Ensuring Active Directory Availability
In this chapter:
Understanding Active Directory Availability Issues
Performing Active Directory Maintenance Tasks
Backing Up and Restoring Active Directory
Troubleshooting Active Directory Availability
Introduction
In earlier chapters, we looked at the Active Directory (AD) infrastructure, as well as various interacting elements, such as forests, sites, domains, and trusts. We also examined the Global Catalog, Schema, and Group Policy in order to fully understand AD in a Windows Server 2003 environment. Now that we've thoroughly reviewed this information, we can discuss how to ensure AD availability.

This chapter deals with how to maintain high availability of your Active Directory services. You'll learn about the Active Directory database, and the importance of system state data to Active Directory availability. We'll discuss fault tolerance plans as well as Active Directory performance issues. You'll find out how to perform necessary maintenance tasks, such as defragmenting the database, and you'll learn how to monitor or move the database.

Next, we'll address backup and restoration of Active Directory, and show you the different restoration methods that you can use and when each is appropriate. We'll walk you through the steps of performing both an authoritative and a normal restore. Finally, you'll learn how to troubleshoot Active Directory availability problems.
Chapter 19
Understanding Active Directory Availability Issues
In this section, we look at the core components of the Windows Server 2003 Active Directory service. First, we discuss the structure and type of database, including its files and related components. You'll also learn how updates are written to the Active Directory database, and how it recovers in the event of a failure during the update process. We will review the key system configuration components that comprise the system state data, and look at fault tolerance and performance issues involving Active Directory.
The Active Directory Database
The Active Directory service is based on a transactional database system. The word transactional refers to the transaction logs that enable the system to have robust recovery and data tracking in the event of unscheduled hardware outages, data corruption, and other problems that can arise in a complex network operating system environment. The heart of the Active Directory service is the database and its related transactional log files, which include the following:
■ Ntds.dit This file is the primary Active Directory database file (sometimes referred to as the data store) that resides on each domain controller (DC). It stores all of the objects, attributes, and properties for the local domain, as well as the configuration and schema portions of the database. By default, this file is installed into the %SYSTEMROOT%\NTDS folder. Although not required, it is recommended that you store this file on an NTFS partition for security purposes.
■ Edb*.log This file format identifies transaction logs. Transaction log names can take one of several forms, including edb.log, edb00001.log, edb00002.log, and so forth. Each log file is a fixed 10MB in size, regardless of the amount of actual data stored in it. The current log file that is receiving updates to Active Directory is named edb.log. When this file is full, it is renamed to edb00001.log (or whatever the next number is in the sequence, if 00001 is taken), and a new empty edb.log is created. However, these logs don't keep piling up forever; they are regularly purged through a process called garbage collection, discussed later in the chapter.
■ Res1.log and Res2.log These files are known as the reserved (Res) log files. Their primary purpose is to ensure that Active Directory does not run out of disk space to use when logging transactions. If there is not enough free space to create a new transaction log, the reserved log is used. Because of this role, these log files are often referred to as placeholders. Like the edb.log files mentioned previously, these files are 10MB each.
■ Edb.chk The "checkpoint" file is used to track the updates that have been written to the Active Directory database. You can think of this file as a list that is checked off as updates are flushed to disk from the Active Directory log files. If you shut down the system before all transactions have been written to the database, the checkpoint file will be consulted when you reboot the system so that any remaining transactions can be written to Active Directory.
Microsoft recommends that you place the database and the log files on different physical disks, for performance purposes. Now, let's take a deeper look at how Active Directory works, and the roles these files play in the process of updating and storing data.
Data Modification to the Active Directory Database
The Extensible Storage Engine (ESE) lies at the heart of the Active Directory database system.
Changes to the Active Directory database on a DC occur through two primary means:
■ An administrator creates, deletes, or updates objects in the database.
■ Replication information, which contains new objects, deletion requests, or changes to existing objects, is received from other DCs.
When changes to the database occur, the ESE captures each change as a single unit known as a transaction. A transaction contains the changed data and a set of metadata. This metadata can include the Globally Unique Identifier (GUID) assigned to the object, a timestamp, version, and other information. It's important to note that this update procedure applies to all changes in Active Directory, including objects, properties, and attributes.

A write request occurs when a change is made to Active Directory. This initiates a transaction that consists of the changes, as well as the metadata described previously. ESE writes the transaction to the transaction buffer in memory, and then writes the transaction to the Edb.log file. After it has been successfully written in the log file, it is written to the Active Directory database file.

If a failure occurs, when Active Directory recovers, it examines the Edb.chk file to determine which transactions have not been written to the database. Transactions are not marked as written in this file until they have been fully committed to the database. This ensures that a failure that occurs partway through the process of writing data will not be marked as completed and leave inconsistent data in the Active Directory database. When a transaction has been committed, Active Directory compares the information written to the database with the information contained in the log file(s). When the two have been verified as identical, the Edb.chk file is updated and the transaction is marked as committed to the database.
Windows Server 2003 uses circular transaction logging. This means that, with the exception of the Edb.log, Res1.log, and Res2.log files, the log files are deleted after all of the transactions they contain have been committed to the database. Another important note about logging is that when you back up Active Directory by backing up the system state data (a process we discuss in the next section of this chapter), all events currently waiting to be written in your transaction logs are committed. The logs are also fully committed when you shut down or reboot your server. Figure 19.1 illustrates this process.
The Tombstone and Garbage Collection Processes
The use of transaction logs is designed to ensure the integrity of data that changes on a single DC. Other mechanisms assure the integrity of changed information in relation to the Active Directory replication process. One of these is the tombstone process, which is used to replicate deletions from one DC to another.

When an object is deleted within Active Directory, the ESE engine creates a transaction for it (as described in the previous section) and the object is moved to the Deleted Objects container within the database. It is important to note that the object is not immediately purged from the database. There is a delay between when the item is deleted and when it is finally removed from the database altogether. This delay is known as the tombstone interval and is set at 60 days by default. The tombstone process exists to support the multimaster replication strategy of Windows Server 2003's Active Directory service. Each DC holds the object in its Deleted Objects container for the length of the tombstone interval. The default of 60 days allows plenty of time to pass and ensures that all DCs on the network have sufficient time to receive the delete request. When this interval is reached, the object is marked as expired.

You should ensure that backups are performed within the tombstone interval. Restores of directory service data older than the tombstone interval should not be performed, to prevent the reintroduction of objects that were deleted during this period but have since been purged from the database.

The garbage collection process works in conjunction with the tombstone process. It runs every 12 hours on DCs by default, and one of its primary functions is to purge expired objects from the database. After the expired objects are purged, any remaining unnecessary log files are deleted and an online defragmentation of the database occurs. This consolidates the free space that was generated by the deletions and increases the performance of the database.
Figure 19.1 The Active Directory Data Commitment Process (the figure shows the following flow: 1. Additions, changes, and deletions; 2. Extensible Storage Engine (ESE) creates transaction; 3. Transaction written to memory; 4. Transaction written to log file (Edb.log); 5. Transaction committed to database; 6. Checkpoint file (Edb.chk) updated)
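The rule that a backup older than the tombstone interval must not be restored can be checked before a restore is attempted. The following PowerShell is an added example, not code from the chapter: it reads the forest's tombstoneLifetime attribute from the Directory Service object in the configuration partition (an assumed lookup; when the attribute is absent it falls back to the chapter's stated default of 60 days) and compares it with the age of a backup whose timestamp is a constructed sample.

```powershell
# Added example (not from the chapter): is a system state backup still young
# enough to restore without reintroducing purged objects?

function Get-TombstoneLifetimeDays {
    param([int]$DefaultDays = 60)   # chapter default, used when the attribute is unset
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.Get("configurationNamingContext")
    # Assumed location of the forest-wide setting (configuration partition).
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.Properties["tombstoneLifetime"].Value
    if ($value -eq $null) { return $DefaultDays }
    return [int]$value
}

function Test-BackupAgeForRestore {
    param(
        [Parameter(Mandatory = $true)][datetime]$BackupTime,
        [int]$TombstoneDays = (Get-TombstoneLifetimeDays),
        [datetime]$Now = (Get-Date)
    )
    $ageDays = ($Now - $BackupTime).TotalDays
    # A backup at or beyond the interval may contain objects that every DC has
    # already purged; restoring it would bring them back.
    return @{
        BackupTime    = $BackupTime
        AgeDays       = [math]::Round($ageDays, 1)
        TombstoneDays = $TombstoneDays
        SafeToRestore = ($ageDays -lt $TombstoneDays)
    }
}

# Usage with a constructed sample timestamp; replace it with the completion
# time of the most recent system state backup.
$report = Test-BackupAgeForRestore -BackupTime (Get-Date "2004-07-01 02:00")
if (-not $report.SafeToRestore) {
    $msg = "Backup is " + $report.AgeDays + " days old, older than the " +
           $report.TombstoneDays + "-day tombstone interval; do not restore it."
    Write-Warning $msg
}
$report
```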
System State Data
System state data is a term Microsoft uses to refer to a set of core configuration information in Windows 2000, XP, and 2003. The actual information included in the system state depends on the underlying configuration of the operating system, and which components are installed.

System state data is most commonly associated with backup and restore operations. The backup tool released with Windows 2000 (and all subsequent versions) included the option to back up all of these critical open resources by selecting the system state backup option.
Fault Tolerance and Performance
You can take several key actions to ensure fault tolerance and maximize performance for the Active Directory database. Maintaining proper backups is, by far, the most important action you can take to provide fault tolerance. We discuss this in more detail later in the chapter. Defragmentation of the Active Directory database is also a key performance component, and we cover this later in the chapter as well.

For performance reasons, Microsoft recommends that the Active Directory database and log files be on separate physical disk drives attached to separate hard drive controllers or channels. In other words, they recommend that each disk be in its own data path so that there is no contention between these components in the file system. This means that both drives can be read from and/or written to at the same time. This provides both fault tolerance and improved performance.
Performing Active Directory Maintenance Tasks
In this section, we'll look at some of the day-to-day and less routine tasks that you can expect to perform in the process of managing your Active Directory environment, including offline and online AD defragmentation, moving the database files, and backing up and restoring AD.
Defragmenting the Database
As mentioned previously, by default, Windows Server 2003 begins a maintenance cycle every 12 hours, known as the garbage collection process. The final portion of the garbage collection process is an online defragmentation and re-index of the Active Directory database. This is done to improve the performance of the database.
The Offline Defragmentation Process
Although Windows Server 2003 runs an online defragmentation twice per day by default, there might be times when you need to actually recover available free space from the Active Directory database file. This can only be done by performing an offline defragmentation. This type of defragmentation process is much more invasive than its online counterpart, and should be done only when absolutely necessary. For example, when the Global Catalog (GC) role is removed from a server, this information is deleted from its Active Directory database file, leaving a large amount of free space that can be recovered.
As with many invasive Active Directory database operations, you must be booted into a special mode known as the Directory Services Restore Mode to perform an offline defragmentation. The local administrator account is used when performing database maintenance operations in Directory Services Restore Mode.
You can access the Directory Services Restore Mode by booting or rebooting the computer, pressing the F8 key when prompted, and selecting Directory Services Restore Mode from the Windows Advanced Options menu. You will be prompted to log on, and you must use the administrator account. Note that this account is not the domain administrator account; it is a special local account. The password for this local account is set during the installation of directory services on the local computer.

After you are authenticated by the local SAM, you can perform advanced directory services maintenance functions. Many of these are performed with the Ntdsutil utility.

To perform an offline defragmentation of the Active Directory database, use the following steps.
Perform an Offline Defragmentation of the Active Directory Database
1. Back up the system state data for fault tolerance purposes. See the Backing Up Active Directory section later in this chapter for more information.
2. Boot or reboot the computer.
3. When prompted, press F8 during Windows Server 2003 startup.
4. Select Directory Services Restore Mode (Windows DCs only) on the Windows Advanced Options menu that appears, and press the Enter key.
5. Select your operating system (for example, Windows Server 2003, Enterprise), and press the Enter key.
6. You will see a number of checks performed while the system is booting, and eventually you will receive the Safe Mode logon prompt.
7. Log on by providing the password for the local administrator account and clicking the OK button.
8. Click the OK button in the dialog box that notifies you that Windows is running in safe mode.
9. Open a command prompt.
10. Type ntdsutil to enter the Ntdsutil utility. Note that this is a command-line utility, so the command prompt will change to ntdsutil:.
11. Type files. The command prompt should change to display file maintenance:.
12. Type compact to <drive>:\<directory> to create a defragmented and compacted copy of the Active Directory database in the specified new location. For example, compact to C:\ADTemp creates a defragmented, re-indexed, and re-sized database file in the C:\ADTemp directory, as shown in Figure 19.2. The location specified can be on a local disk or on a mapped network drive. If there are spaces in the path where the file needs to be placed, the path must be surrounded in quotes; for example, compact to "c:\ad\july defrag".
13. Type quit to return to the ntdsutil: prompt.
14. Type quit again to exit the utility.
15. Open Windows Explorer and rename the previously used ntds.dit file to ntds.old.dit.
NOTE
Step 15 is not specified in Microsoft's instructions, but we recommend it for fault tolerance purposes. As mentioned, an offline defragmentation is very invasive. It is possible that the compacted file will be corrupt and that Active Directory will not start after the procedure. If you don't take this step, you will be forced to do a system state restore to recover the previous database file. By simply renaming the file, you can boot back into Directory Services Restore Mode, delete the corrupt file, and rename ntds.old.dit back to ntds.dit to recover the system.
16. In Windows Explorer, copy the new ntds.dit file from the location you specified with the compact to command to the location of the original ntds.dit file.
17. In Windows Explorer, delete all files that end with the LOG extension in your Active Directory log files folder.
18. Close the command prompt window and reboot the server normally.
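Steps 10 through 17 can be scripted so that the safety rename in step 15 is never skipped. The following PowerShell is an added example, not code from the chapter or from Microsoft; it assumes it is run in Directory Services Restore Mode after the system state backup of step 1, that the database and log locations are read from the NTDS service's registry parameters (DSA Database file and Database log files path), and that ntdsutil accepts its menu commands as command-line arguments. C:\ADTemp is an assumed scratch location.

```powershell
# Added example (not the chapter's own code): offline defragmentation with the
# ntds.old.dit fallback. Run only in Directory Services Restore Mode.

$ntdsParams = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"   # assumed key
$params  = Get-ItemProperty $ntdsParams
$dbPath  = $params."DSA Database file"           # e.g. C:\WINDOWS\NTDS\ntds.dit
$logDir  = $params."Database log files path"     # e.g. C:\WINDOWS\NTDS
$dbDir   = Split-Path $dbPath -Parent
$tempDir = "C:\ADTemp"                           # assumed scratch directory (step 12)

if (-not (Test-Path $tempDir)) { New-Item -ItemType Directory -Path $tempDir | Out-Null }

# Steps 10-14: enter ntdsutil, the files menu, compact, then quit twice.
# The path is quoted inside the argument so that directories with spaces work.
& ntdsutil "files" "compact to `"$tempDir`"" "quit" "quit"

$compacted = Join-Path $tempDir "ntds.dit"
if (-not (Test-Path $compacted)) {
    throw "No compacted database found at $compacted; check the ntdsutil output. Original left untouched."
}
if ((Get-Item $compacted).LastWriteTime -lt (Get-Item $dbPath).LastWriteTime) {
    throw "$compacted is older than the live database; refusing to install a stale copy."
}

# Step 15: keep the old database so a corrupt compacted copy can be backed out
# by deleting ntds.dit and renaming ntds.old.dit back, instead of a full restore.
$fallback = Join-Path $dbDir "ntds.old.dit"
if (Test-Path $fallback) { Remove-Item $fallback }
Rename-Item -Path $dbPath -NewName "ntds.old.dit"

# Step 16: install the compacted copy under the original name.
Copy-Item -Path $compacted -Destination $dbPath

# Step 17: the existing transaction logs belong to the old file; remove them.
Get-ChildItem -Path $logDir -Filter "*.log" | Remove-Item

Write-Host "Compacted database installed at $dbPath; previous file kept as $fallback."
Write-Host "Reboot normally (step 18). If Active Directory fails to start, return to"
Write-Host "Directory Services Restore Mode, delete $dbPath and rename $fallback to ntds.dit."
```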
Moving the Database or Log Files
At some point, it might become necessary to move the Active Directory database or log files. Most often, this occurs because you need to move the files to a new hard drive or array of hard drives. Performance might dictate this decision. New, faster drives and controllers can be used to replace slower ones as usage increases. The decision might also be dictated by a lack of free space as the Active Directory database and components grow.
Figure 19.2 The Ntdsutil Compact To Command
Moving the database or log files is relatively simple. It is done from the command line using the Ntdsutil utility. Because the database and log files cannot be open when they are moved, the operation must be carried out while in Directory Services Restore Mode. The following steps outline how to move the Active Directory database and log files.
1. Back up the system state data for fault tolerance purposes. See the Backing Up Active Directory section later in this chapter for more information.
2. Boot or reboot the computer.
3. When prompted, press F8 during Windows Server 2003 startup.
4. Select Directory Services Restore Mode (Windows DCs only) on the Windows Advanced Options menu that appears, and press the Enter key.
5. Select your operating system (for example, Windows Server 2003, Enterprise), and press the Enter key.
6. You will see a number of checks performed while the system is booting, and eventually you will receive the Safe Mode logon prompt.
7. Log on by providing the password for the local administrator account and clicking the OK button.
8. Click the OK button in the dialog box that notifies you that Windows is running in safe mode.
9. Open a command prompt.
10. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt will change to ntdsutil:.
11. Type files. The command prompt should change to display file maintenance:.
12. Use one of the following commands to move the Active Directory database or log files, or update their paths.
■ Type move DB to <drive>:\<directory> to move the ntds.dit database file to the new location specified. For example, move DB to C:\AD moves the database file to the C:\AD directory and updates the Registry to point to this new location, as shown in Figures 19.3 and 19.4.
■ Type move logs to <drive>:\<directory> to move the Active Directory log files to the new location specified. For example, move logs to C:\AD moves the log files to the C:\AD directory and updates the Registry to point to this new location.
13. Ensure that the database (or log files) is now referenced in the proper location by typing info.
14. Type quit to return to the ntdsutil: prompt.
15. Type quit again to exit the utility.
16. Close the command prompt window and reboot the server normally.
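After the server is back up, the same checks the chapter makes in prose can be run as a script: that the Registry references the new location (step 13), that the fixed-size log and checkpoint files described under The Active Directory Database are present, that the database sits on NTFS, and that the database and logs are on separate physical disks as recommended under Fault Tolerance and Performance. This PowerShell is an added example, not code from the chapter; it assumes the NTDS registry value names DSA Database file and Database log files path, and uses the WMI disk classes to map a drive letter to its physical disk.

```powershell
# Added example (not from the chapter): verify the Active Directory database
# and log layout after a move, or as a routine availability check.

function Get-PhysicalDiskForPath([string]$Path) {
    $drive = Split-Path $Path -Qualifier                  # e.g. "C:"
    $q = "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$drive'} " +
         "WHERE AssocClass=Win32_LogicalDiskToPartition"
    $partition = Get-WmiObject -Query $q | Select-Object -First 1
    if ($partition -eq $null) { return $null }           # mapped drive or unknown volume
    $q = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($partition.DeviceID)'} " +
         "WHERE AssocClass=Win32_DiskDriveToDiskPartition"
    return (Get-WmiObject -Query $q | Select-Object -First 1).DeviceID   # e.g. \\.\PHYSICALDRIVE0
}

function Test-AdDatabaseLayout {
    $params = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"  # assumed key
    $dbPath = $params."DSA Database file"
    $logDir = $params."Database log files path"
    $findings = @()

    if (-not (Test-Path $dbPath)) { $findings += "Database file missing: $dbPath" }
    if (-not (Test-Path $logDir)) { $findings += "Log directory missing: $logDir" }

    # edb.log, res1.log and res2.log are always 10MB; any other size is suspect.
    foreach ($name in "edb.log", "res1.log", "res2.log") {
        $log = Join-Path $logDir $name
        if (-not (Test-Path $log)) { $findings += "Missing log file: $log"; continue }
        if ((Get-Item $log).Length -ne 10MB) { $findings += "Unexpected size for $log" }
    }
    if (-not (Test-Path (Join-Path $logDir "edb.chk"))) { $findings += "Checkpoint file edb.chk missing in $logDir" }

    # The database should live on NTFS (recommended for security).
    $dbDrive = Split-Path $dbPath -Qualifier
    $fs = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$dbDrive'").FileSystem
    if ($fs -ne "NTFS") { $findings += "Database volume $dbDrive is $fs, not NTFS" }

    # Database and logs should be on different physical disks, not just different letters.
    $dbDisk  = Get-PhysicalDiskForPath $dbPath
    $logDisk = Get-PhysicalDiskForPath $logDir
    if ($dbDisk -and $logDisk -and ($dbDisk -eq $logDisk)) {
        $findings += "Database and logs share physical disk $dbDisk; separate disks are recommended"
    }

    return @{ Database = $dbPath; Logs = $logDir; DatabaseDisk = $dbDisk; LogDisk = $logDisk; Findings = $findings }
}

$result = Test-AdDatabaseLayout
$result
if ($result.Findings.Count -eq 0) { Write-Host "All layout checks passed." }
```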
Figure 19.3 Moving the Active Directory Database with Ntdsutil, First Portion of the Screen
Figure 19.4 Moving the Active Directory Database with Ntdsutil, Second Portion of the Screen