Microsoft ® Official Course Module 12 Monitoring, Managing, and Recovering AD DS

Module Overview Monitoring AD DS Managing the AD DS Database AD DS Backup and Recovery Options for AD DS and Other Identity and Access Solutions

Lesson 1: Monitoring AD DS Understanding Performance and Bottlenecks Overview of Monitoring Tools Performance Monitor Data Collector Sets Demonstration: How to Monitor Performance

Understanding Performance and Bottlenecks Key system resources: CPU Disk Memory Network A bottleneck is a resource that is currently at peak utilization

Overview of Monitoring Tools Windows Server 2012 provides the following tools to help with monitoring performance issues: Task Manager Resource Monitor Event Viewer Performance Monitor

You can use Performance Monitor to view current performance statistics or historical data gathered by using data collector sets

Data Collector Sets You can use data collector sets to gather performance-related information Data collector sets can contain the following types of data collectors: Performance counters Event trace data System configuration information

Demonstration: How to Monitor Performance In this demonstration, you will see how to: Create a data collector set Create a disk load on the server Analyze the resulting data in a report

Lab A: Monitoring AD DS Exercise 1: Monitoring AD DS with Performance Monitor Logon Information Virtual machine:10969A-LON-DC1 User name:Adatum\Administrator Password:Pa$$w0rd Estimated Time: 40 minutes

Lab Scenario Last month, the only domain controller in the Cambridge branch office failed. You now are required to monitor AD DS to help identify problems before they become critical.

Lab Review When analyzing the performance of a domain controller, aside from the AD DS–specific counters in Performance Monitor, what other factors can influence domain controller performance?

Lesson 2: Managing the AD DS Database Overview of the AD DS Database Managing the Database with NtdsUtil.exe Restartable AD DS Demonstration: Performing Database Management Managing AD DS Snapshots

Overview of the AD DS Database The AD DS database holds all domain-based information in four or more partitions AD DS Database Domain Controller Schema Partition Application Partitions (optional) Configuration Partition Domain Partition

Managing the Database with NtdsUtil.exe Manage and control single master operations Perform AD DS database maintenance: Perform offline defragmentation Create and mount snapshots Move database files Clean domain controller metadata: Domain controller removal or demotion while not connected to domain Reset Directory Services Restore Mode: password set dsrm

Restartable AD DS Use the Services console to start or stop AD DS Three states of AD DS: AD DS Started AD DS Stopped Directory Services Restore Mode It is not possible to perform a system state restore while AD DS is in Stopped state

Demonstration: Performing Database Management In this demonstration, you will see how to: Stop AD DS Perform an offline defragmentation of the AD DS database Check the integrity of the AD DS database Start AD DS

Managing AD DS Snapshots Create a snapshot of AD DS with NTDSUtil Mount the snapshot with NTDSUtil Expose the snapshot: Right-click the root node of Active Directory Users and Computers, then and choose Connect to Domain Controller Enter serverFQDN:port View read-only snapshot: Cannot directly restore data from the snapshot Recover data: Connect to the mounted snapshot, and then export/reimport objects’ attributes with LDIFDE Restore a backup from the same date as the snapshot Manually reenter data

Lesson 3: AD DS Backup and Recovery Options for AD DS and Other Identity and Access Solutions Reanimating Deleted Objects Configuring the Active Directory Recycle Bin Demonstration: Implementing the Active Directory Recycle Bin Backup Technologies Backup and Recovery Tools AD DS Backup and Recovery Backup Options for AD CS Backup Options for AD RMS Backup Options for AD FS

Reanimating Deleted Objects Deleted objects are recovered through tombstone reanimation When an object is deleted, most of its attributes are cleared Authoritative restore requires AD DS downtime Live Tombstoned Physically Deleted Garbage Collection Delete Reanimate Tombstone/ Authoritative Restore

Configuring the Active Directory Recycle Bin Active Directory Recycle Bin provides a way to restore deleted objects without AD DS downtime Uses Active Directory module for Windows PowerShell or the Active Directory Administrative Center to restore objects Live Deleted Garbage Collection Delete Undelete/ Authoritative Restore Recycled Recycle Physically Deleted Object Lifetime Recycled Object Lifetime

Demonstration: Implementing the Active Directory Recycle Bin In this demonstration, you will see how to: Enable the Active Directory Recycle Bin Create and then delete test accounts Restore deleted accounts

Backup Technologies The VSS backup technology solves data consistency issues by creating shadow copies You can use streaming backups for older applications that are not VSS-aware

Backup and Recovery Tools Windows Server Backup Windows Azure Online Backup Data Protection Manager

AD DS Backup and Recovery Nonauthoritative or normal restore: Restore domain controller to previously known good state Domain controller updates by using standard replication from partners Authoritative restore: Restore domain controller to previously known good state Mark objects that you want to be authoritative Domain controller updates from its up-to-date-partners Domain controller sends authoritative updates to its partners Full server restore: Typically performed in Windows Recovery Environment Alternate location restore

Backup Options for AD CS Windows Server Backup CA Certutil.exe Tool DPM C:/

Backup Options for AD RMS Back up private keys and certificates Ensure that the AD RMS database is backed up regularly Export templates to back them up Run AD RMS server as a virtual machine, and perform full server backup

Backup Options for AD FS %systemdrive%\ADFS System state Servers running AD FS components must be backed up based on the information in the following table: ComponentsFiles to back up Federation Service TrustPolicy.xml file Web.config and other files under %SystemRoot%\ADFS System state Custom transform module (.dll) and related files Applicationhost.config Web Application Proxy Web.config and other files under %SystemRoot%\ADFS System state Applicationhost.config AD FS Web Agent %SystemRoot%\ADFS System state

Lab B: Recovering Objects in AD DS Exercise 1: Backing up and Restoring AD DS Exercise 2: Recovering Objects in AD DS Logon Information Virtual machines: 10969A-LON-DC A-LON-DC2 User name:Adatum\Administrator Password:Pa$$w0rd Estimated Time: 60 minutes

Lab Scenario You were notified yesterday that one user account was deleted by accident. A few days ago, additional user accounts were deleted accidentally. You want to recover these accounts. It is your responsibility to ensure that the directory service is backed up. Today, you noticed that last night's backup did not run as scheduled. You therefore decided to perform an interactive backup. Shortly after the backup, a domain administrator accidentally deletes the IT OU. You must recover this OU.

Lab Review When you restore a deleted user, or an OU with user objects, by using authoritative restore, will the objects be exactly the same as before? Which attributes might not be the same? In the lab, would it be possible to restore these deleted objects if they were deleted before Active Directory Recycle Bin has been enabled?

Module Review and Takeaways Review Question