Random Question About Stopping Directory Services

boss and i were discussing this.

If I have a small network with a single server acting as a domain controller and a file server, and I stop the active directory service, have I just locked myself out of the network?

Thanks!

John

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

dynamik

Cached credentials might carry you a little ways, but you're probably going to still run into a lot of problems, especially when those expire or when users who don't have any try to log on.

So was this really a discussion, or were you called into his office to explain what happened to the network?

cnfuzzd

dynamik wrote:

Cached credentials might carry you a little ways, but you're probably going to still run into a lot of problems, especially when those expire or when users who don't have any try to log on.

So was this really a discussion, or were you called into his office to explain what happened to the network?

lolz

that would be a pretty sweet conversation

as a side note:

if i only have one domain controller and i stop the ntds service, and lock myself out of the network, the service will restart if i reboot, right?

right?

.....

dynamik

Yea, as long as it's set to automatic. Just go into services and check what it's set to.

Just curious, how did this come up?

cnfuzzd

dynamik wrote:

Yea, as long as it's set to automatic. Just go into services and check what it's set to.

Just curious, how did this come up?

actually, we were just sitting around discussing the changes in 2008. i mentioned this one, and he was stunned. We then determined that most likely it would be of no use to us, since most of our clients have one domain controller. (i know, i know)

john

dynamik

Heh, you deal with a lot of small clients? I started doing some contract work for a guy who deals with a lot of small businesses, and I have recently been rebuilding a lot of domains from scratch because they're a single DC with no backup type of environment. How hard is it to back up the system state once in awhile? At least the machine he rebuilt has RAID this time around

jibbajabba

Even worse is actually how little small companies know about Active Directory ..

One day in my last job I was asked whether I installed a domain controller before (which meant they haven't read the CV in the first place) .. Anyway, someone deleted the usergroup from the support staff and apparently they always reinstalled the DC .. Well, since my manager wasn't there I had to help "reinstalling" it .. I just prefered an authoritative restore of the group and continue drinking my coffee ... Oh man I could tell you stories without an end

undomiel

Gomjaba, I know your pain, I know it very well.

Slowhand

I did a project recently, deploying a brand-spankin' new Active Domain in Windows Server 2008 native mode. When going over the changes, my counterpart asked me, "what happens if we disable the AD service on both domain controllers?" I told him, "Try it, it'll be funny."

Note: he hasn't tried it yet. . .

thesaintjim

If no other domain controller is available, you can log on to the domain controller where AD DS is stopped in Directory Services Restore Mode (DSRM) only by using the DSRM Administrator account and password by default, as in Windows 2000 Server Active Directory or Windows Server 2003 Active Directory.

You can change the default by modifying the DsrmAdminLogonBehavior registry entry. By modifying the value for that registry entry, you can log on using the DSRM Administrator account in normal startup mode to a domain controller that has AD DS stopped even if no other domain controller is available. You do not need to start the domain controller in DSRM. This can help prevent you from getting inadvertently locked out of a domain controller to which you have logged on locally and stopped the AD DS service.