Clarifications of a stopped Active Directory

In Windows Server 2008 you are able to stop Active Directory Domain Services using the Services snap-in or by typing

net stop ntds

However, this is intended for servicing only and is not a state in which the DC should be kept for a longer period. Stopping AD is meant for servicing NTDS where a stopped AD is needed (as in Directory Services Restore Mode, DSRM) but where there is no need to completely flush memory and stop all dependencies. So what you can do are things like an offline defragmentation of the database, moving the database, and so on.

I think this is a good feature. Yes, it would be great to do other things. Yes, it would be great to restore AD without going into DSRM. There are things which would be nice. However … it’s better than before, and that’s what is important.

I love to do things using scripts. I love to use a toolbox of scripts I’ve used before. Imagine – in the past, doing an offline defrag of the Active Directory database required rebooting into Directory Services Restore Mode, logging on as local admin (= DSRM admin), running ntdsutil with the options to do an offline defrag into new files, copying the new files over the old ones, and rebooting again into full mode.

However, in Windows Server 2008 and above it is as easy as stopping NTDS, doing the offline defrag, moving the files, and starting NTDS again.

It is important to keep in mind that although you can stop NTDS, it is not meant to stay stopped for a longer period.

However, a few things made me worry that this feature is not well understood:

  1. It’s not a state to keep for a longer period, and not a replacement for recovery DCs (which are turned off in the closet).
  2. It is not a replacement for DSRM when it comes to System State Recovery / Authoritative Restore from a restored backup. If you need to restore a system state backup, the only supported way is to do it in DSRM.
  3. Authoritatively marking objects which haven’t been replicated to the DC in question is OK, and the same goes for file-management operations other than restoring a backup (the content of the dit basically needs to remain the same).
  4. You can’t log on with the DSRM admin when NTDS is stopped. This hit someone in the beta timeframe who had a single DC, stopped NTDS, spent some time away (the screen saver kicked in) and couldn’t log on. DSRM logon is not possible by default with a stopped NTDS when no other logon servers are available (if there are, e.g. you have a second DC, that DC authenticates you on the DC with the stopped NTDS).
    The DSRM admin (which equals the local admin on a DC) is only available on Small Business Server (by default) or if you modified the following registry key:
    HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior
    Value 0: DSRM logon only when in DSRM (default)
    Value 1: DSRM logon only when NTDS is stopped (or in DSRM) (default in
    Value 2: DSRM logon always
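The "stop NTDS, offline defrag, move, start NTDS" sequence from above, combined with the DSRM-logon check from point 4, as an added example script (not from the original post). It assumes an elevated PowerShell session on the DC, that $compactDir is a free scratch path, and that the operator passes -OtherDCReachable only when a second DC really can authenticate the logon meanwhile.

```powershell
# Added example, not part of the original post: offline defrag with a stopped NTDS
# on Windows Server 2008+, refusing to stop NTDS on a lone DC that could lock you out.
param([switch]$OtherDCReachable)      # assumption: operator confirms another DC is reachable
$ErrorActionPreference = 'Stop'
$compactDir = 'C:\NTDS-Compact'       # assumed scratch directory for the compacted copy

# Point 4: with NTDS stopped, the DSRM admin can only log on if the value is 1 or 2
# (or another logon server is available). Value 0 is the default.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$behavior = (Get-ItemProperty -Path $lsa -Name DSRMAdminLogonBehavior -ErrorAction SilentlyContinue).DSRMAdminLogonBehavior
if (-not $OtherDCReachable -and $behavior -ne 1 -and $behavior -ne 2) {
    throw "DSRMAdminLogonBehavior is '$behavior': stopping NTDS here could lock you out. Set it to 1 first or pass -OtherDCReachable."
}

# Where the database and its logs live (registry values NTDS itself uses).
$p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dit    = $p.'DSA Database file'            # usually C:\Windows\NTDS\ntds.dit
$logDir = $p.'Database log files path'      # usually C:\Windows\NTDS

# Remember the running dependents (KDC, DNS, DFSR, ...) so they come back afterwards.
$deps = @((Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' })
Stop-Service -Name NTDS -Force              # -Force stops the dependents too, like the snap-in does
try {
    New-Item -ItemType Directory -Path $compactDir -Force | Out-Null
    # Offline defrag into new files, the same ntdsutil step that used to need DSRM.
    & ntdsutil.exe 'activate instance ntds' 'files' "compact to $compactDir" 'quit' 'quit'
    $new = Join-Path $compactDir 'ntds.dit'
    if (-not (Test-Path $new)) { throw 'ntdsutil produced no compacted database; original left untouched.' }
    Copy-Item $dit "$dit.bak" -Force                 # keep the old dit until the new one checks out
    Copy-Item $new $dit -Force                       # "moving": new file over the old one
    Remove-Item (Join-Path $logDir '*.log') -Force   # old log files belong to the old database
    & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit'
}
finally {
    Start-Service -Name NTDS                         # never leave the DC in the stopped state
    $deps | Start-Service
}
```

If the integrity check reports errors, restore $dit from the .bak copy before starting NTDS again rather than running on a questionable database.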

HTH, Ulf



2 Responses to “Clarifications of a stopped Active Directory”

  1.   joe Says:

    Hey Ulf,

    Do we still recommend powered down recovery DCs anymore? I would think possibly for short terms unrecoverable mods but in that case, I may be missing something, but why isn’t a stopped DSA good enough? Possibly this is reference to an enforced lag site? And even in that case I am not sure why a stopped DSA isn’t just as effective. Have you hit specific issues that pop up with the DSA stopped for some prolonged period?

    joe


  2.   UlfBSimon-Weidner Says:

    Hi Joe,
    there are too many things about stopped DCs. Other DCs are getting events. DNS is not stopped and will respond with file-based entries but not domain-based. Clients will find the DNS server but not the information they request. And the main one for me is “accidentally restarting it” – that’s the reason why I wouldn’t want to use the feature in a recovery scenario to ensure that I’m able to roll back. One admin who thinks it should be running, one power outage or anything else and it’s starting again and replicating. To rely my recovery/roll-back strategy on a volatile state like this … without me ;)

    For those cases I still prefer virtualization or completely powering down, sometimes even in addition to stopping replication or disabling the network adapter (or the network in virtualization). Just to make sure that it’s not replicating at some point.
