Course 6425A, Module 9: Implementing an Active Directory Domain Services Maintenance Plan

Slide 1: Module 9: Implementing an Active Directory Domain Services Maintenance Plan
Presentation: 55 minutes
Lab: 75 minutes

This module helps students implement an Active Directory® Domain Services (AD DS) maintenance plan. After completing this module, students will be able to:
• Maintain the AD DS domain controllers
• Back up Active Directory Domain Services
• Restore Active Directory Domain Services

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 6425A_09.ppt.

Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, not all the features of the slides might be displayed correctly.

Preparation tasks
To prepare for this module:
• Read all of the materials for this module.
• Complete the practices.

This section contains information that will help you to teach this module. For some topics in this module, references to additional information appear in notes at the end of the topics. Read the additional information so that you can prepare to teach the module. During class, ensure that students are aware of the additional information.
Slide 2: Module Overview
• Maintaining the AD DS Domain Controllers
• Backing Up Active Directory Domain Services
• Restoring Active Directory Domain Services
Slide 3: Lesson 1: Maintaining the AD DS Domain Controllers
• The Active Directory Domain Services Database and Log Files
• How the AD DS Database Is Modified
• Managing the Active Directory Database Using the NTDSUtil Tool
• What Is an AD DS Database Defragmentation?
• What Are Restartable Active Directory Domain Services?
• Demonstration: Performing AD DS Database Maintenance Tasks
• Locking Down Services on an AD DS Domain Controller
Slide 4: The Active Directory Domain Services Database and Log Files

File                                Description
Ntds.dit                            Is the Active Directory database file. Stores all Active Directory objects on the domain controller. Uses the default location systemroot\NTDS folder.
Edb*.log                            Is a transaction log file. Uses the default transaction log file Edb.log.
Edb.chk                             Is a checkpoint file. Tracks data not yet written to the Active Directory database file.
edbres00001.jrs, edbres00002.jrs    Are the reserved transaction log files.

Speaker notes: Open Windows Explorer and browse to the C:\Windows\NTDS folder. Point out the files in the folder as you discuss each of the files. Stress that log files will always be exactly 10 megabytes (MB) in size. Discuss the role of the reserved log files. If students are familiar with previous Active Directory versions, mention that the edbres00001.jrs and edbres00002.jrs files were called res1.log and res2.log in previous versions.

Reference: How the Data Store Works
Slide 5: How the AD DS Database Is Modified

Slide diagram: Write request → Write to the transaction buffer → Write to the transaction log file (Edb.log) → Write to the database on disk (Ntds.dit) → Commit the transaction → Update the checkpoint (Edb.chk)

Speaker notes: Describe how the files that the slide lists are used when data is committed to the database. The basic data modification process consists of six steps:
• The write request initiates a transaction.
• Active Directory writes the transaction to the transaction buffer in memory.
• Active Directory secures the transaction in the transaction log.
• Active Directory writes the transaction from the buffer to the database.
• Active Directory compares the database and log files to ensure that the transaction was committed to the database.
• Active Directory updates the checkpoint file.

Question: What other Microsoft services use a transactional model for making database changes? How does the AD DS model compare to these other services?
Answer: Both Microsoft Exchange Server and Microsoft SQL Server™ use the transaction model. The model is very similar in all cases, although some details, such as the size of the transaction logs, vary. For example, in Exchange Server 2007, the transaction logs are only 1 MB in size.

Reference: How the Data Store Works
Slide 6: Managing the Active Directory Database Using the NTDSUtil Tool

Ntdsutil.exe is a command-line tool used to manage some Active Directory components. Use Ntdsutil.exe to:
• Perform Active Directory database maintenance
• Manage and control single master operations
• Move the Active Directory database files
• Remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled
Type HELP at any NTDSUtil prompt for context-sensitive help.

Speaker notes: Describe what NTDSUtil is and describe some of the scenarios where you can use it. Consider opening a command prompt and starting the NTDSUtil tool. Show how to access help and how to move between different contexts within NTDSUtil. Review the NTDSUtil commands.

Question: You have forgotten the Directory Services Restore Mode password for your domain controller. How can you recover the password?
Answer: You cannot recover the password, but by using the Set DSRM Password command in NTDSUtil, you can configure a new password for this account.

References: NTDSUtil Help; Data Store Tools and Settings
Slide 7: What Is an AD DS Database Defragmentation?

• Active Directory performs online database defragmentation automatically every 12 hours
• Online defragmentation optimizes data storage in the database and reclaims space in the directory for new objects, but does not reduce the size of the database file
• Offline defragmentation creates a new, compacted version of the database file
• The new file may be considerably smaller, depending on how fragmented the original database file was
• Use the NTDSUtil command-line tool to perform offline defragmentation on a dismounted database

Speaker notes: Describe the difference between online and offline defragmentation. Highlight that online defragmentation happens automatically and does not disrupt normal access to Active Directory. Offline defragmentation requires that the administrator take the database offline and run the NTDSUtil tool. Mention that offline defragmentation does not normally need to be performed. The scenarios where students may choose to run an offline defragmentation include:
• After removing the global catalog from a server
• After removing a large number of objects from the domain
• After converting from Active Directory-integrated Domain Name System (DNS) to standard DNS

Question: How often will you need to perform an offline defragmentation of the AD DS databases in your environment?
Answer: Most organizations will have to perform an offline defragmentation only when they need to optimize the database usage. In general, you will do this only when the amount of data that you are storing in the AD DS database on a domain controller decreases significantly.

Reference: Data Store Tools and Settings
Slide 8: What Are Restartable Active Directory Domain Services?

Restartable AD DS allows administrators to stop Active Directory Domain Services without stopping any other services.
Use restartable AD DS when:
• Applying updates that modify Active Directory service files on a domain controller
• Performing tasks such as offline defragmentation of the Active Directory database
Directory Services Restore Mode must still be used to restore the Active Directory database.

Speaker notes: There are three possible states for a domain controller running Windows Server® 2008:
• AD DS Started. In this state, AD DS is started. For clients and other services running on the server, a Windows Server “Longhorn” domain controller running in this state is the same as a domain controller running Windows 2000 Server or Windows Server 2003.
• AD DS Stopped. In this state, AD DS is stopped. Although this mode is unique, the server has some characteristics of both a domain controller in Directory Services Restore Mode and a domain-joined member server. As with Directory Services Restore Mode, the Active Directory database (Ntds.dit) is offline. Also, you can use the Directory Services Restore Mode password to log on locally if another domain controller cannot be contacted. As with a member server, the server is joined to the domain. Also, users can log on interactively or over the network by using another domain controller for domain logon. However, a domain controller should not remain in this state for an extended time because in this state it cannot service logon requests or replicate with other domain controllers.
• Directory Services Restore Mode. This mode (or state) is unchanged from Windows Server 2003.

Reference: Windows Server 2008 Technical Library
Slide 9: Demonstration: Performing AD DS Database Maintenance Tasks

In this demonstration, you will see how to:
• Start and stop the AD DS service
• Move the AD DS database to a different drive using NTDSUtil
• Use NTDSUtil and the AD DS Stopped state for an offline defragmentation

To complete this demonstration, you must have the NYC-DC1 virtual machine running.

Demonstration steps
To stop or start the AD DS service:
1. Click Start, click Admin Tools, and then click Services.
2. Right-click Active Directory Domain Services and then select Stop from the context menu.
3. In the Also stop the following services dialog box, click Yes.

To perform an offline defragmentation of the AD DS database while in the AD DS Stopped state:
1. Click Start, click Run, type CMD, and then press ENTER.
2. In the command window that appears, type ntdsutil and then press ENTER.
3. At the ntdsutil: prompt, type Activate Instance NTDS and then press ENTER.
4. At the ntdsutil: prompt, type files and then press ENTER.
5. At the file maintenance: prompt, type compact to drive:\LocalDirectoryPath (where drive:\LocalDirectoryPath is the path to a location on the local computer) and then press ENTER.
6. Once complete, copy the ntds.dit file in the compact directory to C:\Windows\NTDS\ntds.dit and delete the old log files by typing del C:\Windows\NTDS\*.log in a command window.
7. At the file maintenance: prompt, type integrity to check the integrity of the new compacted database.
8. Once complete, if you want to specify a new location in which to store the database, such as a different spindle, at the file maintenance: prompt type move db to pathname and press ENTER. The ntds.dit file is moved to the new location and permissions are set accordingly.
9. In the Services console, right-click Active Directory Domain Services and then click Start.

Questions
Why is it necessary to stop AD DS before defragmenting?
Answer: The database needs to be closed completely before it can be overwritten. An online database may have locked records that are being written to, preventing file modification.
Why is it necessary to compact the database to a temporary directory first?
Answer: Compacting the database actually creates a contiguous copy, which will be used to overwrite the fragmented original.

Reference: Data Store Tools and Settings
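The demonstration above is typed at the NTDSUtil prompts. The following PowerShell script is an added example, not part of the course materials, that performs the same offline defragmentation non-interactively and adds the checks an administrator would want: it keeps a copy of the original database and logs, refuses to bring AD DS back up if the integrity check fails, and reports the space reclaimed. The directory paths and the assumption that ntdsutil.exe returns a non-zero exit code on failure are mine; run it in an elevated session on the domain controller.

```powershell
# Added example: offline defragmentation using the AD DS Stopped state and Ntdsutil.
# Paths are assumptions; adjust to your environment.
$ntdsDir    = "C:\Windows\NTDS"                                   # default database location
$compactDir = "C:\NTDS-Compact"                                   # temporary target for the compacted copy
$backupDir  = "C:\NTDS-Backup-$(Get-Date -Format yyyyMMdd-HHmmss)"  # copy of the original files

# 1. Stop AD DS. -Force also stops the dependent services (KDC, DNS Server, DFS, FRS, ISM),
#    which is what the "Also stop the following services" dialog box does in the demonstration.
Stop-Service -Name NTDS -Force
if ((Get-Service -Name NTDS).Status -ne 'Stopped') { throw 'AD DS did not stop; aborting.' }

# 2. Keep a copy of the original database and transaction logs so the operation can be undone.
New-Item -ItemType Directory -Path $backupDir, $compactDir -Force | Out-Null
Copy-Item -Path (Join-Path $ntdsDir 'ntds.dit') -Destination $backupDir
Copy-Item -Path (Join-Path $ntdsDir '*.log')    -Destination $backupDir

# 3. Compact into the temporary directory. These are the same commands as the demonstration,
#    passed to ntdsutil as arguments instead of typed at its prompts.
#    Assumption: ntdsutil's exit code is non-zero when the compaction fails; read its output too.
& ntdsutil.exe "activate instance ntds" files "compact to $compactDir" quit quit
if ($LASTEXITCODE -ne 0) { Start-Service -Name NTDS; throw "ntdsutil compact failed ($LASTEXITCODE)." }

# 4. Swap the compacted file in and delete the old transaction logs, which belong to the old file.
Copy-Item -Path (Join-Path $compactDir 'ntds.dit') -Destination (Join-Path $ntdsDir 'ntds.dit') -Force
Remove-Item -Path (Join-Path $ntdsDir '*.log')

# 5. Verify the new database before bringing AD DS back. Never start AD DS on a database that
#    fails the integrity check; put the files from $backupDir back instead.
& ntdsutil.exe "activate instance ntds" files integrity quit quit
if ($LASTEXITCODE -ne 0) { throw "Integrity check failed; restore ntds.dit and the logs from $backupDir." }

# 6. Restart AD DS and the services that were stopped with it.
Start-Service -Name NTDS
'Kdc', 'DNS', 'Dfs', 'NtFrs', 'IsmServ' | ForEach-Object { Start-Service -Name $_ -ErrorAction SilentlyContinue }

# 7. Report the result of the compaction.
$before = (Get-Item (Join-Path $backupDir 'ntds.dit')).Length
$after  = (Get-Item (Join-Path $ntdsDir   'ntds.dit')).Length
'ntds.dit: {0:N0} bytes before, {1:N0} bytes after' -f $before, $after
```

The script keeps the database in place rather than using move db; if you also want to relocate it to another spindle, run the move db command from step 8 of the demonstration between steps 5 and 6 above, while AD DS is still stopped.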
Slide 10: Locking Down Services on AD DS Domain Controllers

Services required for AD DS to function correctly:
• Distributed File System
• DNS Server
• File Replication Service
• Kerberos Key Distribution Center
• Intersite Messaging
• Remote Procedure Call (RPC) Locator

• Minimize the number of server roles and applications installed on domain controllers
• Use the Security Configuration Wizard to lock down the services on a domain controller

Speaker notes: Stress that one of the critical components when securing domain controllers is to minimize the number of services and applications running on the domain controller. One option for ensuring that only the required services are running is to use the Security Configuration Wizard (SCW). If students are not familiar with the SCW, spend some time explaining how it works. Consider starting the wizard and showing the Security Configuration Wizard configuration database, pointing out the services that the Active Directory Domain Services role requires.

Reference: MS Help: Security Configuration Database
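Before applying an SCW policy it helps to know which automatically started services on a domain controller fall outside the set the slide names. The script below is an added example, not part of the course, that reports those services for review and flags any required service that is not set to start automatically. The service short names are my mapping of the slide's display names, and the list is a starting point for review, not a complete allow-list: the operating system needs many more services than AD DS alone does, so nothing reported here should be disabled without checking it against the SCW configuration database.

```powershell
# Added example: review auto-start services on a domain controller against the
# services the slide lists as required for AD DS.
$requiredForAdds = @{
    'NTDS'       = 'Active Directory Domain Services'
    'Dfs'        = 'Distributed File System'
    'DNS'        = 'DNS Server'
    'NtFrs'      = 'File Replication Service'
    'Kdc'        = 'Kerberos Key Distribution Center'
    'IsmServ'    = 'Intersite Messaging'
    'RpcLocator' = 'Remote Procedure Call (RPC) Locator'
}

function Get-DcServiceReview {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Win32_Service exposes StartMode on Windows Server 2008, where Get-Service does not.
    $services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName

    # A required service that is not Automatic is a misconfiguration on a domain controller.
    $missing = $services | Where-Object {
        $requiredForAdds.ContainsKey($_.Name) -and $_.StartMode -ne 'Auto'
    }

    # Every other auto-start service is a candidate to examine with the SCW.
    $review = $services | Where-Object {
        $_.StartMode -eq 'Auto' -and -not $requiredForAdds.ContainsKey($_.Name)
    }

    New-Object PSObject -Property @{
        ComputerName      = $ComputerName
        RequiredNotAuto   = @($missing | Select-Object -ExpandProperty Name)
        AutoStartToReview = @($review | Sort-Object Name | Select-Object Name, DisplayName, State)
    }
}

$result = Get-DcServiceReview
if ($result.RequiredNotAuto.Count -gt 0) {
    Write-Warning ('Required AD DS services not set to Automatic: ' + ($result.RequiredNotAuto -join ', '))
}
"Auto-start services to review on $($result.ComputerName):"
$result.AutoStartToReview | Format-Table -AutoSize
```

Run it against each domain controller (the -ComputerName parameter of the function) and keep the output with the SCW policy so later drift can be compared against the baseline.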
Slide 11: Lesson 2: Backing Up Active Directory Domain Services
• Introduction to Backing Up AD DS
• Windows Backup Features
• Demonstration: Backing Up AD DS
Slide 12: Introduction to Backing Up AD DS

To back up Active Directory, you must back up all critical volumes. Critical volumes include:
• The system volume: the volume that hosts the boot files
• The boot volume: the volume that hosts the Windows operating system and the registry
• The volume that hosts the SYSVOL tree
• The volume that hosts the Active Directory database (Ntds.dit)
• The volume that hosts the Active Directory database log files
All of these files may be stored in a single volume or distributed across multiple volumes.

Speaker notes: Mention that backing up Active Directory Domain Services in Windows Server 2008 is different than it was in previous Active Directory versions, in which you could back up just the system state information. In Windows Server 2008, you must back up all of the files on the critical volumes.

In Windows Server 2008, the system components that make up system state data depend on the server roles that are installed on the computer, and on which volumes host the critical files that the operating system and the installed roles use. System state data includes at least the following, plus additional data depending on the server roles that are installed:
• Registry
• COM+ Class Registration database
• Boot files, as described earlier in this topic
• Active Directory Certificate Services database
• Active Directory Domain Services database
• SYSVOL directory
• Cluster service information
• Microsoft Internet Information Services (IIS) metadirectory
• System files that are under Windows Resource Protection

Mention that because you have to back up entire volumes to back up AD DS, it is a best practice to dedicate disk volumes to the critical volumes. For example, data should not be stored on the system volume, as this will increase the backup's size and increase the time it takes to restore the server.

Question: What other process could you use to back up the system state data on a domain controller?
Answer: You could do a full server backup.

References: Active Directory Domain Services Help: Help prepare for disaster recovery by performing routine backups of the Active Directory database; Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery
Slide 13: Windows Backup Features

Windows Server Backup is a Windows Server 2008 feature used to back up and recover the operating system and data. With Windows Server Backup, you can:
• Recover the server without using third-party backup and recovery tools
• Perform manual or automatic backups
• Back up an entire server or selected volumes
• Recover items or entire volumes
• Use DVDs or CDs as backup media
Windows Server Backup does not support backing up individual files or directories, only entire volumes.

Speaker notes: Mention that Windows Server Backup is not installed by default. You must install it by using Add Features in Server Manager before you can use the Wbadmin.exe command-line tool or Backup in Administrative Tools.

Windows Server 2008 supports the following backup types:
• Manual backup. A member of the Administrators group or the Backup Operators group can initiate a manual backup at any time. If the target volume is not included in the backup set, you can make manual backups on a remote network share or on a volume on a local hard drive.
• Scheduled backup. A member of the Administrators group can use Windows Server Backup or the Wbadmin.exe command-line tool to schedule backups. The scheduled backups must be made on a local, physical drive that does not host any critical volumes. Because scheduled backups reformat the target drive that hosts the backup files, you should have a dedicated backup volume.

Windows Server Backup supports DVDs or CDs as backup media. You cannot use magnetic tape cartridges or a dynamic volume as a backup target.

Reference: Windows Technical Library
Slide 14: Demonstration: Backing Up AD DS

In this demonstration, you will see how to back up AD DS.

To complete this demonstration, you must have the NYC-DC1 virtual machine running.

Demonstration steps
1. From the Start menu, select Admin Tools, and then select Backup.
2. In the Backup console, under the Actions pane, click Backup Schedule to create a scheduled backup.
3. Follow the wizard's prompts to specify the type (Full or Custom; by default the system volume is always backed up with scheduled backups), the backup time (once per day or multiple times per day), and the target disk, then view the summary and confirm.
4. The Backup Once option beneath the Actions pane offers manual backup capabilities. You can deselect the system volume from the backup items or specify that you want to be able to perform a system recovery using this backup.
5. The location type screen shows that you can select local disks, DVD, or a remote shared folder (network backup). Select the location for the backup, view the summary, and proceed with the backup.

Questions
Why should backups be scheduled?
Answer: To help automate tasks as much as possible.
How often should a full backup be performed? How often should an incremental or differential backup be performed?
Answer: Answers will vary. It depends on how much work an organization can afford to lose, though this must be balanced against the practical limits of trying to back up too often. Many organizations perform a full backup once a week, with either incremental or differential backups daily.

Reference: Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery
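The demonstration drives the Backup console. The same on-demand and scheduled backups can be made with the Wbadmin.exe tool that slide 13 mentions; the script below is an added example, not from the course, and it makes explicit the checks the wizard performs silently: the target must be a local drive, must not be the system volume, and must not host the AD DS database, because a scheduled backup reformats its target. The target drive letter, schedule time and the disk identifier placeholder are assumptions; Windows Server Backup must be installed first.

```powershell
# Added example: critical-volume backups of a domain controller with Wbadmin.exe.
function Test-BackupTarget {
    param([string]$Drive)   # a local drive letter such as 'E:'

    if ($Drive -eq $env:SystemDrive) { throw "$Drive is the system volume and cannot be a backup target." }
    if (-not (Test-Path "$Drive\"))   { throw "$Drive is not present on this computer." }

    # The NTDS service parameters record where Ntds.dit lives; that volume is critical too.
    $dsaFile   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    $ntdsDrive = Split-Path -Qualifier $dsaFile
    if ($Drive -eq $ntdsDrive) { throw "$Drive hosts the AD DS database and is a critical volume." }
    return $true
}

$target = 'E:'                     # assumption: a dedicated local backup drive
Test-BackupTarget -Drive $target | Out-Null

# On-demand backup of every critical volume (system, boot, SYSVOL, Ntds.dit and its logs).
# -allCritical selects those volumes; -quiet suppresses the confirmation prompt.
& wbadmin.exe start backup -backupTarget:$target -allCritical -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin start backup failed with exit code $LASTEXITCODE" }

# The version identifiers listed here are what a later system state recovery refers to.
& wbadmin.exe get versions -backupTarget:$target

# Scheduled daily backup at 21:00 to a dedicated disk. The disk is addressed by the
# identifier that "wbadmin get disks" prints; that disk will be reformatted, so it must
# hold nothing else. The value below is a placeholder, not a real identifier.
$dedicatedDiskId = '{00000000-0000-0000-0000-000000000000}'   # placeholder: copy from wbadmin get disks
& wbadmin.exe enable backup -addtarget:$dedicatedDiskId -schedule:21:00 -allCritical -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin enable backup failed with exit code $LASTEXITCODE" }
```

The -allCritical switch is the command-line equivalent of the Full type in the Backup Schedule wizard; -include with explicit volumes corresponds to Custom.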
Slide 15: Lesson 3: Restoring Active Directory Domain Services
• Overview of Restoring AD DS
• What Is a Nonauthoritative AD DS Restore?
• What Is an Authoritative AD DS Restore?
• What Is the Database Mounting Tool?
• Demonstration: Using the Database Mounting Tool
• Reanimating Tombstoned AD DS Objects
Slide 16: Overview of Restoring AD DS

Options for restoring Active Directory Domain Services include:
• Normal restore
• Authoritative restore
• Full server restore
• Alternate location restore

Speaker notes: Discuss the following options for restoring AD DS:
• Normal restore. Use this method to reinstate the Active Directory data to its state before the backup and then update the data through the normal replication process. Perform a normal restore only when you want to restore a single domain controller to a previously known good state.
• Authoritative restore. Use this method in conjunction with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated throughout the domain. Perform an authoritative restore to restore individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup.
• Full server restore. Use this method to restore a failed domain controller. Full server restore performs a bare metal restoration of the system and data volumes to a point in time prior to the failure. A full server recovery recovers every server volume. Backup reformats and repartitions all disks that are attached to the server. Use this scenario if you want to recover onto new hardware or if all other attempts to recover the server on the existing hardware have failed.
• Alternate location restore. Use this method to install new domain controllers. For more information about alternate location restore, see 6429A: Configuring Windows Server 2008 Active Directory Domain Services, Module 1: Installing Active Directory® Domain Services.

Reference: Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery
Slide 17: What Is a Nonauthoritative AD DS Restore?

A nonauthoritative or normal AD DS restore returns the directory service to its state at the time that the backup was created. AD DS replication then updates the domain controller with changes that have occurred since the backup was created.

Restart the domain controller in Directory Services Restore Mode to perform a nonauthoritative restore:
1. Press F8 when restarting the server and choose Directory Services Restore Mode, or type the command bcdedit /set safeboot dsrepair and restart the server.
2. Provide the Directory Services Restore Mode password.

Speaker notes: Stress that the nonauthoritative restore does not restore deleted Active Directory information unless the domain controller is the only one in the domain. When performing a nonauthoritative restore, AD DS replication replicates changes (including the deletion) to the domain controller when it reboots after the restore is complete.

To restart the domain controller in disaster-recovery mode, you can:
1. After the boot option menu appears, press F8, and then select the option for DSRM.
-or-
2. Open a command prompt, type the following command, and press ENTER:
bcdedit /set safeboot dsrepair
Then, type the following command and press ENTER:
shutdown -t 0 -r

To restart the server normally after you perform the restore operation, type the following command and then press ENTER:
bcdedit /deletevalue safeboot

Administrative credentials: You can log on to the domain controller that you are restoring by using the DSRM password, either locally or remotely. You specify the DSRM password when you install AD DS.

Question: What would happen if you did not enter the second bcdedit command after restoring the AD DS database?
Answer: The domain controller would restart in DSRM again. You must remove this switch in order to boot into normal mode.

Reference: Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery
Slide 18: What Is an Authoritative AD DS Restore?

Authoritative restore provides a method to recover objects and containers that have been deleted from AD DS. Authoritative restore is a four-step process:
1. Start the domain controller in DSRM
2. Restore the desired backup, which is typically the most recent backup
3. Use Ntdsutil.exe to mark the desired objects, containers, or partitions as authoritative
4. Restart the domain controller in normal mode to replicate the changes

To mark an object as authoritative, use a command like:
restore subtree “OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com”

Speaker notes: To perform an authoritative restore of Active Directory objects, you must first perform a nonauthoritative restore. However, you must not restart the domain controller normally following the nonauthoritative restore procedure.

When an object is marked for authoritative restore, its version number is changed so that it is higher than the (deleted) object's existing version number in the Active Directory replication system. This change ensures that any data that you restore authoritatively is replicated from the restored domain controller to other domain controllers in the forest.

To mark a subtree or individual object authoritative:
1. In Directory Services Restore Mode, click Start, click Run, type ntdsutil, and then press ENTER.
2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
3. To restore a subtree or individual object, type one of the following commands, as appropriate, and then press ENTER:
   To restore a subtree (for example, an organizational unit and all child objects): restore subtree DistinguishedName
   To restore a single object: restore object DistinguishedName
4. Click Yes in the message box to confirm the command.

For example, if you want to restore a deleted organizational unit named Marketing NorthAm in the corp.contoso.com domain, type:
restore subtree “OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com”
(Always enclose the distinguished name in quotes when there is a space or other special character within the distinguished name.)

References: Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery; Performing an Authoritative Restore of Active Directory Objects
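Slides 17 and 18 describe one procedure in two halves: boot into DSRM, restore the backup nonauthoritatively, optionally mark a subtree authoritative, and boot normally again. The script below is an added example, not part of the course, that strings those commands together in PowerShell with bcdedit, Wbadmin.exe and Ntdsutil. It necessarily runs in two parts across a reboot. The backup target, the backup version identifier (taken from wbadmin get versions) and the distinguished name are assumptions; the refusal to run the system state recovery outside DSRM is a guard I added.

```powershell
# Added example: nonauthoritative restore of AD DS followed by an authoritative
# restore of one subtree. Values marked as placeholders must be replaced.

# ---- Part 1: run in the normal state, then reboot into Directory Services Restore Mode ----
& bcdedit.exe /set safeboot dsrepair
if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; not rebooting.' }
& shutdown.exe -t 0 -r

# ---- Part 2: run after logging on in DSRM with the DSRM administrator password ----
$backupTarget   = 'E:'                        # where the critical-volume backup lives (assumption)
$version        = '01/15/2008-21:00'          # placeholder MM/DD/YYYY-HH:MM from "wbadmin get versions"
$restoreSubtree = 'OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com'   # the OU from slide 18

# Guard: a system state recovery must run with the AD DS database offline, so stop here
# unless the current boot entry really carries the DsRepair safeboot flag.
$safeboot = & bcdedit.exe /enum '{current}' | Select-String '^safeboot'
if (-not $safeboot -or ($safeboot -notmatch 'DsRepair')) { throw 'Not booted into DSRM; aborting.' }

# Nonauthoritative restore: AD DS returns to its state at the time of the backup.
& wbadmin.exe start systemstaterecovery -version:$version -backupTarget:$backupTarget -quiet
if ($LASTEXITCODE -ne 0) { throw "System state recovery failed ($LASTEXITCODE)." }

# Authoritative restore: raise the version numbers of the restored subtree so replication
# from other domain controllers does not overwrite it. Omit this block for a plain
# nonauthoritative restore. Ntdsutil still shows its confirmation message box; click Yes.
# The DN here contains no spaces; if yours does, type the command at the ntdsutil prompt
# with the DN in quotes, as slide 18 shows, rather than passing it as an argument.
& ntdsutil.exe "authoritative restore" "restore subtree $restoreSubtree" quit quit
if ($LASTEXITCODE -ne 0) { throw "ntdsutil authoritative restore failed ($LASTEXITCODE)." }

# Clear the DSRM boot flag so the next restart is a normal boot. Without this the domain
# controller comes back in DSRM again (the question on slide 17).
& bcdedit.exe /deletevalue safeboot
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /deletevalue failed; the server would restart in DSRM again.' }
& shutdown.exe -t 0 -r
```

After the final restart, confirm on a second domain controller that the restored subtree replicated in; that inbound change is the observable difference between an authoritative restore and a nonauthoritative one, where replication would instead re-delete the objects.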
Slide 19: What Is the Database Mounting Tool?

The Database Mounting Tool can be used to:
• Create and view snapshots of data that is stored in AD DS
• Improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times
• Eliminate the need to restore multiple backups to compare the Active Directory data that they contain
• View, but not restore, deleted objects and containers

Speaker notes: Describe a scenario where the Database Mounting Tool may be useful. For example, if a user account was deleted several weeks ago, but you are not sure which backup of Active Directory has the most recent information about it, you can view the snapshots of Active Directory to see when the account was last available in Active Directory. Then you can restore the backup of Active Directory from that date. In another example, if a Group Policy object is modified accidentally, you can use the Database Mounting Tool to examine the changes and help you better decide how to correct them if necessary.

The Database Mounting Tool does not actually recover the deleted objects and containers. The administrator must perform data recovery as a subsequent step.

You can use a Lightweight Directory Access Protocol (LDAP) tool such as Ldp.exe, which is built into Windows Server 2008, to view the data that the snapshots expose. This data is read-only, and by default only members of the Domain Admins and Enterprise Admins groups are allowed to view the snapshots because they contain sensitive AD DS data. To create a snapshot, you must be a member of the Enterprise Admins group or the Domain Admins group, or you must have been delegated the appropriate permissions.

Mention that, as a best practice, administrators should schedule a task that regularly runs Ntdsutil.exe to take snapshots of the volume that contains the AD DS or AD LDS database.

References: AD DS: Database Mounting Tool; Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 Beta 3
Slide 20: Demonstration: Using the Database Mounting Tool

In this demonstration, you will see how to use the Database Mounting Tool to view deleted AD DS objects.

To complete this demonstration, you must have the NYC-DC1 virtual machine running.

Demonstration steps: Use the step-by-step guide in the resources to determine the individual procedures to create a snapshot, delete an object (a user, perhaps), mount the snapshot with Ntdsutil, and use LDP or ADSI Edit to view the deleted object in the snapshot.

Questions
When would it be useful to mount multiple snapshots simultaneously?
Answer: When an object is deleted from Active Directory accidentally and you are unsure which backup to restore. You can mount multiple snapshots and browse them simultaneously for the deleted object.
Why is it necessary to specify different LDAP, SSL, and global catalog ports for each mounted instance of the database?
Answer: Because each snapshot will act as a separate LDAP server, the ports must be unique on the computer. For example, if an administrator mounts three snapshots, you must specify 12 unique ports (four for each instance).

Reference: Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 Beta 3
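The demonstration refers to the step-by-step guide for the individual procedures. The script below is an added example, not part of the course or the guide, that carries out the whole sequence from slides 19 and 20: it takes a snapshot with Ntdsutil, mounts it, exposes the snapshot's copy of Ntds.dit through Dsamain.exe on four ports, searches it for a deleted user with a tombstone-aware LDAP query, and unmounts it afterwards. It also checks up front that the four ports are free, which is the point of the second question above. The port numbers, domain, user name and the assumption that only one snapshot exists on the server are mine.

```powershell
# Added example: snapshot, mount, query and unmount with the Database Mounting Tool.
$domainDn  = 'DC=WoodgroveBank,DC=com'                 # assumption
$ldapPort  = 51389; $sslPort = 51636; $gcPort = 53268; $gcSslPort = 53269   # assumptions

# Each mounted instance is its own LDAP server, so all four ports must be unused.
foreach ($p in $ldapPort, $sslPort, $gcPort, $gcSslPort) {
    if (& netstat.exe -an | Select-String ":$p\s+.*LISTENING") { throw "Port $p is in use; pick another set." }
}

# 1. Create a snapshot of the volumes that hold the database and its logs.
& ntdsutil.exe "activate instance ntds" snapshot create quit quit

# 2. Find the GUID to mount. With a single snapshot, "list all" prints the snapshot set
#    first and the mountable volume snapshot last, so the last GUID is the one to mount.
$listing = & ntdsutil.exe snapshot "list all" quit quit
$guid = ($listing | Select-String '\{[0-9a-fA-F-]{36}\}' -AllMatches |
         ForEach-Object { $_.Matches } | Select-Object -Last 1).Value
& ntdsutil.exe snapshot "mount $guid" quit quit
$mounted   = & ntdsutil.exe snapshot "list mounted" quit quit
$mountPath = ($mounted | Select-String 'C:\\\$SNAP_\S+' | Select-Object -First 1).Matches[0].Value

# 3. Serve the snapshot's database read-only. Dsamain keeps running until it is stopped.
$dbPath  = Join-Path $mountPath 'Windows\NTDS\ntds.dit'
$dsamain = Start-Process dsamain.exe -PassThru -ArgumentList `
    "-dbpath `"$dbPath`" -ldapport $ldapPort -sslport $sslPort -gcport $gcPort -gcsslport $gcSslPort"
Start-Sleep -Seconds 10        # give the instance time to start listening

# 4. Query the snapshot. Tombstone = $true makes the searcher return deleted objects as well.
function Find-UserInSnapshot {
    param([string]$SamAccountName, [int]$Port, [string]$BaseDn)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$Port/$BaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter    = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    $searcher.Tombstone = $true
    $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'isDeleted', 'lastKnownParent', 'memberOf'))
    $searcher.FindAll() | ForEach-Object { $_.Properties }
}
Find-UserInSnapshot -SamAccountName 'jsmith' -Port $ldapPort -BaseDn $domainDn | Format-List

# 5. Clean up: stop the instance and unmount the snapshot.
Stop-Process -Id $dsamain.Id
& ntdsutil.exe snapshot "unmount $guid" quit quit
```

To compare two points in time, run steps 2 and 3 a second time for the older snapshot with a different set of four ports and call Find-UserInSnapshot against each port; the memberOf values returned from the snapshot are the information you will need when the account is recovered by an authoritative restore or by reanimation.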
Slide 21: Reanimating Tombstoned AD DS Objects

You can reanimate deleted objects manually in AD DS when:
• You do not have current AD DS backups in a domain where user accounts or security groups were deleted
• The deleted object has not yet been scavenged from the Active Directory database
• The deletion occurred in domains that contain only Windows Server 2003 or later domain controllers

To reanimate tombstoned AD DS objects:
1. Use LDP.exe to locate the deleted object
2. Modify the object's isDeleted attribute and provide a distinguished name
3. Enable the object and reconfigure the object attributes

Speaker notes: Describe the scenario where reanimating tombstoned objects will work. By default, Active Directory objects are retained in the Active Directory database in a deactivated state for 60 days after the object has been deleted. When an object is deactivated, most of the object's attributes are deleted and only a few critical attributes (SID, ObjectGUID, LastKnownParent, and SAMAccountName) are retained. When you reanimate the object, you are reactivating it, but you still must reconfigure all of the user settings.

You may want to show the students how to reanimate the object that was deleted in a previous topic. The resource listed below provides the procedure.

Reference: How to restore deleted user accounts and their group memberships in Active Directory
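The three steps above are performed by hand in LDP.exe. The script below is an added example, not part of the course, that issues the same LDAP operations from PowerShell through System.DirectoryServices.Protocols: a search with the Show Deleted control to find the tombstone, a single modify request that removes isDeleted and supplies a new distinguished name, and a final modify that enables the account. The domain controller name, the user's sAMAccountName and the target OU are assumptions. As the speaker notes say, the scavenged attributes (group memberships, password and the rest) still have to be reconfigured afterwards.

```powershell
# Added example: reanimate a tombstoned user account with LDAP modify operations.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$dc       = 'NYC-DC1.WoodgroveBank.com'      # assumption
$domainDn = 'DC=WoodgroveBank,DC=com'        # assumption
$sam      = 'jsmith'                         # assumption
$targetOu = "OU=Marketing,$domainDn"         # where the reanimated object is placed (assumption)

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc)
$conn.SessionOptions.Signing = $true         # Kerberos-signed and sealed session
$conn.SessionOptions.Sealing = $true
$conn.Bind()

# 1. Locate the tombstone. Deleted objects sit under CN=Deleted Objects and are returned
#    only when the Show Deleted control (OID 1.2.840.113556.1.4.417) accompanies the search.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $domainDn, "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$sam))",
    'Subtree', @('distinguishedName', 'lastKnownParent', 'objectSid', 'objectGUID'))
$search.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null
$entries = $conn.SendRequest($search).Entries
if ($entries.Count -ne 1) { throw "Expected exactly one tombstone for $sam, found $($entries.Count)." }
$tombstone = $entries[0]
$oldDn     = $tombstone.DistinguishedName
$parent    = $tombstone.Attributes['lastKnownParent'][0]
"Tombstone: $oldDn (last known parent: $parent)"

# 2. Reanimate: delete isDeleted and replace distinguishedName in ONE modify request that
#    also carries the Show Deleted control (the "Extended" option in LDP). The new RDN keeps
#    the original CN, which is the part of the tombstone DN before the \0ADEL: marker.
$cn    = ($oldDn -split '\\0ADEL:')[0]
$newDn = "$cn,$targetOu"
$delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$delIsDeleted.Name = 'isDeleted'; $delIsDeleted.Operation = 'Delete'
$setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$setDn.Name = 'distinguishedName'; $setDn.Operation = 'Replace'; $setDn.Add($newDn) | Out-Null
$modify = New-Object System.DirectoryServices.Protocols.ModifyRequest
$modify.DistinguishedName = $oldDn
$modify.Modifications.AddRange(@($delIsDeleted, $setDn))
$modify.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null
$response = $conn.SendRequest($modify)
if ($response.ResultCode -ne 'Success') { throw "Reanimation failed: $($response.ResultCode) $($response.ErrorMessage)" }
"Reanimated as $newDn"

# 3. Enable the account. A reanimated account is disabled and has no password; AD DS refuses
#    to enable it until a password that meets policy has been set, so reset the password first
#    (assumed done through Active Directory Users and Computers or an SSL-protected bind), then
#    set userAccountControl to NORMAL_ACCOUNT (512), which clears the ACCOUNTDISABLE flag (0x2).
$enable = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$enable.Name = 'userAccountControl'; $enable.Operation = 'Replace'; $enable.Add('512') | Out-Null
$enableRequest = New-Object System.DirectoryServices.Protocols.ModifyRequest($newDn, @($enable))
$conn.SendRequest($enableRequest) | Out-Null
```

The reanimated object keeps its original objectSid and objectGUID, which is why this is preferable to recreating the account: existing ACLs that reference the SID continue to apply, whereas a recreated account gets a new SID and every permission and group membership must be granted again.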
22
Course 6425A Lab: Implementing an Active Directory Domain Services Maintenance Plan
Module 9: Implementing an Active Directory Domain Services Maintenance Plan

Exercise 1: Maintaining AD DS Domain Controllers
Exercise 2: Backing Up AD DS
Exercise 3: Performing a Nonauthoritative Restore of the AD DS Database
Exercise 4: Performing an Authoritative Restore of the AD DS Database
Exercise 5: Restoring Data Using the AD DS Database Mounting Tool

Note: Because of the time it takes to restore the data in these exercises, the students may want to do just Exercise 3 or Exercise 4 and not both.

Lab goal: Maintain the Active Directory database, and back up and restore Active Directory Domain Services.

Lab objectives:
Maintain AD DS domain controllers
Back up AD DS
Restore AD DS

Scenario: Woodgrove Bank has completed its AD DS deployment. To ensure high availability and performance for the AD DS servers, the organization is implementing a maintenance plan that includes ongoing maintenance of the AD DS databases and implementation of a disaster-recovery plan. The server administrator has prepared a backup plan that includes a daily backup of the system volume of one domain controller in each domain. The server administrator also has prepared plans for recovering AD DS data in several scenarios. You need to implement these plans.

This lab consists of five exercises.

Exercise 1: Maintaining AD DS domain controllers
The student will implement a plan for maintaining AD DS domain controllers. Tasks include running the Security Configuration Wizard (SCW) to disable all services that are not required on the domain controllers, moving the AD DS database to an alternate hard disk, and performing an offline defragmentation of the AD DS database.

Exercise 2: Backing Up AD DS
The student will schedule a backup of the system volume and perform an on-demand backup of the system volume.

Exercise 3: Performing a Nonauthoritative Restore of the AD DS Database
The student will perform a nonauthoritative restore of the AD DS database using the on-demand backup from Exercise 2. Perform this restore in a domain that has only one domain controller; in a domain with several domain controllers the restored data would simply be overwritten by replication.

Exercise 4: Performing an Authoritative Restore of the AD DS Database
The student will perform an authoritative restore of the AD DS database using the scheduled backup from Exercise 2. After the backup completes, delete an object in Active Directory. Perform this restore in a domain that has multiple domain controllers and verify that the deleted object is restored and replicates back to the other domain controllers rather than being overwritten by the deletion they still hold.

Exercise 5: Restoring Data Using the AD DS Database Mounting Tool
The student will use the AD DS Database Mounting Tool (Dsamain.exe) to recover data from a deleted AD DS object. Tasks include using NTDSUtil to create a snapshot of the AD DS volume, deleting a user account from AD DS, using NTDSUtil to mount the snapshot, starting Dsamain against the mounted database, and using LDP to view information about the user account in the snapshot.

Inputs: AD DS maintenance plan that the server administrator provides.
Outputs: AD DS maintenance plan has been verified and all processes in the plan have been tested.

Logon information
Virtual machines: 6425A-NYC-DC1, 6425A-NYC-DC2
User name: Administrator
Password: Pa$$w0rd

Estimated time: 75 minutes
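The script below is an added example, not part of the lab, that runs the Exercise 5 sequence from an elevated PowerShell prompt on the domain controller: create a snapshot with NTDSUtil, mount it, expose the snapshot copy of ntds.dit with Dsamain on a spare LDAP port, pull the deleted user's attributes out with ldifde (the lab uses LDP for this step), and clean up. The domain DN, account name, LDAP port and the location of ntds.dit inside the snapshot are assumptions; if Exercise 1 moved the database to another disk, point $NtdsRelPath at that location relative to the volume root.

```powershell
# Added example (not from course 6425A): Exercise 5 driven from PowerShell on the DC.
# Assumed values: domain DN, account name, LDAP port, and the path of ntds.dit
# relative to the root of the snapshotted volume.
$DomainDn    = 'DC=woodgrovebank,DC=com'   # assumed
$Sam         = 'jdoe'                      # assumed account that will be deleted
$Port        = 10389                       # any free port; 389 belongs to the live AD DS
$NtdsRelPath = 'Windows\NTDS\ntds.dit'     # default location; 'NTDS\ntds.dit' if moved to D:\NTDS

function New-AdSnapshot {
    # VSS snapshot set of the volumes holding the AD DS database and logs.
    $out = ntdsutil 'activate instance ntds' snapshot create quit quit
    foreach ($line in $out) {
        if ($line -match 'Snapshot set (\{[0-9a-fA-F-]+\}) generated successfully') { return $Matches[1] }
    }
    throw "snapshot create failed:`n$($out -join "`n")"
}

function Mount-AdSnapshot([string]$SetGuid) {
    # Mounting by set GUID exposes every volume in the set as a read-only
    # directory such as C:\$SNAP_200806191210_VOLUMEC$\; collect those paths.
    $out   = ntdsutil snapshot 'list all' "mount $SetGuid" quit quit
    $paths = foreach ($line in $out) { if ($line -match 'mounted as (\S+)') { $Matches[1].TrimEnd('\') } }
    if (-not $paths) { throw "snapshot mount failed:`n$($out -join "`n")" }
    return @($paths)
}

function Start-SnapshotLdap([string]$DitPath, [int]$Port) {
    # dsamain serves the DIT as a stand-alone LDAP instance and blocks, so run
    # it as a separate process and wait until the port accepts connections.
    $p = Start-Process -FilePath dsamain -ArgumentList "-dbpath `"$DitPath`" -ldapport $Port" -PassThru
    for ($i = 0; $i -lt 30 -and -not $p.HasExited; $i++) {
        Start-Sleep -Seconds 2
        try { (New-Object System.Net.Sockets.TcpClient('localhost', $Port)).Close(); return $p } catch { }
    }
    throw "dsamain did not start listening on port $Port"
}

function Export-SnapshotUser([string]$DomainDn, [string]$Sam, [int]$Port, [string]$OutFile) {
    # ldifde against the mounted instance: -s server, -t port, -d search base, -r LDAP
    # filter, -l the attributes worth copying back to a reanimated or recreated account.
    ldifde -f $OutFile -s localhost -t $Port -d $DomainDn -r "(sAMAccountName=$Sam)" `
           -l 'sAMAccountName,objectSid,memberOf,userAccountControl,description' | Out-Null
    return Get-Content $OutFile
}

function Remove-AdSnapshotMount($Proc, [string]$SetGuid) {
    if ($Proc -and -not $Proc.HasExited) { Stop-Process -Id $Proc.Id }   # read-only instance; safe to end
    ntdsutil snapshot 'list all' "unmount $SetGuid" quit quit | Out-Null
}

$set = New-AdSnapshot
Read-Host "Snapshot set $set created. Delete $Sam in Active Directory Users and Computers now, then press Enter"
$paths = Mount-AdSnapshot $set
$dit   = $paths | ForEach-Object { Join-Path $_ $NtdsRelPath } | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $dit) { Remove-AdSnapshotMount $null $set; throw "ntds.dit not found under: $($paths -join ', ')" }
$proc = $null
try {
    $proc = Start-SnapshotLdap $dit $Port
    Export-SnapshotUser $DomainDn $Sam $Port "$env:TEMP\${Sam}-snapshot.ldf"   # prints the LDIF
} finally {
    Remove-AdSnapshotMount $proc $set   # the snapshot itself stays until "snapshot delete"
}
```

Treat a mounted snapshot as carefully as a backup tape: it contains the full ntds.dit, password hashes included, so leave it mounted only as long as needed, keep it on the DC, and delete the snapshot set when the exercise is over. By default Dsamain answers LDAP queries only for Domain Admins and Enterprise Admins; do not add -allowNonAdminAccess unless you intend to widen that.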
Course 6425A Lab Review
Module 9: Implementing an Active Directory Domain Services Maintenance Plan
How could you apply the security policy you created in Exercise 1 to multiple domain controllers? What concerns would you have with doing this?
Why is a nonauthoritative AD DS restore overwritten by replication? How does an authoritative restore prevent this from happening?
What is the difference between restoring an AD DS object by undeleting it and just recreating the object?
Course 6425A Module Review and Takeaways
Module 9: Implementing an Active Directory Domain Services Maintenance Plan
Review questions, Considerations, Tools

Review questions
1. One of your domain controllers is running out of hard-drive space. You modify the domain controller so that it is no longer a global catalog server, but notice that the size of the AD DS database does not decrease. What should you do to reclaim hard-drive space on the server?
Answer: Perform an offline defragmentation (stop AD DS or boot into Directory Services Restore Mode, then use the NTDSUtil files and compact to commands). Online defragmentation only reorganizes the free space inside NTDS.dit; it never shrinks the file.

2. You are concerned about the amount of disk space that the Active Directory database and log files are using. How do you determine the size of the database and log files?
Answer: Browse to the %systemroot%\NTDS folder (or to the alternate locations if the database or logs were moved), and add up the size of NTDS.dit and the transaction log files.

3. You install Windows Server Backup on your domain controller. You have only two drives on the computer and both are being used for data or system files. What type of backup should you use to back up your AD DS environment?
Answer: You will have to use an on-demand backup. In Windows Server 2008, a scheduled backup must use a dedicated local drive, which Windows Server Backup formats when the schedule is created.

4. All of the domain controllers in your domain have failed. You are trying to rebuild the domain from the Active Directory backup of one domain controller. Which type of restore must you use to rebuild the domain?
Answer: A normal (nonauthoritative) restore is sufficient, because no other domain controller is available to replicate with the newly restored domain controller, so there is nothing for the restored data to be overwritten by.

5. You accidentally deleted a user account in AD DS. What options do you have to make the account available again?
Answer: You can perform an authoritative restore of the user account, reanimate the tombstoned user account using LDP, or recreate the user account. Only the first two keep the account's original SID. If you recreate the account, it receives a new SID, so you must add it back to all of its groups and reassign any permissions that were granted directly to the old account.
Course 6425A Beta Feedback Tool
Module 9: Implementing an Active Directory Domain Services Maintenance Plan
Beta feedback tool helps:
Collect student roster information, module feedback, and course evaluations.
Identify and sort the changes that students request, thereby facilitating a quick team triage.
Save data to a database in SQL Server that you can later query.
Walkthrough of the tool
Course 6425A Beta Feedback
Module 9: Implementing an Active Directory Domain Services Maintenance Plan
Overall flow of module: Which topics did you think flowed smoothly, from topic to topic? Was something taught out of order?
Pacing: Were you able to keep up? Are there any places where the pace felt too slow? Were you able to process what the instructor said before moving on to the next topic? Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?
Learner activities: Which demos helped you learn the most? Why do you think that is? Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment? Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren't helpful?