If you back up and restore a Domain Controller (at least with Veeam Agent), the restore can get quite tricky. If you restore a DC and try to log in with a domain account, you might be faced with ‘There are no login servers available to service the login request’.

So why does this happen?

In the case of Veeam (and I assume other backup products), restoring a Domain Controller backup automatically brings the server back up in DSRM.

Directory Services Restore Mode (DSRM) is a Safe Mode boot option for Domain Controllers. DSRM enables an administrator to repair, recover or restore an Active Directory database. Restarting a domain controller in DSRM takes it offline so it functions only as a regular server.

This can be a good thing, because if you have multiple domain controllers, you don’t want them to come up out of sync. In cases where other domain controllers are available, the restored server comes up in DSRM, logon requests are serviced by the other DCs, and the whole thing recovers.

But what happens when this is the only domain controller, or other issues (e.g. networking not starting) prevent recovery? If this happens, you can’t log in 🙁

Veeam has a nice KB article that tells you how to disable safeboot and restart. But what happens when you can’t log in to run this?

When you create a Domain Controller, by default all local administrator accounts are removed and disabled. You may not have (or may have forgotten) the credentials for the DSRM recovery user. Now what? You are locked out and can’t access the machine.

Now it’s time for the Utilman hack. Utilman is the accessibility icon on the login screen that lets you change magnification, narration etc.

This basically runs pre-login. What we are going to do is replace Utilman with a cmd shell. That will allow us to run some commands without needing to log in. This works as long as you have physical access to the machine (or console access on a VM etc.).

Boot the server from an installation DVD. It doesn’t have to match exactly the version of Windows you are trying to recover, but I always try to use the same version. This example uses Windows Server 2012. It’s always the old installations that are broken or forgotten about.

Select ‘Repair your computer’, go through to Advanced options and select Command Prompt.

From here you should be able to find your main Windows installation drive. It is usually D:, but in some cases where the server has multiple drives it could be on a different letter.

Go to Windows\System32. Rename utilman, and copy cmd.exe in over the top. Apologies for the ‘cp’ error – I’m largely a unix person.

Reboot (command: wpeutil reboot). Do a normal boot, and don’t boot off the CD/DVD again. Get to the login screen and press the Accessibility icon…

and you are presented with a cmd prompt, cunningly named Utilman.exe.

You now have unauthenticated admin access to the server, and you can issue the commands to turn DSRM off:

bcdedit /deletevalue safeboot

shutdown -t 01 -r

After you reboot, the server will come back up with safeboot disabled, the Netlogon service should start as normal, and you should be able to log in with normal domain accounts.

IMPORTANT: Remember to boot back on Install DVD/CD and put the original Utilman.exe back. Having an unauthenticated admin cmd shell on your console is a massive security hole.
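As an added example (not part of the original post), the following PowerShell checks are the ones I would run on the recovered DC once you can log in again, to confirm both that the safeboot value really is gone and that the cleanup step above was not forgotten. It assumes an elevated PowerShell 4 or later session on the server (Get-FileHash needs PowerShell 4), and that the original Utilman.exe was renamed to something still beginning with "utilman" so the leftover copy shows up in the listing.

```powershell
# Added example, not from the original post: post-recovery sanity checks on a restored DC.
# Assumes: elevated PowerShell 4+ session on the recovered server.

$sys32   = Join-Path $env:SystemRoot 'System32'
$utilman = Join-Path $sys32 'Utilman.exe'
$cmd     = Join-Path $sys32 'cmd.exe'

# 1. Is the safeboot value still on the current boot entry? If it is, the DC
#    will drop back into DSRM on the next reboot. bcdedit prints one
#    'safeboot  DsRepair' line when it is set; braces must be quoted in PowerShell.
$bcd      = bcdedit /enum '{current}' 2>&1
$safeboot = $bcd | Where-Object { $_ -match '^\s*safeboot\s' }
if ($safeboot) {
    Write-Warning "safeboot is still set ($($safeboot.Trim())); the DC will boot into DSRM again"
} else {
    Write-Output 'OK: no safeboot value on the current boot entry'
}

# 2. Was Utilman.exe put back? A copied-over cmd.exe hashes identically to cmd.exe.
$hUtil = (Get-FileHash -Algorithm SHA256 -Path $utilman).Hash
$hCmd  = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
if ($hUtil -eq $hCmd) {
    Write-Warning 'Utilman.exe is still a copy of cmd.exe: restore the original from the install media'
} else {
    Write-Output 'OK: Utilman.exe is not a copy of cmd.exe'
}

# 3. The genuine Utilman.exe carries a valid Microsoft Authenticode signature;
#    a renamed cmd.exe also does, so use this as a second opinion, not the only one.
$sig = Get-AuthenticodeSignature -FilePath $utilman
if ($sig.Status -ne 'Valid') {
    Write-Warning "Utilman.exe signature status is $($sig.Status)"
}

# 4. Show any leftover renamed copy (e.g. the original you moved aside) so it
#    can be restored or removed, rather than forgotten in System32.
Get-ChildItem -Path $sys32 -Filter 'utilman*' |
    Select-Object Name, Length, LastWriteTime

# 5. Netlogon should be running and automatic once the DC is out of DSRM.
Get-Service -Name Netlogon | Select-Object Name, Status, StartType
```

Run it once after the final reboot; if step 2 warns, boot the install media again and put the original Utilman.exe back before doing anything else.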

Restoring Domain Controllers, DSRM and Utilman hack.