8.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure

8.1 © 2004 Pearson Education, Inc.

Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure

Lesson 8: Backing Up and Restoring Active Directory

Goals Use the Backup Wizard to troubleshoot Active Directory

Schedule Active Directory backups

Examine Active Directory restores

Execute a nonauthoritative restore

Execute an authoritative restore




Active Directory is a transaction log-based database service that depends on files such as ntds.dit and a number of log files in order to function

To prepare for disaster recovery, you must use the Backup Wizard to back up Active Directory

The wizard creates an archive with a .bkf extension, which contains the files that were selected for backup

To back up Active Directory, you must be a member of either the Backup Operators or Administrators group

(Skill 1)

Using the Backup Wizard to Back Up Active Directory




Figure 8-1 The Backup Utility Advanced Mode window

(Skill 1)




An Active Directory backup includes the Active Directory database file, ntds.dit, and the shared system volume (SYSVOL) folder

SYSVOL is a shared folder created when Active Directory is installed

It contains all publicly available files for domains, such as scripts and Group Policy Objects, which users and other domain controllers need for domain access

Using the Backup Wizard to Back Up Active Directory (2)

(Skill 1)




To back up Active Directory, you back up the System State data on a domain controller

In addition to the Active Directory database file and the SYSVOL folder, System State data has other components

Registry: Database that stores the configuration of a computer, including user profiles and folder settings

COM+ Class Registration database: Database that stores entries for dynamic link library (.dll) and executable (.exe) files on a computer


(Skill 1)




In addition to the Active Directory database file and the SYSVOL folder, System State data has other components

System boot files: Files used to load and configure the Windows Server 2003 operating system

Windows File Protection system files: All files under Windows File Protection


(Skill 1)




Tasks to perform before you start any backup operation

Choose the scope for the backup, based on your requirements

Back up the entire contents of a computer

Select only particular files, drives, or network data

Back up only the System State data


(Skill 1)





Choose the type of backup media

You can use Zip or Jaz drives, tape, or the hard drive on a remote file server

A backup to a file on the file server can be backed up to a Zip, Jaz, or tape drive

Magnetic tape is the most widely used backup medium

Inexpensive

Stores large amounts of data


(Skill 1)





Choose the type of backup

There are five backup types from which you can choose

To choose one of these types, you must first understand the archive attribute or archive bit and how each backup type handles it


(Skill 1)






Archive attribute

A property for files and folders that is used to identify them when they have changed

When a file has changed, the archive attribute, which is actually an attribute of the file header, is automatically selected


(Skill 1)






Archive attribute

Some backup types

Remove the archive attribute to mark files as having been backed up, while others do not

Some backup types use the archive attribute to determine which files to back up

Others back up all files regardless of the status of the archive attribute


(Skill 1)






Archive attribute

Organizations use a blend of the different backup types

This optimizes the time spent on both the backup and the restore processes


(Skill 1)





Notify users about the backup operation

Through e-mail or administrative messages

During the backup operation, users who are connected over the Internet will have their sessions terminated and may lose any unsaved data


(Skill 1)





Make sure that the media device you have selected for storing the backup is listed in the Windows Server Catalog

The catalog contains a list of devices tested by Windows Hardware Testing Labs

These devices are supported by Windows Server 2003


(Skill 1)





Make sure the backup media device is attached to the computer and the device is switched on

Make sure the backup media is loaded in the media device


(Skill 1)




Figure 8-2 The Backup or Restore Wizard

(Skill 1)




Figure 8-3 The Backup or Restore screen

(Skill 1)




Figure 8-4 The What to Back Up screen

(Skill 1)




The default settings in the Backup Wizard work well in most cases

Additional advanced settings

Specify a backup type other than Normal

Verify data after the backup operation to ensure its success


(Skill 1)




Additional advanced settings

Append the backup data to an existing archive or create a new archive

Set a job name to identify the backup job

Schedule the backup process to occur at specified intervals


(Skill 1)




Figure 8-5 The Items to Back Up screen

(Skill 1)




Figure 8-6 The Backup Type, Destination, and Name screen

(Skill 1)




Figure 8-7 The Completing the Backup or Restore Wizard screen

(Skill 1)




To be prepared to recover from a hardware failure, system or disk failure, or a virus attack, it is best back up Active Directory daily, preferably after office hours

A typical schedule

Perform a Normal backup once a week

Perform an Incremental backup on each other day of the week

This method ensures the backup file occupies less disk space and that you have the most recent data in the event of a disaster

Scheduling Active Directory Backups

(Skill 2)




Most production networks have ample backup capacity to perform a full Normal backup daily

Backing up servers can become time-consumingTo ease the burden, use the Backup utility to schedule

backups to run at specified dates and times

Ntbackup then uses the Task Scheduler to schedule the backup

Scheduling Active Directory Backups (2)

(Skill 2)




Task Scheduler

Runs the Backup Wizard to carry out the backup operation at the scheduled date and time

This is also known as an unattended backup

Two ways to schedule an unattended backup

Use the Advanced settings on the Completing the Backup Wizard screen

Use the Schedule Jobs tab in the Backup Utility to schedule unattended backups


(Skill 2)




