Restartable Active Directory Domain Services
Windows Server 2008 has introduced another new feature for this iteration of Active Directory, Restart-able Active Directory Domain Services. All DCs running Windows Server 2008 support restartable domain services.
Active Directory Domain Services will appear in the services applet on all Windows Server 2008 Domain Controllers in your Active Directory environment. The modes available for Active Directory Domain Services are:
- Active Directory Started – In this state, the Active Directory services are running and will function similarly to Domain Controllers in Windows 2000 Server and Windows Server 2003. When in the started state, a Windows Server 2008 Domain Controller can provide authentication services for a domain.
- Active Directory Stopped – In this state the Domain Controller cannot provide authentication and logon services for an Active Directory environment. While in a stopped state the Domain Controller behaves similarly to a Member Server or Server started in Directory Services Restore Mode (DSRM). The server will accept logins with cached credentials, smart cards, or biometrics like a member server, while also taking the its directory services database offline, like DSRM.
- Directory Services Restore Mode – In this state the Domain Controller is in restore mode and behaves much like a Windows Server 2003 Domain Controller in Restore Mode. The Directory Services database is offline and maintenance, including an authoritative restore can be performed.
Stopping the Active Directory Services will allow maintenance tasks to be performed that would previously require the server to be restarted. This can save a great deal of time for administrators and other users in your environment. Other domain controllers within an environment will handle logon requests and other resource needs while a server’s Active Directory services are stopped. If your environment has only one Domain Controller, and no other methods of authentication are supported, an administrator could still logon using the Active Directory Restore Mode user account and password.
Other methods of authentication which will work when AD Domain Services are stopped are:
- Cached Credentials
- Smart Cards
- Biometrics
Another thing to note, like any other Windows service, AD DS will stop dependent services when it is stopped. This includes the File Replication, Intersite Messaging, and Kerberos Key Distribution Center services. If these services are still running when Active Directory restarts, they will be restarted.
Note: When starting a Domain Controller, you cannot start Active Directory Domain Services in a stopped state. To stop this service, the Windows Server 2008 system must be started first ad then, using the services applet the AD DS service can be stopped.
