Category: Active Directory


Behind this catchy title is a real need. As a system administrator, it may be worthwhile to audit all of your organization’s Active Directory accounts to assess the level of security for user accounts. Let’s see how we do it!

Web resources and Methods:

News from pentesters:

https://www.slideshare.net/ChrisThompson73/ms-just-gave-the-blue-team-tactical-nukes-and-how-red-teams-need-to-adapt-defcon-25

http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html?m=1

Latest version: 1.8 update 1

What’s new in ATA version 1.8

New & updated detections

  • NEW! Abnormal modification of sensitive groups – As part of the privilege escalation phase, attackers modify groups with high privileges to gain access to sensitive resources. ATA now detects when there’s an abnormal change in an elevated group.
  • NEW! Suspicious authentication failures (Behavioral brute force) – Attackers attempt to brute force credentials to compromise accounts. ATA now raises an alert when an abnormal failed authentication behavior is detected.
  • NEW! Remote execution attempt – WMI exec – Attackers can attempt to control your network by running code remotely on your domain controller. ATA added detection for remote execution leveraging WMI methods to run code remotely.
  • Reconnaissance using directory services queries – In ATA 1.8, a learning algorithm was added to this detection allowing ATA to detect reconnaissance attempts against a single sensitive entity and improve the results for generic reconnaissance.
  • Kerberos Golden Ticket activity – ATA 1.8 includes an additional technique to detect golden ticket attacks, detecting time anomalies for Kerberos tickets.
  • Enhancements to some detections, to remove known false positives:
    • Privilege escalation detection (forged PAC)
    • Encryption downgrade activity (Skeleton Key)
    • Unusual protocol implementation
    • Broken trust

Triage

  • NEW! More actions can be made to suspicious activities during the triage process.
    • Exclude some entities from raising future suspicious activities. Prevent ATA from alerting when it detects benign true positives (i.e. an admin running remote code or using nslookup) or known false positives (don’t open a Pass-The-Ticket alert on a specific IP).
    • Suppress a reoccurring suspicious activity from alerting.
    • Delete suspicious activities from the timeline.
  • A more efficient triage – The suspicious activities time line has gone through a major process of re-design. In 1.8, a lot more suspicious activities will be visible at the same time, and will contain better information for triage and investigation purposes.

Investigate

  • NEW! Summary report. An option to see all the summarized data from ATA, including suspicious activities, health issues and more. It’s possible to define a reoccurring report.
  • NEW! Modification to sensitive groups report to see all the changes made in sensitive groups during a certain period.

Infrastructure

  • Lightweight Gateways can now read events locally, without configuring event forwarding
  • Feature flags were added for all detection, periodic tasks and monitoring alerts
  • Accessibility ramp up – ATA now stands with Microsoft in providing an accessible product, for everyone.
  • E-mail configuration for monitoring alerts and for suspicious activities are separated

Security

  • NEW! Single sign on for ATA management.
    • Gateway and Lightweight gateway silent installation scripts will use the logged on user’s context, without the need to provide credentials.
  • Local System privileges removed from Gateway process
    • You can now use virtual accounts (available on stand-alone GWs only), managed service accounts and group managed service accounts to run the ATA Gateway process.
  • Auditing logs for ATA Center and Gateways were added and all actions are now logged in the event viewer.
  • Added support for KSP Certificates

 

Current version: 1.7

 

Reference articles:

ATA on Technet: https://technet.microsoft.com/en-us/library/dn707706.aspx

ATA events: https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats

 

ATA deployment demo: https://www.youtube.com/watch?v=xvWJssUpU6w

Blog: https://social.technet.microsoft.com/Forums/security/en-US/home?forum=mata

 

Additional resources:

Powershell windows forensics: https://github.com/Invoke-IR/PowerForensics

Powershell windows forensics: https://github.com/gfoss/PSRecon

Powershell windows forensics: https://github.com/davehull/Kansa

http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/

 

As an administrator, renaming a domain controller is not good practice, but in some cases it is required because of an earlier naming mistake.

Current Host name of the Domain Controller


 

Since the name was wrongly assigned, we cannot simply rename the machine as we do for workstations, because this is a domain controller. Hence we need to do it using the NETDOM command.

Step 1: Add the second name

Syntax:

netdom computername <CurrentComputerName FQDN> /add:<NewComputerName FQDN>

Step 2: Make the second name the primary name

netdom computername <CurrentComputerName FQDN> /makeprimary:<NewComputerName FQDN>

After a reboot, you can see that the domain controller has been renamed.


 

Step 3: Remove the Old name

netdom computername <NewComputerName> /remove:<OldComputerName FQDN>


 

Now run the DCDIAG or REPADMIN command to verify the replication status.

Description

Today AD FS is made highly available by setting up an AD FS farm. Some organizations would like a way to have a single server AD FS deployment, eliminating the need for multiple AD FS servers and network load balancing infrastructure, while still having some assurance that service can be restored quickly if there is a problem. The new AD FS Rapid Restore tool provides a way to restore AD FS data without requiring a full backup and restore of the operating system or system state. You can use the new tool to export AD FS configuration either to Azure or to an on-premises location. Then you can apply the exported data to a fresh AD FS installation, re-creating or duplicating the AD FS environment.

Scenarios

The AD FS Rapid Restore tool can be used in the following scenarios:
1. Quickly restore AD FS functionality after a problem
   • Use the tool to create a cold standby installation of AD FS that can be quickly deployed in place of the online AD FS server
2. Deploy identical test and production environments
   • Use the tool to quickly create an accurate copy of the production AD FS in a test environment, or to quickly deploy a validated test configuration to production

What is backed up

The tool backs up the following AD FS configuration
•AD FS configuration database (SQL or WID)
•Configuration file (located in AD FS folder)
•Automatically generated token signing and decrypting certificates and private keys (from the Active Directory DKM container)
•SSL certificate and any externally enrolled certificates (token signing, token decryption and service communication) and corresponding private keys (note: private keys must be exportable and the user running the script must have permissions to access them)
•A list of the custom authentication providers, attribute stores, and local claims provider trusts that are installed.

Download and usage

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-rapid-restore-tool

 

Problem description, security issue?

When I log on to my ADFS link below: https://sts.mydomain.com/adfs/ls/idpinitiatedsignon.aspx

It is showing two of my relying parties asking me to sign in.

I have up to 8 other applications I am federating, but they are not showing up on this link.

Is this normal? If it's not, how can I remove it? Is this something my relying partner has to fix?

 

Solution:

Do not disable the /adfs/ls endpoint from ADFS management snap-in.

Ask the application provider (SP) to use WS-Fed and not SAML; using WS-Fed (like MS online 365 RP) will not show the list of RP trusts.

As long as your Relying Party trust has a SAML Assertion Consumer Endpoint, it will show up in the list of RP available for IDP initiated logon.

You can check if you have such endpoints in the graphical interface, or in PowerShell:
(Get-AdfsRelyingPartyTrust -Identifier "<ID of your RP>").SamlEndpoints

In Windows Server 2012 R2, you cannot not disclose the information. You can use a JavaScript to hide it from the users, but the info will still be available in the code (if the users are curious and look at the HTML source, they will see them). If this is acceptable for you, you can go ahead and create a custom JavaScript for that. I can provide a sample if you want to, but the info is essentially there: https://technet.microsoft.com/en-us/library/dn636121.aspx and on the Internet.

Note that ADFS on Windows Server 2016 changed that behavior and the IdpInitiatedSignon page is not enabled by default. Although once enabled, you still need the JavaScript to hide the list or a part of the list.

This is normal. The Relying Party Trusts showing up are the ones using the SAML Federation Protocol since that protocol has a ‘feature’ called IdP Initiated Sign On where the user can first be authenticated by your ADFS and then choose which of these Relying Party Trusts/Service Providers they want to access (by having ADFS issue them a SAML Token) and POST/Redirect the browser to that Relying Party Trust/Service Provider.

Do note that just because a Relying Party Trust/Service Provider is listed doesn’t automatically mean that they actually DO support IdP Initiated Sign In. Some Service Providers using the SAML Protocol might only accept Service Provider Initiated Sign In.

I’ve hidden this list on my ADFS 2.0 Proxies for un-authenticated users (but not on our ADFS 3.0 WAPs yet).

In ADFS 2.0 edit C:\inetpub\adfs\ls\IdpInitiatedSignOn by adding SetRpListState(null, null);

You can’t disable the page on Windows Server 2012 R2. You can hide the list in JavaScript onload.js:
var checkidp_OtherRpPanel = document.getElementById('idp_OtherRpPanel');
if (checkidp_OtherRpPanel) {
    // Hide the relying party list; the entries remain in the page's HTML source
    checkidp_OtherRpPanel.style.display = 'none';
}

You’ll find the guidance on how to modify the default JavaScript of the page there:

Customizing the ADFS 3.0 Sign-in page:

Credit/Source:

https://social.technet.microsoft.com/Forums/windows/en-US/5f3787ec-a1a6-44de-93ca-12be341506db/relying-party-showing-up-in-idpinitiatedsignonaspx?forum=ADFS
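
To audit which relying party trusts meet the condition given in the thread above (a SAML Assertion Consumer endpoint makes the trust appear on the IdP-initiated sign-on page), here is an added example; it is not code from the forum thread or from Microsoft. The function name Get-IdpListedTrust and the two sample trusts are hypothetical and constructed, and the objects only mimic the Name, Identifier, Enabled and SamlEndpoints properties of Get-AdfsRelyingPartyTrust output.

```powershell
# Added example. Get-IdpListedTrust is a hypothetical helper name; the sample
# trusts below are constructed so the logic runs without an AD FS server.
function Get-IdpListedTrust {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-AdfsRelyingPartyTrust output
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Trust
    )
    process {
        # Only assertion consumer endpoints count; a trust with logout-only
        # endpoints or no SAML endpoints at all (WS-Fed) does not qualify.
        $acs = @($Trust.SamlEndpoints |
            Where-Object { "$($_.Protocol)" -eq 'SAMLAssertionConsumer' })

        [pscustomobject]@{
            Name       = $Trust.Name
            Identifier = ($Trust.Identifier -join ', ')
            Enabled    = [bool]$Trust.Enabled
            HasSamlAcs = ($acs.Count -gt 0)
            AcsUrls    = ($acs | ForEach-Object { "$($_.Location)" }) -join ', '
        }
    }
}

# Constructed sample input: one SAML trust and one WS-Fed style trust.
$sampleTrusts = @(
    [pscustomobject]@{
        Name = 'HR portal (SAML)'; Identifier = @('https://hr.example.test/sp'); Enabled = $true
        SamlEndpoints = @(
            [pscustomobject]@{ Protocol = 'SAMLAssertionConsumer'; Binding = 'POST'; Location = 'https://hr.example.test/acs' }
            [pscustomobject]@{ Protocol = 'SAMLLogout'; Binding = 'Redirect'; Location = 'https://hr.example.test/slo' }
        )
    }
    [pscustomobject]@{
        Name = 'Mail service (WS-Fed)'; Identifier = @('urn:example:wsfed-rp'); Enabled = $true
        SamlEndpoints = @()
    }
)
$sampleTrusts | Get-IdpListedTrust | Format-Table Name, Enabled, HasSamlAcs, AcsUrls -AutoSize

# On an AD FS server (AD FS module loaded), feed it the real trusts instead:
#   Get-AdfsRelyingPartyTrust | Get-IdpListedTrust | Where-Object HasSamlAcs
# On Windows Server 2016, also check whether the page is switched on at all:
#   (Get-AdfsProperties).EnableIdpInitiatedSignonPage
```
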

AD 2016: what's new?

https://adsecurity.org/?p=3646

What’s new in ADFS 2016?

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server-2016?f=255&MSPPError=-2147217396

  • Eliminate Passwords from the Extranet
  • Sign in with Azure Multi-factor Authentication
  • Password-less Access from Compliant Devices
  • Sign in with Microsoft Passport
  • Secure Access to Applications
  • Better Sign in experience
  • Manageability and Operational Enhancements

 

You can upgrade an AD FS 2012 R2 farm using the “mixed farm” process described here. It works for WID or SQL farms, though the document shows only the WID scenario. Also another upgrade procedure:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016

 

ADFS v 3.0 (2012 R2) Migration to ADFS 4.0 (2016) – Part 1

ADFS v 3.0 (2012 R2) Migration to ADFS 4.0 (2016) – Part 2

ADFS v 3.0 (2012 R2) Migration to ADFS 4.0 (2016) – Part 3 – Azure MFA Integration

 

ADFS 2016 operations

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-2016-operations

ADFS 2016 deployment

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-deployment

ADFS 2016 design

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-design-guide

To detect lateral movement on a Windows infrastructure, I recommend collecting the following events:

Detection is based on events (4648 + 4672 from member servers, 8004 from DCs) + network traffic (AS/TGS).

Regarding both event 4648 (A logon was attempted using explicit credentials) and event 4672 (Special privileges assigned to new logon):
=> Collect the events and send them to a SIEM (Splunk, LogRhythm …) or even a Windows Event Collector (WEF)

Reference:

https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

https://www.jpcert.or.jp/english/pub/sr/ir_research.html
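
One way to use the collected 4648 and 4672 events together, as an added example that is not from the original post or the referenced documents: pair each explicit-credential logon aimed at a remote server with a special-privileges logon by the same account on that server shortly afterwards. The function names, the 5-minute window and the sample events are assumptions and constructed data; event 8004 and the AS/TGS traffic are left out.

```powershell
# Added example: function names and sample events are hypothetical/constructed.

# Flatten a Security event returned by Get-WinEvent into the fields used below.
function ConvertFrom-SecurityEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            EventId          = $Record.Id
            Time             = $Record.TimeCreated
            Computer         = $Record.MachineName
            SubjectUserName  = $data['SubjectUserName']
            TargetUserName   = $data['TargetUserName']
            TargetServerName = $data['TargetServerName']
        }
    }
}

# Compare host names regardless of FQDN suffix and case.
function Get-ShortName([string]$Name) { ($Name -split '\.')[0].ToUpperInvariant() }

# Pair each remote 4648 with a 4672 for the same account on the target server.
function Find-PrivilegedHop {
    param(
        [Parameter(Mandatory)] [object[]]$Record,
        [int]$WindowMinutes = 5   # assumed correlation window
    )
    $priv = @($Record | Where-Object EventId -eq 4672)
    foreach ($e in ($Record | Where-Object EventId -eq 4648)) {
        $src = Get-ShortName $e.Computer
        $dst = Get-ShortName $e.TargetServerName
        # 4648 is also logged for local use (runas, services): keep remote targets only.
        if (-not $dst -or $dst -eq 'LOCALHOST' -or $dst -eq $src) { continue }
        $hit = $priv | Where-Object {
            (Get-ShortName $_.Computer) -eq $dst -and
            $_.SubjectUserName -eq $e.TargetUserName -and
            $_.Time -ge $e.Time -and
            $_.Time -le $e.Time.AddMinutes($WindowMinutes)
        } | Select-Object -First 1
        [pscustomobject]@{
            Time               = $e.Time
            Source             = $src
            Target             = $dst
            RunBy              = $e.SubjectUserName
            Credential         = $e.TargetUserName
            PrivilegedOnTarget = [bool]$hit
        }
    }
}

# Constructed sample: a remote hop followed by a privileged logon, and a local runas.
$t0 = Get-Date '2024-01-15T09:00:00'
$sample = @(
    [pscustomobject]@{ EventId = 4648; Time = $t0; Computer = 'WKS01.corp.example.test'
        SubjectUserName = 'alice'; TargetUserName = 'svc-backup'; TargetServerName = 'SRV-FILE01.corp.example.test' }
    [pscustomobject]@{ EventId = 4672; Time = $t0.AddSeconds(4); Computer = 'SRV-FILE01.corp.example.test'
        SubjectUserName = 'svc-backup'; TargetUserName = $null; TargetServerName = $null }
    [pscustomobject]@{ EventId = 4648; Time = $t0.AddMinutes(2); Computer = 'WKS02.corp.example.test'
        SubjectUserName = 'bob'; TargetUserName = 'bob-adm'; TargetServerName = 'localhost' }
)
Find-PrivilegedHop -Record $sample | Format-Table -AutoSize

# Against live data (elevated session; use LogName 'ForwardedEvents' on a WEF collector):
#   $r = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648, 4672 } | ConvertFrom-SecurityEvent
#   Find-PrivilegedHop -Record $r | Where-Object PrivilegedOnTarget
```
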

Here are resources about Azure and Office365,

let me summarize:

Office 365: an offering of Microsoft services and hosted applications (SaaS). In short, you pay for a service (SharePoint, Exchange, Office…) and you do not manage the infrastructure behind it (CPU, RAM, storage, security).

Azure: a cloud (private/public) offering (PaaS/IaaS). Compared to Office 365, Microsoft provides just the plumbing (Hyper-V, storage, CPU, RAM, network) and you manage the operating system, the security and patches, and the applications; in short, “it is like Lego or Meccano!”. With Azure you can also mix your on-premises IT infrastructure with Azure in the cloud (and vice versa).

Web resources for Azure  / Office 365:

Office 365 for business get started: https://support.office.com/en-us/article/Get-started-with-Office-365-for-business-d6466f0d-5d13-464a-adcb-00906ae87029

Fasttrack: http://fasttrack.microsoft.com/office/drive-value/engage

Productivity library (scenarios): http://fasttrack.microsoft.com/office/envision/productivitylibrary

Technical decks: https://channel9.msdn.com/Events/Ignite/2016?sort=status&direction=desc&r%5B0%5D=Office%20365&page=2

Technical references: https://technet.microsoft.com/en-us/library/office-365-service-descriptions.aspx

Videos: https://www.youtube.com/user/OfficeGarageSeries

eLearning: https://mooc.office365-training.com/en/

Roadmap: https://products.office.com/en-us/business/office-365-roadmap

Azure AD Blog: http://blogs.technet.com/b/ad/

Azure Powershell: https://azure.microsoft.com/en-us/blog/azps-1-0/?utm_content=buffer067b3&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

Azure RMS blog: http://blogs.msdn.com/b/rms/

‘In the Cloud’: http://blogs.technet.com/b/in_the_cloud/

Office blog: http://blogs.office.com/    and   http://office.microsoft.com/en-us/

Intune blog: http://blogs.technet.com/b/microsoftintune/

Azure training kit: http://www.microsoft.com/en-us/download/details.aspx?id=8396

FAQ and enhancement suggestions: http://www.mygreatwindowsazureidea.com/forums/34192-general-feedback

portal and management: https://manage.windowsazure.com

main: http://www.windowsazure.com     calculator: http://aka.ms/calculatrice      white papers: http://aka.ms/livresblancs     FR blog: http://aka.ms/AzurBlogFr

Security: http://aka.ms/trustcenter   http://aka.ms/px2ahn

To go deeper:  http://aka.ms/MsdnAzureFr     Forum: http://aka.ms/ForumSupport     channel9:  http://aka.ms/Channel9AzureFr     Dashboard/SLAB: http://aka.ms/AzureDashboard

Blogs: http://blog.jeanlucboucho.com

Prerequisites before using Azure:

Prepare your environment: http://msdn.microsoft.com/en-us/library/windowsazure/jj554332.aspx

Need certificates: http://msdn.microsoft.com/en-us/library/windowsazure/gg981929.aspx

How to use CSUpload?

How do you get CSUPLOAD?

CSUPLOAD is part of the Windows Azure SDK. After installing all components, you will find csupload under the following path:
"C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload.exe"

How does CSUPLOAD work?

CSUPLOAD is a command-line program that uploads VHDs to a BLOB storage account and authenticates to the Azure cloud with client certificates.
With Visual Studio it is very simple and fast to create the appropriate certificates and to distribute them to the appropriate locations through the “Publish to Azure” function, which requires developer know-how or experience with Visual Studio.

CSUpload syntax reference:
http://msdn.microsoft.com/en-us/library/gg466228.aspx

Managing disks and images:
http://msdn.microsoft.com/en-us/library/windowsazure/jj672979.aspx

How to:http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=http://blogs.technet.com/b/patrick_heyde/archive/2012/07/12/windows-azure-csupload-setup-amp-how-to.aspx

the article above refers to: http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=http%3A%2F%2Fblogs.msdn.com%2Fb%2Favkashchauhan%2Farchive%2F2011%2F09%2F21%2Fhow-to-generate-2048-bit-certificate-with-makecert-exe.aspx

Example:

CSUPLOAD how to?

# Create exportable certificate for Azure (use -pe to be exportable)
makecert -r -pe -n "CN=My Azure IaaS Cert2048" -a sha1 -ss My -len 2048 -sy 24 -b 07/08/2013 -e 07/08/2014

Then open mmc, load the Certificates snap-in (My user account, Personal), select the certificate and export it to D:\Contoso as MyAzureCertificate.cer

Upload the certificate from the Azure portal: Settings, certificates management

get the thumbprint: 4D15540AFD7182964651826BE133FB3C868BA4D1

Now with csupload:

"C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload" Set-Connection "SubscriptionId=eaea9c22-cc5a-4da2-8dd2-d89837f042b7;CertificateThumbprint=4D15540AFD7182964651826BE133FB3C868BA4D1;ServiceManagementEndpoint=https://management.core.windows.net"

# just for fun

D:\Contoso>"C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload" get-Connection
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
ConnectionString          : SubscriptionId=eaea9c22-cc5a-4da2-8dd2-d89837f042b7;CertificateThumbprint=4D15540AFD7182964651826BE133FB3C868BA4D1;ServiceManagementEndpoint=https://management.core.windows.net/
SubscriptionId            : eaea9c22-cc5a-4da2-8dd2-d89837f042b7
CertificateSubjectName    : CN=Amadeus Azure IaaS Cert2048
CertificateThumbprint     : 4D15540AFD7182964651826BE133FB3C868BA4D1
ServiceManagementEndpoint : https://management.core.windows.net/

D:\Contoso>"C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload" get-location
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
Using the saved connection string…
Location : West US

Location : East US

Location : East Asia

Location : Southeast Asia

Location : North Europe

Location : West Europe

A total of 6 record(s) were found.

D:\Contoso>"C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload" get-hostedservice
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
Using the saved connection string…
Name          : amazure
Label         : amazure
Location      : North Europe

A total of 1 record(s) were found.

D:\Contoso>"C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload" get-disk
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
Using the saved connection string…
Name                : Contoso-Contoso-0-201308011545510947
Location            : North Europe
OS                  : Windows
LogicalDiskSizeInGB : 128
MediaLink           : http://portalvhdsncdc9022xjxbf.blob.core.windows.net/vhds/amazure-Contoso-2013-08-01.vhd
SourceImageName     : a699494373c04fc0bc8f2bb1389d6106__Windows-Server-2012-Datacenter-201306.01-en.us-127GB.vhd

A total of 1 record(s) were found.

—————————————–
Upload a disk (vhd) to Azure:

You can use the Add-Disk parameter of the CSUpload Command-Line Tool to upload a .vhd file and register it in Windows Azure as either an operating system disk or a data disk.
An image is a VHD that has been generalized and is used to create an operating system disk. An operating system disk is a VHD that contains specific settings for a virtual machine.

Specifies a VHD file to be uploaded as a disk. A VHD file that has been uploaded as a disk can be used to create a virtual machine if the file contains an operating system or it can be used to create a data disk that can be attached to a virtual machine.
•-Connection <string> – (Optional if the Set-Connection command has been run) Specifies the connection string that is used to connect to Windows Azure. The connection string contains the identifier of your Windows Azure subscription and the thumbprint of the management certificate that you created to enable API access to the subscription. The connection string is provided in the following format: "SubscriptionID=subscription-id;CertificateThumbprint=cert-thumbprint;ServiceManagementEndpoint=https://management.core.windows.net". You can find the subscription identifier and certificate thumbprint in Management Portal.
•-Destination <string> – Specifies the blob storage account where the VHD file is stored. The destination includes the endpoint of the account, the container in the account where the file is stored, and the name of the VHD file. For example, "http://auxpreview146imagestore.blob.core.azure-preview.com/mydisks/mydisk.vhd"
•-Label <string> – Specifies the identifier that is used for the disk in the Management Portal.
•-LiteralPath <string> – Specifies the location and name of the VHD file to upload as a disk.
•-Name <string> – (Optional) Specifies the name to be used for the VHD file that is being uploaded.
•-OS <string> – (Optional) If the VHD file that is being uploaded contains an operating system to be used with a virtual machine, you must include this parameter with the value of Windows or Linux depending on the type of operating system that is installed.
•-Overwrite – (Optional) Indicates that you intend to overwrite an existing VHD file with a new file.

"C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload" add-disk -destination http://portalvhdsncdc9022xjxbf.blob.core.windows.net/vhds/SP2010.vhd -label SP2010 -literalpath d:\contoso\contoso1.vhd -name contoso1.vhd -os Windows

"C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload" add-disk -destination http://portalvhdsncdc9022xjxbf.blob.core.windows.net/vhds/EX2010.vhd -label EX2010 -literalpath d:\contoso\contoso2.vhd -name contoso2.vhd -os Windows

What is DSRM?

Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory. It is used to log on to the computer when Active Directory has failed or needs to be restored.

Note: Do not confuse DSRM with Safe Mode. Active Directory will still attempt to start in Safe Mode and if it fails you will not be able to log on. Instead use DSRM.

You can log on to DSRM by using a special DSRM password that you set when you promoted the domain controller. Use the logon account name .\Administrator

Windows Server 2008-2016: DSRM is only needed when you are using remote desktop software, or when doing a domain-wide restore or a forest-wide restore, or when AD is so damaged that it will not boot.

How to Log on to DSRM

After booting DSRM (see below) click on Switch User -> Other User. When prompted for the logon account name type .\Administrator

The initial logon prompt will show the account name MyDomain\Administrator, where MyDomain is the name of the domain. This is incorrect and will not work. You must click on Switch User and manually type the name .\Administrator.

If you forgot the DSRM password, you can reset the password using ntdsutil. See Reset DSRM Password on Internet.

If you forgot the DSRM password and you also forgot your Active Directory password, see Changing a Lost Domain Administrator Password on Internet.

How to Boot DSRM: F8 Key

To manually boot in Directory Services Restore Mode, press the F8 key repeatedly. Do this immediately after the BIOS POST screen, before the Windows logo appears. (Timing can be tricky; if the Windows logo appears you waited too long.) A text menu will appear. Use the up/down arrow keys to select Directory Services Restore Mode or DS Restore Mode. Then press the Enter key.

Windows 8 or later: The F8 key is disabled on desktop editions of Windows 8 or later. If you want to boot into Safe Mode, run msconfig and select Minimal. Then reboot.

How to Boot DSRM: msconfig.exe

You can configure Windows to boot DSRM using msconfig.exe:
1. Click on Start (or press WIN+X) -> Run.
2. In the Open box type msconfig and click OK. This will show the System Configuration dialog box.
3. Click on the tab Boot (top).
4. Under “Boot options” check the box Safe boot.
5. Select Active Directory repair and click OK.
6. Reboot the computer: Click on Start (or press WIN+X) -> Shut down or sign out -> Restart.

This will boot the computer into DSRM.

To boot normally, reverse the procedure:
1. Click on Start (or press WIN+X) -> Run.
2. In the Open box type msconfig and click OK. This will show the System Configuration dialog box.
3. Click on the tab Boot (top).
4. Under “Boot options” uncheck the box Safe boot and click OK.
5. Reboot the computer: Click on Start (or press WIN+X) -> Shut down or sign out -> Restart.

This will boot the computer back into normal mode.

How to Boot DSRM: Bcdedit

On Windows Server 2008 or later you can run bcdedit inside of an administrative console:
1. To boot DSRM, type the command bcdedit /set safeboot dsrepair, then reboot: shutdown /r /f /t 5.
2. When you are ready to boot normally, type bcdedit /deletevalue safeboot, then reboot: shutdown /r /f /t 5.

You can use this procedure when a graphical user interface (GUI) is not available (e.g., on Server Core).