Using Terminal Services for remote administration of Windows 2000 or Windows Server 2003 domain controllers in Directory Service Restore mode (256588)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q256588

SUMMARY

Some low-level maintenance of Active Directory requires that Microsoft Windows 2000 or Microsoft Windows Server 2003 domain controllers (DCs) boot to Directory Service Restore mode. Configuring domain controllers with Terminal Services in Remote Administration mode permits administrators to perform operations requiring Directory Service Restore mode without having to be present at the console of the server. This article describes the use of Terminal Services to transition a domain controller between online and Directory Service Restore mode.

MORE INFORMATION

Windows domain controllers perform regularly scheduled online defragmentation of the Active Directory database while the server is online. Advanced operations (including directory service repair functions and reducing the size of the Active Directory when objects are deleted) require that the domain controller be rebooted in Directory Service Restore mode. To transition a domain controller between online and Directory Service Restore mode:
  1. Configure the DC with Terminal Services in Remote Administration mode. You can add or modify Terminal Services in the Add/Remove Programs tool in Control Panel. Remote Administration mode is preferred for domain controllers so that performance is not adversely impacted. For more information about Terminal Services, click the following article numbers to view the articles in the Microsoft Knowledge Base:

    243213 Impact of running Remote administration on a Terminal Server

    243212 Determining the mode of a Terminal Services server

  2. Create a new entry in the Boot.ini file (a hidden system file) for the domain controller installation to permit Windows to be booted in Offline Repair mode. Add the following switches to the new entry:

    /SAFEBOOT:DSREPAIR /SOS

    The /SAFEBOOT:DSREPAIR switch works only on Windows 2000 or Windows Server 2003 domain controllers. For example, if the Boot.ini file contains the entry:

    multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\your server name" /fastdetect

    Create a second entry with the same ARC path and /SAFEBOOT:DSREPAIR switch so the Boot.ini file appears as:

    multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\your server name" /fastdetect
    multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\your server name" /fastdetect /SAFEBOOT:DSREPAIR /SOS

    NOTE: This should be tested locally prior to being used in a Remote Administration capacity. If the Boot.ini file is not modified properly, the computer will not come back up for connection by a Terminal Services session. Additionally, when you restart the computer, make certain you select Restart so it will properly restart. Choosing "Shut down" leaves the server turned off until someone physically goes to the server and turns it back on. The Terminal Services session will generate the following message if the server has not come back up for connection yet:

    Terminal Services Client Disconnected

    The server could not be found. Check that you have specified the correct server or IP address, and then try connecting again.

    Click Close, and then connect again after a few moments to make the connection.

    For more information about safeboot switches, click the following article number to view the article in the Microsoft Knowledge Base:

    239780 Safe-mode boot switches for Windows Boot.ini file

  3. When transitions between Active Directory and Directory Service Restore mode are required, establish a Terminal Server session to the appropriate Windows domain controller, select the desired ARC entry in the Boot.ini file, and then restart the computer. Options to modify the Boot.ini file include:

    • Use a text editor to modify the "default=" entry in the Boot.ini file.
    • Use the "Startup and Recovery" option on the Advanced tab of the System tool in Control Panel to select the desired startup option.

    Active Directory restorations, offline defragmentation and other advanced operations should be performed while the domain controller is booted in Offline Repair mode.

    Computers can be rebooted by an administrator at the console or over a Terminal Server client session by clicking Start, clicking Shutdown, and then clicking Restart. Allow the server enough time to reboot and display the Welcome to Windows screen. You may need to try connecting a few times if the computer is not ready yet. When you log on to the computer in Offline Restore mode, use the administrator account and current password designated for offline administration when the Windows domain controller was promoted with the Active Directory Installation Wizard (Dcpromo.exe). For more information about security and access for Terminal Services remote administration and the offline administrator account, click the following article numbers to view the articles in the Microsoft Knowledge Base:

    223301 Protection of the Administrator account in the offline SAM

    247989 Domain controllers require the "Log on Locally" Group Policy object for Terminal Services client connections

    250991 Cannot log on to Windows 2000 Terminal Services with an RDP client

    253831 Remote administration of Terminal Services by non-administrators accounts
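
A pre-restart check for the Boot.ini edit in steps 2 and 3, as an added example that is not part of the original Microsoft article: it parses the file text, builds the second entry from the existing one, and reports the mistakes the NOTE warns about. The function names and the sample text are constructed for illustration, and the check does not predict which of two entries with the same ARC path the loader starts.

```python
import re

ENTRY = re.compile(r'^(?P<arc>[^=]+)="(?P<desc>[^"]*)"\s*(?P<switches>.*)$')
DSREPAIR = "/SAFEBOOT:DSREPAIR"

def parse_boot_ini(text):
    """Return (default_arc, entries); entries are (arc, description, switches) tuples."""
    section, default, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader" and line.lower().startswith("default="):
            default = line.split("=", 1)[1].strip()
        elif section == "operating systems":
            m = ENTRY.match(line)
            if m:
                entries.append((m["arc"].strip(), m["desc"], m["switches"].upper().split()))
    return default, entries

def add_dsrepair_entry(text):
    """Append a copy of the first normal entry plus the DSREPAIR switches.
    Assumes [operating systems] is the last section of the file."""
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m and DSREPAIR not in raw.upper():
            return text.rstrip("\n") + "\n" + raw.strip() + " " + DSREPAIR + " /SOS\n"
    raise ValueError("no normal [operating systems] entry to copy")

def check_boot_ini(text):
    """List problems that make a remote restart risky; an empty list means none found."""
    default, entries = parse_boot_ini(text)
    normal = {arc.lower() for arc, _, sw in entries if DSREPAIR not in sw}
    repair = [arc.lower() for arc, _, sw in entries if DSREPAIR in sw]
    problems = []
    if default is None:
        problems.append("no default= line in [boot loader]")
    elif default.lower() not in {arc.lower() for arc, _, _ in entries}:
        problems.append("default= does not match any [operating systems] entry")
    if not repair:
        problems.append("no /SAFEBOOT:DSREPAIR entry")
    problems += [f"DSREPAIR entry uses unknown ARC path: {a}" for a in repair if a not in normal]
    return problems

# Constructed sample modelled on the Boot.ini lines shown in step 2.
SAMPLE = (
    "[boot loader]\ntimeout=30\n"
    "default=multi(0)disk(0)rdisk(0)partition(2)\\WINNT\n[operating systems]\n"
    'multi(0)disk(0)rdisk(0)partition(2)\\WINNT="W2K DC \\\\your server name" /fastdetect\n'
)
```

Run check_boot_ini on a copy of the edited file and restart over Terminal Services only when it returns an empty list.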


Modification Type: Major
Last Reviewed: 8/8/2005
Keywords:kbDisasterRec kbhowto kbnetwork kbTermServ KB256588