Page 1: Module 9: Implementing an Active Directory Domain Services Maintenance Plan
Page 2: Module Overview
• Maintaining the AD DS Domain Controllers
• Backing Up Active Directory Domain Services
• Restoring Active Directory Domain Services
Page 3: Lesson 1: Maintaining the AD DS Domain Controllers
• The Active Directory Domain Services Database and Log Files
• How the AD DS Database Is Modified
• Managing the Active Directory Database Using the NTDSUtil Tool
• What Is an AD DS Database Defragmentation?
• What Are Restartable Active Directory Domain Services?
• Demonstration: Performing AD DS Database Maintenance Tasks
• Locking Down Services on an AD DS Domain Controller
Page 4: The Active Directory Domain Services Database and Log Files
Ntds.dit:
• Is the Active Directory database file
• Stores all Active Directory objects on the domain controller
• Uses the default location systemroot\NTDS folder
Log file:
• Is a transaction log file
• Uses the default transaction log file Edb.log
Page 5: How the AD DS Database Is Modified
Figure: write flow: Write request → Transaction is initiated → Write to the transaction buffer → Write to the transaction log file (Edb.log) → Commit the transaction → Write to the database on disk (Ntds.dit) → Update the checkpoint (Edb.chk)
Page 6: Managing the Active Directory Database Using the NTDSUtil Tool
Ntdsutil.exe is a command-line tool used to manage some Active Directory components
Use Ntdsutil.exe to:
• Perform Active Directory database maintenance
• Remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled
Type HELP at any NTDSUtil prompt for context-sensitive help
Page 7: What Is an AD DS Database Defragmentation?
Active Directory performs online database defragmentation automatically every 12 hours
Online defragmentation optimizes data storage in the database and reclaims space in the directory for new objects, but does not reduce the size of the database file
Use the NTDSUtil command-line tool to perform offline defragmentation on a dismounted database
Offline defragmentation creates a new, compacted version of the database file
The new file may be considerably smaller, depending on how fragmented the original database file was
Page 8: What Are Restartable Active Directory Domain Services?
Restartable AD DS allows administrators to stop Active Directory Domain Services without stopping any other services
Use restartable AD DS when:
• files on a domain controller
• Active Directory database
Directory Services Restore Mode must be used to restore the Active Directory database
Page 9: Demonstration: Performing AD DS Database Maintenance Tasks
In this demonstration, you will see how to:
• Start and stop AD DS services
• Move the AD database to a different drive using NTDSUtil
• Use NTDSUtil and AD DS Stopped mode for offline defragmentation
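The offline defragmentation the demonstration walks through (stop AD DS, compact with NTDSUtil, swap the file, verify, start AD DS), as an added PowerShell example that is not part of the course material. It assumes the database is in the default C:\Windows\NTDS and that the C:\NTDS-Compact and C:\NTDS-Keep folders are free to use; run it from an elevated session on the domain controller.

```powershell
# Added example, not part of the course material: the offline defragmentation
# shown on slides 7-9, using Restartable AD DS (no reboot into DSRM) and NTDSUtil.
# Assumptions (labelled): database in the default C:\Windows\NTDS, scratch and
# keep folders on C:. Run from an elevated PowerShell session on the DC.
$NtdsPath   = "C:\Windows\NTDS"      # assumed default systemroot\NTDS
$CompactDir = "C:\NTDS-Compact"      # assumed location for the compacted copy
$KeepDir    = "C:\NTDS-Keep"         # assumed location for the original file

function Invoke-OfflineDefrag {
    # 1. Stop AD DS. Services that depend on it stop as well; remember which
    #    ones were running so they can be started again afterwards.
    $dependents = (Get-Service -Name NTDS).DependentServices |
                  Where-Object { $_.Status -eq 'Running' }
    Stop-Service -Name NTDS -Force

    # 2. Compact the dismounted database into a new file. NTDSUtil takes its
    #    menu commands as quoted arguments; each 'quit' leaves one menu level.
    New-Item -ItemType Directory -Path $CompactDir, $KeepDir -Force | Out-Null
    ntdsutil "activate instance ntds" files "compact to $CompactDir" quit quit
    if (-not (Test-Path "$CompactDir\ntds.dit")) {
        throw "compact did not produce $CompactDir\ntds.dit; AD DS left stopped"
    }

    # 3. Keep the original, swap in the compacted file and delete the old
    #    transaction logs so they are not replayed against the new database.
    Copy-Item "$NtdsPath\ntds.dit" "$KeepDir\ntds.dit" -Force
    Copy-Item "$CompactDir\ntds.dit" "$NtdsPath\ntds.dit" -Force
    Remove-Item "$NtdsPath\*.log" -Force

    # 4. Check the new file before bringing the directory back online.
    #    Assumption: NTDSUtil reports a passing check with the word 'successful'.
    $check = ntdsutil "activate instance ntds" files integrity quit quit
    if (-not ($check -match 'successful')) {
        throw "integrity check failed; put $KeepDir\ntds.dit back before starting NTDS"
    }

    # 5. Start AD DS and the services that were stopped along with it.
    Start-Service -Name NTDS
    $dependents | Start-Service
}

Invoke-OfflineDefrag
```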
Page 10: Locking Down Services on AD DS Domain Controllers
Services required for AD DS to function correctly:
• Minimize the number of server roles and applications installed on domain controllers
• Use the Security Configuration Wizard to lock down the services on a domain controller
Page 11: Lesson 2: Backing Up Active Directory Domain Services
• Introduction to Backing Up AD DS
• Windows Backup Features
• Demonstration: Backing Up AD DS
Page 12: Introduction to Backing Up AD DS
To back up Active Directory, you must back up all critical volumes
Critical volumes include:
• operating system and the Registry
• (Ntds.dit)
• across multiple volumes
Page 13: Windows Backup Features
Windows Server Backup is a Windows Server 2008 feature used to back up and recover the operating system and data
With Windows Server Backup, you can:
• Recover the server without using third-party backup and recovery tools
Page 14: Demonstration: Backing Up AD DS
In this demonstration, you will see how to back up AD DS
Page 15: Lesson 3: Restoring Active Directory Domain Services
• Overview of Restoring AD DS
• What Is a Nonauthoritative AD DS Restore?
• What Is an Authoritative AD DS Restore?
• What Is the Database Mounting Tool?
• Demonstration: Using the Database Mounting Tool
• Reanimating Tombstoned AD DS Objects
Page 16: Overview of Restoring AD DS
Options for restoring Active Directory Domain Services include:
Page 17: What Is a Nonauthoritative AD DS Restore?
A nonauthoritative (normal) AD DS restore returns the directory service to its state at the time that the backup was created
AD DS replication then updates the domain controller with changes that have occurred since the backup was created
Restart the domain controller in Directory Services Restore Mode to perform a nonauthoritative restore:
1. Press F8 when restarting the server and choose Directory Services Restore Mode, or type the command bcdedit /set safeboot dsrepair and restart the server
2. Provide the Directory Services Restore Mode password
Page 18: What Is an Authoritative AD DS Restore?
Authoritative restore is a four-step process:
1. Start the domain controller in DSRM
To mark an object as authoritative, use a command like:
restore subtree "OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com"
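The backup (slides 12-13) and the nonauthoritative and authoritative restore sequence (slides 17-18), driven with wbadmin.exe, bcdedit.exe and NTDSUtil, as an added PowerShell example that is not part of the course material. It assumes E: as the backup target, the OU distinguished name from the slide above, and that Restore-AdSystemState is run after logging on in DSRM with the DSRM password.

```powershell
# Added example, not part of the course material: backup (slides 12-13) and
# nonauthoritative/authoritative restore (slides 17-18) with wbadmin.exe,
# bcdedit.exe and NTDSUtil. Assumptions (labelled): backup target E:, and the
# OU DN from slide 18 (it has no spaces, so no embedded quotes are needed).
$BackupTarget = "E:"
$SubtreeDn    = "OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com"

# Lesson 2: a system state backup captures every critical volume (operating
# system, registry, Ntds.dit and its logs, SYSVOL) wherever those files sit.
function Backup-AdSystemState {
    wbadmin start systemstatebackup -backupTarget:$BackupTarget -quiet
}

# Step 1 (slide 17): boot into DSRM without pressing F8 at the console.
function Enter-Dsrm {
    bcdedit /set safeboot dsrepair
    Restart-Computer -Force
}

# Steps 2-4: run in DSRM after logging on with the DSRM password.
function Restore-AdSystemState {
    param([switch]$Authoritative)

    # Assumption: 'wbadmin get versions' prints one 'Version identifier:' line
    # per backup, oldest first, so the last match is the most recent backup.
    $versions = wbadmin get versions -backupTarget:$BackupTarget |
                Select-String 'Version identifier: (\S+)'
    if (-not $versions) { throw "no system state backup found on $BackupTarget" }
    $latest = $versions[-1].Matches[0].Groups[1].Value

    # Step 2: nonauthoritative restore; replication later overwrites anything
    # in it that changed after the backup was taken.
    wbadmin start systemstaterecovery -version:$latest -quiet

    # Step 3 (authoritative only): raise the version numbers on the subtree so
    # replication partners accept the restored copy instead of overwriting it.
    if ($Authoritative) {
        ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $SubtreeDn" quit quit
    }

    # Step 4: clear the DSRM boot setting and restart normally.
    bcdedit /deletevalue safeboot
    Restart-Computer -Force
}
```

Call Backup-AdSystemState during normal operation, Enter-Dsrm when a restore is needed, and Restore-AdSystemState (with -Authoritative to protect the marked subtree) once logged on in DSRM.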
Page 19: What Is the Database Mounting Tool?
The Database Mounting Tool can be used to:
• providing a means to compare data as it exists in snapshots that are taken at different times
• the Active Directory data that they contain
Page 20: Demonstration: Using the Database Mounting Tool
In this demonstration, you will see how to use the Database Mounting Tool to view deleted AD DS objects
Page 21: Reanimating Tombstoned AD DS Objects
You can reanimate deleted objects manually in AD DS when:
• You do not have current AD DS backups in a domain where user accounts or security groups were deleted
• The deleted object has not yet been scavenged from the Active Directory database
• The deletion occurred in domains that contain only Windows Server 2003 or later domain controllers
To reanimate tombstoned AD DS objects:
• Use LDP.exe to locate the deleted object
• Modify the object's isDeleted attribute and provide a distinguished name
• Enable the object and reconfigure the object attributes
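The three reanimation steps above, performed with the same LDAP search and modify that LDP.exe issues, as an added PowerShell example that is not part of the course material. It assumes a domain controller named nyc-dc1, the domain DC=WoodgroveBank,DC=com, a deleted user CN=Dan Park and OU=Marketing as the container to put the object back into.

```powershell
# Added example, not part of the course material: reanimating a tombstoned
# user with the LDAP operations LDP.exe performs on slide 21, using
# System.DirectoryServices.Protocols. Assumptions (labelled): DC nyc-dc1,
# domain DC=WoodgroveBank,DC=com, deleted user CN=Dan Park, target OU Marketing.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = "System.DirectoryServices.Protocols"
$Dc       = "nyc-dc1"
$DomainDn = "DC=WoodgroveBank,DC=com"
$Cn       = "Dan Park"
$TargetDn = "CN=$Cn,OU=Marketing,$DomainDn"   # where the object is put back

$conn = New-Object "$P.LdapConnection" -ArgumentList $Dc
$conn.Bind()   # current (administrative) credentials

# 1. Locate the tombstone. Tombstones sit under CN=Deleted Objects and are
#    returned only when the Show Deleted control (1.2.840.113556.1.4.417) is sent.
$showDeleted = New-Object "$P.ShowDeletedControl"
$search = New-Object "$P.SearchRequest" -ArgumentList "CN=Deleted Objects,$DomainDn",
    "(&(isDeleted=TRUE)(cn=$Cn*))", ([System.DirectoryServices.Protocols.SearchScope]::OneLevel),
    ([string[]]@("distinguishedName", "lastKnownParent"))
$search.Controls.Add($showDeleted) | Out-Null
$entries = $conn.SendRequest($search).Entries
if ($entries.Count -ne 1) { throw "expected one tombstone for '$Cn', found $($entries.Count)" }
$tombstoneDn = $entries[0].DistinguishedName

# 2. Reanimate: a single modify that deletes isDeleted and replaces
#    distinguishedName, sent with the Show Deleted control as LDP does.
$clearDeleted = New-Object "$P.DirectoryAttributeModification"
$clearDeleted.Name = "isDeleted"
$clearDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
$setDn = New-Object "$P.DirectoryAttributeModification"
$setDn.Name = "distinguishedName"
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$setDn.Add($TargetDn) | Out-Null
$mods = [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@($clearDeleted, $setDn)
$modify = New-Object "$P.ModifyRequest" -ArgumentList $tombstoneDn, $mods
$modify.Controls.Add($showDeleted) | Out-Null
$conn.SendRequest($modify) | Out-Null

# 3. The object comes back disabled; it keeps its SID and sAMAccountName but
#    has lost its password and most other attributes. Set a password, enable
#    it, then repopulate the attributes the tombstone stripped.
$user = [adsi]"LDAP://$Dc/$TargetDn"
$user.Invoke("SetPassword", (Read-Host "New password for $Cn"))
$user.userAccountControl = [int]$user.userAccountControl.Value -band (-bnot 2)  # clear ACCOUNTDISABLE
$user.SetInfo()
```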
Page 22: Lab: Implementing an Active Directory Domain Services Maintenance Plan
• Exercise 1: Maintaining AD DS Domain Controllers
Virtual machines: 6425A-NYC-DC1, 6425A-NYC-DC2
User name: Administrator
Password: Pa$$w0rd
Estimated time: 75 minutes
Page 23: Lab Review
• How could you apply the security policy you created in Exercise 1 to multiple domain controllers? What concerns would you have with doing this?
• Why is a nonauthoritative AD DS restore overwritten by replication? How does an authoritative restore prevent this from happening?
• What is the difference between restoring an AD DS object by undeleting it and just recreating the object?
Page 24: Module Review and Takeaways
• Review questions
• Considerations
• Tools
Page 25: Beta Feedback Tool
• Beta feedback tool helps:
Collect student roster information, module feedback, and course evaluations
Identify and sort the changes that students request, thereby facilitating a quick team triage
Save data to a database in SQL Server that you can later query
• Walkthrough of the tool
Page 26: Beta Feedback
• Overall flow of module:
Which topics did you think flowed smoothly, from topic to topic?
Was something taught out of order?
• Pacing:
Were you able to keep up? Are there any places where the pace felt too slow?
Were you able to process what the instructor said before moving on to the next topic?
Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?
knowledge in your work environment?
Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren't helpful?