
Active Directory Restore Mode Trick

How does Ntdsutil.exe know it’s in Directory Restore mode?

NTDSUTIL is a tool used for many Active Directory database maintenance tasks, such as defragmenting the DB, moving the DB and/or log files to a different place, cleaning the DB and more.


NTDSUTIL lets you perform many of its functions while the DC is up and running. However, some maintenance tasks (such as performing an offline defragmentation of the DB, moving the files to a different location, and the authoritative restore commands) require that you start the DC in Directory Restore mode, which you select from the boot menu by pressing F8 before the server begins its startup sequence.

When you start the domain controller in Directory Restore mode, the DC sets the environment variable SAFEBOOT_OPTION to “DSREPAIR.”

If, for some reason, you try to access the “protected” features of NTDSUTIL while the DC is NOT in Directory Restore mode, you will receive an error similar to this:

C:\WINDOWS>ntdsutil
ntdsutil: files
*** Error: Operation only allowed when booted in DS restore mode
 "set SAFEBOOT_OPTION=DSREPAIR" to override - NOT RECOMMENDED!
ntdsutil:

If you want to check something in NTDSUTIL that is allowed only in Directory Restore mode, you can “trick” the program by typing the following statement at a command prompt:

set SAFEBOOT_OPTION=DSREPAIR

Lamer Note: Type the above command into a different CMD window, NOT the one that NTDSUTIL is running in.

Don’t use this approach on a live or important machine because it could result in system damage if you try to perform system modifications when the system isn’t in Directory Restore mode.
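
Because the check described above reads only an environment variable, a maintenance script can confirm the real boot mode before it touches the database. The following is an added example, not part of the original article; the function names are hypothetical, and it assumes Windows records the actual safe-boot mode under the SafeBoot\Option registry key (OptionValue 1 = minimal, 2 = network, 3 = DS repair) and leaves that key absent on a normal boot.

```powershell
# Added example: compare the SAFEBOOT_OPTION value this session sees with the
# boot mode the OS recorded, so an overridden variable is not mistaken for
# a real Directory Restore mode boot.

function Get-RecordedSafeBootMode {
    # Assumption: this key exists only when the machine was really started in a
    # safe-boot mode (1 = minimal, 2 = network, 3 = DS repair).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option'
    $prop = Get-ItemProperty -Path $key -Name OptionValue -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NORMAL' }
    switch ([int]$prop.OptionValue) {
        1       { 'MINIMAL' }
        2       { 'NETWORK' }
        3       { 'DSREPAIR' }
        default { "UNKNOWN($($prop.OptionValue))" }
    }
}

function Test-DsRepairOverride {
    param(
        # Value inherited by (or set in) the current session.
        [string]$EnvValue     = $env:SAFEBOOT_OPTION,
        # Boot mode recorded by the OS; can be passed in for offline testing.
        [string]$RecordedMode = (Get-RecordedSafeBootMode)
    )
    $claimsDsRepair = $EnvValue -and ($EnvValue.Trim() -ieq 'DSREPAIR')
    [pscustomobject]@{
        EnvValue     = $EnvValue
        RecordedMode = $RecordedMode
        # True when the variable says DSREPAIR but the boot record disagrees.
        Overridden   = [bool]($claimsDsRepair -and $RecordedMode -ne 'DSREPAIR')
    }
}

$result = Test-DsRepairOverride
if ($result.Overridden) {
    Write-Warning ("SAFEBOOT_OPTION=DSREPAIR is set in this session, but the system " +
                   "booted in $($result.RecordedMode) mode. Do not run offline NTDS maintenance here.")
    exit 1
}
"SAFEBOOT_OPTION='$($result.EnvValue)'; recorded boot mode: $($result.RecordedMode)"
```

Run it at the start of any script that calls NTDSUTIL's offline operations; a non-zero exit means the variable was set by hand rather than by the boot process.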
