let you know the outcome.
14. After you’re done with Ntdsutil, type q and press Enter to exit Files. Type q and press Enter again to exit Ntdsutil.
15. Before rebooting, it’s important that you change the boot.ini file so that the DC boots in normal mode. Open boot.ini by repeating steps 4 through 6. Remove the last line (/SAFEBOOT:DSREPAIR) that you added earlier. Save and close the boot.ini file.
16. Restart the DC.
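
The following batch file is an added example, not part of the original article. It covers steps 11 through 15 from the command prompt and is meant to be run before the restart in step 16, so that a forgotten /SAFEBOOT:DSREPAIR entry doesn't leave a remote DC stuck in restore mode. It assumes boot.ini sits at the root of %SystemDrive%, that Windows sets the SAFEBOOT_OPTION environment variable to DSREPAIR in this mode, and that Ntdsutil accepts its menu commands as command-line arguments.

```batch
@echo off
rem Added example (not from the original article).
rem Run on the DC from the command prompt opened in step 11.
setlocal
rem Assumption: boot.ini is at the root of the system drive.
set BOOTINI=%SystemDrive%\boot.ini

rem Windows defines SAFEBOOT_OPTION only when started in a safe mode;
rem in Directory Services Restore Mode its value is DSREPAIR.
if /i not "%SAFEBOOT_OPTION%"=="DSREPAIR" (
    echo Not in Directory Services Restore Mode; skipping the integrity check.
    goto checkboot
)

rem Steps 11-14 as one non-interactive call: Files, Integrity, q, q.
rem The result of the check is printed by Ntdsutil itself.
ntdsutil files integrity quit quit

:checkboot
rem Step 15 guard: look for the switch that was added in step 7.
rem boot.ini is a hidden system file, so read it with TYPE and pipe to FINDSTR.
type "%BOOTINI%" | findstr /i /c:"/SAFEBOOT:DSREPAIR" >nul
if errorlevel 1 (
    echo %BOOTINI% has no /SAFEBOOT:DSREPAIR entry. The next restart will be a normal boot.
    endlocal & exit /b 0
)

echo WARNING: %BOOTINI% still contains /SAFEBOOT:DSREPAIR.
echo Remove it as described in step 15 before restarting the DC.
endlocal & exit /b 1
```

The script only reads boot.ini; editing the file is still done by hand as in step 15. An exit code of 1 means the switch is still present.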

Fortunately for us, the integrity check came back OK. Just having the database offline and running the Integrity command fixed our problem. If you’re not as fortunate, some file management commands that you might find useful are Recover, Repair, and Compact to %s. You’ll need to do some research on these commands before using them. Besides typing ? at the command prompt to access the tool’s Help file, you can check out the Microsoft articles “Managing Active Directory Files” (www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsfl_utl_wgzt.mspx?mfr=true) and “Ntdsutil” (technet2.microsoft.com/windowsserver/en/library/91559a2b-b666-442c-bdd2-df4b7c46983c1033.mspx?mfr=true).

—Stefan Fagerholm, enterprise AD administrator, Milliman
