Wednesday, May 6, 2009

Restartable Active Directory Domain Services Explained

Windows Server 2008 includes a service that allows you to start, stop, and restart Active Directory Domain Services on a domain controller. This new functionality facilitates more streamlined operations when it comes to performing offline tasks on a domain controller. This article takes a closer look at the new restartable Active Directory Domain Services in Windows Server 2008.

Overview of the Active Directory Domain Services Service

Every domain controller that has Windows Server 2008 installed includes a service called Active Directory Domain Services, which can be manipulated like any other service. This new service and functionality is enabled by default on all domain controllers that have Windows Server 2008 installed; there are no domain or forest functional-level requirements for this functionality.

With the Active Directory Domain Services running as a service on a domain controller, you can use familiar tools to manipulate the status of the service. For example, you can use the Services console or sc.exe to stop, start or restart the Active Directory Domain Services service.

The Active Directory Domain Services service has a number of other services that depend on it. As a result, when you change the status of the Active Directory Domain Services service, the dependent services will also be affected. These dependent services include the following:

  • DFS Replication
  • DNS Server
  • Intersite Messaging
  • Kerberos Key Distribution Center

It is common for domain controllers to run other services that do not depend on Active Directory Domain Services. Because Active Directory Domain Services runs as a true service that can be manipulated independently of those nondependent services, they continue to function while the Active Directory Domain Services service is stopped.
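The following PowerShell script is an added example, not part of the original article: it shows the state of the Active Directory Domain Services service (service name NTDS) and the services that will stop with it, so the impact of an offline task is known before the service is stopped. The short service names for the four dependents (DFSR, DNS, IsmServ, Kdc) are assumed from their display names.

```powershell
# Added example (not from the original article). Inspect the AD DS service (NTDS) and
# the services that depend on it before taking AD DS offline. Run in an elevated
# PowerShell session on the domain controller.

# Short service names assumed for the four dependents the article lists; any other
# dependent found on this DC is something additional to account for.
$documented = @{
    'DFSR'    = 'DFS Replication'
    'DNS'     = 'DNS Server'
    'IsmServ' = 'Intersite Messaging'
    'Kdc'     = 'Kerberos Key Distribution Center'
}

$ntds = Get-Service -Name NTDS
Write-Host ("{0} [{1}] is {2}" -f $ntds.DisplayName, $ntds.Name, $ntds.Status)

Write-Host "Services that stop when NTDS stops:"
$extra = @()
foreach ($svc in (Get-Service -Name NTDS -DependentServices)) {
    $tag = if ($documented.ContainsKey($svc.Name)) { 'documented' } else { 'UNDOCUMENTED' }
    Write-Host ("  {0,-10} {1,-40} {2,-8} {3}" -f $svc.Name, $svc.DisplayName, $svc.Status, $tag)
    if ($tag -eq 'UNDOCUMENTED') { $extra += $svc.Name }
}
if ($extra.Count -gt 0) {
    Write-Warning ("Dependents not in the documented list: {0}" -f ($extra -join ', '))
}

# Preview the change without making it. -Force is required because dependents are
# running; without it Stop-Service refuses to stop NTDS.
Stop-Service -Name NTDS -Force -WhatIf

# To actually take AD DS offline for the maintenance task and bring it back afterward:
#   Stop-Service -Name NTDS -Force
#   ... perform the offline task ...
#   Start-Service -Name NTDS
# Starting NTDS does not start the dependents for you; start them explicitly:
#   Start-Service -Name DFSR, DNS, IsmServ, Kdc
```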

The Active Directory Domain Services service can be in one of two statuses: Started or Stopped. The tasks that can be performed on a domain controller differ based on the status of the service. Furthermore, the directory service functionality is also different depending on the status of the Active Directory Domain Services service.

Active Directory Domain Services Service -- Started

When the Active Directory Domain Services service is started, the domain controller functions just like any other domain controller. In this state, Active Directory Domain Services, and other dependent and nondependent services running on the domain controller, operate just as they do on a Windows Server 2003 or Windows 2000 Server domain controller. The domain controller will process authentication and authorization requests, for example, because the domain controller is online.

Active Directory Domain Services -- Stopped

When the Active Directory Domain Services service is stopped, the domain controller is said to be offline and functions similarly to a domain controller running in Directory Services Restore Mode. When the Active Directory Domain Services service is stopped, the Active Directory Domain Services database (NTDS.dit) is offline. As a result, changes cannot be made to the Active Directory Domain Services database, either directly or through replication.

The fact that the Active Directory Domain Services database is offline when the Active Directory Domain Services service is stopped provides the ability to perform offline maintenance tasks without restarting the domain controller into Directory Services Restore Mode. These tasks include performing an offline Active Directory Domain Services database defragmentation, marking an object or objects as authoritative, and forcefully removing Active Directory Domain Services from the domain controller.

Because the Active Directory Domain Services database is offline when the Active Directory Domain Services service is stopped, the domain controller will not process authentication requests. In this case, authentication requests, and all other Active Directory Domain Services client and service requests, will be referred to an online domain controller. If no other domain controller can be contacted to process the authentication request, you must log on to the domain controller using the Directory Services Restore Mode account.

Directory Services Restore Mode Account and the Active Directory Domain Services Service

By default, the Directory Services Restore Mode account can be used only when logging on to a domain controller in Directory Services Restore Mode. However, Windows Server 2008 provides the ability to enable the use of the Directory Services Restore Mode account when logging on to a domain controller while the Active Directory Domain Services service is stopped. This functionality is enabled by modifying the DSRMAdminLogonBehavior registry value under HKLM\System\CurrentControlSet\Control\Lsa. The table that follows lists the three options for the DSRMAdminLogonBehavior registry value:

Value   Description
0       (Default) The DSRM account cannot be used for logon.
1       The DSRM Administrator account can be used to log on only when the AD DS service is stopped.
2       The DSRM Administrator account can be used to log on at any time.
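As an added example (not from the original article), this PowerShell script reads DSRMAdminLogonBehavior and reports which of the three documented behaviours is in effect, warning when the DSRM account is allowed to log on more broadly than the default. It assumes that an absent value behaves as the default of 0.

```powershell
# Added example (not from the original article). Audit the DSRMAdminLogonBehavior value
# described in the table above. Run in an elevated PowerShell session on the DC.

$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'DSRMAdminLogonBehavior'

# Meanings as documented in the table above.
$meaning = @{
    0 = '(Default) DSRM account cannot be used for logon while AD DS is running'
    1 = 'DSRM account can log on only while the AD DS service is stopped'
    2 = 'DSRM account can log on at any time'
}

function Get-DsrmLogonBehavior {
    $item = Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
    # Assumption: an absent value behaves like the documented default, 0.
    if ($null -eq $item) { return 0 }
    return [int]$item.$valueName
}

$current = Get-DsrmLogonBehavior
$text = if ($meaning.ContainsKey($current)) { $meaning[$current] } else { 'unrecognised value' }
Write-Host ("{0} = {1}: {2}" -f $valueName, $current, $text)

if ($current -ne 0) {
    Write-Warning "DSRM account logon is broader than the default; confirm this is intended."
}

# Return the value to the default (0). Not run automatically; uncomment when that is the
# intended state. -Force overwrites an existing value.
# New-ItemProperty -Path $lsaPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
```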


Source: enterpriseitplanet.com/networking/features/article.php/3814246
