How about mechanisms to maintain the integrity of Active Directory, particularly Directory Services Restore Mode, or DSRM. DSRM, in a nutshell, is a password-protected, offline, safe mode environment for Active Directory recovery and maintenance on domain controllers. In DSRM, you can perform things like authoritative restore. Now, authoritative means that when you restore a deleted object, it becomes a first-class citizen in the domain and forest. In other words, when the domain controller that has the authoritatively restored object receives a pull request from its partner domain controller, that partner will say, whoa, whatever version of the object is in this authoritative restore is the latest; make sure that that is so. You see what I mean? It ensures that your restored object will be replicated properly. We also can do Active Directory defragmentation and compaction. Those require that the database be offline.

Now, what are some consequences of DSRM? Well, number one, it's going to take that domain controller offline as long as you're doing the recovery and maintenance, and that could be a particular issue if, wait for it, you have a particular FSMO, or Flexible Single Master Operations, role on that DC. So a good practice would be to transfer FSMO roles off of that domain controller first, reboot into Directory Services Restore Mode, do your work, and then restart again to come back and bring that domain controller back into the fold. We use the NTDSUtil command line tool once we've rebooted. DSRM is a command line console; it is not a graphical environment. So you need to use NTDSUtil and its arcane syntax to do your work.

DSRM isn't anywhere near as critical as it was in the very early days of Active Directory. For example, now we have what's called Restartable AD DS, and again, that's been around for years; it's not new in Windows Server 2022, but this allows you to stop and start Active Directory while the domain controller is online. Now, let me go into more detail about that, actually, in the next slide.