
Module 9: Implementing an Active Directory® Domain Services Maintenance Plan
Module Overview
• Maintaining the AD DS Domain Controllers

• Backing Up Active Directory Domain Services

• Restoring AD DS
Lesson 1: Maintaining the AD DS Domain Controllers
• AD DS Database and Log Files

• How the AD DS Database Is Modified

• Managing the Active Directory Database Using NTDSUtil Tool

• What Is an AD DS Database Defragmentation?

• What Are Restartable Active Directory Domain Services?

• Demonstration: Performing AD DS Database Maintenance Tasks
• Locking Down Services on AD DS Domain Controllers
AD DS Database and Log Files

File: Ntds.dit
• Is the AD DS database file
• Stores all AD DS objects on the domain controller
• Uses the default location systemroot\NTDS folder

File: Edb*.log
• Is a transaction log file
• Uses the default transaction log file Edb.log

File: Edb.chk
• Is a checkpoint file
• Tracks data not yet written to the AD DS database file

File: ebdres00001.jrs, ebdres00002.jrs
• Are the reserved transaction log files
How the AD DS Database Is Modified

(Diagram: the write path of a change to the AD DS database)
1 Write request: the transaction is initiated
2 Write to the transaction buffer (in memory)
3 Write to the transaction log file (Edb.log on disk)
4 Commit the transaction
5 Write to the database on disk (Ntds.dit)
6 Update the checkpoint (Edb.chk)
Managing the Active Directory Database Using NTDSUtil Tool

Ntdsutil.exe is a command-line tool used to manage some AD DS components

Use Ntdsutil.exe to:
• Perform AD DS database maintenance
• Move the AD DS database files
• Manage and control single master operations
• Remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled

Type HELP at any NTDSUtil prompt for context-sensitive help


What Is an AD DS Database Defragmentation?

• Offline defragmentation creates a new, compacted version of the database file
• The new file may be considerably smaller, depending on how fragmented the original database file was
• Use the NTDSUtil command-line tool to perform offline defragmentation on a dismounted database
• AD DS performs online database defragmentation automatically every 12 hours
• Online defragmentation optimizes data storage in the database, and reclaims space in the directory for new objects, but does not reduce the size of the database file
What Are Restartable Active Directory Domain Services?

Restartable AD DS allows administrators to stop AD DS without stopping any other services

Use restartable AD DS when:
• Applying updates that modify AD DS service files on a domain controller
• Performing tasks such as offline defragmentation of the AD DS database

Directory Services Restore Mode must be used to restore the AD DS database
Demonstration: Performing AD DS Database Maintenance Tasks

In this demonstration, you will see how to:
• Start and stop AD DS Services
• Move the AD DS Database to a different drive using NTDSUtil
• Use NTDSUtil and AD DS Stopped mode for Offline Defrag
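The offline defragmentation from the demonstration, scripted with restartable AD DS so no DSRM reboot is needed. This is an added example, not course code; it assumes the default database path under systemroot\NTDS and a scratch folder D:\NTDSCompact with room for a second copy of the database.

```powershell
# Added example (not course code): offline defragmentation with restartable
# AD DS, in the order the demonstration describes: stop AD DS, compact with
# ntdsutil, check integrity, swap in the new file, restart AD DS.
# Assumptions: default database path; scratch folder on D: (mine, not the course's).
$ntdsDir = Join-Path $env:SystemRoot 'NTDS'
$ntds    = Join-Path $ntdsDir 'Ntds.dit'
$scratch = 'D:\NTDSCompact'

# 1. Stop AD DS; remember which dependent services (KDC, DNS, DFSR, ...) were up,
#    because Stop-Service -Force stops them and Start-Service NTDS does not bring them back
$dependents = Get-Service -Name NTDS -DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force

# 2. Keep the current database so the change can be backed out
Copy-Item $ntds "$ntds.bak" -Force
$before = (Get-Item $ntds).Length

# 3. Write a compacted copy; ntdsutil takes its commands as arguments
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
ntdsutil "activate instance ntds" files "compact to $scratch" quit quit
$new = Join-Path $scratch 'Ntds.dit'
if (-not (Test-Path $new)) { throw "compact did not produce $new" }

# 4. Swap in the compacted file and delete the old transaction logs, as ntdsutil instructs
Copy-Item $new $ntds -Force
Remove-Item (Join-Path $ntdsDir '*.log') -Force

# 5. Verify the database now in place before bringing AD DS back
$check = ntdsutil "activate instance ntds" files integrity quit quit 2>&1
if ("$check" -notmatch 'Integrity check successful') {
    Copy-Item "$ntds.bak" $ntds -Force        # the stopped database was consistent, so the copy is usable
    throw "integrity check failed, original Ntds.dit restored: $check"
}

# 6. Restart AD DS and the services that were stopped with it
Start-Service -Name NTDS
$dependents | Start-Service
"Ntds.dit: {0:N0} bytes before, {1:N0} bytes after" -f $before, (Get-Item $ntds).Length
```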
Locking Down Services on AD DS Domain Controllers

Services required for AD DS to function correctly:
• Active Directory Domain Services
• DNS Client
• Net Logon
• TCP/IP NetBIOS Helper
• Windows Time
• Workstation
• Distributed File System
• DNS Server
• File Replication Service
• Kerberos Key Distribution Center
• Intersite Messaging
• Remote Procedure Call (RPC) Locator

Best practices:
• Minimize the number of server roles and applications installed on domain controllers
• Use the Security Configuration Wizard to lock down the services on a domain controller
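A check that turns the list above into review input for the Security Configuration Wizard: which required services are absent or stopped, and which other automatically started services the domain controller carries. This is an added example, not course code; the mapping from the slide's display names to service names is my assumption.

```powershell
# Added example (not course code): compare a domain controller's services with
# the set this slide says AD DS requires. Service-name mapping is my assumption.
$required = @{
    NTDS = 'Active Directory Domain Services'; Dnscache = 'DNS Client'
    Netlogon = 'Net Logon'; lmhosts = 'TCP/IP NetBIOS Helper'
    W32Time = 'Windows Time'; LanmanWorkstation = 'Workstation'
    Dfs = 'Distributed File System'; DFSR = 'DFS Replication'; DNS = 'DNS Server'
    NtFrs = 'File Replication Service'; Kdc = 'Kerberos Key Distribution Center'
    IsmServ = 'Intersite Messaging'; RpcLocator = 'Remote Procedure Call (RPC) Locator'
}

function Get-DcServiceReport {
    $services = Get-WmiObject Win32_Service    # Name, StartMode, State, PathName
    $report = @{ MissingRequired = @(); NotRunningRequired = @(); ExtraAutomatic = @() }
    foreach ($name in $required.Keys) {
        $s = $services | Where-Object { $_.Name -eq $name }
        if (-not $s) { $report.MissingRequired += $required[$name]; continue }
        if ($s.State -ne 'Running') { $report.NotRunningRequired += $required[$name] }
    }
    # Every other automatically started service is a candidate to review and,
    # if the role does not need it, to disable through the wizard
    $report.ExtraAutomatic = @($services |
        Where-Object { $_.StartMode -eq 'Auto' -and -not $required.ContainsKey($_.Name) } |
        Select-Object Name, DisplayName, PathName)
    $report
}

$r = Get-DcServiceReport
"Required but not present: {0}" -f ($r.MissingRequired -join ', ')
"Required but not running: {0}" -f ($r.NotRunningRequired -join ', ')
"Automatic services outside the required set ({0}):" -f $r.ExtraAutomatic.Count
$r.ExtraAutomatic | Format-Table -AutoSize
```

Core Windows services (RPC, Event Log, and so on) will appear in the last list because the slide's set is the AD DS-specific one, not the whole operating system; a DC without the DNS role or using DFSR instead of FRS will also report an expected "missing" entry.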
Lesson 2: Backing Up Active Directory Domain Services
• Introduction to Backing Up AD DS

• Windows Server Backup Features

• Demonstration: Backing Up AD DS
Introduction to Backing Up AD DS

To back up AD DS, you must back up all critical volumes

Critical volumes include:
• The system volume: the volume that hosts the boot files
• The boot volume: the volume that hosts the Windows operating system and the Registry
• The volume that hosts the SYSVOL tree
• The volume that hosts the AD DS database (Ntds.dit)
• The volume that hosts the AD DS database log files

All of these files may be stored in a single volume or distributed across multiple volumes
Windows Server Backup Features

Windows Server Backup is a Windows Server 2008 feature used to back up and recover the operating system and data

With Windows Server Backup, you can:
• Recover the server without using third-party backup and recovery tools
• Back up an entire server or selected volumes
• Perform manual or automatic backups
• Recover items or entire volumes
• Use DVDs or CDs as backup media

Windows Server Backup does not support backing up individual files or directories, only entire volumes
Demonstration: Backing Up AD DS
In this demonstration, you will see how to back up AD DS
Lesson 3: Restoring AD DS
• Overview of Restoring AD DS

• What Is a Nonauthoritative AD DS Restore?

• What Is an Authoritative AD DS Restore?

• What Is the Database Mounting Tool?

• Demonstration: Using the Database Mounting Tool

• Reanimating Tombstoned AD DS Objects


Overview of Restoring AD DS

Options for restoring AD DS include:

• Normal Restore
• Authoritative Restore
• Full Server Restore
• Alternate Location Restore
What Is a Nonauthoritative AD DS Restore?

A nonauthoritative or normal AD DS restore returns the directory service to its state at the time that the backup was created

AD DS replication updates the domain controller with changes that have occurred since the backup was created

Restart the domain controller in Directory Services Restore Mode to perform a nonauthoritative restore

Steps to restart the server:

1 Press F8 when restarting the server, and choose Directory Services Restore Mode, or type the command bcdedit /set safeboot dsrepair and restart the server
2 Provide the Directory Services Restore Mode password
What Is an Authoritative AD DS Restore?

Authoritative restore is a method to recover objects and containers that have been deleted from AD DS

Authoritative restore is a four-step process:

1 Start the domain controller in DSRM
2 Restore the desired backup, which is typically the most recent backup
3 Use Ntdsutil.exe to mark desired objects, containers, or partitions as authoritative
4 Restart the domain controller in normal mode to replicate the changes

To mark an object as authoritative, use a command like:

restore subtree "OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com"
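The four steps above as one runbook script, run in phases across the reboots the procedure requires, with the Lesson 2 critical-volume backup as the phase that must have happened first. This is an added example, not course code; the backup target E: is my assumption, the subtree is the one from the slide.

```powershell
# Added example (not course code): the four authoritative restore steps as one
# script run in phases across the reboots, preceded by the Lesson 2 backup of
# every critical volume. Assumptions (mine): backup target E:, DSRM password known.
param(
    [Parameter(Mandatory=$true)]
    [ValidateSet('Backup','EnterDsrm','Restore','MarkAuthoritative','LeaveDsrm')]
    [string]$Phase,
    [string]$BackupTarget = 'E:',
    [string]$Subtree = 'OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com'
)
switch ($Phase) {
    'Backup' {
        # Lesson 2: -allCritical covers the system, boot, SYSVOL, Ntds.dit and log volumes
        wbadmin start backup -backupTarget:$BackupTarget -allCritical -quiet
    }
    'EnterDsrm' {
        # Step 1: the next boot goes to Directory Services Restore Mode
        bcdedit /set safeboot dsrepair
        Restart-Computer -Force
    }
    'Restore' {
        # Step 2 (in DSRM, logged on with the DSRM password): newest system state backup
        $versions = @(wbadmin get versions -backupTarget:$BackupTarget |
                      Select-String 'Version identifier: (\S+)')
        if (-not $versions) { throw "no backups found on $BackupTarget" }
        $latest = $versions[-1].Matches[0].Groups[1].Value
        wbadmin start systemstaterecovery -version:$latest -backupTarget:$BackupTarget -quiet
        Restart-Computer -Force      # safeboot is still set, so this boots back into DSRM
    }
    'MarkAuthoritative' {
        # Step 3 (second DSRM session): restored objects in the subtree now win over
        # the copies held by replication partners instead of being overwritten
        ntdsutil "authoritative restore" "restore subtree $Subtree" quit quit
    }
    'LeaveDsrm' {
        # Step 4: clear the DSRM flag; the normal boot replicates the marked objects out
        bcdedit /deletevalue safeboot
        Restart-Computer -Force
    }
}
```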
What Is the Database Mounting Tool?

The Database Mounting Tool can be used to:
• Create and view snapshots of data that is stored in AD DS
• Improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times
• Eliminate the need to restore multiple backups to compare the AD DS data that they contain
• View, but not restore, deleted objects and containers

Demonstration: Using the Database Mounting Tool

In this demonstration, you will see how to use the Database Mounting Tool to view deleted AD DS objects
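A Database Mounting Tool session scripted end to end: take a snapshot, mount it, serve it with dsamain on a spare LDAP port, query it, and tear it down. This is an added example, not course code; the LDAP port 10389, the snapshot's Windows\NTDS path and the OU queried are my assumptions.

```powershell
# Added example (not course code): snapshot, mount, query and unmount with the
# Database Mounting Tool (ntdsutil snapshot + dsamain). Port and paths are assumptions.
$ldapPort = 10389

# 1. Create a snapshot (shadow copy) of the volumes holding the AD DS database
$out  = ntdsutil snapshot "activate instance ntds" create quit quit
$guid = ([regex]'\{[0-9a-fA-F-]+\}').Match("$out").Value
if (-not $guid) { throw "snapshot was not created: $out" }

# 2. Mount it; ntdsutil reports the mount point (C:\$SNAP_yyyymmddhhmm_VOLUMEC$\)
$out   = ntdsutil snapshot "mount $guid" quit quit
$mount = ([regex]'mounted as (\S+)').Match("$out").Groups[1].Value
if (-not $mount) { throw "snapshot $guid did not mount: $out" }
$dit   = Join-Path $mount 'Windows\NTDS\ntds.dit'   # default database location inside the snapshot

# 3. Serve the snapshot as a read-only LDAP server; the live directory is untouched
$dsamain = Start-Process dsamain -ArgumentList "-dbpath `"$dit`" -ldapport $ldapPort" -PassThru
Start-Sleep -Seconds 10

# 4. Query the snapshot as it was at snapshot time (here: user count under an OU);
#    the same query against the live DC shows what changed since
function Get-SnapshotUserCount([string]$OuDn) {
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection "localhost:$ldapPort"
    $conn.Bind()
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest $OuDn, '(objectClass=user)', 'Subtree', @('distinguishedName')
    $conn.SendRequest($req).Entries.Count
}
"Users in snapshot: {0}" -f (Get-SnapshotUserCount 'OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com')

# 5. Tear down: stop dsamain, then unmount and delete the snapshot
Stop-Process -Id $dsamain.Id
ntdsutil snapshot "unmount $guid" "delete $guid" quit quit
```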
Reanimating Tombstoned AD DS Objects

You can reanimate deleted objects manually in AD DS when:
• You do not have current AD DS backups in a domain where user accounts or security groups were deleted
• The deleted object has not yet been scavenged from the AD DS database
• The deletion occurred in domains that contain only Windows Server 2003 or later domain controllers

To reanimate tombstoned AD DS objects:
• Use LDP.exe to locate the deleted object
• Modify the object’s isDeleted attribute, and provide a distinguished name
• Enable the object, and then reconfigure the object attributes
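The three steps above performed over LDAP from PowerShell with System.DirectoryServices.Protocols, which is the same modify that LDP.exe sends. This is an added example, not course code; the domain controller NYC-DC1, the deleted user jdoe and the restored CN "John Doe" are my assumptions.

```powershell
# Added example (not course code): reanimate a tombstoned user over LDAP: locate
# the tombstone, clear isDeleted, supply a distinguished name, then enable it.
# Assumptions (mine): DC NYC-DC1, deleted user 'jdoe', restored CN 'John Doe'.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'
$conn = New-Object "$P.LdapConnection" 'NYC-DC1'
$conn.SessionOptions.Signing = $true; $conn.SessionOptions.Sealing = $true
$conn.Bind()                                        # current administrator credentials
$showDeleted = New-Object "$P.ShowDeletedControl"   # tombstones are hidden without this control

# 1. Locate the tombstone under CN=Deleted Objects of the domain partition
$root = $conn.SendRequest((New-Object "$P.SearchRequest" '', '(objectClass=*)', 'Base', @('defaultNamingContext')))
$domainDn = $root.Entries[0].Attributes['defaultNamingContext'][0]
$find = New-Object "$P.SearchRequest" "CN=Deleted Objects,$domainDn", '(&(isDeleted=TRUE)(sAMAccountName=jdoe))', 'Subtree', @('lastKnownParent')
$find.Controls.Add($showDeleted) | Out-Null
$hits = $conn.SendRequest($find).Entries
if ($hits.Count -ne 1) { throw "expected one tombstone for jdoe, found $($hits.Count)" }
$tombstone = $hits[0]

# 2. One modify: delete isDeleted and replace distinguishedName (placed back under lastKnownParent)
$newDn = "CN=John Doe,$($tombstone.Attributes['lastKnownParent'][0])"
$undel = New-Object "$P.ModifyRequest"
$undel.DistinguishedName = $tombstone.DistinguishedName
$m1 = New-Object "$P.DirectoryAttributeModification"; $m1.Name = 'isDeleted'; $m1.Operation = 'Delete'
$m2 = New-Object "$P.DirectoryAttributeModification"; $m2.Name = 'distinguishedName'; $m2.Operation = 'Replace'
$m2.Add($newDn) | Out-Null
$undel.Modifications.Add($m1) | Out-Null; $undel.Modifications.Add($m2) | Out-Null
$undel.Controls.Add($showDeleted) | Out-Null        # the modify must carry the control as well
$conn.SendRequest($undel) | Out-Null

# 3. The user comes back disabled with most attributes stripped: enable it (reset the
#    password first if domain policy requires one), then repopulate group membership
#    and the other attributes that the tombstone did not preserve
$enable = New-Object "$P.ModifyRequest" $newDn, 'Replace', 'userAccountControl', '512'
$conn.SendRequest($enable) | Out-Null
"Reanimated $newDn"
```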
Lab: Implementing an AD DS Maintenance Plan

• Exercise 1: Maintaining AD DS Domain Controllers
• Exercise 2: Backing Up AD DS
• Exercise 3: Performing an Authoritative Restore of the AD DS Database
• Exercise 4: Restoring Data Using the AD DS Data Mining Tool (optional)

Logon information
Virtual machine: 6425A-NYC-DC1, 6425A-NYC-DC2
User name: Administrator
Password: Pa$$w0rd

Estimated time: 75 minutes

Lab Review
• How could you apply the security policy you created in
Exercise 1 to multiple domain controllers? What concerns
would you have with doing this?
• Why is a non-authoritative AD DS restore overwritten by
replication? How does an authoritative restore prevent this
from happening?
• What is the difference between restoring an AD DS object
by undeleting it, and just recreating the object?
Module Review and Takeaways
• Review questions

• Considerations

• Tools