AD DS: Restartable Active Directory Domain Services

Applies To: Windows Server 2008

Administrators can stop and restart Active Directory® Domain Services (AD DS) in the Windows Server® 2008 operating system by using Microsoft Management Console (MMC) snap-ins or the command line.

What does restartable AD DS do?

Restartable AD DS reduces the time that is required to perform certain operations. AD DS can be stopped so that updates can be applied to a domain controller. Also, administrators can stop AD DS to perform tasks, such as offline defragmentation of the Active Directory database, without restarting the domain controller. Other services that are running on the server and that do not depend on AD DS to function, such as Dynamic Host Configuration Protocol (DHCP), remain available to satisfy client requests while AD DS is stopped.

Who will be interested in this feature?

Restartable AD DS provides benefits for:

  • Security update planners and administrators

  • AD DS management teams

  • AD DS administrators

Are there any special considerations?

Restartable AD DS is available by default on all domain controllers that run Windows Server 2008. There are no functional-level requirements or any other prerequisites for using this feature.

What new functionality does this feature provide?

In Active Directory in the Microsoft® Windows® 2000 Server operating system and Windows Server® 2003 operating system, offline defragmentation of the database required a restart of the domain controller in Directory Services Restore Mode (DSRM). Applying security updates also often required a restart of the domain controller.

In Windows Server 2008, however, administrators can stop and restart AD DS. This makes it possible to perform offline AD DS operations more quickly.

Note

You cannot perform a system state restore of a domain controller while AD DS is stopped. To complete a system state restore of a domain controller, you need to start in DSRM. You can, however, perform an authoritative restore of Active Directory objects while AD DS is stopped by using Ntdsutil.exe.

Restartable AD DS adds minor changes to existing MMC snap-ins. A domain controller running Windows Server 2008 AD DS displays Domain Controller in the Services (Local) node of the Component Services snap-in and the Computer Management snap-in. By using either snap-in, an administrator can easily stop and restart AD DS the same way as any other service that is running locally on the server.

What existing functionality is changing?

Although stopping AD DS is similar to logging on in DSRM, restartable AD DS provides a unique state for a domain controller running Windows Server 2008. This state is known as AD DS Stopped.

The three possible states for a domain controller running Windows Server 2008 are as follows:

  • AD DS Started. In this state, AD DS is started. For clients and other services running on the server, a Windows Server 2008 domain controller running in this state is the same as a domain controller running Windows 2000 Server or Windows Server 2003.

  • AD DS Stopped. In this state, AD DS is stopped. Although this mode is unique, the server has some characteristics of both a domain controller in DSRM and a domain-joined member server.

    As with DSRM, the Active Directory database (Ntds.dit) on the local domain controller is offline. Another domain controller can be contacted for logon if one is available. If no other domain controller can be contacted, by default you can either:

    • Log on to the domain controller locally in DSRM by using the DSRM password.

    • Restart the domain controller in order to log on with a domain account.

    Note

    To change the default behavior, you can modify the DSRMAdminLogonBehavior registry entry. For more information, see the Restartable AD DS Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkID=148205).

    As with a member server, the server is joined to the domain. This means that Group Policy and other settings are still applied to the computer. However, a domain controller should not remain in the AD DS Stopped state for an extended period of time because in this state it cannot service logon requests or replicate with other domain controllers.

  • Directory Services Restore Mode (DSRM). This mode (or state) is unchanged from Windows Server 2003, with one exception. In Windows Server 2008, you can run the dcpromo /forceremoval command to forcefully remove AD DS from a domain controller that is started in DSRM, just as you can in the AD DS Stopped state.
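
The following check is an added example, not part of the original article: it classifies the local domain controller into one of the three states above and reports the DSRMAdminLogonBehavior setting, so that a controller left in AD DS Stopped or a non-default logon behavior is noticed. The NTDS service name, the SAFEBOOT_OPTION environment variable, the registry path under Lsa, and the meanings of values 0 to 2 are not stated on this page and are assumptions based on Microsoft's Windows documentation; the function names are hypothetical.

```powershell
# Added example: run locally on a domain controller from an elevated prompt.

function Resolve-AddsState {
    param([string]$SafeBootOption, [string]$NtdsStatus)
    # DSRM is a boot mode, so test for it before looking at the service.
    if ($SafeBootOption -eq 'DSREPAIR') { return 'DSRM' }
    switch ($NtdsStatus) {
        'Running' { return 'AD DS Started' }
        'Stopped' { return 'AD DS Stopped' }
        default   { return "In transition ($NtdsStatus)" }
    }
}

function Get-DsrmAdminLogonBehavior {
    # Assumption: the registry location is not given on this page.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $key -Name 'DSRMAdminLogonBehavior' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }   # entry absent: default behavior applies
    return [int]$prop.DSRMAdminLogonBehavior
}

# Assumption: value meanings as documented by Microsoft for this entry.
$meaning = @{
    0 = 'DSRM Administrator can log on only when the DC is started in DSRM (default)'
    1 = 'DSRM Administrator can also log on while AD DS is stopped'
    2 = 'DSRM Administrator can log on at any time'
}

$svc = Get-Service -Name 'NTDS' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'NTDS service not found: this computer is not a domain controller.'
    return
}

$state    = Resolve-AddsState -SafeBootOption $env:SAFEBOOT_OPTION -NtdsStatus $svc.Status
$behavior = Get-DsrmAdminLogonBehavior
$text     = $meaning[$behavior]
if ($null -eq $text) { $text = 'unrecognized value' }

"State:                  $state"
"DSRMAdminLogonBehavior: $behavior ($text)"

if ($behavior -ne 0) {
    Write-Warning 'DSRMAdminLogonBehavior is not the default; confirm the change was intended.'
}
if ($state -eq 'AD DS Stopped') {
    Write-Warning 'This DC cannot service logons or replicate; run "net start ntds" when maintenance is done.'
}
```
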

The following flowchart shows how a domain controller running Windows Server 2008 can make the transition between these three possible states.