Windows domain controllers perform regularly scheduled online defragmentation of the Active Directory database while the server is online. Advanced operations (including directory service repair functions and reducing the size of the Active Directory when objects are deleted) require that the domain controller be rebooted in Directory Service Restore mode. To transition a domain controller between online and Directory Service Restore mode:
- Configure the DC with Terminal Services in Remote Administration mode. You can add or modify Terminal Services in the Add/Remove Programs tool in Control Panel. Remote Administration mode is preferred for domain controllers so that performance is not adversely impacted.
For more information about Terminal Services, click the following article numbers to view the articles in the Microsoft Knowledge Base:
243213 Impact of running Remote administration on a Terminal Server
243212 Determining the mode of a Terminal Services server
- Create a new entry in the Boot.ini file (a hidden system file) for the domain controller installation to permit Windows to be booted in Offline Repair mode. Add the following switch:
/SAFEBOOT:DSREPAIR /SOS
The /SAFEBOOT:DSREPAIR switch only works for Windows 2000 or Windows Server 2003 domain controllers. For example, given a sample Boot.ini file with the following entry:
multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\your server name" /fastdetect
Create a second entry with the same ARC path and /SAFEBOOT:DSREPAIR switch so the Boot.ini file appears as:
multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\your server name" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\your server name" /fastdetect /SAFEBOOT:DSREPAIR /SOS
NOTE: This should be tested locally prior to being used in a Remote Administration capacity. If the Boot.ini file is not modified properly, the computer will not come back up for connection by a Terminal Services session. Additionally, when you restart the computer, make certain you select Restart so it will properly restart. Choosing "Shut down" leaves the server turned off until someone physically goes to the server and turns it back on. The Terminal Services session will generate the following message if the server has not come back up for connection yet:
Terminal Services Client Disconnected
The server could not be found. Check that you have specified the correct server or IP address, and then try connecting again.
Click Close, and then connect again after a few moments to make the connection.
For more information about safeboot switches, click the following article number to view the article in the Microsoft Knowledge Base:
239780 Safe-mode boot switches for Windows Boot.ini file
- When transitions between Active Directory and Directory Service Restore mode are required, establish a Terminal Server session to the appropriate Windows domain controller, select the desired ARC entry in the Boot.ini file, and then restart the computer. Options to modify the Boot.ini file include:
  - Use a text editor to modify the "default=" entry in the Boot.ini file.
  - Use the "Startup and Recovery" option on the Advanced tab of the System tool in Control Panel to select the desired startup option.
Active Directory restorations, offline defragmentation and other advanced operations should be performed while the domain controller is booted in Offline Repair mode.
Computers can be rebooted by an administrator at the console or over a Terminal Server client session by clicking Start, clicking Shutdown, and then clicking Restart. Provide the server with enough time to reboot and generate the Welcome to Windows screen. You may need to try a few times if the computer is not ready yet. When you log on to the computer in Offline Restore mode, use the administrator account and current password designated for offline administration when the Windows domain controller was promoted with the Active Directory Installation Wizard (Dcpromo.exe).
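The NOTE above warns that an improperly modified Boot.ini keeps the server from coming back up for a Terminal Services connection. The following Python check is an added example, not part of the original article; it can be run against a copy of the file before the remote restart. The [boot loader] section, the timeout value and the function names are constructed for illustration.

```python
import re

# Constructed sample: the two [operating systems] entries follow the article's example.
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\your server name" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\your server name" /fastdetect /SAFEBOOT:DSREPAIR /SOS
'''

def parse_boot_ini(text):
    """Return (default_arc_path, [(arc_path, label, [switches])])."""
    section, default, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot loader" and line.lower().startswith("default="):
            default = line.split("=", 1)[1].strip()
        elif section == "operating systems" and "=" in line:
            arc, rest = line.split("=", 1)
            m = re.match(r'\s*"([^"]*)"(.*)$', rest)
            if m:  # quoted menu label followed by optional switches
                switches = [s.upper() for s in m.group(2).split()]
                entries.append((arc.strip(), m.group(1), switches))
    return default, entries

def check_boot_ini(text):
    """Return a list of problems; an empty list means the checks passed."""
    default, entries = parse_boot_ini(text)
    problems = []
    arcs = {arc.lower() for arc, _, _ in entries}
    if default is None:
        problems.append("no default= line in [boot loader]")
    elif default.lower() not in arcs:
        problems.append("default= does not match any [operating systems] entry")
    # The article requires the repair entry to reuse the ARC path of the normal entry.
    normal = {a.lower() for a, _, sw in entries
              if not any(s.startswith("/SAFEBOOT") for s in sw)}
    repair = {a.lower() for a, _, sw in entries if "/SAFEBOOT:DSREPAIR" in sw}
    if not repair:
        problems.append("no entry carries /SAFEBOOT:DSREPAIR")
    elif not (repair & normal):
        problems.append("DSREPAIR entry does not share an ARC path with a normal entry")
    return problems
```

An empty list from check_boot_ini means only that these structural checks passed; it does not replace the local test the NOTE calls for.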
For more information about security and access for Terminal Services remote administration and the offline administrator account, click the following article numbers to view the articles in the Microsoft Knowledge Base:
223301 Protection of the Administrator account in the offline SAM
247989 Domain controllers require the "Log on Locally" Group Policy object for Terminal Services client connections
250991 Cannot log on to Windows 2000 Terminal Services with an RDP client
253831 Remote administration of Terminal Services by non-administrators accounts