How does Ntdsutil.exe know it’s in Directory Restore mode?
NTDSUTIL is a tool used for many Active Directory database maintenance tasks, such as defragmenting the DB, moving the DB and/or log files to a different place, cleaning the DB and more.
NTDSUTIL will allow you to perform many of it’s functions while the DC is up and running. However some of the maintenance tasks (such as performing an offline defragmentation of the DB and moving the files to a different location, along with the Authoritive restore commands) require that you start the DC in Directory Restore mode, found when you access the boot menu by pressing F8 before the server starts it’s startup sequence.
When you start the domain controller in Directory Restore mode, the DC sets the environment variable safeboot_option to “dsrepair.”
If, for some reason, you want to access the “protected” features of NTDSUTIL while it is NOT in the Directory Restore mode, you will receive an error similar to this:
*** Error: Operation only allowed when booted in DS restore mode
"set SAFEBOOT_OPTION=DSREPAIR" to override - NOT RECOMMENDED!
If you want to check something in NTDSUTIL that is allowed only in Directory Restore mode, you can “trick” the program by typing the following statement at a command prompt:
Lamer Note: Type the above command into a different CMD window, NOT the one that NTDSUTIL is running in.
Don’t use this approach on a live or important machine because it could result in system damage if you try to perform system modifications when the system isn’t in Directory Restore mode.