Title: Module 9: Implementing an Active Directory Domain Services Maintenance Plan
1. Module 9: Implementing an Active Directory Domain Services Maintenance Plan
2. Module Overview
- Maintaining the AD DS Domain Controllers
- Backing Up Active Directory Domain Services
- Restoring Active Directory Domain Services
3. Lesson 1: Maintaining the AD DS Domain Controllers
- The Active Directory Domain Services Database and Log Files
- How the AD DS Database Is Modified
- Managing the Active Directory Database Using NTDSUtil Tool
- What Is an AD DS Database Defragmentation?
- What Are Restartable Active Directory Domain Services?
- Demonstration: Performing AD DS Database Maintenance Tasks
- Locking Down Services on an AD DS Domain Controller
4. The Active Directory Domain Services Database and Log Files
5. How the AD DS Database Is Modified
[Diagram: Write Request -> Transaction is initiated -> Write to the transaction buffer -> Write to the transaction log file (EDB.log) -> Commit the transaction -> Write to the database on disk (Ntds.dit on disk) -> Update the checkpoint (Edb.chk)]
6. Managing the Active Directory Database Using NTDSUtil Tool
- Ntdsutil.exe is a command-line tool used to manage some Active Directory components
- Type HELP at any NTDSUtil prompt for context-sensitive help
7. What Is an AD DS Database Defragmentation?
- Offline defragmentation creates a new, compacted version of the database file
8. What Are Restartable Active Directory Domain Services?
- Restartable AD DS services allow administrators to stop the Active Directory Domain Services without stopping any other services
- Use restartable AD DS services when
  - Applying updates that modify Active Directory service files on a domain controller
  - Performing tasks such as offline defragmentation of the Active Directory database
- Directory Services Restore Mode must be used to restore the Active Directory database
9. Demonstration: Performing AD DS Database Maintenance Tasks
- In this demonstration, you will see how to
  - Start and stop AD DS Services
  - Move AD Database to a different drive using NTDSUtil
  - Use NTDSUtil and AD DS Stopped mode for Offline Defrag
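Added example, not part of the course material: the offline defragmentation from the demonstration above, scripted around restartable AD DS. It assumes Ntds.dit and its logs are in the default C:\Windows\NTDS folder and uses D:\NtdsCompact as a hypothetical working folder with enough free space.

```powershell
# Added example (not from the course): offline defragmentation with restartable AD DS.
# Assumptions: default database folder C:\Windows\NTDS; D:\NtdsCompact is a hypothetical
# local working folder; run from an elevated session on the domain controller.
$ErrorActionPreference = 'Stop'
$dbDir   = 'C:\Windows\NTDS'
$workDir = 'D:\NtdsCompact'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Remember which services that depend on AD DS are running, then stop AD DS.
# -Force stops those dependents too; services that do not depend on AD DS keep running.
$dependents = Get-Service -Name NTDS -DependentServices |
    Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force

try {
    # Offline defragmentation writes a new, compacted Ntds.dit into $workDir.
    ntdsutil "activate instance ntds" files "compact to $workDir" quit quit
    if (-not (Test-Path "$workDir\ntds.dit")) {
        throw 'Compaction produced no database file; the original is untouched.'
    }

    # Keep the original until the compacted copy has been checked.
    Copy-Item "$dbDir\ntds.dit" "$workDir\ntds.dit.original"
    Copy-Item "$workDir\ntds.dit" "$dbDir\ntds.dit" -Force
    Remove-Item "$dbDir\*.log"   # old transaction logs do not match the new file

    # Integrity check of the file now in place; the operator reads the result.
    ntdsutil "activate instance ntds" files integrity quit quit
    if ((Read-Host 'Did the integrity check report success? (y/n)') -ne 'y') {
        Copy-Item "$workDir\ntds.dit.original" "$dbDir\ntds.dit" -Force
        Write-Warning 'Original database put back in place.'
    }
}
finally {
    # Bring AD DS and its dependents back whether or not the steps above succeeded.
    Start-Service -Name NTDS
    foreach ($svc in $dependents) {
        if ($svc) { Start-Service -Name $svc.Name }
    }
    # $workDir now holds full copies of the directory database. Remove them, or move
    # them to access-controlled storage, once the domain controller is confirmed healthy.
}
```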
10. Locking Down Services on AD DS Domain Controllers
- Services required for AD DS to function correctly
  - Distributed File System
  - DNS Server
  - File Replication Service
  - Kerberos Key Distribution Center
  - Intersite Messaging
  - Remote Procedure Call (RPC) Locator
- Minimize the number of server roles and applications installed on domain controllers
- Use the Security Configuration Wizard to lock down the services on a domain controller
11. Lesson 2: Backing Up Active Directory Domain Services
- Introduction to Backing Up AD DS
- Windows Backup Features
- Demonstration: Backing Up AD DS
12. Introduction to Backing Up AD DS
- To back up Active Directory, you must back up all critical volumes
  - The system volume: the volume that hosts the boot files
  - The boot volume: the volume that hosts the Windows operating system and the Registry
  - The volume that hosts the SYSVOL tree
  - The volume that hosts the Active Directory database (Ntds.dit)
  - The volume that hosts the Active Directory database log files
- All of these files may be stored in a single volume or distributed across multiple volumes
13. Windows Backup Features
- Windows Server Backup is a Windows Server 2008 feature used to back up and recover the operating system and data
14. Demonstration: Backing Up AD DS
- In this demonstration, you will see how to back up AD DS
15. Lesson 3: Restoring Active Directory Domain Services
- Overview of Restoring AD DS
- What Is a Nonauthoritative AD DS Restore?
- What Is an Authoritative AD DS Restore?
- What Is the Database Mounting Tool?
- Demonstration: Using the Database Mounting Tool
- Reanimating Tombstoned AD DS Objects
16. Overview of Restoring AD DS
- Options for restoring Active Directory Domain Services include
  - Normal Restore
  - Authoritative Restore
  - Full Server Restore
  - Alternate Location Restore
17. What Is a Nonauthoritative AD DS Restore?
- A nonauthoritative or normal AD DS restore returns the directory service to its state at the time that the backup was created
  1. Press F8 when restarting the server and choose Directory Services Restore Mode, or type the command bcdedit /set safeboot dsrepair and restart the server
  2. Provide the Directory Services Restore Mode password
18. What Is an Authoritative AD DS Restore?
- Authoritative restore provides a method to recover objects and containers that have been deleted from AD DS
- To mark an object as authoritative, use a command like
  - restore subtree OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com
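Added example, not part of the course material: the critical-volume backup from Lesson 2 and the nonauthoritative and authoritative restore steps above, written as one phased script because the procedure spans restarts. The backup target E: and the version string are placeholders; the subtree is the one the slide uses.

```powershell
# Added example (not from the course): back up, restore in DSRM, mark a subtree authoritative.
# Assumptions: E: is a hypothetical backup volume; -Version is a placeholder to be copied
# from "wbadmin get versions"; each phase is run elevated on the domain controller.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Backup', 'EnterDsrm', 'Restore', 'MarkAuthoritative', 'LeaveDsrm')]
    [string]$Phase,
    [string]$Version = '<VERSION-FROM-WBADMIN-GET-VERSIONS>',
    [string]$Subtree = 'OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com'
)

switch ($Phase) {
    'Backup' {
        # -allCritical selects every critical volume: system, boot, SYSVOL,
        # and the volumes holding Ntds.dit and its log files.
        wbadmin start backup -allCritical '-backupTarget:E:' -quiet
    }
    'EnterDsrm' {
        # Equivalent to pressing F8 and choosing Directory Services Restore Mode.
        bcdedit /set safeboot dsrepair
        Restart-Computer
    }
    'Restore' {
        # Run after logging on with the DSRM password.
        wbadmin get versions
        wbadmin start systemstaterecovery "-version:$Version" -quiet
        # A nonauthoritative restore ends here. If wbadmin asks for a restart, the
        # safeboot value set in EnterDsrm brings the server back up in DSRM.
    }
    'MarkAuthoritative' {
        # Still in DSRM: mark the restored subtree so that replication does not
        # overwrite it with the deleted state held by the other domain controllers.
        ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $Subtree" quit quit
    }
    'LeaveDsrm' {
        # Remove the safeboot value so the next start is a normal one.
        bcdedit /deletevalue safeboot
        Restart-Computer
    }
}
```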
19. What Is the Database Mounting Tool?
- The Database Mounting Tool can be used to
  - Create and view snapshots of data that is stored in AD DS
  - Improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times
  - Eliminate the need to restore multiple backups to compare the Active Directory data that they contain
  - View, but not restore, deleted objects and containers
20. Demonstration: Using the Database Mounting Tool
- In this demonstration, you will see how to use the Database Mounting Tool to view deleted AD DS objects
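Added example, not part of the course material: one way to create, mount and browse a snapshot with ntdsutil and dsamain. It assumes a single-volume domain controller with Ntds.dit in the default \Windows\NTDS folder, that port 51389 (a hypothetical choice) is free, and that ntdsutil prints the snapshot GUID and the $SNAP_... mount folder in its output.

```powershell
# Added example (not from the course): browse an AD DS snapshot with the Database Mounting Tool.
# Assumptions: elevated session on the DC; single volume; default \Windows\NTDS folder;
# 51389 is a hypothetical unused port; the two regexes rely on ntdsutil printing the
# snapshot GUID and the "$SNAP_..." mount folder in its output.
$ErrorActionPreference = 'Stop'
$ldapPort = 51389

# 1. Create a snapshot and pick up the first GUID ntdsutil prints (the snapshot set).
$out = ntdsutil snapshot "activate instance ntds" create quit quit | Out-String
if ($out -notmatch '\{[0-9a-fA-F-]{36}\}') {
    throw "No snapshot GUID found in ntdsutil output:`n$out"
}
$guid = $Matches[0]

# 2. Mount the snapshot and locate the database file inside the mount folder.
$out = ntdsutil snapshot "activate instance ntds" "mount $guid" quit quit | Out-String
if ($out -notmatch '[A-Za-z]:\\\$SNAP_[^\\\s]+') {
    throw "No mount folder found in ntdsutil output:`n$out"
}
$dit = Join-Path $Matches[0] 'Windows\NTDS\ntds.dit'

try {
    # 3. Serve the snapshot over LDAP. dsamain runs in its own window until Ctrl+C;
    #    connect LDP.exe to localhost:$ldapPort to view objects, deleted ones included.
    Write-Host "Browse localhost:$ldapPort, then press Ctrl+C in the dsamain window."
    Start-Process dsamain -ArgumentList "/dbpath `"$dit`" /ldapport $ldapPort" -Wait
}
finally {
    # 4. A mounted snapshot is a full copy of the directory database, so unmount
    #    and delete it as soon as the comparison is finished.
    ntdsutil snapshot "activate instance ntds" "unmount $guid" "delete $guid" quit quit
}
```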
21. Reanimating Tombstoned AD DS Objects
- You can reanimate deleted objects manually in AD DS when
  - You do not have current AD DS backups in a domain where user accounts or security groups were deleted
  - The deleted object has not yet been scavenged from the Active Directory database
  - The deletion occurred in domains that contain only Windows Server 2003 or later domain controllers
- To reanimate tombstoned AD DS objects
  - Use LDP.exe to locate the deleted object
  - Modify the object's isDeleted attribute and provide a distinguished name
  - Enable the object and reconfigure the object attributes
22. Lab: Implementing an Active Directory Domain Services Maintenance Plan
- Exercise 1: Maintaining AD DS Domain Controllers
- Exercise 2: Backing Up AD DS
- Exercise 3: Performing a Nonauthoritative Restore of the AD DS Database
- Exercise 4: Performing an Authoritative Restore of the AD DS Database
- Exercise 5: Restoring Data Using the AD DS Data Mining Tool
Logon information
- Virtual machine: 6425A-NYC-DC1, 6425A-NYC-DC2
- User name: Administrator
- Password: Paw0rd
Estimated time: 75 minutes
23. Lab Review
- How could you apply the security policy you created in Exercise 1 to multiple domain controllers? What concerns would you have with doing this?
- Why is a Nonauthoritative AD DS restore overwritten by replication? How does an authoritative restore prevent this from happening?
- What is the difference between restoring an AD DS object by undeleting it and just recreating the object?
24. Module Review and Takeaways
- Review questions
- Considerations
- Tools