Forest Recovery Settings
This section allows administrators to configure settings that govern Directory Services Restore Mode (DSRM) behavior and certificate validation during forest recovery scenarios.
DSRM administrator can logon at any time (unsecure) - When this value is set, the DSRM administrator can log on to the DC in all cases, regardless of boot mode or NTDS service state.
Validate Guardian service certificate on the agent side
Enable this option to enforce certificate validation for secure communication between the Guardian service and its agents during the forest recovery process.
RECOMMENDED: This setting should remain enabled to ensure integrity and prevent tampering during recovery.
Configuring DSRM administrator logon behavior
When NT Directory Services (NTDS) or other related services are not running on a recovered Domain Controller, remote logon with Active Directory accounts is impossible. To allow remote troubleshooting in that state, there is an option to log on to Domain Controllers with the Directory Services Restore Mode (DSRM) administrator account.
In Forest Recovery Settings, the DSRM administrator logon behavior setting selects when the DSRM account may log on to recovered domain controllers.
The following options are available:
- DSRM administrator can logon in DSRM only - This is the default value. When it is set, the DSRM administrator can log on only while the DC is running in DSRM.
- DSRM administrator can logon when the NTDS service is stopped - When it is set, the DSRM administrator can log on while the NTDS service is stopped or while the DC is running in DSRM.
NOTE: Interactive RDP logon does not work on Windows Server 2016 for the last two options (logon when the NTDS service is stopped, and logon at any time).
The native Windows RDP client may require entering the DSRM credentials twice: the second time when the remote logon screen is displayed. It may also be necessary to start the RDP client with its admin switch.
Automatically Boot in DSRM Mode on Failure
To improve recovery automation, you can configure the server to automatically boot into DSRM mode if a normal boot fails.
To set up this behavior:
- In Forest Recovery Settings, check Enable automatic start in DSRM mode if normal boot fails.
- Before rebooting, configure the Boot Configuration Data (BCD) for DSRM-mode recovery.
If the first boot attempt fails, the system boots into DSRM automatically on the next attempt.
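The page does not show which BCD settings the product writes for the "configure the Boot Configuration Data" step. The following PowerShell is an added example, not the product's own code or documentation, of one manual way to prepare a DC for a DSRM fallback: it copies the current OS entry into a dedicated entry with safeboot set to dsrepair (the DSRM boot mode), then points the default entry's recovery sequence at it. The function names, the entry description and the GUID parsing are ours; the claim that Boot Manager launches the recoverysequence entry after a failed boot under the DisplayAllFailures policy is an assumption to confirm in a lab before relying on it.

```powershell
# Added example (not from the product documentation). Run elevated on the DC.
#Requires -RunAsAdministrator

function Get-DsrmBootEntryId {
    param([string]$Description = 'Windows Server (DSRM recovery)')
    # Parse 'bcdedit /enum osloader' into identifier/description pairs and
    # return the GUID of the entry carrying our description, if any.
    $lines = & bcdedit.exe /enum osloader
    $id = $null
    foreach ($line in $lines) {
        if ($line -match '^identifier\s+(\{.+\})') { $id = $Matches[1] }
        elseif ($line -match '^description\s+(.+)$' -and $Matches[1].Trim() -eq $Description) { return $id }
    }
    return $null
}

function New-DsrmBootEntry {
    param([string]$Description = 'Windows Server (DSRM recovery)')
    # Idempotent: reuse an existing DSRM entry instead of creating duplicates.
    $existing = Get-DsrmBootEntryId -Description $Description
    if ($existing) { return $existing }

    # bcdedit /copy prints "The entry was successfully copied to {GUID}."
    $out = & bcdedit.exe /copy '{current}' /d $Description 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $out" }
    $guid = [regex]::Match([string]$out, '\{[0-9a-fA-F-]{36}\}').Value
    if (-not $guid) { throw "Could not parse the new entry GUID from: $out" }

    # safeboot dsrepair boots that entry into Directory Services Restore Mode.
    & bcdedit.exe /set $guid safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to set safeboot dsrepair on $guid" }
    return $guid
}

function Enable-DsrmFallbackOnBootFailure {
    param([Parameter(Mandatory)][string]$DsrmEntryId)
    # Assumption (verify in a lab): with recovery enabled and the
    # DisplayAllFailures policy, Boot Manager starts the recoverysequence
    # entry after the normal entry fails to boot.
    & bcdedit.exe /set '{default}' recoverysequence $DsrmEntryId | Out-Null
    & bcdedit.exe /set '{default}' recoveryenabled Yes | Out-Null
    & bcdedit.exe /set '{default}' bootstatuspolicy DisplayAllFailures | Out-Null
}

function Disable-DsrmFallbackOnBootFailure {
    param([string]$DsrmEntryId)
    # Reverse the change once recovery is complete: drop the fallback
    # settings and remove the extra boot entry.
    & bcdedit.exe /deletevalue '{default}' recoverysequence | Out-Null
    & bcdedit.exe /deletevalue '{default}' recoveryenabled | Out-Null
    if ($DsrmEntryId) { & bcdedit.exe /delete $DsrmEntryId | Out-Null }
}

# Usage: prepare the fallback before the reboot that the page describes.
$dsrmEntry = New-DsrmBootEntry
Enable-DsrmFallbackOnBootFailure -DsrmEntryId $dsrmEntry
Write-Output "DSRM fallback entry: $dsrmEntry"
# After the DC is healthy again:
# Disable-DsrmFallbackOnBootFailure -DsrmEntryId $dsrmEntry
```

Keep the DSRM entry only for the duration of the recovery and remove it afterwards; while it exists, a failed normal boot lands on a DSRM logon prompt, so the DSRM administrator password deserves the same handling as domain administrator credentials, which is why the page flags the "logon at any time" option as unsecure.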