U-Tools: Unique Tools for Windows System Administrators
U-Move Help
Menu

Directory Services Restore Mode

What is DSRM?

Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory. It is used to log on to the computer when Active Directory has failed or needs to be restored.

Note: Do not confuse DSRM with Safe Mode. Active Directory will still attempt to start in Safe Mode and if it fails you will not be able to log on. Instead use DSRM.

You can log on to DSRM by using a special DSRM password that you set when you promoted the domain controller. Use the logon account name .\Administrator (language may vary).

DSRM is only needed when Active Directory is so damaged that you cannot log on using your normal AD Administrator password. Use DSRM when doing a domain-wide restore or a forest-wide restore when AD is so damaged that it will not boot normally.

How to Log on to DSRM

After booting DSRM (see below) click on Other User. When prompted for the logon account name type .\Administrator

The initial logon prompt will show the account name MyDomain\Administrator, where MyDomain is the name of the domain. This is incorrect and will not work. You must click on Other User and manually type the name .\Administrator.

If You Lost the DSRM Password

If you forgot the DSRM password for the .\Administrator account you can reset it using ntdsutil. See Reset DSRM Password. This requires a working Active Directory.

If Active Directory is also not working you can reset the DSRM password by using a standard desktop PC lost-password recovery tool:

If after you boot DSRM you need to recover your Active Directory password for the Domain Administrator account see Changing a Lost Domain Administrator Password.

How to Boot DSRM: F8 Key

To manually boot in Directory Services Restore Mode, press the F8 key repeatedly. Do this immediately after BIOS POST screen, before the Windows logo appears. (Timing can be tricky; if the Windows logo appears you waited too long.) A text menu menu will appear. Use the up/down arrow keys to select Directory Services Restore Mode or DS Restore Mode. Then press the Enter key.

Windows Desktop: The F8 key is disabled on desktop editions of Windows. If you want to boot into Safe Mode, run msconfig and select Minimal. Then reboot.

Set up boot menu for F8

On Windows Server you can modify the boot configuration to allow you to press F8 during boot more easily. Open an administrative console and type the following:

bcdedit /set {bootmgr} displaybootmenu yes

If you cannot boot normally, you can boot WinPE or WinRE and run the bcdedit command in a recovery console window.

This will modify the Boot Configuration Database (BCD) to display a text menu at boot time where you can select the operating system to load. During this time you have a 30 second window to press F8 to boot DSRM. If you do nothing, the default operating system will boot when the time delay is over.

How to Boot DSRM using msconfig

You can configure Windows to boot DSRM using msconfig:

  1. Press WIN+R.
  2. In the Open box type msconfig and click OK. This will show the System Configuration dialog box.
  3. Click on the tab Boot (top).
  4. Under “Boot options” check the box Safe boot.
  5. Select Active Directory repair and click OK.
  6. Reboot the computer: Click on Start -> (Power) -> Restart, or press WIN+X -> Shut down or sign out -> Restart.

This will boot the computer into DSRM.

To boot normally, reverse the procedure:

  1. Press WIN+R.
  2. In the Open box type msconfig and click OK. This will show the System Configuration dialog box.
  3. Click on the tab Boot (top).
  4. Under “Boot options” uncheck the box Safe boot and click OK.
  5. Reboot the computer: Click on Start (or press WIN+X -> Shut down or sign out -> Restart.

This will boot the computer back into normal mode.

How to Boot DSRM using bcdedit

You can run bcdedit inside of an administrative console:

  1. To boot DSRM, type the command bcdedit /set safeboot dsrepair, then reboot: shutdown /r /f /t 5.
  2. When you are ready to boot normally, type bcdedit /deletevalue safeboot, then reboot: shutdown /r /f /t 5.

You can use this procedure when a graphical user interface (GUI) is not available (e.g., on Server Core).

For more information

See also Changing the Domain Administrator Password.

U-Move protects your Active Directory domain controller by offering strong backup and recovery protection, along with advanced upgrade capability.

U-Move for Active Directory
U-Move for Active DirectoryU-Move for Active Directory
Backing Up Active DirectoryBacking Up Active Directory
Restoring Active DirectoryRestoring Active Directory
Cloning Active DirectoryCloning Active Directory
ConceptsConcepts
Directory Services Restore ModeDirectory Services Restore Mode
What is DSRM?What is DSRM?
Changing the Domain Admin PasswordChanging the Domain Admin Password
Changing a Lost Domain Administrator PasswordChanging a Lost Domain Administrator Password
NetworkingNetworking
The Staging FolderThe Staging Folder
The System StateThe System State
User Account Control (UAC)User Account Control (UAC)
Upgrading Active DirectoryUpgrading Active Directory
Remote Use and ScriptingRemote Use and Scripting
AD Consulting and Repair ServiceAD Consulting and Repair Service
AD Recovery ServiceAD Recovery Service
Error MessagesError Messages