Module 9: Implementing an Active Directory ® Domain Services Maintenance Plan

Upload: arline-phelps

Post on 25-Dec-2015


Page 1

Module 9: Implementing an Active Directory® Domain Services Maintenance Plan

Page 2

Module Overview

• Maintaining the AD DS Domain Controllers

• Backing Up Active Directory Domain Services

• Restoring AD DS

Page 3

Lesson 1: Maintaining the AD DS Domain Controllers

• AD DS Database and Log Files

• How the AD DS Database Is Modified

• Managing the Active Directory Database Using NTDSUtil Tool

• What Is an AD DS Database Defragmentation?

• What Are Restartable Active Directory Domain Services?

• Demonstration: Performing AD DS Database Maintenance Tasks

• Locking Down Services on AD DS Domain Controllers

Page 4

AD DS Database and Log Files

Ntds.dit

• Is the AD DS database file

• Stores all AD DS objects on the domain controller

• Uses the default location systemroot\NTDS folder

Edb*.log

• Is a transaction log file

• Uses the default transaction log file Edb.log

Edb.chk

• Is a checkpoint file

• Tracks data not yet written to the AD DS database file

edbres00001.jrs, edbres00002.jrs

• Are the reserved transaction log files

Page 5

How the AD DS Database Is Modified

A write request is processed in these steps:

1. The transaction is initiated

2. The change is written to the transaction buffer

3. The change is written to the transaction log file (Edb.log)

4. The transaction is committed

5. The change is written to the database on disk (Ntds.dit)

6. The checkpoint file (Edb.chk) is updated

Page 6

Managing the Active Directory Database Using NTDSUtil Tool

Ntdsutil.exe is a command-line tool used to manage some AD DS components

Use Ntdsutil.exe to:

• Perform AD DS database maintenance

• Manage and control single master operations

• Move the AD DS database files

• Remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled

Type HELP at any NTDSUtil prompt for context-sensitive help

Page 7

What Is an AD DS Database Defragmentation?

AD DS performs online database defragmentation automatically every 12 hours

Online defragmentation optimizes data storage in the database, and reclaims space in the directory for new objects, but does not reduce the size of the database file

Use the NTDSUtil command-line tool to perform offline defragmentation on a dismounted database

Offline defragmentation creates a new, compacted version of the database file

The new file may be considerably smaller, depending on how fragmented the original database file was

Page 8

What Are Restartable Active Directory Domain Services?

Restartable AD DS allows administrators to stop AD DS without stopping any other services

Use restartable AD DS when:

• Applying updates that modify AD DS service files on a domain controller

• Performing tasks such as offline defragmentation of the AD DS database

Directory Services Restore Mode must still be used to restore the AD DS database

Page 9

Demonstration: Performing AD DS Database Maintenance Tasks

In this demonstration, you will see how to:

• Start and stop AD DS Services

• Move the AD DS Database to a different drive using NTDSUtil

• Use NTDSUtil and AD DS Stopped mode for Offline Defrag
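The stop, compact, verify and restart sequence of this demonstration as a script. This is an added example, not code from the course; it assumes it runs elevated on the domain controller and that D:\NtdsCompact is a scratch folder on a volume with enough free space.

```powershell
$ErrorActionPreference = 'Stop'

# Read the database and log locations from the NTDS service parameters
$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $params.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$logPath = $params.'Database log files path'    # e.g. C:\Windows\NTDS
$work    = 'D:\NtdsCompact'                      # assumed scratch folder on another volume
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Remember which dependent services (KDC, DNS Server, FRS, ISM) are running, then
# stop AD DS with -Force, which stops those dependents as well
$dependents = (Get-Service -Name NTDS).DependentServices |
    Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force

try {
    # Compact the dismounted database into the scratch folder (offline defragmentation);
    # ntdsutil's exit code is taken as the success signal
    $before = (Get-Item $dbFile).Length
    & ntdsutil.exe 'activate instance ntds' 'files' "compact to $work" 'quit' 'quit'
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil compact failed (exit code $LASTEXITCODE)" }

    # Keep the original, swap in the compacted file, and drop the old transaction logs
    Copy-Item -Path $dbFile -Destination "$dbFile.bak" -Force
    Copy-Item -Path (Join-Path $work 'ntds.dit') -Destination $dbFile -Force
    Remove-Item -Path (Join-Path $logPath 'edb*.log') -Force

    # Verify the new file; put the saved copy back if the check fails
    & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit'
    if ($LASTEXITCODE -ne 0) {
        Copy-Item -Path "$dbFile.bak" -Destination $dbFile -Force
        throw 'Integrity check failed; original ntds.dit put back'
    }
    $after = (Get-Item $dbFile).Length
    'ntds.dit: {0:N0} bytes before, {1:N0} bytes after' -f $before, $after
}
finally {
    # Restart AD DS and the dependents that were running, whatever happened above
    Start-Service -Name NTDS
    $dependents | ForEach-Object { Start-Service -Name $_.Name }
}
```

Run the integrity check output past the event log afterwards: a compacted database that fails to mount is the failure mode to plan for, which is why the original file is kept until the check passes.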

Page 10

Locking Down Services on AD DS Domain Controllers

Services required for AD DS to function correctly:

• Active Directory Domain Services

• DNS Client

• DNS Server

• Distributed File System

• File Replication Service

• Intersite Messaging

• Kerberos Key Distribution Center

• Net Logon

• Remote Procedure Call (RPC) Locator

• TCP/IP NetBIOS Helper

• Windows Time

• Workstation

Best practices:

• Minimize the number of server roles and applications installed on domain controllers

• Use the Security Configuration Wizard to lock down the services on a domain controller
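A service audit built from the list above, as an added example that is not part of the course: it reports required services that are not running and running services outside the list so they can be reviewed against the roles installed on the domain controller. The service short names are the Windows Server 2008 defaults and are an assumption of this script.

```powershell
# Display names from the slide mapped to their service short names (assumed defaults)
$requiredAdDsServices = @{
    'NTDS'              = 'Active Directory Domain Services'
    'Dnscache'          = 'DNS Client'
    'DNS'               = 'DNS Server'
    'Dfs'               = 'Distributed File System'
    'NtFrs'             = 'File Replication Service'
    'IsmServ'           = 'Intersite Messaging'
    'Kdc'               = 'Kerberos Key Distribution Center'
    'Netlogon'          = 'Net Logon'
    'RpcLocator'        = 'Remote Procedure Call (RPC) Locator'
    'lmhosts'           = 'TCP/IP NetBIOS Helper'
    'W32Time'           = 'Windows Time'
    'LanmanWorkstation' = 'Workstation'
}

function Test-DcServiceBaseline {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Win32_Service carries the start mode and the account, which Get-Service does not
    $services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName

    # Required services that are not running: AD DS, DNS or replication is degraded
    $missing = $services | Where-Object {
        $requiredAdDsServices.ContainsKey($_.Name) -and $_.State -ne 'Running'
    }
    # Running services outside the list: each one is a candidate for the wizard to disable
    $extra = $services | Where-Object {
        $_.State -eq 'Running' -and -not $requiredAdDsServices.ContainsKey($_.Name)
    }
    [pscustomobject]@{
        ComputerName       = $ComputerName
        RequiredNotRunning = @($missing | Select-Object Name, DisplayName, State, StartMode)
        RunningNotRequired = @($extra   | Select-Object Name, DisplayName, StartMode, StartName)
    }
}

$report = Test-DcServiceBaseline
'Required services not running:'
$report.RequiredNotRunning | Format-Table -AutoSize
'Running services outside the AD DS list (review, do not disable blindly):'
$report.RunningNotRequired | Sort-Object Name | Format-Table -AutoSize
```

The second list will always contain core operating system services (RPC, event log, and so on); the slide's list covers only what AD DS itself needs, so treat the output as a review list for the Security Configuration Wizard rather than a set of services to stop.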

Page 11

Lesson 2: Backing Up Active Directory Domain Services

• Introduction to Backing Up AD DS

• Windows Server Backup Features

• Demonstration: Backing Up AD DS

Page 12

Introduction to Backing Up AD DS

To back up AD DS, you must back up all critical volumes

Critical volumes include:

• The system volume: the volume that hosts the boot files

• The boot volume: the volume that hosts the Windows operating system and the Registry

• The volume that hosts the SYSVOL tree

• The volume that hosts the AD DS database (Ntds.dit)

• The volume that hosts the AD DS database log files

All of these files may be stored in a single volume or distributed across multiple volumes

Page 13

Windows Server Backup Features

Windows Server Backup is a Windows Server 2008 feature used to back up and recover the operating system and data

With Windows Server Backup, you can:

• Recover the server without using third-party backup and recovery tools

• Perform manual or automatic backups

• Back up an entire server or selected volumes

• Recover items or entire volumes

• Use DVDs or CDs as backup media

Windows Server Backup does not support backing up individual files or directories, only entire volumes
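A critical-volume backup with Windows Server Backup's command-line tool, as an added example that is not from the course. It works out the critical volumes the previous slide lists from the registry and the environment, refuses a backup target that sits on one of them (Windows Server Backup does not allow that), then runs wbadmin; E: is an assumed target volume.

```powershell
$ErrorActionPreference = 'Stop'
$target = 'E:'   # assumed backup target volume

# Critical volumes: system/boot volume, SYSVOL, the AD DS database and its logs
$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$critical = @(
    $env:SystemDrive,                   # boot files and the operating system
    $env:SystemRoot,
    $netlogon.SysVol,                   # SYSVOL tree
    $ntds.'DSA Database file',          # Ntds.dit
    $ntds.'Database log files path'     # Edb*.log, Edb.chk
) | ForEach-Object { (Split-Path -Path $_ -Qualifier).ToUpper() } | Sort-Object -Unique

"Critical volumes on this domain controller: $($critical -join ', ')"
if ($critical -contains $target.ToUpper()) {
    throw "$target holds a critical volume and cannot be used as the backup target"
}

# -allCritical selects exactly those volumes; -quiet suppresses the confirmation prompt
& wbadmin.exe start backup -allCritical -backupTarget:$target -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# Confirm the new backup version is catalogued on the target
& wbadmin.exe get versions -backupTarget:$target
```

The version identifiers printed by the last command are what a later system state recovery refers to with -version.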

Page 14

Demonstration: Backing Up AD DS

In this demonstration, you will see how to back up AD DS

Page 15

Lesson 3: Restoring AD DS

• Overview of Restoring AD DS

• What Is a Nonauthoritative AD DS Restore?

• What Is an Authoritative AD DS Restore?

• What Is the Database Mounting Tool?

• Demonstration: Using the Database Mounting Tool

• Reanimating Tombstoned AD DS Objects

Page 16

Overview of Restoring AD DS

Options for restoring AD DS include:

• Normal Restore

• Authoritative Restore

• Full Server Restore

• Alternate Location Restore

Page 17

What Is a Nonauthoritative AD DS Restore?

A nonauthoritative or normal AD DS restore returns the directory service to its state at the time that the backup was created

AD DS replication updates the domain controller with changes that have occurred since the backup was created

Restart the domain controller in Directory Services Restore Mode to perform a non-authoritative restore

Steps to restart the server:

1. Press F8 when restarting the server, and choose Directory Services Restore Mode, or type the command bcdedit /set safeboot dsrepair and restart the server

2. Provide the Directory Services Restore Mode password

Page 18

What Is an Authoritative AD DS Restore?

Authoritative restore is a method to recover objects and containers that have been deleted from AD DS

Authoritative restore is a four-step process:

1. Start the domain controller in DSRM

2. Restore the desired backup, which is typically the most recent backup

3. Use Ntdsutil.exe to mark desired objects, containers, or partitions as authoritative

4. Restart the domain controller in normal mode to replicate the changes

To mark an object as authoritative, use a command like: restore subtree "OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com"
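The four steps as one phased script, added here as an example and not part of the course: the phases exist because two restarts sit between the steps. The backup version string is a placeholder to be replaced with a value from wbadmin get versions, and the subtree DN is the one from the slide.

```powershell
param(
    [Parameter(Mandatory=$true)][ValidateSet('Enter','Recover','Mark','Leave')][string]$Phase,
    [string]$BackupVersion = 'MM/DD/YYYY-HH:MM',                       # placeholder version id
    [string]$Subtree = 'OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com'  # subtree from the slide
)
$ErrorActionPreference = 'Stop'

switch ($Phase) {
    'Enter' {
        # Step 1: set the boot flag so the next start is Directory Services Restore Mode
        & bcdedit.exe /set safeboot dsrepair
        Restart-Computer -Force
    }
    'Recover' {
        # Step 2 (in DSRM): nonauthoritative restore of the chosen system state backup.
        # The safeboot flag is still set, so the restart wbadmin asks for returns to DSRM.
        & wbadmin.exe start systemstaterecovery -version:$BackupVersion -quiet
        if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
    }
    'Mark' {
        # Step 3 (in DSRM, after that restart): mark only the deleted subtree authoritative.
        # Everything else restored stays nonauthoritative and is brought up to date by
        # replication once the domain controller starts normally.
        & ntdsutil.exe 'activate instance ntds' 'authoritative restore' `
            "restore subtree `"$Subtree`"" 'quit' 'quit'
        if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed with exit code $LASTEXITCODE" }
    }
    'Leave' {
        # Step 4: clear the flag and restart in normal mode. The marked objects now carry
        # raised version numbers, so they replicate out instead of being overwritten.
        & bcdedit.exe /deletevalue safeboot
        Restart-Computer -Force
    }
}
```

Forgetting the Leave phase leaves the domain controller booting into DSRM, so check bcdedit output before handing the server back.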

Page 19

What Is the Database Mounting Tool?

The Database Mounting Tool can be used to:

Create and view snapshots of data that is stored in AD DS

Improve recovery processes for your organizations by providing a means to compare data as it exists in snapshots that are taken at different times

Eliminate the need to restore multiple backups to compare the AD DS data that they contain

View, but not restore, deleted objects and containers

Page 20

Demonstration: Using the Database Mounting Tool

In this demonstration, you will see how to use the Database Mounting Tool to view deleted AD DS objects

Page 21

Reanimating Tombstoned AD DS Objects

You can reanimate deleted objects manually in AD DS when:

• You do not have current AD DS backups in a domain where user accounts or security groups were deleted

• The deleted object has not yet been scavenged from the AD DS database

• The deletion occurred in domains that contain only Windows Server 2003 or later domain controllers

To reanimate tombstoned AD DS objects:

• Use LDP.exe to locate the deleted object

• Modify the object's isDeleted attribute, and provide a distinguished name

• Enable the object, and then reconfigure the object attributes
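The three steps above driven over LDAP from PowerShell instead of LDP.exe, as an added example that is not from the course; it sends the same search with the ShowDeleted control and the same modify operation. The domain controller name, domain DN, account name and target DN are placeholders, and the script assumes it runs as a domain administrator with the ActiveDirectory module available.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module ActiveDirectory
$server  = 'dc1.woodgrovebank.com'                 # placeholder domain controller
$baseDn  = 'DC=WoodgroveBank,DC=com'               # placeholder domain DN
$account = 'jdoe'                                  # placeholder sAMAccountName
$newDn   = "CN=John Doe,OU=Marketing,$baseDn"      # DN the reanimated object will receive

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.Signing = $true   # sign and seal the session; the modify is privileged
$conn.SessionOptions.Sealing = $true
$showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

# Step 1: locate the tombstone; deleted objects are only returned with the ShowDeleted control
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    "CN=Deleted Objects,$baseDn",
    "(&(isDeleted=TRUE)(sAMAccountName=$account))",
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
    @('distinguishedName', 'lastKnownParent'))
[void]$search.Controls.Add($showDeleted)
$entries = $conn.SendRequest($search).Entries
if ($entries.Count -ne 1) { throw "Expected one tombstone for $account, found $($entries.Count)" }
$tombstoneDn = $entries[0].DistinguishedName
$lastParent  = $entries[0].Attributes['lastKnownParent'].GetValues([string])[0]
"Tombstone: $tombstoneDn (was under $lastParent)"

# Step 2: one modify operation that removes isDeleted and sets the new distinguishedName
$op = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]
$clearDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$clearDeleted.Name = 'isDeleted'
$clearDeleted.Operation = $op::Delete
$setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$setDn.Name = 'distinguishedName'
$setDn.Operation = $op::Replace
[void]$setDn.Add($newDn)
$modify = New-Object System.DirectoryServices.Protocols.ModifyRequest(
    $tombstoneDn, @($clearDeleted, $setDn))
[void]$modify.Controls.Add($showDeleted)   # the control is required on the modify as well
[void]$conn.SendRequest($modify)

# Step 3: the reanimated account is disabled and most attributes (password, group
# membership, and so on) were stripped at deletion; set a password, enable it, then
# reconfigure the remaining attributes by hand
Set-ADAccountPassword -Identity $newDn -Reset -NewPassword (Read-Host -AsSecureString 'New password')
Enable-ADAccount -Identity $newDn
```

Where the Active Directory Recycle Bin (Windows Server 2008 R2 and later) is enabled, Restore-ADObject recovers the object with its attributes intact and should be used instead of this tombstone procedure.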

Page 22

Lab: Implementing an AD DS Maintenance Plan

• Exercise 1: Maintaining AD DS Domain Controllers

• Exercise 2: Backing Up AD DS

• Exercise 3: Performing an Authoritative Restore of the AD DS Database

• Exercise 4: Restoring Data Using the AD DS Data Mining Tool (optional)

Logon information:

• Virtual machines: 6425A-NYC-DC1, 6425A-NYC-DC2

• User name: Administrator

• Password: Pa$$w0rd

Estimated time: 75 minutes

Page 23

Lab Review

• How could you apply the security policy you created in Exercise 1 to multiple domain controllers? What concerns would you have with doing this?

• Why is a non-authoritative AD DS restore overwritten by replication? How does an authoritative restore prevent this from happening?

• What is the difference between restoring an AD DS object by undeleting it, and just recreating the object?

Page 24

Module Review and Takeaways

• Review questions

• Considerations

• Tools