Booting a DC into DSRM without touching it locally.

Short answer:


Long answer:

So you will run into it often when being an AD admin that you need to boot a DC into DSRM (Directory Service Restore Mode), so what is the easiest way of doing this without having someone stand at the console and hit F8 on reboot and select DSRM from the menu?

1) Reset the DSRM admin password, because it would really suck if you got to the logon screen and did not know the password to logon.  You'll notice below that NTDSUTIL excepts shorthand...

ntdsutil: set dsrm pas
Reset DSRM Administrator Password: res pa on serve brad-dc-01
Please type password for DS Restore Mode Administrator Account: ************
Please confirm new password: ************
Password has been set successfully.

2) Configure the boot.ini on the server, first we have to turn off all those attributes:

attrib -r -h -a -s \\brad-dc-01\c$\boot.ini

3) Now we can adjust the boot.ini remotely, I like to copy the orignal line and put it below my modified line so "just in case" we have our old string handy.  All you need to do is add the line /safeboot:DSRepair

[boot loader]
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003 Enterprise x64 Edition" /fastdetect /sos /3GB /usepmtimer /safeboot:DSRepair

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003 Enterprise x64 Edition" /fastdetect /sos /3GB /usepmtimer  <-- Original

4) Now use shutdown.exe to reboot the machine.

So you have officially never TS'd to the machine and when it starts pinging again, you'll be in DS repair mode.



Comments (0)

Skip to main content