Since Windows Server 2008, Microsoft no longer offers the ability to restart a Domain Controller in Directory Services Restore Mode (DSRM) from the default F8 boot menu.
About Directory Services Restore Mode
For Windows Server-based Domain Controllers, a special startup mode exists in which the Active Directory database isn’t loaded. This startup mode is called the Directory Services Restore Mode (DSRM). After logging in with the DSRM account, an admin can use this mode to troubleshoot Active Directory issues. The DSRM account does not live in Active Directory and its password is set on each Domain Controller individually. The password may, therefore, not be identical on all Domain Controllers in the forest.
In Windows Server 2008 and Windows Server 2008 R2, several enhancements were made that affect the Directory Services Restore Mode:
- Restartable Active Directory
Restartable Active Directory eliminates many of the reasons to restart a Domain Controller in Directory Services Restore Mode (DSRM), because it lets you stop and start the Active Directory Domain Services; offline defragmentation is one example. However, restoring a previously made (system state) backup can only be performed within the Directory Services Restore Mode.
- DSRM Admin Logon Behavior
When Active Directory is stopped (through Restartable Active Directory) or not loaded (in Directory Services Restore Mode), you can use either the DSRM password or domain credentials to log in on the Domain Controller. The second option is only available when other operational Domain Controllers exist in the domain. This behavior can be modified using the DSRMAdminLogonBehavior registry key, as described here.
- Active Directory Recycle Bin
Directory Services Restore Mode is needed to restore objects in Active Directory from backup. The Active Directory Recycle Bin option in an all-Windows Server 2008 R2 forest alleviates the need to use backups, thanks to its built-in restore functionality.
- Password syncing for the DSRM account
A feature is available for Windows Server 2008 that lets you synchronize the DSRM Administrator password with a domain user account. You can read more on this in Microsoft KnowledgeBase article 961320.
Default behavior in Windows Server 2008
According to this TechNet page, the procedure to access the Directory Services Restore Mode in Windows Server 2008 and Windows Server 2008 R2 is to either:
- Use the System Configuration utility (msconfig.exe) and on the Boot tab select Safe Boot and specify the Active Directory repair option. Then restart.
- Use the commandline: bcdedit /set safeboot dsrepair and restart. When done in Directory Services Restore Mode, type bcdedit /deletevalue safeboot and restart normally again.
When you’re deep in an undisclosed brown substance, however, these options are at least time consuming to perform. You can use the command line when you choose to repair the Windows installation, but for this you’ll need to start from the Windows Server DVD, which might or might not be within reach, scratched, or left in direct sunlight…
Adding the DSRM startup option
So, why not add the Directory Services Restore Mode startup option to the F8 boot menu as a default step after you’ve created a new Domain Controller? When you create a Domain Controller, normally, you’ll find some time to check its configuration, in contrast to the situation described earlier.
To add a Directory Services Restore Mode startup option to the Boot Configuration Database (BCD), perform the following commands:
bcdedit /copy {current} /d "Directory Services Restore Mode"
This command copies the current boot option ("Start Windows Normally") to a new startup option called "Directory Services Restore Mode". (If you want to use a different name, go ahead.)
Use the GUID printed by the above command (including the curly brackets) in the following command:
bcdedit /set {GUID} safeboot dsrepair
You’ve now added the startup option to the menu. If you want to make the Boot Menu visible by default every time the server (re)boots (instead of having to press F8), perform the following (optional) command, where you specify the seconds to display the menu:
bcdedit /timeout 5
In the example above, the menu gets displayed for five seconds. The result is a screen, every time you start or restart the Domain Controller, that will look something like this:
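As an added example (not part of the original post), the three bcdedit steps above as one PowerShell script that captures the GUID from the /copy output, sets safeboot dsrepair on it and verifies the entry before you rely on it at the next reboot. The parameter names ($EntryName, $TimeoutSeconds, -SetTimeout) are chosen here; it assumes an elevated PowerShell session on the Domain Controller.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Parameter names are this script's own choice.
param(
    [string]$EntryName      = "Directory Services Restore Mode",
    [int]   $TimeoutSeconds = 5,
    [switch]$SetTimeout          # only touch the boot menu time-out when asked
)

$ErrorActionPreference = 'Stop'

# Idempotency: do not create a second entry if one with this description already exists.
$existing = bcdedit /enum OSLOADER | Out-String
if ($existing -match [regex]::Escape($EntryName)) {
    throw "A BCD entry named '$EntryName' already exists; nothing changed."
}

# Step 1: copy {current} to a new entry. bcdedit prints the new GUID in its success
# message, so capture the output and extract the GUID including the curly brackets.
# Note: '{current}' must be quoted, or PowerShell parses it as a script block.
$copyOutput = bcdedit /copy '{current}' /d $EntryName | Out-String
if ($copyOutput -match '\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}') {
    $guid = $Matches[0]
} else {
    throw "Could not find a GUID in bcdedit output: $copyOutput"
}

# Step 2: make the new entry boot into DSRM.
bcdedit /set $guid safeboot dsrepair | Out-Null

# Step 3 (optional): show the boot menu for a few seconds on every (re)boot.
if ($SetTimeout) {
    bcdedit /timeout $TimeoutSeconds | Out-Null
}

# Verify: the entry must exist and list safeboot as DsRepair (bcdedit's display form).
$entry = bcdedit /enum $guid | Out-String
if ($entry -notmatch '(?i)safeboot\s+DsRepair') {
    throw "Entry $guid exists but safeboot is not set to DsRepair:`n$entry"
}
Write-Host "Added DSRM boot entry $guid ('$EntryName')."
```

Run it without -SetTimeout to keep the menu hidden behind F8, which matches the post's default; the verification step is what tells you the entry will actually start in DSRM rather than normally.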
Concluding
I recommend every Active Directory administrator to perform the steps above to create a Directory Services Restore Mode (DSRM) startup entry. Whether you also specify a time-out by default is a choice, that depends on experience, your level of expertise, and your level of confidence.
Further reading
Restart the Domain Controller in Directory Services Restore Mode Locally
Restart the Domain Controller in Directory Services Restore Mode Remotely
Restartable AD DS Step-by-Step Guide
Securing the Directory Services Restore Mode Account
What Username and Password Do I Need to Use for Directory Services Restore Mode
Directory Services Restore to Virtual from Physical