Figure 8-8 Running Ntbackup from the Run dialog box

(Skill 2)




Figure 8-9 Scheduling a System State Backup

(Skill 2)




Figure 8-10 The How to Back Up screen

(Skill 2)




Figure 8-11 The Backup Options screen

(Skill 2)




Task Scheduler

On the Schedule Jobs tab in the Backup window

Click the icon for a scheduled job to open the Scheduled Job Options dialog box

You can change the job name on the Schedule data tab

You can view the job details on the Backup details tab


(Skill 2)




Task Scheduler

On the Schedule Jobs tab in the Backup window

View details about the backup in the Job summary section

Displays the backup type

Displays the properties set for the backup job

Whether Verify data has been set

Whether hardware compression is to be used

Whether access is restricted to the owner or administrator

The media name used for the job and the set description


(Skill 2)




Using Ntbackup

You cannot back up individual components of the System State data because of the dependencies between components

Third-party utilities such as Veritas Backup Exec can back up individual components

You can use Ntbackup to restore System State data to an alternate location


(Skill 2)




When you restore the System State to an alternate location, certain components are restoredSYSVOL directory

Cluster database data

System boot files

When you restore the System State to an alternate location, certain components are not restoredActive Directory database

Certificate Services database

COM+ Class Registration database

Schedule Active Directory Backups (7)

(Skill 2)




Figure 8-12 The Schedule Job dialog box

(Skill 2)




Figure 8-13 The Advanced Schedule Options dialog box

(Skill 2)




Figure 8-14 The Set Account Information dialog box

(Skill 2)




Figure 8-15 Scheduled jobs on the calendar on the Schedule Jobs tab

(Skill 2)




Active Directory stores information about all of the objects in a domain

If the files that make up Active Directory become corrupt, users and applications cannot access Active Directory objects

In disaster recovery situations, you must restore the latest System State backup data to restore Active Directory objects

Examining Active Directory Restores

(Skill 3)




Methods of restoring System State data

Nonauthoritative restore (Normal)

Authoritative restore

Primary restore

Examining Active Directory Restores (2)

(Skill 3)





When to use this method

You need to recover a domain controller from hardware failure or replacement

You are sure the data on the other domain controllers in the forest is correct

All you must do is restore the most recent System State backup of the domain controller

Restored data, including Active Directory objects, will have the USN they had when the System State backup was created


(Skill 3)





Update sequence numbers (USNs)

Used to detect and propagate Active Directory changes among the servers on the network

Make multi-master replication possible

Used to track changes made to the database just like a version number in DNS

When you create an object, Active Directory assigns a unique USN to the object

When you make changes to the object, Active Directory increments the USN for the object by one


(Skill 3)





Update sequence numbers (USNs)

The copy of the object that has the highest USN is considered to be the most up-to-date, and is replicated to the other domain controllers

Because the USNs in the System State backup will be lower than more recent versions of Active Directory objects, the Active Directory replication system views data that is restored non-authoritatively as old data

If more recent data is available on other servers, the Active Directory replication system uses it to update the restored data


(Skill 3)




Nonauthoritative restore (Normal)After the nonauthoritative restore

Active Directory replication begins Changes that occurred on the other domain controllers are

automatically propagated to the domain controller that has come back online

You must use an authoritative restore to replicate restored data to other servers


(Skill 3)





Unless you only have one domain controller, or are at an isolated remote location, a nonauthoritative restore is not very useful

This is because in order to perform a nonauthoritative restore on a failed domain controller, you must first reinstall Windows Server 2003 and promote the server to a domain controller

As part of this process, the Active Directory database is copied from the other servers onto your failed server, fully restoring Active Directory


(Skill 3)





Used when an Active Directory object, or group of objects, has been accidentally deleted

When an object is deleted in Active Directory, it is not truly deleted; it is tombstoned

Tombstoning essentially marks the object “dead,” which makes it unusable, and updates the USN for the object

This is done so that the “deletion” is properly replicated to all domain controllers


(Skill 3)





Once every night, a process known as Garbage Collection runs on all domain controllers

Any object that has been tombstoned for more than 60 days (by default) is actually deleted during this process

Because of the tombstoning process, to effectively restore a deleted object

You must increment the USN of that object subsequent to the actual restore process

This makes the restored copy the more up-to-date version


(Skill 3)





During an authoritative restore, the USN of the deleted object is increased by 100,000 for each day since the backup was performed so that it is higher than the USNs of the existing objects

You perform an authoritative restore by executing the Ntdsutil command on a domain controller


(Skill 3)





Using Ntdsutil

Ntdsutil is a command-line utility, which is stored in %Systemroot%\System32

It supplies a number of other directory management features not found in any of the graphical tools

You mark Active Directory objects for authoritative restore

This modifies the USN making it higher than any other update sequence number in the Active Directory replication system

Objects restored using this command are considered to be the most current copy of those objects, and are properly replicated to the other servers on the network


(Skill 3)




Figure 8-16 Authoritative Restore

(Skill 3)




