Safe Mode


Windows 2000 includes an option called Safe Mode. This recovery tool, carried over from the Windows 9x product line, allows you to start your system with a minimal set of device drivers and services loaded.

Safe Mode is useful for those situations in which you load a new driver or software program or make a configuration change that results in an inability to start your system. You can use Safe Mode to start your system and remove the driver or software that is causing the problem.

To get into Safe Mode, restart your server and press F8 on the boot menu screen when you see the prompt, "Please Select The Operating System To Start." The following options are available on the Windows 2000 Advanced Options menu (as shown in Figure 5.15):

  • Safe Mode: This option starts Windows 2000 with the basic drivers for the mouse, video, monitor, mass storage, and keyboard.

  • Safe Mode with Networking: This option starts Windows 2000 with the basic drivers, plus the network drivers.

  • Safe Mode with Command Prompt: This option starts Windows 2000 with the basic drivers and opens a command window instead of the desktop.

  • Enable Boot Logging: This option starts Windows 2000 normally, but logs all device drivers and services that the system attempts to load, along with their status, to %systemroot%\ntblog.txt. This is a good option to select to diagnose system startup problems.

  • Enable VGA Mode: This option starts Windows 2000 normally, but forces it to load the basic VGA driver. This option is useful for recovering from the installation of a bad video driver.

  • Last Known Good Configuration: This option starts Windows 2000 with the contents of the Registry from the last time that the user logged on to the system. This is helpful when recovering from a configuration error. When this option is selected, any configuration changes made after the last logon will be lost.

  • Directory Services Restore Mode: This option is used to restore the Active Directory database and SYSVOL on a domain controller. It will only be listed on a domain controller.

  • Debugging Mode: This option starts Windows 2000 normally, but sends debugging information over a serial cable to another computer. This option is for software developers.

  • Boot Normally: This option bypasses the menu options and starts Windows 2000 without any modifications.

Figure 5.15. Windows 2000 Advanced Options menu showing Safe Mode option selected.


If your startup problem does not appear when you start the system in Safe Mode, you can eliminate the default settings and minimum device drivers as problems. Using Safe Mode, you can diagnose the problem and remove the faulty driver, or restore the proper configuration.

Note: If your server will not start properly using Safe Mode, you might have to boot to the Recovery Console, or restore your system files using the Emergency Repair Disk (ERD).


Recover System State Data by Using Directory Services Restore Mode

On a domain controller, the Active Directory files are restored as part of the System State. The System State on a domain controller consists of

  • Active Directory (NTDS)

  • The boot files

  • The COM+ Class Registration database

  • The Registry

  • The system volume (SYSVOL)

The individual components cannot be backed up or restored separately; they can only be handled as a unit.

When a single domain controller fails, and the other domain controllers are still operational, it can be repaired and the data restored using a current backup tape. After Active Directory is restored, the domain controller will replicate with the other domain controllers to synchronize any changes that were made on the other domain controllers since the backup tape was created. This process is called a non-authoritative restore.

Windows 2000 assigns an Update Sequence Number (USN) to each object created in Active Directory. This allows Active Directory to track updates and prevents it from replicating objects that have not changed. When you perform a normal file restore of Active Directory, all of the restored data is considered "old" data and will not be replicated to the other domain controllers. The data is non-authoritative because its objects have lower USNs and are therefore treated as out of date. Any objects on the other domain controllers that have higher USNs than the objects in the restored data will be replicated to the restored domain controller so that all copies of Active Directory are consistent. A non-authoritative restore is the default restore mode for Active Directory and is used most often.

However, in specific circumstances, it will be necessary to perform an authoritative restore. When performing an authoritative restore, the USNs on the objects in the copy of the Active Directory database that is restored to the domain controller are reset to a number higher than the current USNs so that all of the data that is restored is no longer considered old data. This allows the objects in the restore job to overwrite newer objects on the other domain controllers.

When Active Directory is in a corrupted state on all of the domain controllers, it will be necessary to restore AD from tape and force the replication of the restored data to all of the other domain controllers. This type of operation is called an authoritative restore. An authoritative restore will cause the data that is restored from tape to overwrite the corrupted data that is stored on all of the domain controllers. This is accomplished by changing the USNs on all of the objects in the AD database to a higher number so that they are considered to be authoritative, and will overwrite the lower numbered objects.

An authoritative restore cannot be performed while a domain controller is online; the domain controller must be restarted into Directory Services Restore Mode, which is an option available in Safe Mode. To perform an authoritative restore, perform the following steps:

  1. Reboot the server.

  2. From the boot menu, when you see the message, "Please Select The Operating System To Start," press the F8 key.

  3. From the Advanced Options menu, select Directory Services Restore Mode. Press Enter.

  4. On the Windows 2000 Boot menu, select the operating system to start and press Enter.

  5. The server will boot into Directory Services Restore Mode. From the Windows 2000 logon screen, log on using the Directory Services Administrator password. This is not the normal Administrator password. This is the password that was entered during the DCPROMO procedure.

  6. Start the Windows 2000 Backup program by selecting Start, Programs, Accessories, System Tools, Backup.

  7. Select the Restore tab.

  8. Select the desired media.

  9. Select the System State check box.

  10. Click the Start Restore button.

  11. When the Confirm Restore dialog box appears, click the Advanced button.

  12. From the Advanced Restore Options dialog box shown in Figure 5.16, select the When Restoring Replicated Data Sets, Mark the Restored Data as the Primary Data for All Replicas check box, and click the OK button.

    Figure 5.16. Advanced Restore Options dialog box showing authoritative restore selection.


  13. Click the OK button in the Confirm Restore dialog box.

  14. After the restore completes, restart the server.

An authoritative restore is used most often in situations where an Active Directory object such as a user, group, or organizational unit (OU) has been accidentally deleted and needs to be restored.

If an Active Directory object is accidentally deleted, it is possible to restore the object from a backup tape by performing a partial authoritative restore. This is accomplished by restoring from the last backup before the object was deleted. The procedure to perform the restore is very similar to the full Active Directory authoritative restore that was shown in the previous section.

Note: When performing a partial authoritative restore, it is very important to only restore the specific item that needs to be restored. If the entire Active Directory is restored, you could inadvertently overwrite newer objects. For example, the naming context of Active Directory contains the passwords for all of the computer accounts and trust relationships. These passwords are automatically changed approximately every seven days. If the existing values are overwritten by the restore, and the passwords have been renegotiated since that backup was created, the computer accounts will be locked out of the domain and the trust relationships will be dropped. For more information see article Q216243, "Impact of Authoritative Restore on Trusts and Computer Accounts" in the Microsoft Knowledge Base.
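The USN rule described earlier and the warning in this note can be seen together in a small model. The following is an added example, not code from the book: it assumes one USN per object with the higher USN winning on replication, which is a simplification of real Active Directory, and the WKS1 computer account, the values and the BUMP increment are constructed.

```python
# Added illustration, not from the book. Simplified model of the rule in the text:
# one USN per object, and on replication the copy with the higher USN wins.
# Real Active Directory tracks versions per attribute; names and values are constructed.
TOMBSTONE = "<deleted>"
BUMP = 100_000  # constructed increment, higher than any live USN in this model

OU = "OU=ABC St. Louis User,DC=abc,DC=com"
JDOE = "CN=JDoe," + OU
WKS1 = "CN=WKS1,CN=Computers,DC=abc,DC=com"

# State captured on the backup tape: DN -> (USN, value)
BACKUP = {JDOE: (10, "user"), WKS1: (11, "machine-password-v1")}
# State on the surviving domain controller after the backup was made
LIVE = {JDOE: (30, TOMBSTONE),               # user deleted by accident
        WKS1: (25, "machine-password-v2")}   # password renegotiated


def in_subtree(dn, subtree):
    """True if dn is the subtree root or lies below it (DNs compare case-insensitively)."""
    dn, subtree = dn.lower(), subtree.lower()
    return dn == subtree or dn.endswith("," + subtree)


def restore(backup, authoritative=None):
    """authoritative: None (non-authoritative), "all", or a subtree DN."""
    db = {}
    for dn, (usn, value) in backup.items():
        marked = authoritative == "all" or (
            authoritative is not None and in_subtree(dn, authoritative))
        db[dn] = (usn + BUMP if marked else usn, value)
    return db


def replicate(src, dst):
    """Push every object whose USN on src is higher than on dst."""
    for dn, (usn, value) in src.items():
        if dn not in dst or dst[dn][0] < usn:
            dst[dn] = (usn, value)


def outcome(authoritative=None):
    """Restore one DC from tape, replicate both ways, return the converged values."""
    restored, survivor = restore(BACKUP, authoritative), dict(LIVE)
    replicate(restored, survivor)
    replicate(survivor, restored)
    assert restored == survivor  # both copies are consistent afterwards
    return {dn: value for dn, (usn, value) in survivor.items()}


if __name__ == "__main__":
    for mode in (None, "all", OU):
        print(mode, outcome(mode))
```

In this model the non-authoritative restore leaves the user deleted, the full authoritative restore brings the user back but also rolls the computer account back to its old password, and the restore limited to the OU brings the user back while keeping the newer password.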


To restore a deleted Active Directory object:

  1. Perform steps 1 through 10 of the previous procedure to restore the AD database from tape.

  2. When the Confirm Restore dialog box appears, click OK.

  3. After the restore has completed, reboot the domain controller. From the boot menu, when you see the message, "Please Select The Operating System To Start," press the F8 key.

  4. From the Advanced Options menu, select Directory Services Restore Mode. Press Enter.

  5. On the Windows 2000 Boot menu, select the operating system to start and press Enter.

  6. The server will boot into Directory Services Restore Mode. From the Windows 2000 logon screen, log on using the Directory Services Administrator password. This is not the normal Administrator password. This is the password that was entered during the DCPROMO procedure.

  7. Open a command window and type ntdsutil, then press Enter.

  8. At the command prompt, type authoritative restore, then press Enter.

To restore an object, you will need to know its common name (CN), the organizational unit (OU), and the domain (DC) that the object was located in. For example, to restore the ABC St. Louis User OU, in the abc.com domain, you would enter the following command:

 Restore Subtree "OU=ABC St. Louis User,DC=abc,DC=com" 

This command restores all of the objects that have been deleted in the ABC St. Louis User OU since the backup tape was created.

To restore a user, the command would be

 Restore Subtree "CN=JDoe,OU=ABC St. Louis User,DC=ABC,DC=com" 

To restore a printer, the command would be

 Restore Subtree "CN=DeskJet 3rdfloor,OU=ABC St. Louis User,DC=abc,DC=com" 

After the command has completed, enter quit and reboot the domain controller. The domain controller will now replicate the restored Active Directory object to the other domain controllers.

Note: The following are the default Active Directory folders shown in the root of the Active Directory Users and Computers MMC:

  • Users

  • Builtin

  • Computers

These folders are actually containers and not Organizational Units. When referencing these containers, you have to use the CN= attribute and not the OU=.
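The naming rules above (CN for the object, OU for organizational units, DC for each domain label, and CN for the three default containers) can be applied mechanically. The following is an added example, not from the book: the function names are hypothetical, and it assumes that any folder other than the three default ones at the domain root is an OU. Commas and other special characters in a name are backslash-escaped as in standard DN syntax.

```python
# Added illustration, not from the book. Function names are hypothetical.
ROOT_CONTAINERS = {"users", "builtin", "computers"}  # default folders named in the note
SPECIAL = ',+\\<>;='  # characters escaped with a backslash inside a DN component


def escape(value):
    """Backslash-escape one name so it can be used as a DN component value."""
    if not value or '"' in value:
        raise ValueError("empty name or double quote: check the name by hand")
    chars = ["\\" + ch if ch in SPECIAL else ch for ch in value]
    if value[0] in "# ":       # a leading '#' or space must be escaped
        chars[0] = "\\" + value[0]
    if value[-1] == " ":       # so must a trailing space
        chars[-1] = "\\ "
    return "".join(chars)


def build_dn(domain, folders, leaf=None):
    """folders are listed from the domain root downwards; leaf is an optional object name."""
    parts = []
    for depth, name in enumerate(folders):
        # Assumption: only the default folders at the domain root are containers (CN=).
        kind = "CN" if depth == 0 and name.lower() in ROOT_CONTAINERS else "OU"
        parts.append(f"{kind}={escape(name)}")
    parts.reverse()  # a DN is written leaf first, domain last
    if leaf is not None:
        parts.insert(0, "CN=" + escape(leaf))
    parts += ["DC=" + escape(label) for label in domain.split(".")]
    return ",".join(parts)


def restore_command(dn):
    """Format the line typed at the authoritative restore prompt."""
    return f'restore subtree "{dn}"'


if __name__ == "__main__":
    print(restore_command(build_dn("abc.com", ["ABC St. Louis User"], "JDoe")))
    print(restore_command(build_dn("abc.com", ["Users"], "JDoe")))
```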




MCSE Windows 2000 Server Exam Cram2 (Exam 70-215)
ISBN: 0789728737
EAN: 2147483647
Year: 2003
Pages: 155
