Register for Semperis' Hybrid Identity Protection (HIP) Conference - June 30 - July 1 Register for Semperis' Hybrid Identity Protection (HIP) Conference - June 30 - July 1
Active Directory

Active Directory Restore Mode Trick

How does Ntdsutil.exe know it’s in Directory Restore mode?

NTDSUTIL is a tool used for many Active Directory database maintenance tasks, such as defragmenting the DB, moving the DB and/or log files to a different place, cleaning the DB and more.

NTDSUTIL will allow you to perform many of it’s functions while the DC is up and running. However some of the maintenance tasks (such as performing an offline defragmentation of the DB and moving the files to a different location, along with the Authoritive restore commands) require that you start the DC in Directory Restore mode, found when you access the boot menu by pressing F8 before the server starts it’s startup sequence.

When you start the domain controller in Directory Restore mode, the DC sets the environment variable safeboot_option to “dsrepair.”

If, for some reason, you want to access the “protected” features of NTDSUTIL while it is NOT in the Directory Restore mode, you will receive an error similar to this:

ntdsutil: files
*** Error: Operation only allowed when booted in DS restore mode

If you want to check something in NTDSUTIL that is allowed only in Directory Restore mode, you can “trick” the program by typing the following statement at a command prompt:


Lamer Note: Type the above command into a different CMD window, NOT the one that NTDSUTIL is running in.

Don’t use this approach on a live or important machine because it could result in system damage if you try to perform system modifications when the system isn’t in Directory Restore mode.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

Register for the Hybrid Identity Protection (HIP) Europe Conference!

Hybrid Identity Protection (HIP) Europe 2021 - Virtual Conference

Mobile workforces, cloud applications, and digitalization are changing every aspect of the modern enterprise. And with radical transformation come new business risks. Hybrid Identity Protection (HIP) is the premier educational forum for identity-centric practitioners. At the inaugural HIP Europe, join your local IAM experts and Microsoft MVPs to learn all the latest from the Hybrid Identity world.