Course 6425A Module 9: Implementing an Active Directory Domain Services Maintenance Plan Presentation: 55 minutes Lab: 75 minutes This module helps students.

Presentation transcript:
Module 9: Implementing an Active Directory® Domain Services Maintenance Plan

Presentation: 55 minutes
Lab: 75 minutes

This module helps students implement an Active Directory® Domain Services (AD DS) maintenance plan. After completing this module, students will be able to:
• Maintain the AD DS domain controllers.
• Back up AD DS.
• Restore AD DS.

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 6425A_09.ppt.

Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks
To prepare for this module:
• Read all of the materials for this module.
• Complete the practices.

This section contains information that will help you to teach this module. For some topics in this module, references to additional information appear in notes at the end of the topics. Read the additional information so that you can prepare to teach the module. During class, ensure that students are aware of the additional information. Make sure that students are aware that additional information and resources for the module are on the Course Companion CD.

Module Overview
• Maintaining the AD DS Domain Controllers
• Backing Up Active Directory Domain Services
• Restoring AD DS

Lesson 1: Maintaining the AD DS Domain Controllers
• AD DS Database and Log Files
• How the AD DS Database Is Modified
• Managing the Active Directory Database Using NTDSUtil Tool
• What Is an AD DS Database Defragmentation?
• What Are Restartable Active Directory Domain Services?
• Demonstration: Performing AD DS Database Maintenance Tasks
• Locking Down Services on AD DS Domain Controllers

AD DS Database and Log Files

Files and their description:
Ntds.dit
• Is the AD DS database file
• Stores all AD DS objects on the domain controller
• Uses the default location systemroot\NTDS folder
Edb*.log
• Is a transaction log file
• Uses the default transaction log file Edb.log
Edb.chk
• Is a checkpoint file
• Tracks data not yet written to the AD DS database file
Edbres00001.jrs, Edbres00002.jrs
• Are the reserved transaction log files

Open Windows Explorer and browse to the c:\Windows\NTDS folder. Point out the files in the folder as you discuss each of the files. Stress that log files always will be exactly 10 megabytes (MB) in size. Discuss the role of the reserve log files. If students are familiar with previous AD DS versions, mention that the edbres00001.jrs and edbres00002.jrs files were called res1.log and res2.log in previous versions.

Reference
How the Data Store Works http://go.microsoft.com/fwlink/?LinkId=101077

How the AD DS Database Is Modified

Slide diagram labels (in the order of the steps below): Write Request; Transaction is initiated; Write to the transaction buffer; Write to the transaction log file (EDB.log); Write to the database on disk (Ntds.dit on Disk); Commit the transaction; Update the checkpoint (Edb.chk).

Describe how the files that the slide lists are used when data is committed to the database. The basic data modification process consists of six steps:
1. The write request initiates a transaction.
2. AD DS writes the transaction to the memory transaction buffer.
3. AD DS secures the transaction in the transaction log.
4. AD DS writes the transaction from the buffer to the database.
5. AD DS compares the database and log files to ensure that the transaction was committed to the database.
6. AD DS updates the checkpoint file.

Question: What other Microsoft services use a transactional model for making database changes? How does the AD DS model compare to these other services?
Answer: Both Microsoft Exchange Server and Microsoft SQL Server™ use the transaction model. The model is very similar in all cases, although some details, such as the size of the transaction logs, vary. For example, in Exchange Server 2007, the transaction logs are only 1 MB in size.

Reference
How the Data Store Works http://go.microsoft.com/fwlink/?LinkId=101077
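The two slides above describe the files (Ntds.dit, Edb*.log, Edb.chk, the reserved .jrs logs) and the facts an instructor stresses about them: the logs are always exactly 10 MB, and the files live by default under systemroot\NTDS. The script below is an added example, not part of the course, that reads the locations a domain controller actually uses from the NTDS service's registry parameters and checks those facts, so a practitioner can verify a DC rather than assume the defaults. It assumes an elevated PowerShell session on a Windows Server 2008 or later domain controller; the function name and the finding messages are my own.

```powershell
# Added example (not from the course): inventory the AD DS database and log
# files a domain controller is using and check them against the slides' facts.
# Assumes an elevated PowerShell session on the DC. The registry value names
# are the ones the NTDS service reads its file locations from.
function Get-AdDsFileReport {
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile  = $p.'DSA Database file'          # full path to Ntds.dit
    $logPath = $p.'Database log files path'    # folder holding Edb*.log, Edb.chk, Edbres*.jrs

    $findings = @()

    # Transaction logs and the two reserved logs are fixed-size 10 MB files;
    # any other size points at a truncated or foreign file in the NTDS folder.
    Get-ChildItem -Path $logPath |
        Where-Object { $_.Name -match '^edb.*\.log$' -or $_.Name -match '^edbres\d+\.jrs$' } |
        ForEach-Object {
            if ($_.Length -ne 10MB) {
                $findings += "$($_.Name) is $($_.Length) bytes, expected exactly 10 MB"
            }
        }

    # The reserved logs (res1.log/res2.log in earlier versions) give the engine
    # space to commit in-flight transactions if the volume fills up.
    foreach ($reserved in 'edbres00001.jrs', 'edbres00002.jrs') {
        if (-not (Test-Path (Join-Path $logPath $reserved))) {
            $findings += "$reserved is missing"
        }
    }

    # Lesson 2 best practice: keep Ntds.dit and the logs off the system volume
    # so that critical-volume backups stay small and restores stay fast.
    if ((Split-Path -Qualifier $dbFile) -eq $env:SystemDrive) {
        $findings += "Ntds.dit is on the system drive $env:SystemDrive"
    }

    New-Object PSObject -Property @{
        DatabaseFile   = $dbFile
        DatabaseMB     = [math]::Round((Get-Item $dbFile).Length / 1MB, 1)
        LogDirectory   = $logPath
        CheckpointFile = Test-Path (Join-Path $logPath 'edb.chk')
        Findings       = $findings
    }
}

Get-AdDsFileReport | Format-List
```

An empty Findings list is the expected result on a healthy DC; each finding is something to look at, not an automatic fault, since a site may deliberately keep the database on the system drive on a small test server.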

Managing the Active Directory Database Using NTDSUtil Tool

Ntdsutil.exe is a command-line tool used to manage some AD DS components. Use Ntdsutil.exe to:
• Perform AD DS database maintenance
• Manage and control single master operations
• Move the AD DS database files
• Remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled
Type HELP at any NTDSUtil prompt for context-sensitive help.

Describe what NTDSUtil is, and then describe some of the scenarios where you can use it. Consider opening a command prompt and starting the NTDSUtil tool. Show how to access help, and how to move between different contexts within NTDSUtil. Review the NTDSUtil commands.

Question: You have forgotten the directory services restore-mode password for your domain controller. How can you recover the password?
Answer: You cannot recover the password, but by using the Set DSRM password command in NTDSUtil, you can configure a new password for this account.

References
NTDSUtil Help
Data Store Tools and Settings http://go.microsoft.com/fwlink/?LinkId=101078

What Is an AD DS Database Defragmentation?

• AD DS performs online database defragmentation automatically every 12 hours
• Online defragmentation optimizes data storage in the database, and reclaims space in the directory for new objects, but does not reduce the size of the database file
• Use the NTDSUtil command-line tool to perform offline defragmentation on a dismounted database
• Offline defragmentation creates a new, compacted version of the database file
• The new file may be considerably smaller, depending on how fragmented the original database file was

Describe the difference between online and offline defragmentation. Highlight that online defragmentation happens automatically and does not disrupt normal access to AD DS. Offline defragmentation requires that the administrator takes the database offline, and runs the NTDSUtil tool. Mention that offline defragmentation does not need to be performed normally. The scenarios where students may choose to run an offline defragmentation include:
• After removing the global catalog from a server.
• After removing a large number of objects from the domain.
• After converting from AD DS-integrated Domain Name System (DNS) to standard DNS.

Question: How often will you need to perform an offline defragmentation of your AD DS databases in your environment?
Answer: Most organizations will have to perform an offline defragmentation only when they need to optimize the database usage. In general, you will do this only when the amount of data that you are storing in the AD DS database on a domain controller decreases significantly.

Reference
Data Store Tools and Settings http://go.microsoft.com/fwlink/?LinkId=101078

What Are Restartable Active Directory Domain Services?

Restartable AD DS allows administrators to stop the AD DS without stopping any other services.
Use restartable AD DS services when:
• Applying updates that modify AD DS service files on a domain controller
• Performing tasks such as offline defragmentation of the AD DS database
Directory Services Restore Mode must be used to restore the AD DS database.

There are three possible states for a domain controller running Windows Server® 2008:
• AD DS Started. In this state, AD DS is started. For clients and other services running on the server, a Windows Server 2008 domain controller running in this state is the same as a domain controller running Windows® 2000 Server, or Windows Server® 2003.
• AD DS Stopped. In this state, AD DS is stopped. Although this mode is unique, the server has some characteristics of both a domain controller in Directory Services Restore Mode, and a domain-joined member server. As with Directory Services Restore Mode, the AD DS database (Ntds.dit) is offline. Also, you can use the Directory Services Restore Mode password to log on locally if another domain controller cannot be contacted. As with a member server, the server is joined to the domain. Also, users can log on interactively or over the network by using another domain controller for domain logon. However, a domain controller should not remain in this state for an extended time, because in this state, it cannot service logon requests or replicate with other domain controllers.
• Directory Services Restore Mode. This mode (or state) is unchanged from Windows Server 2003.

Reference
Windows Server 2008 Technical Library http://go.microsoft.com/fwlink/?LinkId=101082

Demonstration: Performing AD DS Database Maintenance Tasks

In this demonstration, you will see how to:
• Start and stop AD DS Services
• Move the AD DS Database to a different drive using NTDSUtil
• Use NTDSUtil and AD DS Stopped mode for Offline Defrag

To complete this demonstration, you must have the NYC-DC1 virtual machine running.

Demonstration steps:
To stop or start the AD DS Service:
1. Click Start, click Admin Tools, and then click Services.
2. Right-click Active Directory Domain Services, and then select Stop from the context menu.
3. In the Also stop the following Services dialog box, click Yes.

To perform an offline defrag of the Active Directory database while in an AD DS Stopped state:
1. Click Start, click Run, type CMD, and then press ENTER.
2. In the command window, type ntdsutil, and then press ENTER.
3. At the ntdsutil: prompt, type Activate Instance NTDS, and then press ENTER.
4. At the ntdsutil: prompt, type files, and then press ENTER.
5. At the file maintenance: prompt, type compact to drive:\LocalDirectoryPath (where drive:\LocalDirectoryPath is the path to a location on the local computer), and then press ENTER.
6. Once complete, copy the ntds.dit file in the compact directory to C:\Windows\NTDS\ntds.dit, and delete the old log files by typing del C:\Windows\NTDS\*.log in a command window.
7. In the file maintenance: command window, type integrity to check the integrity of the new compacted database.
8. Once complete, if you want to specify a new location in which to store the database, such as a different spindle: in the file maintenance: command window, type move db to pathname, and then press ENTER. The ntds.dit file is moved to the new location and permissions are set accordingly.
9. In the Services MMC, right-click Active Directory Domain Services, and then click Start.

Question: Why is it necessary to stop the AD DS before defragmenting?
Answer: The database needs to be closed completely before it can be overwritten. An online database may have locked records that are being written to, thus preventing file modification.
Question: Why is it necessary to compact the database to a temporary directory first?
Answer: Compacting the database actually creates a contiguous copy, which will be used to overwrite the fragmented original.

Reference
Compact the directory database file (offline defragmentation) http://go.microsoft.com/fwlink/?LinkId=101083
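The demonstration walks through the offline defragmentation interactively. As an added example (not part of the course materials), the script below runs the same sequence unattended: stop AD DS, compact to a temporary directory, swap the file in, delete the old logs, run the integrity check, and start AD DS again. It adds the checks a practitioner wants before touching Ntds.dit: enough free space for the copy, the original kept as a .bak file instead of being overwritten, a rollback if the integrity check fails, and a finally block so AD DS is restarted even on error. Assumptions: an elevated PowerShell session on a Windows Server 2008 or later DC, a current backup of the critical volumes already taken, a compaction path without spaces (ntdsutil argument quoting gets awkward otherwise), and that ntdsutil reports a passed check with the text "Integrity check successful" (an assumption; adjust if your build prints otherwise).

```powershell
# Added example (not part of the course): scripted offline defragmentation.
# Assumes an elevated session on the DC, a current backup, and that $CompactDir
# is a local path without spaces with room for a second copy of Ntds.dit.
param([string]$CompactDir = 'C:\NtdsCompact')

$p       = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $p.'DSA Database file'
$logPath = $p.'Database log files path'
$newDb   = Join-Path $CompactDir 'ntds.dit'

# The compacted copy can be as large as the original, so check free space first.
$drive = Split-Path -Qualifier $CompactDir
$free  = (Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace
if ($free -lt (Get-Item $dbFile).Length) { throw "Not enough free space on $drive for the compacted copy" }
New-Item -ItemType Directory -Path $CompactDir -Force | Out-Null

# Step 1: AD DS Stopped state. -Force also stops the dependent services
# (the "Also stop the following services" prompt in the Services console).
Stop-Service -Name NTDS -Force

try {
    # Step 2: compact to the temporary directory. ntdsutil takes its commands
    # as arguments, so this is the interactive "activate instance ntds",
    # "files", "compact to ..." sequence from the demonstration in one call.
    & ntdsutil.exe 'activate instance ntds' files "compact to $CompactDir" quit quit
    if (-not (Test-Path $newDb)) { throw 'Compaction produced no ntds.dit; the original was not touched.' }

    # Step 3: keep the fragmented original as a .bak rather than overwriting it,
    # copy the compacted file into place, and delete the old transaction logs.
    Move-Item -Path $dbFile -Destination "$dbFile.bak" -Force
    Copy-Item -Path $newDb -Destination $dbFile
    Remove-Item -Path (Join-Path $logPath '*.log')

    # Step 4: integrity check on the database now in place.
    $check = & ntdsutil.exe 'activate instance ntds' files integrity quit quit 2>&1
    $text  = $check -join "`n"
    if ($text -notmatch 'Integrity check successful') {
        # Roll back to the original before AD DS is started again.
        Move-Item -Path "$dbFile.bak" -Destination $dbFile -Force
        throw "Integrity check failed, original restored:`n$text"
    }
    Write-Host "Compacted database passed the integrity check; $dbFile.bak can be removed after AD DS starts cleanly."
}
finally {
    # Step 5: back to the AD DS Started state whatever happened above.
    Start-Service -Name NTDS
}
```

The "move db to" step from the demonstration is deliberately left out: moving the database to another spindle is a separate decision, and doing it in the same maintenance window as a compaction makes a failed start harder to diagnose.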

Locking Down Services on AD DS Domain Controllers

Services required for AD DS to function correctly:
• Active Directory Domain Services
• DNS Client
• Net Logon
• TCP/IP NetBIOS Helper
• Windows Time
• Workstation
• Distributed File System
• DNS Server
• File Replication Service
• Kerberos Key Distribution Center
• Intersite Messaging
• Remote Procedure Call (RPC) Locator

Best practices:
• Minimize the number of server roles and applications installed on domain controllers
• Use the Security Configuration Wizard to lock down the services on a domain controller

Stress that one of the critical components when securing domain controllers is to minimize the number of services and applications running on the domain controller. One option for ensuring that only the required services are running is to use the Security Configuration Wizard (SCW). If students are not familiar with the SCW, spend some time explaining how it works. Consider starting the wizard and showing the Security Configuration Wizard configuration database, pointing out the services that the AD DS Domain Services role requires.

Reference
MS HELP: Security Configuration Database
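The slide gives the list of services AD DS needs and the best practice of keeping everything else off the domain controller. The script below is an added example, not part of the course, that turns that into an audit: it warns when any required service is not running, and it lists every running service whose binary lives outside the Windows directory, which on a DC means an installed role or third-party application to review. The short service names are my mapping of the slide's display names and are an assumption (confirm them with Get-Service on your build); the script runs in an elevated PowerShell session on the DC and changes nothing.

```powershell
# Added example (not from the course): audit a DC's services against the
# slide's "required for AD DS" list. Service names are my assumption of the
# display names shown on the slide; verify them on your own build.
$requiredForAdDs = @{
    'NTDS'              = 'Active Directory Domain Services'
    'Dnscache'          = 'DNS Client'
    'Netlogon'          = 'Net Logon'
    'lmhosts'           = 'TCP/IP NetBIOS Helper'
    'W32Time'           = 'Windows Time'
    'LanmanWorkstation' = 'Workstation'
    'Dfs'               = 'Distributed File System'
    'DNS'               = 'DNS Server'
    'NtFrs'             = 'File Replication Service'
    'Kdc'               = 'Kerberos Key Distribution Center'
    'IsmServ'           = 'Intersite Messaging'
    'RpcLocator'        = 'Remote Procedure Call (RPC) Locator'
}

# Win32_Service gives the start mode and binary path, which Get-Service does not.
$services = Get-WmiObject -Class Win32_Service

# 1. Availability: every service the slide lists as required should be running.
foreach ($name in $requiredForAdDs.Keys) {
    $svc = $services | Where-Object { $_.Name -eq $name }
    if (-not $svc) {
        Write-Warning "$($requiredForAdDs[$name]) ($name) is not installed on this server"
    }
    elseif ($svc.State -ne 'Running') {
        Write-Warning "$($requiredForAdDs[$name]) ($name) is $($svc.State), start mode $($svc.StartMode)"
    }
}

# 2. Attack surface: a running service whose executable is outside the Windows
# directory is an added role or application. Each hit is a candidate to remove
# or to disable with the Security Configuration Wizard, after review.
$windowsBinary = '^"?' + [regex]::Escape($env:SystemRoot)   # optional leading quote, then C:\Windows
$services |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -notmatch $windowsBinary } |
    Select-Object Name, DisplayName, StartMode, PathName |
    Sort-Object Name |
    Format-Table -AutoSize
```

Treat the second list as a review queue rather than a verdict: backup agents and monitoring agents legitimately run on DCs, but each one should be a conscious decision recorded in the SCW policy applied to the server.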

Lesson 2: Backing Up Active Directory Domain Services
• Introduction to Backing Up AD DS
• Windows Server Backup Features
• Demonstration: Backing Up AD DS

Introduction to Backing Up AD DS

To back up AD DS, you must back up all critical volumes. Critical volumes include:
• The system volume: the volume that hosts the boot files
• The boot volume: the volume that hosts the Windows operating system and the Registry
• The volume that hosts the SYSVOL tree
• The volume that hosts the AD DS database (Ntds.dit)
• The volume that hosts the AD DS database log files
All of these files may be stored in a single volume or distributed across multiple volumes.

Mention that backing up AD DS in Windows Server 2008 is different than it was in previous AD DS versions, in which you could back up just the system state information. In Windows Server 2008, you must back up all of the files on the critical volumes.

In Windows Server 2008, the system components that make up system state data depend on the server roles that are installed on the computer, and which volumes host the critical files that the operating system and the installed roles use. System state data includes at least the following, plus additional data depending on the server roles that are installed:
• Registry
• COM+ Class Registration database
• Boot files, as described earlier in this topic
• AD DS Certificate Services database
• AD DS Domain Services database
• SYSVOL directory
• Cluster service information
• Microsoft Internet Information Services (IIS) metadirectory
• System files that are under Windows Resource Protection

Mention that because you have to back up entire volumes to back up AD DS, it is a best practice to dedicate disk volumes to the critical volumes. For example, data should not be stored on the system volume as this will increase the backup's size, and increase the time it takes to restore the server.

Question: What other process could you use to back up the system state data on a domain controller?
Answer: You could do a full server backup.

References
Active Directory Domain Services Help: Help prepare for disaster recovery by performing routine backups of the Active Directory database
Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery http://go.microsoft.com/fwlink/?LinkId=101087

Windows Server Backup Features

Windows Server Backup is a Windows Server 2008 feature used to back up and recover the operating system and data. With Windows Server Backup, you can:
• Recover the server without using third-party backup and recovery tools
• Perform manual or automatic backups
• Back up an entire server or selected volumes
• Recover items or entire volumes
• Use DVDs or CDs as backup media
Windows Server Backup does not support backing up individual files or directories, only entire volumes.

Mention that Windows Server Backup is not installed by default. You must install it by using Add Features in Server Manager, before you can use the Wbadmin.exe command-line tool or Backup in Administrative Tools.

Windows Server 2008 supports the following backup types:
• Manual backup. A member of the Administrators group or the Backup Operators group can initiate a manual backup at any time. If the target volume is not included in the backup set, you can make manual backups on a remote network share or on a volume on a local hard drive.
• Scheduled backup. A member of the Administrators group can use the Windows Server Backup or the Wbadmin.exe command-line tool to schedule backups. The scheduled backups must be made on a local, physical drive that does not host any critical volumes. Because scheduled backups reformat the target drive that hosts the backup files, you should have a dedicated backup volume.

Windows Server Backup supports DVDs or CDs as backup media. You cannot use magnetic tape cartridges, or a dynamic volume as a backup target.

Reference
Windows Server 2008 Technical Library http://go.microsoft.com/fwlink/?LinkId=101086

Demonstration: Backing Up AD DS

In this demonstration, you will see how to back up AD DS.
To complete this demonstration, you must have the NYC-DC1 virtual machine running. You must also install the Windows Server Backup feature on the domain controller.

Demonstration steps:
1. From the Start menu, point to Administrative Tools, and then click Windows Server Backup.
2. In the Windows Server Backup console, in the Actions pane, click Backup Schedule to create a scheduled backup.
3. Follow the wizard's prompts to specify:
   • The backup type: Full or Custom (by default the system volume is always backed up with scheduled backups)
   • The backup time: once per day or multiple times per day
   • The target disk
   • View summary
   • Confirm
4. The Backup Once option in the Actions pane offers manual backup capabilities. You can deselect the system volume from the Backup Items, or specify that you want to be able to perform a system recovery using this backup.
5. The location type screen shows that you can select local disks, DVD, or a remote shared folder (network backup). Select the location for backup, view the summary, and proceed with the backup.

Question: Why should backups be scheduled?
Answer: To help automate tasks as much as possible.
Question: How often should a full backup be performed? How often should an incremental or differential backup be performed?
Answer: Answers will vary. It depends on how much work an organization can afford to lose, though this must be balanced against the practical limits of trying to back up too often. Many organizations perform a full backup once a week, with either incremental or differential backups daily.

Reference
Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery http://go.microsoft.com/fwlink/?LinkId=101087
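The lesson states that an AD DS backup must cover every critical volume and that Windows Server Backup exposes the same capability through Wbadmin.exe. As an added example that is not part of the course, the script below performs a manual backup of all critical volumes with wbadmin and then verifies that the backup is actually catalogued on the target, rather than trusting the exit code alone. Assumptions: an elevated PowerShell session on the DC, the Windows Server Backup feature installed, and \\NYC-SRV1\DCBackups as a hypothetical share the backup account can write to (a manual backup may go to a share; the lesson notes that a scheduled backup in Windows Server 2008 must go to a dedicated local disk).

```powershell
# Added example (not part of the course): manual backup of all critical volumes
# with wbadmin, then verification that the backup is catalogued. The share name
# is hypothetical; the feature must already be installed on the DC.
param([string]$BackupTarget = '\\NYC-SRV1\DCBackups')

if (-not (Get-Command wbadmin.exe -ErrorAction SilentlyContinue)) {
    throw 'Windows Server Backup is not installed. Add the feature in Server Manager and rerun.'
}

# -allCritical selects the system and boot volumes plus the volumes holding
# SYSVOL, Ntds.dit and the log files, which is exactly the critical-volume set
# the lesson defines, without naming drive letters by hand. -quiet suppresses
# the interactive confirmation so the command can run from a job.
& wbadmin.exe start backup "-backupTarget:$BackupTarget" -allCritical -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin start backup failed with exit code $LASTEXITCODE" }

# Verify rather than trust: list the versions the target now holds and show
# the most recent one. A backup that is not catalogued cannot be restored from.
$versions = & wbadmin.exe get versions "-backupTarget:$BackupTarget" 2>&1
$backupTimes = @($versions | Select-String -Pattern 'Backup time:')
if ($backupTimes.Count -eq 0) { throw "No backup versions found on $BackupTarget" }

Write-Host "$($backupTimes.Count) backup version(s) on $BackupTarget; most recent:"
$backupTimes | Select-Object -Last 1 | ForEach-Object { $_.Line }
```

Keeping the verification step in the same script means a failed or silently empty backup surfaces in the job log the same night, not weeks later during a restore.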

Lesson 3: Restoring AD DS
• Overview of Restoring AD DS
• What Is a Nonauthoritative AD DS Restore?
• What Is an Authoritative AD DS Restore?
• What Is the Database Mounting Tool?
• Demonstration: Using the Database Mounting Tool
• Reanimating Tombstoned AD DS Objects

Overview of Restoring AD DS

Options for restoring AD DS include:
• Normal Restore
• Authoritative Restore
• Full Server Restore
• Alternate Location Restore

Discuss the following options for restoring AD DS:
• Normal restore. Use this method to reinstate the AD DS data to the state before the backup, and then update the data through the normal replication process. Perform a normal restore only when you want to restore a single domain controller to a previously known good state.
• Authoritative restore. Use this method in conjunction with a normal restore. An authoritative restore marks specific data as current, and prevents replication from overwriting that data. The authoritative data is then replicated throughout the domain. Perform an authoritative restore to restore individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup.
• Full server restore. Use this method to restore a failed domain controller. Full server restore performs a bare metal restoration of the system and data volumes, back to a point in time prior to failure. A full server recovery recovers every server volume. Backup reformats and repartitions all disks that are attached to the server. Use this scenario if you want to recover onto new hardware, or if all other attempts to recover the server on the existing hardware have failed.
• Alternate location restore. Use this method to install new domain controllers. For more information about Alternate Location Restore, see 6425A: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services, Module 1: Installing Active Directory® Domain Services.

Reference
Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery http://go.microsoft.com/fwlink/?LinkId=101087

What Is a Nonauthoritative AD DS Restore?

A nonauthoritative or normal AD DS restore returns the directory service to its state at the time that the backup was created. AD DS replication then updates the domain controller with changes that have occurred since the backup was created. Restart the domain controller in Directory Services Restore Mode to perform a non-authoritative restore.
Steps to restart the server:
1. Press F8 when restarting the server, and choose Directory Services Restore Mode, or type the command bcdedit /set safeboot dsrepair and restart the server
2. Provide the Directory Services Restore Mode password

Stress that the non-authoritative restore does not restore deleted AD DS information unless the domain controller is the only one in the domain. When performing a non-authoritative restore, AD DS replication replicates changes (including the deletion) to the domain controller when it reboots after the restore is complete.

To restart the domain controller in disaster-recovery mode, you can:
• After the boot option menu appears, press F8, and then select the option for Directory Services Restore Mode (DSRM).
Or:
• Open a command prompt, type the following command, and then press ENTER: bcdedit /set safeboot dsrepair
• Type the following command, and then press ENTER: shutdown -t 0 -r
To restart the server normally after you perform the restore operation, type the following command, and then press ENTER: bcdedit /deletevalue safeboot dsrepair

Administrative credentials: You can log on to the domain controller that you are restoring by using the DSRM password, either locally or remotely. You specify the DSRM password when you install AD DS.

Question: What would happen if you did not enter the second bcdedit command after restoring the AD DS database?
Answer: The domain controller would restart in DSRM again. You must remove this switch in order to boot into normal mode.

Reference
Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery http://go.microsoft.com/fwlink/?LinkId=101087

What Is an Authoritative AD DS Restore? Course 6425A What Is an Authoritative AD DS Restore? Module 9: Implementing an Active Directory Domain Services Maintenance Plan Authoritative restore is a method to recover objects and containers that have been deleted from AD DS Authoritative restore is a four-step process: Start the domain controller in DSRM 1 Use Ntdsutil.exe to mark desired objects, containers, or partitions, as authoritative 3 Restart the domain in normal mode to replicate the changes 4 Restore the desired backup, which is typically the most recent backup 2 To perform an authoritative restore of AD DS objects, you must first perform a non-authoritative restore. However, you must not restart the domain controller normally following the non-authoritative restore procedure. When an object is marked for authoritative restore, its version number is changed so that it is higher than the (deleted) object’s existing version number in the AD DS replication system. This change ensures that any data that you restore authoritatively is replicated from the restored domain controller to other domain controllers in the forest. To mark a subtree or individual object authoritative: 1. In Directory Services Restore Mode, click Start, click Run, type ntdsutil, and then press ENTER. 2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER. 3. To restore a subtree or individual object, type one of the following commands, as appropriate, and then press ENTER: To restore a subtree (for example, an organizational unit and all child objects), type: restore subtree DistinguishedName To restore a single object, type: restore object DistinguishedName 4. Click Yes in the message box to confirm the command. 
For example, if you want to restore a deleted organizational unit named Marketing NorthAm in the corp.contoso.com domain, type: restore subtree "OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com" (Always enclose the distinguished name in quotes when there is a space or other special character within the distinguished name.)

References:
- Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery, http://go.microsoft.com/fwlink/?LinkId=101087
- Performing an Authoritative Restore of Active Directory Objects, http://go.microsoft.com/fwlink/?LinkId=101088

Slide text: To mark an object as authoritative, use a command like: restore subtree "OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com"
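The four-step sequence above, written as a script so that each phase is repeatable and the domain controller cannot accidentally be rebooted into normal mode between the non-authoritative restore and the marking step. This is an added example and not part of the course materials or the Microsoft guides referenced; it assumes a Windows Server 2008 domain controller with Windows Server Backup installed, system state backups on an E: volume, and the placeholder OU distinguished name from the slide. The file name Restore-AdSubtree.ps1 and the -Phase parameter are this example's own conventions.

```powershell
# Added example (not course or Microsoft code): scripted authoritative restore
# of one subtree. Assumptions (placeholders): Windows Server 2008 DC, system
# state backups on E:, and the OU DN below. Run elevated on the DC being restored.

param(
    [string]$Phase,                                   # enter-dsrm | restore | mark | leave-dsrm
    [string]$BackupTarget = 'E:',
    [string]$SubtreeDn = 'OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com'
)

# Step 1: flag every following boot for DSRM (same effect as pressing F8 and
# choosing Directory Services Restore Mode). The flag stays set until step 4
# removes it, so the reboot that wbadmin asks for after step 2 also lands in
# DSRM; the DC therefore never replicates inward before the objects are marked.
function Enter-Dsrm {
    bcdedit /set safeboot dsrepair | Out-Null
    Restart-Computer -Force
}

# Step 2 (in DSRM, logged on with the DSRM password): non-authoritative restore
# of the newest system state backup found on the backup volume.
function Restore-SystemState {
    param([string]$Target)
    $versions = @()
    foreach ($line in (wbadmin get versions -backupTarget:$Target)) {
        if ($line -match 'Version identifier:\s+(\S+)') { $versions += $Matches[1] }
    }
    if ($versions.Count -eq 0) { throw "No backups found on $Target" }
    $latest = $versions[-1]                           # wbadmin lists oldest first
    wbadmin start systemstaterecovery -version:$latest -backupTarget:$Target -quiet
}

# Step 3 (still in DSRM): raise the version numbers of everything under the
# subtree so the restored copy wins replication against the deletion.
function Set-AuthoritativeSubtree {
    param([string]$Dn)
    # ntdsutil accepts its interactive commands as arguments. A DN containing
    # spaces must be wrapped in its own quotes inside the argument; this example
    # keeps to the no-space placeholder DN for clarity.
    if ($Dn -match '\s') { throw 'DN contains spaces: wrap it in quotes inside the ntdsutil argument' }
    # ntdsutil still shows the Yes/No confirmation box described in the notes.
    ntdsutil 'authoritative restore' "restore subtree $Dn" quit quit
    # ntdsutil also writes an .ldf file under %SystemRoot%\NTDS listing the group
    # memberships (back-links) of the restored objects; import it after the
    # reboot with: ldifde -i -k -f <that file>
}

# Step 4: clear the DSRM flag and boot normally so the change replicates out.
function Exit-Dsrm {
    bcdedit /deletevalue safeboot | Out-Null
    Restart-Computer -Force
}

switch ($Phase) {
    'enter-dsrm' { Enter-Dsrm }
    'restore'    { Restore-SystemState -Target $BackupTarget }
    'mark'       { Set-AuthoritativeSubtree -Dn $SubtreeDn }
    'leave-dsrm' { Exit-Dsrm }
    default      { Write-Host 'Usage: .\Restore-AdSubtree.ps1 -Phase enter-dsrm|restore|mark|leave-dsrm' }
}
```

After the final reboot, repadmin /showobjmeta <DC> <DN> on the restored DC and on a partner shows whether the marking took: the attribute version numbers of the restored objects are far higher than before (ntdsutil raises them by 100000 per day elapsed since the backup by default), and the partner should show the restored values arriving by replication rather than the restored DC receiving the deletion again.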

What Is the Database Mounting Tool?

Slide points. The Database Mounting Tool can be used to:
- Create and view snapshots of data that is stored in AD DS, taken regularly.
- Improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times.
- Eliminate the need to restore multiple backups to compare the AD DS data that they contain.
- View, but not restore, deleted objects and containers.

Notes:
Describe a scenario where the Database Mounting Tool may be useful. For example, if a user account was deleted several weeks ago, but you are not sure which backup of AD DS has the most recent information about it, you can view the snapshots of AD DS to see when the account was last available in AD DS. Then you can restore the backup of AD DS from that date. In another example, if a Group Policy object is modified accidentally, you can use the Database Mounting Tool to examine the changes and help you better decide how to correct them, if necessary.

The Database Mounting Tool does not actually recover the deleted objects and containers. The administrator must perform data recovery as a subsequent step. You can use a Lightweight Directory Access Protocol (LDAP) tool such as Ldp.exe, which is built into Windows Server 2008, to view the data that the snapshots expose. This data is read-only, and by default only members of the Domain Admins and Enterprise Admins groups are allowed to view the snapshots, because they contain sensitive AD DS data. To create a snapshot, you must be a member of the Enterprise Admins group or the Domain Admins group, or you must have been delegated the appropriate permissions.

Mention that, as a best practice, administrators should schedule a task that runs Ntdsutil.exe to take snapshots of the volume that contains the AD DS or AD LDS database.

Reference: AD DS: Database Mounting Tool, http://go.microsoft.com/fwlink/?LinkId=101089

Demonstration: Using the Database Mounting Tool

In this demonstration, you will see how to use the Database Mounting Tool to view deleted AD DS objects.

To complete this demonstration, you must have the NYC-DC1 virtual machine running.

Demonstration steps: Use the step-by-step guide in the resources to determine the individual procedures to create a snapshot, delete an object (a user, perhaps), mount the snapshot with Ntdsutil, and use LDP or ADSI Edit to view the deleted object in the snapshot.

Question: When would it be useful to mount multiple snapshots simultaneously?
Answer: When an object is deleted from AD DS accidentally, and you are unsure which backup to restore. You can mount multiple snapshots and browse them simultaneously for the deleted object.

Question: Why is it necessary to specify different LDAP, SSL, and global catalog ports for each mounted instance of the database?
Answer: Because each snapshot will act as a separate LDAP server, the ports must be unique on the computer. For example, if an administrator mounts three snapshots, you must specify 12 unique ports (four for each instance).
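The snapshot procedure from the two preceding slides (create, mount, expose read-only through dsamain, browse with LDP, unmount), with a port plan that answers the second demonstration question. This is an added example and not part of the course materials or the Microsoft guide it points to; it assumes a Windows Server 2008 domain controller whose database sits at Windows\NTDS\ntds.dit on the snapshotted volume, and it is run elevated as a Domain Admin. The function names and the base port 51389 are this example's own choices.

```powershell
# Added example (not course or Microsoft code): take, mount and expose an AD DS
# snapshot. Assumptions: Windows Server 2008 DC, ntds.dit under Windows\NTDS on
# the snapshotted volume, run elevated as a Domain Admin.

function New-AdSnapshot {
    # Returns the GUID of the new snapshot set ("Snapshot set {GUID} generated successfully.").
    $out = ntdsutil 'activate instance ntds' snapshot create quit quit
    $m = [regex]::Match(($out -join "`n"), '\{[0-9a-fA-F-]{36}\}')
    if (-not $m.Success) { throw "ntdsutil did not report a snapshot GUID:`n$($out -join "`n")" }
    return $m.Value
}

function Mount-AdSnapshot {
    # Mounts the snapshot and returns the path ntdsutil reports
    # ("Snapshot {GUID} mounted as C:\$SNAP_<timestamp>_VOLUMEC$\").
    param([string]$Guid)
    $out = ntdsutil snapshot "mount $Guid" quit quit
    $m = [regex]::Match(($out -join "`n"), 'mounted as (\S+)')
    if (-not $m.Success) { throw "Mount of $Guid failed:`n$($out -join "`n")" }
    return $m.Groups[1].Value
}

function Get-DsamainPortPlan {
    # dsamain takes -ldapport and, unless told otherwise, uses the next three
    # numbers for -sslport, -gcport and -gcsslport. Spacing instances 1000 apart
    # keeps all 4*Count ports distinct from each other and from the live DC's
    # 389/636/3268/3269.
    param([int]$Count, [int]$BasePort = 51389)
    1..$Count | ForEach-Object {
        $ldap = $BasePort + 1000 * ($_ - 1)
        New-Object psobject -Property @{
            Instance = $_; LdapPort = $ldap; SslPort = $ldap + 1
            GcPort = $ldap + 2; GcSslPort = $ldap + 3
        }
    }
}

function Start-SnapshotLdap {
    # Exposes the mounted copy as a read-only LDAP server in its own window.
    # Deliberately no -allowNonAdminAccess: the snapshot is a full copy of the
    # directory, so access stays limited to Domain/Enterprise Admins by default.
    param([string]$MountPath, [int]$LdapPort)
    $dit = Join-Path $MountPath 'Windows\NTDS\ntds.dit'
    if (-not (Test-Path $dit)) { throw "No database at $dit" }
    Start-Process dsamain -ArgumentList "-dbpath `"$dit`" -ldapport $LdapPort"
}

# Usage: one snapshot now; with three mounted snapshots the plan yields 12 ports.
$guid  = New-AdSnapshot
$mount = Mount-AdSnapshot -Guid $guid
$plan  = Get-DsamainPortPlan -Count 3
$plan | Format-Table Instance, LdapPort, SslPort, GcPort, GcSslPort -AutoSize
Start-SnapshotLdap -MountPath $mount -LdapPort $plan[0].LdapPort
Write-Host "Browse with ldp.exe: Connection > Connect, server localhost, port $($plan[0].LdapPort)"
# When done: close the dsamain window, then release the snapshot:
#   ntdsutil snapshot "unmount $guid" quit quit
```

Because the mounted path holds a complete copy of ntds.dit, treat it and the snapshot set with the same care as the live database volume: unmount as soon as the comparison is finished, and keep the scheduled snapshot task the notes recommend on a volume with the same access control as %SystemRoot%\NTDS.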

Reanimating Tombstoned AD DS Objects

Slide points. You can reanimate deleted objects manually in AD DS when:
- You do not have current AD DS backups in a domain where user accounts or security groups were deleted.
- The deleted object has not yet been scavenged from the AD DS database.
- The deletion occurred in domains that contain only Windows Server 2003 or later domain controllers.

To reanimate tombstoned AD DS objects:
1. Use LDP.exe to locate the deleted object.
2. Modify the object's isDeleted attribute, and provide a distinguished name.
3. Enable the object, and then reconfigure the object attributes.

Notes:
Describe the scenario where reanimating tombstoned objects will work. By default, AD DS objects are retained in the AD DS database in a deactivated state for 60 days after the object has been deleted. When an object is deactivated, most of the object's attributes are deleted, and only a few critical attributes (SID, ObjectGUID, LastKnownParent, and SAMAccountName) are retained. When you reanimate the object, you are activating it, but you still must reconfigure all of the user settings.

You may want to show the students how to reanimate the object that was deleted in a previous topic. The resource listed below provides the procedure.

Reference: How to restore deleted user accounts and their group memberships in Active Directory, http://go.microsoft.com/fwlink/?LinkId=101092
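The three steps on the slide, done over LDAP from PowerShell with the System.DirectoryServices.Protocols classes rather than by hand in LDP.exe, so that the two attribute changes are guaranteed to travel in a single modify operation. This is an added example and not part of the course materials or the referenced Microsoft article; it assumes the NYC-DC1 domain controller from the lab, a placeholder domain DN and account name, and that the caller is a Domain Admin. The function names are this example's own.

```powershell
# Added example (not course or Microsoft code): locate a tombstone, clear
# isDeleted while giving it a new DN, then enable it. Assumptions (placeholders):
# server NYC-DC1, domain DC=WoodgroveBank,DC=com, account jdoe; run as Domain Admin.

Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns = 'System.DirectoryServices.Protocols'

function Connect-Ldap {
    param([string]$Server)
    $conn = New-Object -TypeName "$ns.LdapConnection" -ArgumentList $Server
    $conn.SessionOptions.ProtocolVersion = 3        # LDAP controls need v3
    $conn.Bind()                                     # current credentials (Negotiate)
    return $conn
}

# Step 1: find the tombstone. Deleted objects sit under CN=Deleted Objects and
# are returned only when the Show Deleted control (1.2.840.113556.1.4.417) is sent.
function Find-DeletedObject {
    param($Conn, [string]$DomainDn, [string]$SamAccountName)
    $req = New-Object -TypeName "$ns.SearchRequest"
    $req.DistinguishedName = "CN=Deleted Objects,$DomainDn"
    $req.Filter = "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))"
    $req.Scope = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
    $req.Attributes.AddRange([string[]]@('lastKnownParent', 'objectSid', 'userAccountControl'))
    [void]$req.Controls.Add((New-Object -TypeName "$ns.ShowDeletedControl"))
    $resp = $Conn.SendRequest($req)
    if ($resp.Entries.Count -ne 1) { throw "Expected one tombstone for $SamAccountName, found $($resp.Entries.Count)" }
    return $resp.Entries[0]
}

# Step 2: one modify request that deletes isDeleted AND replaces distinguishedName.
# Sent as two separate requests, the DC rejects both; the Show Deleted control
# must accompany the request as well. The SID and GUID are preserved by this.
function Restore-Tombstone {
    param($Conn, $Entry, [string]$TargetOu)
    # Deletion appended "\0ADEL:<guid>" to the RDN; strip it to get the original CN.
    $rdn = ($Entry.DistinguishedName -split ',', 2)[0] -replace '\\0ADEL:.*$', ''
    $newDn = "$rdn,$TargetOu"
    $op = 'System.DirectoryServices.Protocols.DirectoryAttributeOperation' -as [type]
    $clear = New-Object -TypeName "$ns.DirectoryAttributeModification"
    $clear.Name = 'isDeleted'; $clear.Operation = $op::Delete
    $move = New-Object -TypeName "$ns.DirectoryAttributeModification"
    $move.Name = 'distinguishedName'; $move.Operation = $op::Replace
    [void]$move.Add($newDn)
    $req = New-Object -TypeName "$ns.ModifyRequest"
    $req.DistinguishedName = $Entry.DistinguishedName
    [void]$req.Modifications.Add($clear)
    [void]$req.Modifications.Add($move)
    [void]$req.Controls.Add((New-Object -TypeName "$ns.ShowDeletedControl"))
    [void]$Conn.SendRequest($req)
    return $newDn
}

# Step 3: enable. Set a password first (Active Directory Users and Computers, or
# unicodePwd over LDAPS): the tombstone kept no password, and the DC refuses to
# enable an account that violates the domain password policy. 0x2 = ACCOUNTDISABLE.
function Enable-ReanimatedAccount {
    param($Conn, [string]$Dn, [int]$CurrentUac)
    $op = 'System.DirectoryServices.Protocols.DirectoryAttributeOperation' -as [type]
    $mod = New-Object -TypeName "$ns.DirectoryAttributeModification"
    $mod.Name = 'userAccountControl'; $mod.Operation = $op::Replace
    [void]$mod.Add([string]($CurrentUac -band (-bnot 2)))
    $req = New-Object -TypeName "$ns.ModifyRequest"
    $req.DistinguishedName = $Dn
    [void]$req.Modifications.Add($mod)
    [void]$Conn.SendRequest($req)
}

# Usage (placeholders). lastKnownParent is used as the target OU; if that OU was
# deleted too, reanimate it first or pick another OU.
$conn  = Connect-Ldap -Server 'NYC-DC1'
$entry = Find-DeletedObject -Conn $conn -DomainDn 'DC=WoodgroveBank,DC=com' -SamAccountName 'jdoe'
$newDn = Restore-Tombstone -Conn $conn -Entry $entry -TargetOu ([string]$entry.Attributes['lastKnownParent'][0])
Enable-ReanimatedAccount -Conn $conn -Dn $newDn -CurrentUac ([int]$entry.Attributes['userAccountControl'][0])
Write-Host "Reanimated $newDn; group memberships and other attributes must now be re-added by hand."
```

The point of doing it this way rather than recreating the user is the one the lab review makes: the reanimated object keeps its original SID (and GUID), so existing ACL entries and sIDHistory keep working, whereas a recreated account is a different security principal. Group memberships are back-links that the tombstone did not preserve, so they must be added again afterwards.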

Lab: Implementing an AD DS Maintenance Plan

Exercises:
- Exercise 1: Maintaining AD DS Domain Controllers
- Exercise 2: Backing Up AD DS
- Exercise 3: Performing an Authoritative Restore of the AD DS Database
- Exercise 4: Restoring Data Using the AD DS Data Mining Tool (optional)

Note: Because of the time it takes to restore the data in these exercises, the students may want to do just Exercise 3 or 4, but not both.

Lab objectives:
- Maintain AD DS domain controllers.
- Back up AD DS.
- Restore AD DS.

Scenario: Woodgrove Bank has completed its AD DS deployment. To ensure high availability and performance for the AD DS servers, the organization is implementing a maintenance plan that includes ongoing maintenance of the AD DS databases and implementation of a disaster-recovery plan. The server administrator has prepared a backup plan that includes daily backups of the system volume of a domain controller in each domain. The server administrator has also prepared plans for recovering AD DS data in several scenarios. You need to implement these plans.

This lab consists of five exercises.

Exercise 1: Maintaining AD DS domain controllers
The student will execute a plan for implementing AD DS domain controllers. Tasks include running the SCW to disable all services that are not required on the domain controllers, moving the AD DS databases to an alternate hard disk, and performing an offline defragmentation of the AD DS database.

Exercise 2: Backing Up AD DS
The student will schedule a backup of the system volume, and perform an on-demand backup of the system volume.

Exercise 3: Performing a Non-Authoritative Restore of the AD DS Database
Students will perform a non-authoritative restore of the AD DS database, using the on-demand backup that they performed in the previous module. Students will perform this restore in a domain that has only one domain controller.

Exercise 4: Performing an Authoritative Restore of the AD DS Database
Students will perform an authoritative restore of the AD DS database using the scheduled backup that they performed in the previous module. After completing the backup, students will delete an object in AD DS, then perform this restore in a domain that has multiple domain controllers, and verify that the deleted object has been restored.

Logon information:
- Virtual machines: 6425A-NYC-DC1, 6425A-NYC-DC2
- User name: Administrator
- Password: Pa$$w0rd

Estimated time: 75 minutes

Exercise 5: Restoring Data Using the AD DS Database Mounting Tool
Students will use the AD DS Database Mounting Tool to restore data from a deleted AD DS object. Tasks include using Ntdsutil to create a snapshot of the AD DS volume, deleting a user account from AD DS, using Ntdsutil to mount the snapshot, and using LDP to view information about the user account in the snapshot.

Inputs: AD DS maintenance plan that the server administrator provides.
Outputs: The AD DS maintenance plan has been verified and all processes in the plan have been tested.

Lab Review

Slide questions:
- How could you apply the security policy you created in Exercise 1 to multiple domain controllers? What concerns would you have with doing this?
- Why is a non-authoritative AD DS restore overwritten by replication? How does an authoritative restore prevent this from happening?
- What is the difference between restoring an AD DS object by undeleting it, and just recreating the object?

Lab Review Questions and Answers:

Question: How could you apply the security policy you created in Exercise 1 to multiple domain controllers? What concerns would you have with doing this?
Answer: You could use the scwcmd tool to convert the security policy to a group policy object. You could then link the GPO to the Domain Controllers OU in AD DS. Before you do this, you should ensure that all of the domain controllers have a similar configuration. For example, if a domain controller has different applications or services installed, those applications or services may be disabled by a security policy created on another domain controller.

Question: Why is a non-authoritative AD DS restore overwritten by replication? How does an authoritative restore prevent this from happening?
Answer: The non-authoritative restore just restores the objects in AD DS without changing the object update sequence number (USN). However, the change to AD DS that deleted the AD DS object has a higher USN than the USN for the restored object. Therefore, replication from other domain controllers will overwrite the restore. The authoritative restore sets a higher USN for the restored object, so that the changes will be replicated from the server where the object is restored to other domain controllers.

Question: What is the difference between restoring an AD DS object by undeleting it, and just recreating the object?
Answer: When you restore an AD DS object by undeleting it, you restore the object with the same Security Identifier (SID). If you just recreate the object, the object may have the same name and attributes, but it will have a different SID.

Module Review and Takeaways

Slide points: Review questions; Considerations; Tools

Question: One of your domain controllers is running out of hard-drive space. You modify the domain controller so that it is no longer a global catalog server, but notice that the size of the AD DS database does not decrease. What should you do to reclaim hard-drive space on the server?
Answer: Perform an offline defragmentation.

Question: You are concerned about the amount of disk space that the AD DS database and log files are using. How do you determine the size of the database and log files?
Answer: Browse to the %systemroot%\NTDS folder, and add up the size of the NTDS.dit and the transaction log files.

Question: You install Windows Server Backup on your domain controller. You only have two drives on the computer, and both are being used for data or system files. What type of backup should you use to back up your AD DS environment?
Answer: You will have to use an on-demand backup. A scheduled backup must use a local drive, and will format the drive when performing the backup.

Question: All of the domain controllers in your domain have failed. You are trying to rebuild the domain from the AD DS backup on one domain controller. Which type of restore must you use to rebuild the domain?
Answer: You can use a normal restore, as no domain controller is available to replicate with the newly restored domain controller.

Question: You accidentally deleted a user account in AD DS. What options do you have to make the account available again?
Answer: You can perform an authoritative restore of the user account, reanimate the user account using LDP, or recreate the user account. If you recreate the user account, you must reassign the account to all groups and reassign permissions.