Figure 8-17 First level of commands for ntdsutil

(Skill 3)




Primary restore

You do a primary restore when you must rebuild the domain from backup because all domain controllers in the domain have been lost

You perform a primary restore on the first domain controller and nonauthoritative restores on all of the other domain controllers

You only perform a primary restore when the server you are trying to restore is the only running server in a replicated data set


(Skill 3)




Active Directory actually performs attribute level replication in most cases

If you change a field in a user account, only the field is replicated, not the entire object

To provide full replication functionality, Active Directory actually assigns a USN

To the database

To each object in the database

To each attribute of each object


(Skill 3)




Nonauthoritative restore

Used to restore Active Directory in cases where no objects have been accidentally deleted and no other options are available

You use the backup of the System State data to restore Active Directory on a domain controller

To begin, start the computer in a special safe mode called Directory Services Restore Mode

Then use the Restore Wizard to restore Active Directory

Executing a Nonauthoritative Restore

(Skill 4)




Directory Services Restore Mode

This mode ensures the domain controller remains offline while you restore the Active Directory database and the SYSVOL folder

In this offline mode, Active Directory services on the domain controller are stopped so that a successful restoration can occur

The computer is not disconnected from the network, but all Active Directory services are halted

Executing a Nonauthoritative Restore (2)

(Skill 4)





After the Active Directory restoration process is complete and the server is restarted, the normal replication process updates the restored Active Directory database with the help of the replication partner domain controllers on the domain


(Skill 4)




Figure 8-18 The Desktop message box

(Skill 4)




Figure 8-19 Restoring the System State

(Skill 4)




Figure 8-20 The Warning dialog box

(Skill 4)





You can also use Ntdsutil to reset the Directory Services Restore Mode password

At the ntdsutil prompt, type Set DSRM and press [Enter]

At the Reset DSRM Administrator Password prompt, type Reset Password on server %s where %s is the name of the server

After you press [Enter], you are prompted to type the password and re-enter the password


(Skill 4)




Figure 8-21 The Restore Progress dialog box

(Skill 4)




Figure 8-22 The Backup Utility warning dialog box

(Skill 4)




You use an authoritative restore to recover selected Active Directory objects

Preliminary tasks

Copy the Policies folder in the SYSVOL folder to an alternate location

Copy the Policies folder from the alternate location back to its original location

After you perform an authoritative restore

After the SYSVOL share has been published

Executing an Authoritative Restore

(Skill 5)




Preliminary tasks

Perform a nonauthoritative restore of the System State dataYou can then use Ntdsutil to perform an authoritative

restore to recover the deleted object

Executing an Authoritative Restore (2)

(Skill 5)




Run the Ntdsutil command-line utility to perform an authoritative restore

Ntdsutil marks an object for authoritative restore by increasing the USN by 100,000 for each day since the backup was performed so that it is higher than the USNs of the existing object

To restore a deleted object, you must specify the distinguished name of the object


(Skill 5)




Distinguished name (DN)

Uniquely identifies an object on a network

It is an LDAP component that includes the name of the domain that holds the object and the complete path to the object through the container hierarchy

It identifies an object throughout the LDAP hierarchy because it refers to the relative distinguished name, domain name, and the container where the object is stored


(Skill 5)




Distinguished name (DN)

Can consist of the common name (cn), the organizational unit name (ou), and the domain component name (dc)

The common name for a user object is the full user name, not the logon name

For user names and OUs that contain spaces, the DN must be enclosed in quotation marks


(Skill 5)




To restore an OU and all objects in it, use the command Restore subtree %s, where %s represents the server name

To restore an object, use Restore object %s

To override the version (USN) increaseAdd the parameter verinc %d, where %d represents the

variable by which you want to increment the version number

Use this parameter only to authoritatively restore over an incorrect authoritative restore


(Skill 5)




Just like a nonauthoritative restore, an authoritative restore requires that the domain controller be running in Directory Services Restore Mode

Run the Ntdsutil command

After you have restored the System State data

Before you have restarted the server from Active Directory Restore mode

You cannot restart normally between the nonauthoritative restore and the authoritative restore


(Skill 5)




After the restoration is complete, the domain controller is brought back online by restarting the computer normally

If the Active Directory database has changed on the replication partner domain controllers, the replication process updates their databases using the restored Active Directory database

The replication process also distributes information about the restored object to other domain controllers


(Skill 5)




Figure 8-23 Copying the Policies folder to an alternate location

(Skill 5)




If you accidentally delete a large number of objects, manually recovering each object would be a cumbersome task

Instead you can authoritatively restore the entire database

To do this, type the restore database command at the authoritative restore prompt


(Skill 5)




Do not perform an authoritative restore of the entire database on servers holding the RID master or schema master FSMO roles

The schema cannot be authoritatively restored, and authoritatively restoring the RID master can lead to SID conflicts


(Skill 5)




Figure 8-24 Confirming an authoritative restore

(Skill 5)




Figure 8-25 Using Ntdsutil to recover a deleted object

(Skill 5)

Documents

8.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure