Presentation on theme: "Course 6425A Module 9: Implementing an Active Directory Domain Services Maintenance Plan" (presentation transcript)
1 Course 6425A
Module 9: Implementing an Active Directory Domain Services Maintenance Plan
Presentation: 55 minutes
Lab: 75 minutes
This module helps students implement an Active Directory® Domain Services (AD DS) maintenance plan.
After completing this module, students will be able to:
• Maintain the AD DS domain controllers
• Back up Active Directory Domain Services
• Restore Active Directory Domain Services
Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 6425A_09.ppt.
Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.
Preparation tasks
To prepare for this module:
• Read all of the materials for this module.
• Complete the practices.
This section contains information that will help you to teach this module. For some topics in this module, references to additional information appear in notes at the end of the topics. Read the additional information so that you can prepare to teach the module. During class, ensure that students are aware of the additional information.
2 Module Overview
• Maintaining the AD DS Domain Controllers
• Backing Up Active Directory Domain Services
• Restoring Active Directory Domain Services
3 Lesson 1: Maintaining the AD DS Domain Controllers
• The Active Directory Domain Services Database and Log Files
• How the AD DS Database Is Modified
• Managing the Active Directory Database Using NTDSUtil Tool
• What Is an AD DS Database Defragmentation?
• What Are Restartable Active Directory Domain Services?
• Demonstration: Performing AD DS Database Maintenance Tasks
• Locking Down Services on an AD DS Domain Controller
4 The Active Directory Domain Services Database and Log Files
File: Ntds.dit
  Description: Is the Active Directory database file. Stores all Active Directory objects on the domain controller. Uses the default location systemroot\NTDS folder.
File: Edb*.log
  Description: Is a transaction log file. Uses the default transaction log file Edb.log.
File: Edb.chk
  Description: Is a checkpoint file. Tracks data not yet written to the Active Directory database file.
File: edbres00001.jrs, edbres00002.jrs
  Description: Are the reserved transaction log files.
Instructor notes: Open Windows Explorer and browse to the C:\Windows\NTDS folder. Point out the files in the folder as you discuss each of the files. Stress that log files always will be exactly 10 megabytes (MB) in size. Discuss the role of the reserve log files. If students are familiar with previous Active Directory versions, mention that the edbres00001.jrs and edbres00002.jrs files were called res1.log and res2.log in previous versions.
Reference: How the Data Store Works
5 How the AD DS Database Is Modified
[Diagram: Write Request → Transaction is initiated → Write to the transaction buffer → Write to the transaction log file (EDB.log) → Write to the database on disk (Ntds.dit on Disk) → Commit the transaction → Update the checkpoint (Edb.chk)]
Instructor notes: Describe how the files that the slide lists are used when data is committed to the database. The basic data modification process consists of six steps:
• The write request initiates a transaction.
• Active Directory writes the transaction to the transaction buffer in memory.
• Active Directory secures the transaction in the transaction log.
• Active Directory writes the transaction from the buffer to the database.
• Active Directory compares the database and log files to ensure that the transaction was committed to the database.
• Active Directory updates the checkpoint file.
Question: What other Microsoft services use a transactional model for making database changes? How does the AD DS model compare to these other services?
Answer: Both Microsoft Exchange Server and Microsoft SQL Server™ use the transaction model. The model is very similar in all cases, although some details, such as the size of the transaction logs, vary. For example, in Exchange Server 2007, the transaction logs are only 1 MB in size.
Reference: How the Data Store Works
6 Managing the Active Directory Database Using NTDSUtil Tool
Ntdsutil.exe is a command-line tool used to manage some Active Directory components.
Use Ntdsutil.exe to:
• Perform Active Directory database maintenance
• Manage and control single master operations
• Move the Active Directory database files
• Remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled
Type HELP at any NTDSUtil prompt for context-sensitive help.
Instructor notes: Describe what NTDSUtil is and describe some of the scenarios where you can use it. Consider opening a command prompt and starting the NTDSUtil tool. Show how to access help and how to move between different contexts within NTDSUtil. Review the NTDSUtil commands.
Question: You have forgotten the directory services restore-mode password for your domain controller. How can you recover the password?
Answer: You cannot recover the password, but by using the Set DSRM password command in NTDSUtil, you can configure a new password for this account.
Reference: NTDSUtil Help; Data Store Tools and Settings
7 What Is an AD DS Database Defragmentation?
• Active Directory performs online database defragmentation automatically every 12 hours
• Online defragmentation optimizes data storage in the database and reclaims space in the directory for new objects, but does not reduce the size of the database file
• Use the NTDSUtil command-line tool to perform offline defragmentation on a dismounted database
• Offline defragmentation creates a new, compacted version of the database file
• The new file may be considerably smaller, depending on how fragmented the original database file was
Instructor notes: Describe the difference between online and offline defragmentation. Highlight that online defragmentation happens automatically and does not disrupt normal access to Active Directory. Offline defragmentation requires that the administrator takes the database offline and runs the NTDSUtil tool. Mention that offline defragmentation does not need to be performed normally. The scenarios where students may choose to run an offline defragmentation include:
• After removing the global catalog from a server
• After removing a large number of objects from the domain
• After converting from Active Directory-integrated Domain Name System (DNS) to standard DNS
Question: How often will you need to perform an offline defragmentation of your AD DS databases in your environment?
Answer: Most organizations will have to perform an offline defragmentation only when they need to optimize the database usage. In general, you will do this only when the amount of data that you are storing in the AD DS database on a domain controller decreases significantly.
Reference: Data Store Tools and Settings
8 What Are Restartable Active Directory Domain Services?
Restartable AD DS services allow administrators to stop the Active Directory Domain Services without stopping any other services.
Use restartable AD DS services when:
• Applying updates that modify Active Directory service files on a domain controller
• Performing tasks such as offline defragmentation of the Active Directory database
Directory Services Restore Mode must be used to restore the Active Directory database.
Instructor notes: There are three possible states for a domain controller running Windows Server® 2008:
• AD DS Started. In this state, AD DS is started. For clients and other services running on the server, a Windows Server “Longhorn” domain controller running in this state is the same as a domain controller running Windows 2000 Server or Windows Server 2003.
• AD DS Stopped. In this state, AD DS is stopped. Although this mode is unique, the server has some characteristics of both a domain controller in Directory Services Restore Mode and a domain-joined member server. As with Directory Services Restore Mode, the Active Directory database (Ntds.dit) is offline. Also, you can use the Directory Services Restore Mode password to log on locally if another domain controller cannot be contacted. As with a member server, the server is joined to the domain. Also, users can log on interactively or over the network by using another domain controller for domain logon. However, a domain controller should not remain in this state for an extended time because in this state, it cannot service logon requests or replicate with other domain controllers.
• Directory Services Restore Mode. This mode (or state) is unchanged from Windows Server 2003.
Reference: Windows Server 2008 Technical Library
9 Demonstration: Performing AD DS Database Maintenance Tasks
In this demonstration, you will see how to:
• Start and stop AD DS services
• Move the AD database to a different drive using NTDSUtil
• Use NTDSUtil and AD DS Stopped mode for offline defragmentation
To complete this demonstration, you must have the NYC-DC1 virtual machine running.
Demonstration steps:
To stop or start the AD DS service:
1. Click Start, click Admin Tools, and then click Services.
2. Right-click Active Directory Domain Services and then select Stop from the context menu.
3. In the Also stop the following Services dialog, click Yes.
To perform an offline defragmentation of the AD database while in an AD DS Stopped state:
1. Click Start, click Run, type CMD and then press ENTER.
2. In the command window that appears, type ntdsutil and then press ENTER.
3. At the ntdsutil: prompt, type Activate Instance NTDS and then press ENTER.
4. At the ntdsutil: prompt, type files and then press ENTER.
5. At the file maintenance: prompt, type compact to drive:\LocalDirectoryPath (where drive:\LocalDirectoryPath is the path to a location on the local computer) and then press ENTER.
6. Once complete, copy the ntds.dit file in the compact directory to C:\Windows\NTDS\ntds.dit and delete the old log files by typing del C:\Windows\NTDS\*.log in a command window.
7. In the File Maintenance command window, type integrity to check the integrity of the new compacted database.
Once complete, if you want to specify a new location in which to store the database, such as a different spindle:
1. In the File Maintenance command window, type move db to pathname and press ENTER. The ntds.dit file is moved to the new location and permissions are set accordingly.
2. In the Services console, right-click Active Directory Domain Services and then click Start.
Questions:
Why is it necessary to stop the AD DS before defragmenting?
Answer: The database needs to be closed completely before it can be overwritten. An online database may have locked records that are being written to, preventing file modification.
Why is it necessary to compact the database to a temporary directory first?
Answer: Compacting the database actually creates a contiguous copy, which will be used to overwrite the fragmented original.
Reference: Data Store Tools and Settings
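The offline-defragmentation procedure above as a script with a check after each step, added here as an example and not part of the course material. The database and scratch paths are assumptions; the scratch path must not contain spaces because ntdsutil receives it unquoted.

```powershell
# Added example (not from the course): offline defragmentation of Ntds.dit via
# ntdsutil.exe, run from an elevated PowerShell prompt on the domain controller.
param(
    [string]$NtdsPath   = 'C:\Windows\NTDS',   # default database location (assumption)
    [string]$CompactDir = 'C:\NTDS-Compact'    # scratch location, no spaces (assumption)
)
$ErrorActionPreference = 'Stop'

function Invoke-Ntdsutil {
    # Each element is one ntdsutil command; PowerShell quotes the ones containing spaces,
    # so this is the same as typing: ntdsutil "activate instance ntds" files "compact to X" quit quit
    param([string[]]$Commands)
    $out = & ntdsutil.exe @Commands 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "ntdsutil failed (exit $LASTEXITCODE):`n$($out -join "`n")"
    }
    $out
}

# 1. Stop AD DS. -Force also stops the dependent services that the Services console
#    asks about in the "Also stop the following services" dialog.
Stop-Service -Name NTDS -Force
if ((Get-Service -Name NTDS).Status -ne 'Stopped') { throw 'NTDS did not stop' }

# 2. Compact into the scratch directory; the original file is not touched by this step.
New-Item -ItemType Directory -Path $CompactDir -Force | Out-Null
Invoke-Ntdsutil @('activate instance ntds', 'files', "compact to $CompactDir", 'quit', 'quit') |
    ForEach-Object { Write-Verbose $_ }
$compacted = Join-Path $CompactDir 'ntds.dit'
if (-not (Test-Path $compacted)) { throw "compaction produced no file at $compacted" }

# 3. Keep a copy of the original, then swap in the compacted file and remove the
#    stale transaction logs (the "del C:\Windows\NTDS\*.log" step of the demonstration).
$original   = Join-Path $NtdsPath 'ntds.dit'
$sizeBefore = (Get-Item $original).Length
Copy-Item -Path $original -Destination "$original.bak" -Force
Copy-Item -Path $compacted -Destination $original -Force
Remove-Item -Path (Join-Path $NtdsPath '*.log') -Force

# 4. Integrity check of the database now in place. The exit code is checked by
#    Invoke-Ntdsutil; the text is shown so the operator can read the result as well.
Invoke-Ntdsutil @('activate instance ntds', 'files', 'integrity', 'quit', 'quit') |
    ForEach-Object { Write-Host $_ }

# 5. Start AD DS again and report the size change.
Start-Service -Name NTDS
if ((Get-Service -Name NTDS).Status -ne 'Running') { throw 'NTDS did not start' }
$sizeAfter = (Get-Item $original).Length
Write-Host ("ntds.dit: {0:N0} bytes before, {1:N0} bytes after" -f $sizeBefore, $sizeAfter)
```

Delete the .bak copy only after the domain controller has replicated normally; until then it is the fallback if the compacted database fails to open.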
10 Locking Down Services on AD DS Domain Controllers
• Minimize the number of server roles and applications installed on domain controllers
• Use the Security Configuration Wizard to lock down the services on a domain controller
Services required for AD DS to function correctly:
• Distributed File System
• DNS Server
• File Replication Service
• Kerberos Key Distribution Center
• Intersite Messaging
• Remote Procedure Call (RPC) Locator
Instructor notes: Stress that one of the critical components when securing domain controllers is to minimize the number of services and applications running on the domain controller. One option for ensuring that only the required services are running is to use the Security Configuration Wizard (SCW). If students are not familiar with the SCW, spend some time explaining how it works. Consider starting the wizard and showing the Security Configuration Wizard configuration database, pointing out the services that the Active Directory Domain Services role requires.
Reference: MS HELP: Security Configuration Database
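An audit to support the lockdown described above, added as an example and not part of the course: it lists running services that are outside the slide's required list, and compares a domain controller against a baseline exported from a reference DC after SCW has been applied. Service display names are taken from the slide and vary slightly between Windows versions, and the base operating-system services (Netlogon, Windows Time, event log and so on) are not on the slide's list, so the output is a review list for the SCW run, not a list of services to stop.

```powershell
# Added example (not from the course): service audit for domain controllers.
$RequiredForAdds = @(
    'Distributed File System',
    'DNS Server',
    'File Replication Service',
    'Kerberos Key Distribution Center',
    'Intersite Messaging',
    'Remote Procedure Call (RPC) Locator',
    'Active Directory Domain Services'    # the directory service itself (assumption, not on the slide)
)

function Get-ReviewableService {
    # Running services on $ComputerName whose display name is not in the required list.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$Required   = $RequiredForAdds
    )
    Get-Service -ComputerName $ComputerName |
        Where-Object { $_.Status -eq 'Running' -and $Required -notcontains $_.DisplayName } |
        Select-Object @{ n = 'Computer'; e = { $ComputerName } }, Name, DisplayName
}

function Export-ServiceBaseline {
    # Saves the set of running service names on a reference DC (after SCW) to a text file.
    param([string]$ComputerName, [string]$Path)
    Get-Service -ComputerName $ComputerName |
        Where-Object { $_.Status -eq 'Running' } |
        Select-Object -ExpandProperty Name | Sort-Object |
        Set-Content -Path $Path
}

function Compare-ServiceBaseline {
    # Reports services that run on $ComputerName but not on the baseline DC, and vice versa.
    param([string]$ComputerName, [string]$BaselinePath)
    $baseline = @(Get-Content -Path $BaselinePath)
    $current  = @(Get-Service -ComputerName $ComputerName |
        Where-Object { $_.Status -eq 'Running' } |
        Select-Object -ExpandProperty Name | Sort-Object)
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
        ForEach-Object {
            $state = if ($_.SideIndicator -eq '=>') { 'running, not in baseline' }
                     else                           { 'in baseline, not running' }
            New-Object PSObject -Property @{
                Computer = $ComputerName; Service = $_.InputObject; State = $state
            }
        }
}

# Usage (names are assumptions): review NYC-DC1, then use it as the baseline for NYC-DC2.
Get-ReviewableService -ComputerName 'NYC-DC1' | Format-Table -AutoSize
Export-ServiceBaseline -ComputerName 'NYC-DC1' -Path 'C:\Temp\dc-services-baseline.txt'
Compare-ServiceBaseline -ComputerName 'NYC-DC2' -BaselinePath 'C:\Temp\dc-services-baseline.txt' |
    Format-Table Computer, Service, State -AutoSize
```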
11 Lesson 2: Backing Up Active Directory Domain Services
• Introduction to Backing Up AD DS
• Windows Backup Features
• Demonstration: Backing Up AD DS
12 Introduction to Backing Up AD DS
To back up Active Directory, you must back up all critical volumes.
Critical volumes include:
• The system volume: the volume that hosts the boot files
• The boot volume: the volume that hosts the Windows operating system and the Registry
• The volume that hosts the SYSVOL tree
• The volume that hosts the Active Directory database (Ntds.dit)
• The volume that hosts the Active Directory database log files
All of these files may be stored in a single volume or distributed across multiple volumes.
Instructor notes: Mention that backing up Active Directory Domain Services in Windows Server 2008 is different than it was in previous Active Directory versions, in which you could back up just the system state information. In Windows Server 2008, you must back up all of the files on the critical volumes.
In Windows Server 2008, the system components that make up system state data depend on the server roles that are installed on the computer, and which volumes host the critical files that the operating system and the installed roles use. System state data includes at least the following, plus additional data depending on the server roles that are installed:
• Registry
• COM+ Class Registration database
• Boot files, as described earlier in this topic
• Active Directory Certificate Services database
• Active Directory Domain Services database
• SYSVOL directory
• Cluster service information
• Microsoft Internet Information Services (IIS) metadirectory
• System files that are under Windows Resource Protection
Mention that because you have to back up entire volumes to back up AD DS, it is a best practice to dedicate disk volumes to the critical volumes. For example, data should not be stored on the system volume, as this will increase the backup's size and increase the time it takes to restore the server.
Question: What other process could you use to back up the system state data on a domain controller?
Answer: You could do a full server backup.
Reference: Active Directory Domain Services Help: Help prepare for disaster recovery by performing routine backups of the Active Directory database; Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery
13 Windows Backup Features
Windows Server Backup is a Windows Server 2008 feature used to back up and recover the operating system and data.
With Windows Server Backup, you can:
• Recover the server without using third-party backup and recovery tools
• Perform manual or automatic backups
• Back up an entire server or selected volumes
• Recover items or entire volumes
• Use DVDs or CDs as backup media
Windows Server Backup does not support backing up individual files or directories, only entire volumes.
Instructor notes: Mention that Windows Server Backup is not installed by default. You must install it by using Add Features in Server Manager before you can use the Wbadmin.exe command-line tool or Backup in Administrative Tools.
Windows Server 2008 supports the following backup types:
• Manual backup. A member of the Administrators group or the Backup Operators group can initiate a manual backup at any time. If the target volume is not included in the backup set, you can make manual backups on a remote network share or on a volume on a local hard drive.
• Scheduled backup. A member of the Administrators group can use the Windows Server Backup or the Wbadmin.exe command-line tool to schedule backups. The scheduled backups must be made on a local, physical drive that does not host any critical volumes. Because scheduled backups reformat the target drive that hosts the backup files, you should have a dedicated backup volume.
Windows Server Backup supports DVDs or CDs as backup media. You cannot use magnetic tape cartridges, nor a dynamic volume as a backup target.
Reference: Windows Technical Library
14 Demonstration: Backing Up AD DS
In this demonstration, you will see how to back up AD DS.
To complete this demonstration, you must have the NYC-DC1 virtual machine running.
Demonstration steps:
1. From the Start menu, select Admin Tools, and then select Backup.
2. In the Backup console, under the Actions pane, click Backup Schedule to create a scheduled backup.
3. Follow the wizard's prompts to specify the type (Full or Custom; by default the system volume is always backed up with scheduled backups), backup time (once per day or multiple times per day), target disk, view summary, and confirm.
4. The Backup Once option beneath the Actions pane offers manual backup capabilities. You can deselect the system volume from the Backup Items or specify that you want to be able to perform a system recovery using this backup. The location type screen shows that you can select local disks, DVD, or a remote shared folder (network backup). Select the location for backup, view the summary, and proceed with the backup.
Questions:
Why should backups be scheduled?
Answer: To help automate tasks as much as possible.
How often should a full backup be performed? How often should an incremental or differential backup be performed?
Answer: Answers will vary. It depends on how much work an organization can afford to lose, though this must be balanced against the practical limits of trying to back up too often. Many organizations perform a full backup once a week, with either incremental or differential backups daily.
Reference: Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery
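The manual (Backup Once) path of the demonstration driven from Wbadmin.exe instead of the console, added as an example that is not part of the course. It backs up the critical volumes and then confirms the backup catalog gained a version, which is the check worth scripting before relying on a backup in a restore exercise. The backup target is an assumption and must not itself be one of the critical volumes.

```powershell
# Added example (not from the course): one-time backup of the critical volumes
# with wbadmin.exe, plus a catalog check. Run elevated on the domain controller.
function Start-CriticalVolumeBackup {
    param([Parameter(Mandatory = $true)][string]$BackupTarget)   # e.g. 'E:' or '\\backupsrv\dcbackups'
    # -allCritical selects every volume that holds a system state component
    # (system and boot volumes, SYSVOL, Ntds.dit and its logs), so no critical
    # volume is missed even when they are spread across several disks.
    $out = & wbadmin.exe start backup "-backupTarget:$BackupTarget" -allCritical -quiet 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin start backup failed (exit $LASTEXITCODE):`n$($out -join "`n")"
    }
    $out
}

function Get-BackupVersionId {
    # Parses the 'Version identifier: MM/DD/YYYY-HH:MM' lines that 'wbadmin get versions' prints,
    # one per backup stored on the target. Returns an empty array when the target holds none.
    param([Parameter(Mandatory = $true)][string]$BackupTarget)
    $out = & wbadmin.exe get versions "-backupTarget:$BackupTarget" 2>&1
    $ids = @()
    foreach ($line in $out) {
        if ($line -match 'Version identifier:\s*(\S+)') { $ids += $Matches[1] }
    }
    $ids
}

function Test-BackupRecorded {
    # Runs a backup and returns $true only if the catalog on the target gained a new version.
    param([Parameter(Mandatory = $true)][string]$BackupTarget)
    $before = @(Get-BackupVersionId -BackupTarget $BackupTarget)
    Start-CriticalVolumeBackup -BackupTarget $BackupTarget | Out-Null
    $after  = @(Get-BackupVersionId -BackupTarget $BackupTarget)
    return ($after.Count -gt $before.Count)
}

# Usage (target is an assumption): a dedicated backup volume E:.
if (Test-BackupRecorded -BackupTarget 'E:') {
    Write-Host "Latest version on E:: $((Get-BackupVersionId -BackupTarget 'E:') | Select-Object -Last 1)"
} else {
    Write-Warning 'Backup finished without a new catalog entry; do not rely on it for a restore.'
}
```

The version identifier printed here is the value later passed to wbadmin when restoring in Directory Services Restore Mode, so it is worth recording with the backup. A scheduled backup uses wbadmin enable backup with a dedicated disk, as the slide notes, and is not shown here.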
15 Lesson 3: Restoring Active Directory Domain Services
• Overview of Restoring AD DS
• What Is a Nonauthoritative AD DS Restore?
• What Is an Authoritative AD DS Restore?
• What Is the Database Mounting Tool?
• Demonstration: Using the Database Mounting Tool
• Reanimating Tombstoned AD DS Objects
16 Overview of Restoring AD DS
Options for restoring Active Directory Domain Services include:
• Normal Restore
• Authoritative Restore
• Full Server Restore
• Alternate Location Restore
Instructor notes: Discuss the following options for restoring AD DS:
• Normal restore. Use this method to reinstate the Active Directory data to the state captured in the backup and then update the data through the normal replication process. Perform a normal restore only when you want to restore a single domain controller to a previously known good state.
• Authoritative restore. Use this method in conjunction with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated throughout the domain. Perform an authoritative restore to restore individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup.
• Full Server Restore. Use this method to restore a failed domain controller. Full server restore performs a bare metal restoration of the system and data volumes to a point in time prior to failure. A full server recovery recovers every server volume. Backup reformats and repartitions all disks that are attached to the server. Use this scenario if you want to recover onto new hardware or if all other attempts to recover the server on the existing hardware have failed.
• Alternate Location Restore. Use this method to install new domain controllers. For more information about Alternate Location Restore, see 6429A: Configuring Windows Server 2008 Active Directory Domain Services, Module 1: Installing Active Directory® Domain Services.
Reference: Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery
17 What Is a Nonauthoritative AD DS Restore?
A nonauthoritative or normal AD DS restore returns the directory service to its state at the time that the backup was created. AD DS replication updates the domain controller with changes that have occurred since the backup was created.
Restart the domain controller in Directory Services Restore Mode to perform a nonauthoritative restore:
1. Press F8 when restarting the server and choose Directory Services Restore Mode, or type the command bcdedit /set safeboot dsrepair and restart the server.
2. Provide the Directory Services Restore Mode password.
Instructor notes: Stress that the nonauthoritative restore does not restore deleted Active Directory information unless the domain controller is the only one in the domain. When performing a nonauthoritative restore, AD DS replication replicates changes (including the deletion) to the domain controller when it reboots after the restore is complete.
To restart the domain controller in disaster-recovery mode, you can:
1. After the boot option menu appears, press F8, and then select the option for DSRM.
-or-
2. Open a command prompt, type the following command, and press ENTER:
bcdedit /set safeboot dsrepair
Then, type the following command and press ENTER:
shutdown -t 0 -r
To restart the server normally after you perform the restore operation, type the following command and then press ENTER:
bcdedit /deletevalue safeboot
Administrative credentials: You can log on to the domain controller that you are restoring by using the DSRM password, either locally or remotely. You specify the DSRM password when you install AD DS.
Question: What would happen if you did not enter the second bcdedit command after restoring the AD DS database?
Answer: The domain controller would restart in DSRM again. You must remove this switch in order to boot into normal mode.
Reference: Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery
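The bcdedit part of the procedure above, with the check that answers the question about the forgotten second command: each function reads the boot entry back after changing it and refuses to restart until the flag is in the expected state. This is an added example, not course material; it assumes an elevated PowerShell prompt on the domain controller and that the value bcdedit prints for the DSRM flag is DsRepair.

```powershell
# Added example (not from the course): enter and leave Directory Services Restore
# Mode through the boot configuration, verifying the flag before every restart.
function Get-SafebootValue {
    # Returns the safeboot value of the current boot entry, or $null when it is not set.
    $lines = & bcdedit.exe /enum '{current}' 2>&1
    foreach ($line in $lines) {
        if ($line -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }
    }
    return $null
}

function Enter-DsrmOnNextBoot {
    # Equivalent of: bcdedit /set safeboot dsrepair, then shutdown -t 0 -r
    & bcdedit.exe /set safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit /set safeboot dsrepair failed' }
    $value = Get-SafebootValue
    if ($value -ne 'DsRepair') {          # -ne is case-insensitive in PowerShell
        throw "expected safeboot DsRepair, but the boot entry shows '$value'; not restarting"
    }
    Restart-Computer -Force
}

function Exit-DsrmOnNextBoot {
    # Equivalent of: bcdedit /deletevalue safeboot, then a normal restart.
    # Without this the server would boot into DSRM again, as the question above notes.
    & bcdedit.exe /deletevalue safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit /deletevalue safeboot failed' }
    $value = Get-SafebootValue
    if ($null -ne $value) { throw "safeboot is still set to '$value'; not restarting" }
    Restart-Computer -Force
}

function Test-DsrmFlagLeftBehind {
    # Run after any restore work: $true means the server is still configured to boot into DSRM.
    return ($null -ne (Get-SafebootValue))
}

# Usage: before the restore, Enter-DsrmOnNextBoot; after the restore, Exit-DsrmOnNextBoot.
# On a normally running DC, Test-DsrmFlagLeftBehind should return $false.
if (Test-DsrmFlagLeftBehind) { Write-Warning 'This server will boot into DSRM on the next restart.' }
```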
18 What Is an Authoritative AD DS Restore?
Authoritative restore provides a method to recover objects and containers that have been deleted from AD DS.
Authoritative restore is a four-step process:
1. Start the domain controller in DSRM
2. Restore the desired backup, which is typically the most recent backup
3. Use Ntdsutil.exe to mark desired objects, containers, or partitions as authoritative
4. Restart the domain controller in normal mode to replicate the changes
To mark an object as authoritative, use a command like:
restore subtree "OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com"
Instructor notes: To perform an authoritative restore of Active Directory objects, you must first perform a nonauthoritative restore. However, you must not restart the domain controller normally following the nonauthoritative restore procedure.
When an object is marked for authoritative restore, its version number is changed so that it is higher than the (deleted) object's existing version number in the Active Directory replication system. This change ensures that any data that you restore authoritatively is replicated from the restored domain controller to other domain controllers in the forest.
To mark a subtree or individual object authoritative:
1. In Directory Services Restore Mode, click Start, click Run, type ntdsutil, and then press ENTER.
2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
3. To restore a subtree or individual object, type one of the following commands, as appropriate, and then press ENTER:
To restore a subtree (for example, an organizational unit and all child objects):
restore subtree DistinguishedName
To restore a single object:
restore object DistinguishedName
4. Click Yes in the message box to confirm the command.
For example, if you want to restore a deleted organizational unit named Marketing NorthAm in the corp.contoso.com domain, type:
restore subtree "OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com"
(Always enclose the distinguished name in quotes when there is a space or other special characters within the distinguished name.)
Reference: Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery; Performing an Authoritative Restore of Active Directory Objects
19 What Is the Database Mounting Tool?
The Database Mounting Tool can be used to:
• Create and view snapshots of data that is stored in AD DS
• Improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times
• Eliminate the need to restore multiple backups to compare the Active Directory data that they contain
• View, but not restore, deleted objects and containers
Instructor notes: Describe a scenario where the Database Mounting Tool may be useful. For example, if a user account was deleted several weeks ago, but you are not sure which backup of Active Directory has the most recent information about it, you can view the snapshots of Active Directory to see when the account was last available in Active Directory. Then you can restore the backup of Active Directory from that date. In another example, if a Group Policy object is modified accidentally, you can use the Database Mounting Tool to examine the changes and help you better decide how to correct them if necessary.
The Database Mounting Tool does not actually recover the deleted objects and containers. The administrator must perform data recovery as a subsequent step.
You can use a Lightweight Directory Access Protocol (LDAP) tool such as Ldp.exe, which is built into Windows Server 2008, to view the data that the snapshots expose. This data is read-only, and by default, only members of the Domain Admins and Enterprise Admins groups are allowed to view the snapshots because they contain sensitive AD DS data.
To create a snapshot, you must be a member of the Enterprise Admins group or the Domain Admins group, or you must have been delegated the appropriate permissions.
Mention that, as a best practice, administrators should schedule a task that regularly runs Ntdsutil.exe to take snapshots of the volume that contains the AD DS or AD LDS database.
Reference: AD DS: Database Mounting Tool; Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 Beta 3
20 Demonstration: Using the Database Mounting Tool
In this demonstration, you will see how to use the Database Mounting Tool to view deleted AD DS objects.
To complete this demonstration, you must have the NYC-DC1 virtual machine running.
Demonstration steps: Use the step-by-step guide in the resources to determine the individual procedures to create a snapshot, delete an object (a user perhaps), mount the snapshot with NTDSutil, and use LDP or ADSIedit to view the deleted object in the snapshot.
Questions:
When would it be useful to mount multiple snapshots simultaneously?
Answer: When an object is deleted from Active Directory accidentally and you are unsure which backup to restore. You can mount multiple snapshots and browse them simultaneously for the deleted object.
Why is it necessary to specify different LDAP, SSL, and global catalog ports for each mounted instance of the database?
Answer: Because each snapshot will act as a separate LDAP server, the ports must be unique on the computer. For example, if an administrator mounts three snapshots, you must specify 12 unique ports (four for each instance).
Reference: Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 Beta 3
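The snapshot lifecycle from the previous two slides (the scheduled snapshot task recommended as a best practice, and create, mount, expose and dismount from the demonstration) as PowerShell wrappers around Ntdsutil.exe and Dsamain.exe. This is an added example and not course material; the paths, port number and task name are assumptions, and the output phrases parsed ("generated successfully", "mounted as") are those ntdsutil prints for these commands.

```powershell
# Added example (not from the course): AD DS snapshot handling with ntdsutil/dsamain.
$ErrorActionPreference = 'Stop'

function New-AdSnapshot {
    # Equivalent of: ntdsutil "activate instance ntds" snapshot create quit quit
    # Returns the snapshot set GUID that ntdsutil reports.
    $out = & ntdsutil.exe 'activate instance ntds' snapshot create quit quit 2>&1
    if ($LASTEXITCODE -ne 0) { throw "snapshot create failed:`n$($out -join "`n")" }
    $line = $out | Where-Object { $_ -match 'generated successfully' } | Select-Object -First 1
    if ($line -notmatch '(\{[0-9a-fA-F-]+\})') { throw "no snapshot GUID in output:`n$($out -join "`n")" }
    return $Matches[1]
}

function Mount-AdSnapshot {
    # Equivalent of: ntdsutil snapshot "mount {GUID}" quit quit
    # Returns the directory under which the snapshot volume is exposed.
    param([Parameter(Mandatory = $true)][string]$Guid)
    $out = & ntdsutil.exe snapshot "mount $Guid" quit quit 2>&1
    if ($LASTEXITCODE -ne 0) { throw "mount failed:`n$($out -join "`n")" }
    $line = $out | Where-Object { $_ -match 'mounted as' } | Select-Object -First 1
    if ($line -notmatch 'mounted as\s+(.+?)\s*$') { throw "no mount path in output:`n$($out -join "`n")" }
    return $Matches[1]
}

function Dismount-AdSnapshot {
    param([Parameter(Mandatory = $true)][string]$Guid)
    $out = & ntdsutil.exe snapshot "unmount $Guid" quit quit 2>&1
    if ($LASTEXITCODE -ne 0) { throw "unmount failed:`n$($out -join "`n")" }
}

function Start-SnapshotLdap {
    # Exposes the snapshot's ntds.dit read-only through dsamain.exe on a spare LDAP port.
    # The SSL, GC and GC-SSL ports default to the next three numbers, which is why the
    # slide counts four unique ports per mounted instance. Default port is an assumption.
    param(
        [Parameter(Mandatory = $true)][string]$MountPath,
        [int]$LdapPort = 51389,
        [string]$RelativeDitPath = 'Windows\NTDS\ntds.dit'   # default location (assumption)
    )
    $dit = Join-Path $MountPath $RelativeDitPath
    if (-not (Test-Path $dit)) {
        throw "ntds.dit not found at $dit; if the database lives on another volume, mount that volume's snapshot"
    }
    # Returns the dsamain process; stop it before dismounting the snapshot.
    Start-Process -FilePath 'dsamain.exe' -ArgumentList "-dbpath `"$dit`" -ldapport $LdapPort" -PassThru
}

function Register-DailySnapshotTask {
    # The best practice from the slide: a scheduled task that takes a snapshot every day.
    # A .cmd wrapper avoids nesting quotes inside the schtasks /tr argument.
    param([string]$ScriptPath = 'C:\Scripts\New-AdSnapshot.cmd', [string]$At = '02:00')
    New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
    Set-Content -Path $ScriptPath -Value 'ntdsutil "activate instance ntds" snapshot create quit quit'
    & schtasks.exe /create /sc DAILY /st $At /tn 'AD DS Snapshot' /tr $ScriptPath /ru SYSTEM /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'schtasks /create failed' }
}

# Usage: take a snapshot now, expose it, browse it with Ldp.exe on localhost:51389, then clean up.
$guid    = New-AdSnapshot
$path    = Mount-AdSnapshot -Guid $guid
$dsamain = Start-SnapshotLdap -MountPath $path -LdapPort 51389
Write-Host "Snapshot $guid exposed on LDAP port 51389 (dsamain PID $($dsamain.Id)); press Enter to tear down"
[void](Read-Host)
Stop-Process -Id $dsamain.Id
Dismount-AdSnapshot -Guid $guid
```

Reading the exposed instance requires Domain Admins or Enterprise Admins membership by default, as the slide notes; the snapshot directory itself contains the full database, so dismount it as soon as the comparison is done.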
21 Reanimating Tombstoned AD DS Objects
You can reanimate deleted objects manually in AD DS when:
• You do not have current AD DS backups in a domain where user accounts or security groups were deleted
• The deleted object has not yet been scavenged from the Active Directory database
• The deletion occurred in domains that contain only Windows Server 2003 or later domain controllers
To reanimate tombstoned AD DS objects:
1. Use LDP.exe to locate the deleted object
2. Modify the object's isDeleted attribute and provide a distinguished name
3. Enable the object and reconfigure the object attributes
Instructor notes: Describe the scenario where reanimating tombstoned objects will work. By default, Active Directory objects are retained in the Active Directory database in a deactivated state for 60 days after the object has been deleted. When an object is deactivated, most of the object's attributes are deleted and only a few critical attributes (SID, ObjectGUID, LastKnownParent, and SAMAccountName) are retained. When you reanimate the object, you are reactivating it, but you still must reconfigure all of the user settings.
You may want to show the students how to reanimate the object that was deleted in a previous topic. The resource listed below provides the procedure.
Reference: How to restore deleted user accounts and their group memberships in Active Directory
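The three steps above performed over LDAP from PowerShell with System.DirectoryServices.Protocols rather than through the LDP.exe dialogs, added as an example that is not part of the course. The modification is the one LDP performs: remove isDeleted and replace distinguishedName in a single operation, sent with the Show Deleted Objects control (OID 1.2.840.113556.1.4.417). The server, domain, account and RDN are assumptions.

```powershell
# Added example (not from the course): locate and reanimate a tombstoned user.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

function Connect-Ldap {
    param([Parameter(Mandatory = $true)][string]$Server)
    $conn = New-Object "$P.LdapConnection" -ArgumentList $Server
    $conn.SessionOptions.Signing = $true     # integrity-protect the session (Kerberos)
    $conn.SessionOptions.Sealing = $true     # and encrypt it
    $conn.Bind()                             # current credentials; the caller must hold the Reanimate Tombstones right
    return $conn
}

function Find-Tombstone {
    # Step 1: returns the tombstone entry for the account, or $null if it was already scavenged.
    param($Connection, [string]$DomainDn, [string]$SamAccountName)
    $filter = "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))"
    [string[]]$attrs = 'lastKnownParent', 'objectSid', 'objectGUID'
    $req = New-Object "$P.SearchRequest" -ArgumentList "CN=Deleted Objects,$DomainDn", $filter,
        ([System.DirectoryServices.Protocols.SearchScope]::Subtree), $attrs
    $req.Controls.Add((New-Object "$P.ShowDeletedControl")) | Out-Null
    $resp = $Connection.SendRequest($req)
    if ($resp.Entries.Count -eq 0) { return $null }
    return $resp.Entries[0]
}

function Restore-Tombstone {
    # Step 2: clears isDeleted and moves the object back under lastKnownParent with the new RDN.
    param($Connection, $Entry, [Parameter(Mandatory = $true)][string]$NewRdn)
    $parent = $Entry.Attributes['lastKnownParent'].GetValues([string])[0]
    $newDn  = "$NewRdn,$parent"

    $delIsDeleted = New-Object "$P.DirectoryAttributeModification"
    $delIsDeleted.Name      = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $setDn = New-Object "$P.DirectoryAttributeModification"
    $setDn.Name      = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $setDn.Add($newDn) | Out-Null

    [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]$mods = $delIsDeleted, $setDn
    $req = New-Object "$P.ModifyRequest" -ArgumentList $Entry.DistinguishedName, $mods
    $req.Controls.Add((New-Object "$P.ShowDeletedControl")) | Out-Null
    $Connection.SendRequest($req) | Out-Null      # throws DirectoryOperationException on failure
    return $newDn
}

function Enable-ReanimatedUser {
    # Step 3 (part): the reanimated account is disabled; reset its password first if the
    # password policy requires one, then set userAccountControl to NORMAL_ACCOUNT (512).
    # Group memberships and other stripped attributes still have to be reconfigured by hand.
    param($Connection, [Parameter(Mandatory = $true)][string]$Dn)
    $uac = New-Object "$P.DirectoryAttributeModification"
    $uac.Name      = 'userAccountControl'
    $uac.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $uac.Add('512') | Out-Null
    [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]$mods = @($uac)
    $Connection.SendRequest((New-Object "$P.ModifyRequest" -ArgumentList $Dn, $mods)) | Out-Null
}

# Usage (all values are assumptions).
$conn = Connect-Ldap -Server 'NYC-DC1'
$tomb = Find-Tombstone -Connection $conn -DomainDn 'DC=WoodgroveBank,DC=com' -SamAccountName 'jsmith'
if ($null -eq $tomb) {
    Write-Warning 'No tombstone found; the object has been scavenged and only a backup can restore it.'
} else {
    $dn = Restore-Tombstone -Connection $conn -Entry $tomb -NewRdn 'CN=John Smith'
    Write-Host "Reanimated as $dn; reset the password, then Enable-ReanimatedUser -Connection `$conn -Dn `$dn"
}
```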
22 Lab: Implementing an Active Directory Domain Services Maintenance Plan
Course 6425A
Module 9: Implementing an Active Directory Domain Services Maintenance Plan

Exercise 1: Maintaining AD DS Domain Controllers
Exercise 2: Backing Up AD DS
Exercise 3: Performing a Nonauthoritative Restore of the AD DS Database
Exercise 4: Performing an Authoritative Restore of the AD DS Database
Exercise 5: Restoring Data Using the AD DS Data Mining Tool

Note: Because of the time it takes to restore the data in these exercises, the students may want to do just Exercise 3 or 4 and not both.

Lab Goal: Maintain the Active Directory database, and back up and restore the Active Directory Domain Service.

Lab objectives:
- Maintain AD DS domain controllers
- Back up AD DS
- Restore AD DS

Scenario:
Woodgrove Bank has completed its AD DS deployment. To ensure high availability and performance for the AD DS servers, the organization is implementing a maintenance plan that includes ongoing maintenance of the AD DS databases and implementation of a disaster-recovery plan. The server administrator has prepared a backup plan that includes daily system volume backups of a domain controller in each domain. The server administrator also has prepared plans for recovering AD DS data in several scenarios. You need to implement these plans.

This lab consists of five exercises.

Exercise 1: Maintaining AD DS domain controllers
The student will implement a plan for maintaining AD DS domain controllers. Tasks include running the SCW to disable all services that are not required on the domain controllers, moving the AD DS databases to an alternate hard disk, and performing an offline defragmentation of the AD DS database.

Exercise 2: Backing Up AD DS
The student will schedule a backup of the system volume and perform an on-demand backup of the system volume.

Exercise 3: Performing a Nonauthoritative Restore of the AD DS Database
The student will perform a nonauthoritative restore of the AD DS database using the on-demand backup that they performed in the previous module. Perform this restore in a domain that only has one domain controller.

Exercise 4: Performing an Authoritative Restore of the AD DS Database
The student will perform an authoritative restore of the AD DS database using the scheduled backup that they performed in the previous module. After completing the backup, delete an object in Active Directory. Perform this restore in a domain that has multiple domain controllers and verify that the deleted object has been restored.

Exercise 5: Restoring Data Using the AD DS Database Mounting Tool
The student will use the AD DS Database Mounting Tool to restore data from a deleted AD DS object. Tasks include using NTDSUtil to create a snapshot of the AD DS volume, deleting a user account from AD DS, using NTDSUtil to mount the snapshot, and using LDP to view information about the user account in the snapshot.

Inputs: AD DS maintenance plan that the server administrator provides.
Outputs: AD DS maintenance plan has been verified and all processes in the plan have been tested.

Logon information
Virtual machine: 6425A-NYC-DC1, 6425A-NYC-DC2
User name: Administrator
Password: Pa$$w0rd
Estimated time: 75 minutes
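The Exercise 5 snapshot-and-mount procedure scripted in PowerShell, as an added example that is not part of the course lab; it goes one step beyond the exercise by reading back, from the mounted copy, the attributes a tombstone does not retain. The account name, the LDAP port for the mounted copy and the snapshot mount-point pattern are assumptions.

```powershell
# Added example, not from the course lab: Exercise 5's snapshot workflow, run elevated on a domain
# controller. Assumed (not from the course): deleted user 'jdoe', LDAP port 10389 for the mounted
# copy, and ntdsutil's default mount point pattern C:\$SNAP_<timestamp>_VOLUMEC$\.
$sam = 'jdoe'; $port = 10389; $domainDn = 'DC=woodgrovebank,DC=com'

# 1. Snapshot the volume(s) holding ntds.dit and the log files (taken before the account is deleted).
ntdsutil 'activate instance ntds' snapshot create quit quit

# 2. Mount the snapshot read-only. Index 1 is the first entry of 'list all'; check the listing and
#    adjust the index when older snapshots exist on this server.
ntdsutil snapshot 'list all' 'mount 1' quit quit
$mount = Get-ChildItem -Path 'C:\' -Filter '$SNAP_*' -Force |
         Where-Object { $_.PSIsContainer } | Sort-Object Name | Select-Object -Last 1
$dit = Join-Path $mount.FullName 'Windows\NTDS\ntds.dit'

# 3. Expose the snapshot copy through its own LDAP listener. dsamain stays in the foreground, so
#    start it as a separate process and give it time to come up.
$dsamain = Start-Process -FilePath 'dsamain.exe' -ArgumentList "-dbpath `"$dit`" -ldapport $port" -PassThru
Start-Sleep -Seconds 15

# 4. Read back the attributes a tombstone does not keep (group membership and the like) so they can be
#    reapplied after the account is reanimated or recreated. LDP pointed at localhost:10389 shows the same data.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection "localhost:$port"
$conn.Bind()
$req = New-Object System.DirectoryServices.Protocols.SearchRequest
$req.DistinguishedName = $domainDn
$req.Filter = "(sAMAccountName=$sam)"
$req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
[void]$req.Attributes.AddRange([string[]]@('distinguishedName','memberOf','description','userPrincipalName'))
$entry = $conn.SendRequest($req).Entries[0]
foreach ($name in $entry.Attributes.AttributeNames) {
    '{0} = {1}' -f $name, ($entry.Attributes[$name].GetValues([string]) -join '; ')
}
$conn.Dispose()

# 5. Tear down: stop the listener and unmount the snapshot so the copy cannot be queried further.
Stop-Process -Id $dsamain.Id
ntdsutil snapshot 'list all' 'unmount 1' quit quit
```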
23 Lab Review
Course 6425A
Module 9: Implementing an Active Directory Domain Services Maintenance Plan

1. How could you apply the security policy you created in Exercise 1 to multiple domain controllers? What concerns would you have with doing this?
2. Why is a nonauthoritative AD DS restore overwritten by replication? How does an authoritative restore prevent this from happening?
3. What is the difference between restoring an AD DS object by undeleting it and just recreating the object?
24 Module Review and Takeaways
Course 6425A
Module 9: Implementing an Active Directory Domain Services Maintenance Plan
Review questions
Considerations
Tools

1. One of your domain controllers is running out of hard-drive space. You modify the domain controller so that it is no longer a global catalog server, but notice that the size of the AD DS database does not decrease. What should you do to reclaim hard-drive space on the server?
Answer: Perform an offline defragmentation.

2. You are concerned about the amount of disk space that the Active Directory database and log files are using. How do you determine the size of the database and log files?
Answer: Browse to the %systemroot%\NTDS folder, and add up the size of the NTDS.dit and the transaction log files.

3. You install Windows Server Backup on your domain controller. You only have two drives on the computer and both are being used for data or system files. What types of backup should you use to back up your AD DS environment?
Answer: You will have to use an on-demand backup. A scheduled backup must use a local drive and will format the drive when performing the backup.

4. All of the domain controllers in your domain have failed. You are trying to rebuild the domain from the Active Directory backup on one domain controller. Which type of restore must you use to rebuild the domain?
Answer: You can use a normal restore, as no domain controller is available to replicate with the newly restored domain controller.

5. You accidentally deleted a user account in AD DS. What options do you have to make the account available again?
Answer: You can perform an authoritative restore of the user account, reanimate the user account using LDP, or recreate the user account. If you recreate the user account, you must reassign the account to all groups and reassign.
25 Beta Feedback Tool
Course 6425A
Module 9: Implementing an Active Directory Domain Services Maintenance Plan

Beta feedback tool helps:
- Collect student roster information, module feedback, and course evaluations.
- Identify and sort the changes that students request, thereby facilitating a quick team triage.
- Save data to a database in SQL Server that you can later query.

Walkthrough of the tool
26 Beta Feedback
Course 6425A
Module 9: Implementing an Active Directory Domain Services Maintenance Plan

Overall flow of module:
- Which topics did you think flowed smoothly, from topic to topic?
- Was something taught out of order?

Pacing:
- Were you able to keep up? Are there any places where the pace felt too slow?
- Were you able to process what the instructor said before moving on to the next topic?
- Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?

Learner activities:
- Which demos helped you learn the most? Why do you think that is?
- Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
- Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren't helpful?