Monday, April 13, 2015

Safely Restarting Active Directory

The restartable AD DS service is available in Windows Server 2008 and 2012 as an alternative to rebooting into Directory Services Restore Mode (DSRM) safe mode in order to apply updates and fully defragment or move the database files. Simply put - Active Directory Domain Services is now a service that can be started and stopped via the Services MMC or PowerShell.

Warnings!
  • Stopping the service without a reboot also stops the AD-dependent services on that server, such as DNS (AD-integrated zones), FRS, and Inter-site Messaging. This is why it is so important to have a Department of Redundancy Department to ensure fault tolerance in your network!
  • You cannot run DCPROMO while the service is stopped, except with /ForceRemoval.
  • You cannot perform a system restore while the AD DS service is stopped. A system restore must always be executed from DSRM.
  • Stopping Active Directory Domain Services affects the ability of domain clients and Active Directory applications to authenticate against that server.

Benefits:
  • Maintenance is faster without the reboot.
  • Other, non-AD services on the server can keep running to support clients.
  • Domain Admins can still log on to the domain controller (authenticated by another online DC) even when the local AD DS service is stopped.
  • You can log on as the DSRM safe-mode administrator, but only if you have set the registry value ahead of time: HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior set to 1.
  • Administrators can mark items for an authoritative restore.
I like to stop the service (and its dependencies) cleanly with PowerShell:
# Stop the services that depend on NTDS first (KDC, DNS, etc.), then NTDS itself
$ntdsdep = Get-Service ntds -DependentServices
Stop-Service $ntdsdep
Stop-Service ntds

and of course to start it...
# Start NTDS first, then the services that depend on it
$ntdsdep = Get-Service ntds -DependentServices
Start-Service ntds
Start-Service $ntdsdep
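As an added example (not from the original post), here is a guarded wrapper around the same stop/start sequence: it refuses to stop NTDS unless another domain controller in the domain answers a ping (the redundancy point above), records which dependents were actually running so the start phase brings back only those, and verifies the result. It assumes an elevated PowerShell session on the DC with the ActiveDirectory module installed; the state file path is an assumption.

```powershell
# Added example, not code from the original post.
# Assumes: elevated session on a Windows Server 2008+ domain controller,
# ActiveDirectory module available, and write access to $StatePath (assumed path).
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][ValidateSet('Stop', 'Start')][string]$Action,
    [string]$StatePath = "$env:ProgramData\ntds-maintenance.txt"
)

function Test-OtherDcOnline {
    # Return $true only if at least one OTHER domain controller answers a ping,
    # so clients can fail over to it while this DC's AD DS service is stopped.
    Import-Module ActiveDirectory -ErrorAction Stop
    $me = $env:COMPUTERNAME
    $others = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $me }
    foreach ($dc in $others) {
        if (Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet) { return $true }
    }
    return $false
}

if ($Action -eq 'Stop') {
    if (-not (Test-OtherDcOnline)) {
        throw 'No other domain controller is reachable; stopping NTDS here would take the domain offline.'
    }
    # Record the dependents that are running NOW, so Start restores exactly that set.
    $running = Get-Service ntds -DependentServices | Where-Object { $_.Status -eq 'Running' }
    $running | ForEach-Object { $_.Name } | Set-Content -Path $StatePath
    # Stop dependents (KDC, DNS, etc.) before NTDS itself, as in the post.
    $running | Stop-Service -ErrorAction Stop
    Stop-Service ntds -ErrorAction Stop
    Write-Host "NTDS stopped. Dependents recorded in $StatePath`: $($running.Name -join ', ')"
}
else {
    # Start NTDS first, then only the dependents that were running before the stop.
    Start-Service ntds -ErrorAction Stop
    $names = @(Get-Content -Path $StatePath | Where-Object { $_ -ne '' })
    foreach ($n in $names) { Start-Service -Name $n -ErrorAction Stop }
    # Verify: NTDS and every restored dependent must report Running.
    $bad = Get-Service -Name (@('ntds') + $names) | Where-Object { $_.Status -ne 'Running' }
    if ($bad) { throw "Still not running: $($bad.Name -join ', ')" }
    Write-Host 'NTDS and its recorded dependents are running.'
}
```

Run it as `.\Restart-Ntds.ps1 -Action Stop`, do the maintenance (offline defrag, file move, update), then `.\Restart-Ntds.ps1 -Action Start`; the script name is an assumption.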

Let me know if you have any questions. Hope this helps!