Recipe 16.1 Backing Up Active Directory
16.1.1 Problem
You want to back up Active Directory to tape or disk.
16.1.2 Solution
Back up the System State, which includes the Active Directory-related files on the domain controller. Here are the directions for backing up the System State using the NtBackup utility that comes installed on Windows 2000 and Windows Server 2003 computers:
16.1.2.1 Using a graphical user interface
1. Go to Start → All Programs (or Programs for Windows 2000) → Accessories → System Tools → Backup.
2. Click the Advanced Mode link.
3. Click the Backup tab.
4. Check the box beside System State.
5. Check the box beside any other files, directories, or drives you would also like to back up.
6. For Backup destination, select either File or Tape depending on where you want to back up the data to.
7. For Backup media or file name, type either the name of a file or select the tape to save the backup to.
8. Click the Start Backup button twice.
16.1.2.2 Using a command-line interface
The NtBackup utility supports several command-line parameters that you can use to initiate backups without ever bringing up the GUI.
For the complete list of supported commands on Windows 2000, see MS KB 300439 (How to Use Command Line Parameters With the "Ntbackup" Command).
For the complete list of supported commands on Windows Server 2003, see MS KB 814583 (HOW TO: Use Command Line Parameters with the Ntbackup Command in Windows Server 2003).
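As an added example (not from the book), the following batch file runs the System State backup unattended with the ntbackup parameters documented in the KB articles above; the backup folder D:\ADBackup and the US short date format of %DATE% are assumptions.

```batch
@echo off
REM Added example, not from the book: unattended System State backup of a
REM domain controller with ntbackup.exe (parameters per MS KB 300439/814583).
REM Assumptions: D:\ADBackup exists, the script runs on the domain controller
REM as a member of Backup Operators or Administrators, and %DATE% uses the
REM US short format "Tue 01/14/2003" (adjust the substrings for other locales).
setlocal

set BACKUP_ROOT=D:\ADBackup
set JOBNAME=DC System State

REM yyyymmdd stamp so each run gets its own .bkf file
set STAMP=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%
set TARGET=%BACKUP_ROOT%\%COMPUTERNAME%-systemstate-%STAMP%.bkf

if not exist "%BACKUP_ROOT%" (
    echo Backup root %BACKUP_ROOT% does not exist.
    endlocal
    exit /b 1
)

REM backup systemstate : back up the System State (AD files, SYSVOL,
REM                      registry, boot files, COM+ database, certificates)
REM /J  job name shown in the backup report
REM /F  write to a file instead of a tape
REM /M normal  full backup; the System State cannot be backed up incrementally
REM /V:yes     verify the data after it is written
REM /L:s       summary log only
ntbackup backup systemstate /J "%JOBNAME%" /F "%TARGET%" /M normal /V:yes /L:s

REM The exit code is only a first check; the backup report written by
REM ntbackup is the authoritative record of what was backed up.
if errorlevel 1 (
    echo ntbackup returned error level %ERRORLEVEL%; check the backup report.
    endlocal
    exit /b 1
)

if not exist "%TARGET%" (
    echo ntbackup finished but %TARGET% was not created.
    endlocal
    exit /b 1
)

echo System State backup written to %TARGET%
endlocal
exit /b 0
```

Keep in mind the 60-day useful life of a System State backup mentioned in MS KB 216993: a backup file older than the tombstone lifetime is not usable for a restore, so rotate the .bkf files accordingly.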
16.1.3 Discussion
Fortunately, domain controllers can be backed up while online. Having the ability to do live backups makes the process very easy. And since Active Directory is included as part of the System State on domain controllers, you are required to back up only the System State, although you can back up other folders and drives as necessary. On a domain controller, the System State includes the following:
• Boot files
• Registry
• COM+ class registration database
• Active Directory files
• System Volume (SYSVOL)
• Certificates database (if running Certificate Server)
16.1.4 See Also
Recipe 16.18 for modifying the tombstone lifetime, MS KB 216993 (Backup of the Active Directory Has 60-Day Useful Life), MS KB 240363 (HOW TO: Use the Backup Program to Back Up and Restore the System State in Windows 2000), MS KB 300439 (How to Use Command Line Parameters With the "Ntbackup" Command), MS KB 326216 (HOW TO: Use the Backup Feature to Back Up and Restore Data in Windows Server 2003), and MS KB 814583 (HOW TO: Use Command Line Parameters with the Ntbackup Command in Windows Server 2003).
Recipe 16.2 Restarting a Domain Controller in Directory Services Restore Mode
16.2.1 Problem
You want to restart a domain controller in DS Restore Mode.
16.2.2 Solution
To enter DS Restore Mode, you must reboot the server at the console. Press F8 after the power-on self test (POST), which will bring up a menu, as shown in Figure 16-1. From the menu, select Directory Services Restore Mode.
Figure 16-1 Boot options
16.2.3 Discussion
The Active Directory database is live and locked by the system when a domain controller is booted into normal mode. If you want to perform integrity checks, manipulate the Active Directory database in some way or restore part of the database, you have to reboot into DS Restore Mode. In this mode, Active Directory does not start up and the database files (ntds.dit) are not locked.
It is not always practical to be logged into the console of the server when you need to reboot it into DS Restore Mode. You can work around this by modifying the boot.ini file for the server to automatically boot into DS Restore Mode after reboot. You can then use Terminal Services to log on to the machine remotely while it is in that mode. See MS KB 256588 for more information on how to enable this capability. Be careful if you try to access DS Restore Mode via Terminal Services. Unless you have configured everything properly, you may end up with the domain controller booted into DS Restore Mode and not be able to access it via Terminal Services.
16.2.4 See Also
MS KB 256588 (Using Terminal Services for Remote Administration of Windows 2000 DCs in Directory Service Restore Mode).
Recipe 16.3 Resetting the Directory Service Restore Mode Administrator Password
16.3.1 Problem
You want to reset the DS Restore Mode administrator password. This password is set individually (i.e., not replicated) on each domain controller, and is initially configured when you promote the domain controller into a domain.
16.3.2 Solution
16.3.2.1 Using a graphical user interface
1. For this to work you must be booted into DS Restore Mode (see Recipe 16.2 for more information).
2. Go to Start → Run.
3. Type compmgmt.msc and press Enter.
4. In the left pane, expand System Tools → Local Users and Computers.
5. Click on the Users folder.
6. In the right pane, right-click on the Administrator user and select Set Password.
7. Enter the new password and confirm, then click OK.
16.3.2.2 Using a command-line interface
With the Windows Server 2003 version of ntdsutil, you can change the DS Restore Mode administrator password of a domain controller while it is live (i.e., not in DS Restore Mode). Another benefit of this new option is that you can run it against a remote domain controller. Here is the sample output when run against domain controller DC1:
> ntdsutil "set dsrm password" "reset password on server DC1"
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server DC1
Please type password for DS Restore Mode Administrator Account: **********
Please confirm new password: **********
Password has been set successfully
Microsoft added a new command in Windows 2000 Service Pack 2 and later called setpwd. It works similarly to the Windows Server 2003 version of ntdsutil by allowing you to reset the DS Restore Mode password while a domain controller is live. It can also be used remotely.
16.3.3 Discussion
You may be thinking that having a separate DS Restore Mode administrator password can be quite a pain. Yet another thing you have to maintain and update on a regular basis, right? But if you think about it, you'll see that it is quite necessary.
Generally, you boot a domain controller into DS Restore Mode when you need to perform some type of maintenance on the Active Directory database. To do this, the database needs to be offline. If the database is offline, then there is no way to authenticate against it. The system has to use another user repository, so it reverts back to the legacy SAM database. The DS Restore Mode administrator account and password are stored in the SAM database just like with standalone Windows clients.
16.3.4 See Also
Recipe 16.2 for booting into Directory Services Restore Mode, MS KB 239803 (How to Change the Recovery Console Administrator Password on a Domain Controller), and MS KB 322672 (HOW TO: Reset the Directory Services Restore Mode Administrator Account Password in Windows Server 2003).
Recipe 16.4 Performing a Nonauthoritative Restore
16.4.1 Problem
You want to perform a nonauthoritative restore of a domain controller. This can be useful if you want to quickly restore a domain controller that failed due to a hardware problem.
16.4.2 Solution
16.4.2.1 Using a graphical user interface
1. You must first reboot into Directory Services Restore Mode (see Recipe 16.2 for more information).
2. Open the NT Backup utility; go to Start → All Programs (or Programs for Windows 2000) → Accessories → System Tools → Backup.
3. Click the Advanced Mode link.
4. Under the Welcome tab, click the Restore Wizard button and click Next.
5. Check the box beside System State and any other drives you want to restore and click Next.
6. Click the Advanced button.
7. Select Original location for Restore files to.
8. For the How to Restore option, select Replace existing files and click Next.
9. For the Advanced Restore Options, be sure that the following are checked: Restore Security Settings, Restore junction points, and Preserve existing mount volume points. Then click Next.
10. Click Finish.
11. Restart the computer.
16.4.3 Discussion
If you encounter a failed domain controller that you cannot bring back up (e.g., multiple hard disks fail), you have two options for restoring it. One option is to remove the domain controller completely from Active Directory (as outlined in Recipe 3.6) and then repromote it back in. This is known as the restore from replication method, because you are essentially bringing up a brand new domain controller and letting replication restore all the data on the server. On Windows Server 2003 domain controllers, you can also use the Install From Media option described in Recipe 3.2 to expedite this process.
The other option is described in the Solution section. You can restore the domain controller from a good backup. This method involves getting into DS Restore Mode, restoring the system state and any necessary system drive(s) and then rebooting. As long as the domain controller comes up clean, it should start participating in Active Directory replication once again and sync any changes that have occurred since the backup was taken.
For a detailed discussion of the advantages and disadvantages of each option, see Chapter 13 in Active Directory, Second Edition (O'Reilly).
16.4.4 See Also
Recipe 16.2 for getting into Directory Services Restore Mode and MS KB 240363 (HOW TO: Use the Backup Program to Back Up and Restore the System State in Windows 2000).
Recipe 16.5 Performing an Authoritative Restore of an Object or Subtree
16.5.1 Problem
You want to perform an authoritative restore of one or more objects, but not the entire Active Directory database.
16.5.2 Solution
Follow the same steps as Recipe 16.4, except after the restore has completed, do not restart the computer.
To restore a single object, run the following:
> ntdsutil "auth restore" "restore object cn=jsmith,ou=Sales,dc=rallencorp,dc=com" q
To restore an entire subtree, run the following:
> ntdsutil "auth restore" "restore subtree ou=Sales,dc=rallencorp,dc=com" q
Restart the computer.
There are some issues related to restoring user, group, computer, and trust objects that you should be aware of. See MS KB 216243 and MS KB 280079 for more information.
16.5.3 Discussion
If an administrator or user accidentally deletes an important object or entire subtree from Active Directory, you can restore it. Fortunately, the process isn't very painful. The key is having a good backup that contains the objects you want to restore. If you don't have a backup with the objects in it, you are out of luck. Well, that is not completely true with Windows Server 2003. See Recipe 16.17 for another option to restore deleted objects.
To restore one or more objects, you need to follow the same steps as performing a nonauthoritative restore. The only difference is that after you do the restore, you need to use the ntdsutil command to mark the objects in question as authoritative on the restored domain controller. After you reboot the domain controller, it will replicate any changed objects since the backup that was restored on the machine, except for the objects or subtree that were marked as authoritative. For those objects, Active Directory increments the USN in such a way that they will become authoritative and replicate out to the other domain controllers.
You can also use ntdsutil without first doing a restore in situations where an object has been deleted accidentally, but the change has not yet replicated to all domain controllers. The trick here is that you need to find a domain controller that has not had the deletion replicated yet and either stop it from replicating or make the object authoritative before it receives the replication update.
16.5.4 See Also
Recipe 16.2 for booting into Directory Services Restore Mode, Recipe 16.17 for restoring a deleted object, MS KB 216243 (Authoritative Restore of Active Directory and Impact on Trusts and Computer Accounts), and MS KB 280079 (Authoritative Restore of Groups Can Result in Inconsistent Membership Information Across Domain Controllers).
Recipe 16.6 Performing a Complete Authoritative Restore
16.6.1 Problem
You want to perform a complete authoritative restore of the Active Directory database because something very bad has happened.
16.6.2 Solution
Follow the same steps as Recipe 16.4, except after the restore has completed, do not restart the computer.
Run the following command to restore the entire database:
> ntdsutil "auth restore" "restore database" q
Restart the computer.
16.6.3 Discussion
In a production environment, you should never have to perform a complete authoritative restore. It is a drastic measure and you will inevitably lose data as a result. Before you even attempt such a restore, you may want to contact Microsoft Support to make sure all options have been exhausted. That said, you should test the authoritative restore process in a lab environment, and make sure you have the steps properly documented in case you ever do need to use it.
16.6.4 See Also
Recipe 16.2 for getting into Directory Services Restore Mode, MS KB 216243 (Authoritative Restore of Active Directory and Impact on Trusts and Computer Accounts), MS KB 241594 (HOW TO: Perform an Authoritative Restore to a Domain Controller in Windows 2000), and MS KB 280079 (Authoritative Restore of Groups Can Result in Inconsistent Membership Information Across Domain Controllers).
Recipe 16.7 Checking the DIT File's Integrity
16.7.1 Problem
You want to check the integrity and semantics of the DIT file to verify there is no corruption or bad entries.
16.7.2 Solution
16.7.2.1 Using a command-line interface
First, reboot into Directory Services Restore Mode. Then run the following commands:
> ntdsutil files integrity q q
> ntdsutil "semantic database analysis" "verbose on" go
16.7.3 Discussion
The Active Directory DIT file (ntds.dit) is implemented as a transactional database. Microsoft uses the ESE database (formerly called Jet) for Active Directory, which has been used for years in other products, such as Microsoft Exchange.
Since the Active Directory DIT ultimately is a database, it can suffer from many of the same issues that traditional databases do. The ntdsutil integrity command checks for any low-level database corruption and ensures that the database headers are correct and the tables are in a consistent state. It reads every byte of the database and can take quite a while to complete depending on how large your DIT file is. The time it takes is also greatly dependent on your hardware, but some early estimates from Microsoft for Windows 2000 put the rate at 2 GB an hour.
Whereas the ntdsutil integrity command verifies the overall structure and health of the database, the ntdsutil semantics command looks at the contents of the database. It will verify, among other things, reference counts, replication metadata, and security descriptors. If any errors are reported back, you can run go fixup to attempt to correct them. You should have a recent backup handy before doing this because in the worst case the corruption cannot be fixed or may become worse after the go fixup command completes.
16.7.4 See Also
Recipe 16.2 for booting into Directory Services Restore Mode and MS KB 315136 (HOW TO: Complete a Semantic Database Analysis for the Active Directory Database by Using Ntdsutil.exe).
Recipe 16.8 Moving the DIT Files
16.8.1 Problem
You want to move the Active Directory DIT files to a new drive to improve performance or capacity.
16.8.2 Solution
16.8.2.1 Using a command-line interface
First, reboot into DS Restore Mode. Then, run the following commands, in which <DriveAndFolder> is the new location where you want to move the files (e.g., d:\NTDS):
> ntdsutil files "move db to <DriveAndFolder>" q q
> ntdsutil files "move logs to <DriveAndFolder>" q q
16.8.3 Discussion
You can move the Active Directory database file (ntds.dit) independently of the log files. The first command in the solution moves the database and the second moves the logs. You may also want to consider running an integrity check against the database after you've moved it to ensure everything checks out. See Recipe 16.7 for more details.
16.8.4 See Also
Recipe 16.2 for booting into Directory Services Restore Mode, Recipe 16.7 for checking DIT file integrity, MS KB 257420 (HOW TO: Move the Ntds.dit File or Log Files), and MS KB 315131 (HOW TO: Use Ntdsutil to Manage Active Directory Files from the Command Line in Windows 2000).
Recipe 16.9 Repairing or Recovering the DIT
16.9.1 Problem
You need to repair or perform a soft recovery of the Active Directory DIT because a power failure or some other failure caused the domain controller to enter an unstable state.
16.9.2 Solution
16.9.2.1 Using a command-line interface
First, reboot into DS Restore Mode.
Run the following command to perform a soft recovery of the transaction log files:
> ntdsutil files recover q q
If you continue to experience errors, you may need to run a repair, which does a low level repair of the database, but can result in loss of data:
> ntdsutil files repair q q
If either the recover or repair are successful, you should then check the integrity (see Recipe 16.7).
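As an added example (not from the book), the batch file below chains the soft recovery above with the integrity check from Recipe 16.7 and logs both, stopping before the data-losing repair step so that an administrator decides whether to run it; it assumes the server is already in DS Restore Mode and that ntdsutil reports a passing check with the text "Integrity check successful".

```batch
@echo off
REM Added example, not from the book: soft recovery (Recipe 16.9) followed by
REM the integrity check (Recipe 16.7), both logged to one file. The repair is
REM deliberately not automated because it can discard data; the script only
REM reports when that decision point has been reached.
REM Assumptions: the domain controller is booted into DS Restore Mode, and a
REM passing check prints the line "Integrity check successful." (this is the
REM text the author of this example expects from ntdsutil/esentutl).
setlocal
set LOG=%SystemRoot%\ntdsutil-recover.log

echo === ntdsutil files recover === > "%LOG%"
REM Replay any uncommitted transactions from the log files into ntds.dit
ntdsutil files recover q q >> "%LOG%" 2>&1

echo === ntdsutil files integrity === >> "%LOG%"
REM Low-level check of database headers and table consistency; reads every
REM byte of ntds.dit, so this can take a long time on a large DIT
ntdsutil files integrity q q >> "%LOG%" 2>&1

findstr /C:"Integrity check successful" "%LOG%" > nul
if errorlevel 1 (
    echo Integrity check did NOT report success; see %LOG%.
    echo Before considering "ntdsutil files repair q q", which can lose data,
    echo make sure a recent backup exists and consider engaging Microsoft Support.
    endlocal
    exit /b 1
)

echo Recovery and integrity check passed; see %LOG%.
echo Next step, the semantic analysis from Recipe 16.7:
echo   ntdsutil "semantic database analysis" "verbose on" go
endlocal
exit /b 0
```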
16.9.3 Discussion
You should (hopefully) never need to recover or repair your Active Directory database. A recovery may be needed after a domain controller unexpectedly shuts down, perhaps due to a power loss, and certain changes were never committed to the database. When it boots back up, a soft recovery is automatically done in an attempt to reapply any changes contained in the transaction log files. Since Active Directory does this automatically, it is unlikely that running the ntdsutil recover command will be of much help. The ntdsutil repair, on the other hand, can fix low-level problems, but it can also result in a loss of data, which cannot be predicted. USE AT YOUR OWN PERIL!
I recommend you use extreme caution when performing a repair, and you may want to engage Microsoft Support first in case something really bad goes wrong. If you try the repair and it makes things worse, you should consider rebuilding the domain controller from scratch. See Recipe 3.6 for forcibly removing a domain controller.
16.9.4 See Also
Recipe 16.2 for booting into Directory Services Restore Mode, Recipe 16.7 for checking the integrity of the DIT, and MS KB 315131 (HOW TO: Use Ntdsutil to Manage Active Directory Files from the Command Line in Windows 2000).
Recipe 16.10 Performing an Online Defrag Manually
This recipe must be run against a Windows Server 2003 domain controller.
16.10.1 Problem
You want to initiate an online defragmentation. This can be useful if you want to expedite the defrag process after deleting a bunch of objects.
16.10.2 Solution
16.10.2.1 Using a graphical user interface