AD back up

8/6/2019 AD back up

Active Directory 2003 Backup and Restore

TECHNOLOGY INFRASTRUCTURE SERVICES

Author: Selvakumar Palanivel
Date of Creation: 02 Dec 2005
Email id: [email protected]

    Wipro Technologies TIS Page 1 of 13


Table of contents

1. Introduction
2. Overview of Active Directory 2003
3. System Components of Active Directory
   3.1 Domain Controllers (DCs)
   3.2 Global Catalogs (GCs)
   3.3 Operations Masters (OMs)
4. Active Directory Backup
   4.1 Contents
   4.2 Age
   4.3 Type of Backup
   4.4 To back up a domain controller using the W2K3 backup utility
5. Active Directory Restore
   5.1 Restore through re-installation Procedure
   5.2 Restore from Backup
6. Steps to Recover Active Directory Forest
7. Post Recovery Steps Active Directory Forest Restore
Appendix A To clean up server metadata
Appendix B To disable a Global Catalog
Appendix C To seize an Operation Master role
Appendix D Useful Links


1. Introduction

This document details best practices and procedures for recovering Active Directory 2003 after a forest-wide failure has left all the Domain Controllers in the forest unable to function normally.

2. Overview of Active Directory 2003

The Active Directory service is the directory service for Windows Server 2003. It is a core component of the operating system and provides essential data both to the enterprise and to other components within the OS.

Active Directory provides a central service for administrators to organize network resources and to manage users, computers, and applications.

3. System Components of Active Directory

Although many components make up Active Directory, this section focuses on the system components that are relevant when planning an AD restoration.


3.1 Domain Controllers (DCs)

Windows 2003 requires domain controllers (DCs) to host the domain database and perform authentication services. Unlike the NT 4.0 PDC/BDC model, object changes can be made on any DC within the environment.

To ensure that all DCs in the environment host a current, synchronized and accurate version of the directory, DCs are responsible for initiating and performing replication operations. In addition to this domain information, all of the domain controllers in a particular forest host a copy of the forest configuration and schema partitions.

3.2 Global Catalogs (GCs)

The primary function of the global catalog (GC) is to provide fast and efficient searches that extend across the entire Active Directory forest. A GC holds a full, writeable replica of all objects in its own domain, and a partial, read-only replica (all objects, but only a subset of their attributes) of every other domain in the forest.

3.3 Operations Masters (OMs)

Because Active Directory supports multi-master updates (each DC hosts a writeable copy of its directory partition), it must allow for conflicting changes, that is, changes made at about the same time to the same object but from different DCs. Such conflicts are resolved eventually and all DCs converge on the same value.

In some cases, however, it is better to prevent conflicts than to resolve them after the event. Operations masters (OMs) in Active Directory prevent conflicts in cases where conflict resolution is inappropriate.

Active Directory defines five Operations Master (OM) roles, also called Flexible Single Master Operations (FSMO) roles:

Per-Forest Roles: Schema master and Domain naming master

Per-Domain Roles: Relative IDentifier (RID) master, Primary Domain Controller (PDC) emulator and Infrastructure master

3.3.1 Schema Master

The DC that holds the schema master role is the only DC that can perform write operations to the directory schema. Those schema updates are replicated from the schema master to all other domain controllers in the forest.

3.3.2 Domain Naming Master

The DC that holds the domain naming master role is the only DC that:

Adds new domains to the forest

Removes existing domains from the forest

Adds or removes cross-reference objects to external directories

3.3.3 Relative IDentifier (RID) Master

This operations master manages the allocation of RID pools to the other DCs in the domain. Only one server performs this task. When a security principal (for example, a user, group, or computer) is created, a RID is combined with the domain-wide identifier to create a unique Security IDentifier (SID).

Every Windows 2003 DC receives a pool of RIDs it can use to create objects. The RID master ensures unique SIDs across DCs by assigning each DC a different pool. All object moves between domains of the same forest go through the RID master to avoid SID duplication.

3.3.4 Primary Domain Controller (PDC) Emulator

The PDC emulator provides the following major functions:

Backward compatibility for clients and servers, allowing NT 4.0 BDCs to participate in the Windows 2003 environment.

Password management. Windows 2003 DCs replicate password changes to the PDC emulator first. When a DC fails to authenticate a password (perhaps because a change has not yet replicated to the authenticating DC), it contacts the PDC emulator to see whether the password can be authenticated there.

Time synchronization. The PDC emulator of each domain in the forest synchronizes with the PDC emulator in the forest root domain, which is the authoritative time source for the forest.

3.3.5 Infrastructure Master

The infrastructure master ensures the consistency of objects for all inter-domain operations. When an object from another domain is referenced, the reference contains the Globally Unique IDentifier (GUID), the Security IDentifier (SID) and the Distinguished Name (DN) of that object. If the referenced object moves or is renamed, the DC holding the infrastructure master role in a domain is responsible for updating the SIDs and DNs in cross-domain object references. In a multi-domain forest the infrastructure master should not be a global catalog unless every DC in the domain is one; a GC already holds the current data for the other domains and therefore never notices that a cross-domain reference has gone stale.
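Knowing which DC holds which role, and which DCs are global catalogs, is the starting point of step 1 of the forest recovery procedure in section 6, and it is information that is easiest to gather while the directory is still up. The following PowerShell is an added example, not part of the original document, that collects this inventory with the in-box dsquery.exe and ADSI. It assumes that PowerShell is installed on the machine it runs on (it is not native to Windows Server 2003), that the caller is logged on with a domain account ($env:USERDNSDOMAIN is used as the default domain) and can read the configuration partition.

```powershell
# Added example: inventory the five operations master role holders and the
# global catalog servers of the forest with dsquery.exe (in-box on Windows
# Server 2003) and ADSI. Assumes PowerShell is installed (not native to
# Windows Server 2003) and read access to the configuration partition.

# Friendly role name -> keyword understood by "dsquery server -hasfsmo".
$fsmoKeywords = @{
    'Schema master'         = 'schema'
    'Domain naming master'  = 'name'
    'RID master'            = 'rid'
    'PDC emulator'          = 'pdc'
    'Infrastructure master' = 'infr'
}

function Get-ServerDnsName {
    # dsquery returns the DN of the server object under CN=Sites; that object
    # carries the DC's fully qualified host name in dNSHostName.
    param([string]$ServerDn)
    ([ADSI]"LDAP://$ServerDn").Properties['dNSHostName'].Value
}

function Get-FsmoRoleHolders {
    # Returns role name -> DNS name of the DC holding it. The two forest-wide
    # roles are resolved with -forest; the three per-domain roles are resolved
    # for the domain given (default: the domain the caller is logged on to).
    param([string]$Domain = $env:USERDNSDOMAIN)
    $holders = @{}
    foreach ($role in $fsmoKeywords.Keys) {
        $kw = $fsmoKeywords[$role]
        if ($kw -eq 'schema' -or $kw -eq 'name') {
            $dn = & dsquery server -forest -hasfsmo $kw
        } else {
            $dn = & dsquery server -domain $Domain -hasfsmo $kw
        }
        # dsquery prints the DN wrapped in double quotes.
        $dn = ($dn | Out-String).Trim().Trim('"')
        $holders[$role] = if ($dn) { Get-ServerDnsName $dn } else { '<not found>' }
    }
    $holders
}

function Get-GlobalCatalogs {
    # All DCs in the forest whose NTDS Settings object has the GC flag set.
    & dsquery server -forest -isgc | ForEach-Object { Get-ServerDnsName ($_.Trim().Trim('"')) }
}

# Usage: print the inventory so it can be filed with the backup media. During
# a forest recovery the directory that answers these queries is down.
$inventory = Get-FsmoRoleHolders
$inventory.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-22} {1}' -f $_.Name, $_.Value }
'Global catalogs: ' + ((Get-GlobalCatalogs) -join ', ')
```

Run it from an administrative PowerShell prompt on a DC or a management workstation in the forest; for a multi-domain forest call Get-FsmoRoleHolders once per domain with -Domain, because the RID, PDC and infrastructure roles exist in every domain.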

4. Active Directory Backup

To ensure a successful restore from backup, it is important to know what defines a good backup. For Active Directory, two things must be considered:

Contents

Age

4.1 Contents

The first important aspect of a backup is its contents. A good backup will include at least the System State, the contents of the system disk, and the SYSVOL folder (if it is not located on the system disk).

System State Components


On a Windows 2003 system acting only as a DC (running no services other than those required for DC operation), the system state data encompasses:

System start-up files (boot files): the files required for Windows Server 2003 to start.

System registry.

Class registration database of Component Services: the Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.

SYSVOL: the system volume provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:

o NETLOGON shared folder: usually hosts user logon scripts and Group Policy Objects (GPOs).

o User logon scripts for Windows 2000/XP clients and for clients running Windows 95, Windows 98, or Windows NT 4.0.

o File system junctions.

o File Replication Service (FRS) staging directories and files that must be available and synchronized between domain controllers.

Active Directory, which includes:

o Ntds.dit: the Active Directory database.

o Edb.chk: the checkpoint file.

o Edb*.log: the transaction logs, each 10 megabytes (MB) in size.

o Res1.log and Res2.log: reserved transaction logs.

Note: If Active Directory-integrated DNS is used, the DNS zone data is stored in the Active Directory database and is backed up as part of it. If Windows Clustering or Certificate Services are installed on the domain controller, their databases are also backed up as part of the system state.

4.2 Age

If the backup is older than the tombstone lifetime set in Active Directory, it is not considered a good backup. When an object is deleted in Windows Server 2003, the DC on which the object was deleted informs the other DCs in the environment about the deletion by replicating what is known as a tombstone.

A tombstone is a representation of an object that has been deleted but not yet fully removed from the directory. The tombstone is eventually removed (garbage-collected) according to the tombstone lifetime setting, which by default is 60 days. The value in force is the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition; an unset attribute means the 60-day default, and forests created with Windows Server 2003 SP1 or later set it explicitly to 180 days. A backup older than this lifetime must never be restored: the deleted objects it still contains would be reintroduced into the directory with no tombstone left on the other DCs to remove them again (lingering objects).

4.3 Type of Backup

The only type of backup supported by Active Directory is normal. A normal backup creates a backup of the entire system while the domain controller is online. When backing up Active Directory using a normal backup, the backup utility automatically backs up all of the system components and all of the distributed services upon which Active Directory depends. This dependent data, which includes Active Directory, is known collectively as the system state.

4.4 To back up a domain controller using the W2K3 backup utility

1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup to start the Backup Utility Wizard.

2. Click Advanced Mode in the Backup Utility Wizard.

3. On the Backup tab, select the check box for any drive, folder, or file that you want to back up.

4. Select the System State check box.

This backs up the System State data along with any other data you have selected for the current backup operation.
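Sections 4.2 and 4.4 together define what a usable backup is: the right contents, younger than the tombstone lifetime. The following PowerShell is an added example, not code from the original document, that drives the same Windows Server 2003 ntbackup.exe from a script so the System State backup can be scheduled, and checks a backup file's age against the tombstone lifetime actually in force in the forest rather than the assumed 60 days. Assumptions: PowerShell is installed on the DC (it is not native to Windows Server 2003), backups are written to D:\ADBackup (a hypothetical path), and the script runs as a member of Backup Operators or Domain Admins.

```powershell
# Added example: scripted System State backup with ntbackup.exe and a backup
# age check against the forest's tombstone lifetime. Assumptions: PowerShell
# installed on the DC, backup target D:\ADBackup (hypothetical), caller is a
# member of Backup Operators or Domain Admins.

$backupRoot = 'D:\ADBackup'   # assumption: dedicated volume, ACLed to administrators only

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is an attribute of CN=Directory Service,CN=Windows NT,
    # CN=Services in the configuration partition. When it is not set the
    # directory uses 60 days; forests created with Windows Server 2003 SP1 or
    # later set it explicitly (180 days).
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $tsl = $dsObject.Properties['tombstoneLifetime'].Value
    if ($tsl) { return [int]$tsl }
    return 60
}

function Backup-SystemState {
    # Runs "ntbackup backup systemstate": the same operation as section 4.4
    # with the System State check box selected. /m normal is the only backup
    # type Active Directory supports, /v:yes verifies the set after writing,
    # /l:s writes a summary log. ntbackup.exe is a GUI-subsystem program, so it
    # is started through .NET and waited for explicitly; a plain "& ntbackup"
    # would return before the backup has finished.
    param([string]$Root = $backupRoot)
    if (-not (Test-Path $Root)) { New-Item -ItemType Directory -Path $Root | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $file  = Join-Path $Root ('{0}-systemstate-{1}.bkf' -f $env:COMPUTERNAME, $stamp)
    $argLine = 'backup systemstate /j "System State {0}" /f "{1}" /m normal /v:yes /l:s' -f $env:COMPUTERNAME, $file
    $proc = [System.Diagnostics.Process]::Start('ntbackup.exe', $argLine)
    $proc.WaitForExit()
    if (-not (Test-Path $file)) { throw "ntbackup did not write $file; check the ntbackup log" }
    return $file
}

function Test-BackupAge {
    # A backup older than the tombstone lifetime is not a good backup (4.2):
    # restoring it would reintroduce objects whose tombstones are already gone.
    param([string]$BackupFile)
    $tsl = Get-TombstoneLifetimeDays
    $age = ((Get-Date) - (Get-Item $BackupFile).LastWriteTime).TotalDays
    $usable = $age -lt $tsl
    $verdict = if ($usable) { 'usable' } else { 'TOO OLD, do not restore' }
    Write-Host ('{0}: {1:N1} days old, tombstone lifetime {2} days -> {3}' -f (Split-Path $BackupFile -Leaf), $age, $tsl, $verdict)
    $usable
}

function Get-NewestUsableBackup {
    # What step 1 of the forest recovery (section 6) asks for: the most recent
    # backup set that is still inside the tombstone lifetime.
    param([string]$Root = $backupRoot)
    Get-ChildItem -Path $Root -Filter '*.bkf' | Sort-Object LastWriteTime -Descending |
        Where-Object { Test-BackupAge $_.FullName } | Select-Object -First 1
}

# Usage on the DC, e.g. from a scheduled task: take the backup and prove that
# at least one set on the volume is still restorable.
$newest = Backup-SystemState
Test-BackupAge $newest | Out-Null
Get-NewestUsableBackup
```

Keep the .bkf files off the DC itself as well (copied to media that a compromised or failed DC cannot reach); the age check is meaningful only for backups you can still get at after the forest is down.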

5. Active Directory Restore

There are two primary methods for restoring a Windows Server 2003 DC:

Restore through re-installation.

Restore from backup.

5.1 Restore through re-installation Procedure

Re-installing a domain controller is equivalent to building a new domain controller. This method is valid only if a healthy domain controller still exists in the same domain, because the new DC receives its copy of the directory by replication.

1. Clean up server metadata to remove the NTDS Settings object of the failed domain controller. The metadata cleanup procedure is explained in Appendix A.

2. Install the Windows 2003 operating system.

3. Promote the server to a domain controller in the domain it belongs to by using DCPROMO.

4. Verify the Active Directory installation.

5.2 Restore from Backup

When you restore Active Directory from backup, you have three further options:

Non-Authoritative Restore

Authoritative Restore

Primary Restore


Non-Authoritative Restore

What is it? Restore the DC to a known good point using Ntbackup, then reboot into normal mode; replication from the other DCs brings the restored copy up to date.

When to use: recovery from hardware failure; returning a single domain controller to a known good state.

Options: rebuild the server from scratch and re-run Dcpromo; or restore the machine to a known good point and let replication sync the deltas.

Authoritative Restore

What is it? Restore to a known good point using Ntbackup, then mark selected objects (or the whole database) on the restored domain controller as the master copy, so that they overwrite the versions on the other DCs instead of being overwritten by them.

When to use: accidental deletion or modification of objects or containers in Active Directory; corruption of objects or attributes in the directory.

Options: find a good domain controller that still has the objects and make it authoritative; or restore from a backup that contains the objects and make it authoritative.

Primary Restore

What is it? Restore to a known good point using Ntbackup and mark the restored replicated data (SYSVOL, replicated by FRS) as the primary data, so that it becomes the source copy for all other replicas.

When to use: restoring the first of several domain controllers; the DC being restored is the only DC in the domain.

Options: mark the restored data as the primary data for all replicas (an Advanced restore option in Ntbackup).


6. Steps to Recover Active Directory Forest

It is assumed that none of the Domain Controllers in the Active Directory forest is functional at this point.

1. Determine the roles held by the domain controllers in each domain and select a single domain controller per domain that has the most recent good backup (see section 4), starting with the forest root domain.

2. Switch off all other domain controllers, or disconnect them from the network, so that nothing replicates from the failed DCs into the restored one.

3. Install the Windows 2003 operating system.

4. Reboot the server into Directory Services Restore Mode (DSRM) by pressing the F8 key during system start-up.

5. Log on as Administrator. The domain is not available in DSRM; this is the local DSRM administrator account whose password was set when the server was promoted with DCPROMO.

6. Run the Windows 2003 backup utility and select the Restore Wizard button.

7. Select the appropriate backup location and ensure that at least the system disk and the system state are checked.


8. Click the Advanced button, make sure junction points are being restored, and mark the restored data as the primary data for all replicas (this is the primary restore of SYSVOL), because this is the first DC in the domain.


9. Click Finish. When the restore completes, click No when asked to restart, and close the backup application.

10. Open a command prompt, type ntdsutil, and press ENTER.

11. At the ntdsutil: prompt, type authoritative restore and press ENTER.

12. At the authoritative restore: prompt, type restore database and press ENTER. This marks every object in the restored database as authoritative by raising its version number, so run it only on the one DC per domain that is restored from backup, never on a DC that will be rebuilt with DCPROMO.

13. At the Authoritative Restore Confirmation dialog box, click OK.

14. Type quit until ntdsutil exits, then restart the server in normal mode.

7. Post Recovery Steps Active Directory Forest Restore

1. If Active Directory-integrated DNS is used, the local DNS service must be installed and running on the restored DC, and the server must be configured with its own IP address as preferred DNS server. This is the first DNS server in the forest.

2. If the restored DC is enabled as a global catalog, disable the global catalog flag as explained in Appendix B (it is re-enabled once the other domains have been restored).

3. Seize the domain-level Operations Master roles (FSMO) to the restored DC of each domain; on the restored forest root DC also seize the forest-level roles (schema master and domain naming master). See Appendix C.

4. Clean up the server metadata of every DC that will be rebuilt (Appendix A) before it is promoted again.

5. Starting with the forest root DC, introduce the restored DCs to the network.

6. Install Active Directory on the remaining DCs in the forest using the Active Directory Installation Wizard (DCPROMO).

Microsoft's Active Directory forest recovery guidance adds steps that this procedure does not list and that should not be skipped, since a forest recovery is often the response to a compromise or to corruption that has already replicated everywhere: raise the available RID pool so that RIDs issued after the backup are never reused, invalidate the restored DC's current RID pool, reset the computer account password of the restored DC, reset the krbtgt account password twice, and reset the passwords of all trusts.


Appendix A To clean up server metadata

Open a command prompt.

Type the following command, and then press ENTER: ntdsutil

At the ntdsutil: prompt, type: metadata cleanup

Perform metadata cleanup as follows:

1. At the metadata cleanup: prompt, type: connections

2. At the server connections: prompt, type: connect to server <Server> (a working DC in the domain of the failed DC)

3. At the server connections: prompt, type: quit

4. At the metadata cleanup: prompt, type: select operation target

5. At the select operation target: prompt, type: list sites

6. At the select operation target: prompt, type: select site <SiteNumber>

7. At the select operation target: prompt, type: list domains in site

8. At the select operation target: prompt, type: select domain <DomainNumber>

9. At the select operation target: prompt, type: list servers in site

10. At the select operation target: prompt, type: select server <ServerNumber>

11. At the select operation target: prompt, type: quit

12. At the metadata cleanup: prompt, type: remove selected server

At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error message that indicates that the object cannot be found, Active Directory might have already removed the domain controller.

13. At the metadata cleanup: and ntdsutil: prompts, type quit.

Metadata cleanup removes the NTDS Settings object of the failed DC and with it its replication links. Afterwards check for, and delete by hand if still present, the remaining references to the dead DC: its server object in Active Directory Sites and Services, its computer account in the Domain Controllers OU, and its DNS records, including the SRV records under _msdcs.


Appendix B To disable a Global Catalog

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Sites and Services.

2. In the console tree, expand Sites, the site of the DC, and Servers, and then double-click the DC where you want to enable or disable the global catalog.

3. Right-click NTDS Settings and then click Properties.

4. Clear the Global Catalog check box.

Appendix C To seize an Operation Master role

1. At a command prompt, type: ntdsutil

2. At the ntdsutil: prompt, type: roles

3. At the fsmo maintenance: prompt, type: connections

4. At the server connections: prompt, type: connect to server <ServerFQDN> (the DC that is to receive the role)

5. At the server connections: prompt, type: quit

6. At the fsmo maintenance: prompt, type: seize <OperationsMaster>

where OperationsMaster is the role you want to seize, one of: schema master, domain naming master, RID master, PDC, infrastructure master. For example: seize schema master

ntdsutil first attempts a normal transfer from the current holder and seizes the role only when that holder cannot be contacted; confirm the seizure in the dialog box that appears. A DC whose role has been seized must never be returned to the network with its old directory, which the forest recovery procedure guarantees by rebuilding every other DC with DCPROMO.
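The ntdsutil sequences of Appendix A and Appendix C, the global catalog change of Appendix B, and the role check are all scriptable, which matters when the same steps have to be repeated for every domain and every dead DC during the post-recovery work of section 7. The following PowerShell is an added example, not part of the original document or of Microsoft's tooling. Names are assumptions: the restored forest root DC is dc1.corp.example.com with its server object in site HQ, and the dead DC's server object is DC2 in the same site. It assumes PowerShell is installed (not native to Windows Server 2003), Enterprise Admins rights, ntdsutil from Windows Server 2003 SP1 or later (for "remove selected server <DN>"), and netdom from the Support Tools. Both "remove selected server" and "seize" still display a confirmation dialog box that must be answered on the console, so this is an operator aid, not an unattended job.

```powershell
# Added example: Appendix A (metadata cleanup) and Appendix C (role seizure)
# driven through ntdsutil from PowerShell, Appendix B (GC flag) via ADSI, and
# verification with netdom (Windows Server 2003 Support Tools). All names are
# assumptions; requires ntdsutil from Windows Server 2003 SP1 or later.

$restoredDc   = 'dc1.corp.example.com'                                                       # assumption
$restoredDn   = 'CN=DC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com'  # assumption
$deadServerDn = 'CN=DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com'  # assumption

function Invoke-Ntdsutil {
    # ntdsutil accepts its interactive commands as arguments, one command per
    # argument, and needs a 'quit' for every menu level entered. Multi-word
    # commands must stay one argument; PowerShell does that for array elements.
    param([string[]]$Commands)
    Write-Host ('ntdsutil ' + (($Commands | ForEach-Object { '"' + $_ + '"' }) -join ' '))
    & ntdsutil $Commands
    if ($LASTEXITCODE -ne 0) { Write-Warning "ntdsutil exited with code $LASTEXITCODE; read the output above" }
}

function Remove-DcMetadata {
    # Appendix A, using the SP1 form that selects the dead server by DN instead
    # of walking list sites / select site / list servers / select server.
    param([string]$ServerDn, [string]$ConnectTo = $restoredDc)
    Invoke-Ntdsutil @('metadata cleanup', 'connections', "connect to server $ConnectTo", 'quit',
                      "remove selected server $ServerDn", 'quit', 'quit')
}

function Invoke-FsmoSeizure {
    # Appendix C. $Role uses ntdsutil's spelling: 'schema master',
    # 'domain naming master', 'RID master', 'PDC', 'infrastructure master'.
    # ntdsutil tries a clean transfer first and seizes only when the current
    # holder is unreachable; the old holder must never come back unrebuilt.
    param([string]$Role, [string]$TargetDc = $restoredDc)
    Invoke-Ntdsutil @('roles', 'connections', "connect to server $TargetDc", 'quit',
                      "seize $Role", 'quit', 'quit')
}

function Set-GlobalCatalogFlag {
    # Appendix B without the GUI: the GC flag is bit 0 (value 1) of the
    # 'options' attribute on the DC's NTDS Settings object.
    param([string]$ServerDn, [bool]$Enabled)
    $ntds = [ADSI]"LDAP://CN=NTDS Settings,$ServerDn"
    $opts = [int]$ntds.Properties['options'].Value   # unset attribute reads as 0
    if ($Enabled) { $opts = $opts -bor 1 } else { $opts = $opts -band (-bnot 1) }
    $ntds.Properties['options'].Value = $opts
    $ntds.CommitChanges()
}

# Post-recovery sequence for the restored forest root DC (section 7, steps 2
# to 4): drop the GC flag, take all five roles (forest-level ones included,
# because this is the root domain), then remove the dead DC's metadata.
Set-GlobalCatalogFlag -ServerDn $restoredDn -Enabled $false
foreach ($role in 'schema master', 'domain naming master', 'RID master', 'PDC', 'infrastructure master') {
    Invoke-FsmoSeizure -Role $role
}
Remove-DcMetadata -ServerDn $deadServerDn

# Verify: netdom prints the current holder of each of the five roles.
& netdom query fsmo
```

For a child domain's restored DC, run Invoke-FsmoSeizure only for RID master, PDC and infrastructure master against that DC; the schema and domain naming masters stay on the forest root. Repeat Remove-DcMetadata for every DC that will be rebuilt, before it is promoted again with DCPROMO.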

    Appendix D Useful Links

    1. http://support.microsoft.com/default.aspx?scid=kb;en-us;839879

    2. http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/ActiveDirectory/ActiveDirectoryDisasterRecovery.html

    3. http://support.microsoft.com/?id=263532
