Module 9: Implementing an Active Directory Domain Services Maintenance Plan - PowerPoint PPT Presentation

Slides: 27
Provided by: Jess99
Transcript and Presenter's Notes


1
  • Module 9: Implementing an Active Directory
    Domain Services Maintenance Plan

2
Module Overview
  • Maintaining the AD DS Domain Controllers
  • Backing Up Active Directory Domain Services
  • Restoring Active Directory Domain Services

3
Lesson 1 Maintaining the AD DS Domain
Controllers
  • The Active Directory Domain Services Database and
    Log Files
  • How the AD DS Database Is Modified
  • Managing the Active Directory Database Using
    NTDSUtil Tool
  • What Is an AD DS Database Defragmentation?
  • What Are Restartable Active Directory Domain
    Services?
  • Demonstration Performing AD DS Database
    Maintenance Tasks
  • Locking Down Services on an AD DS Domain
    Controller

4
The Active Directory Domain Services Database and
Log Files
5
How the AD DS Database Is Modified
  • Diagram labels: Write Request; Transaction is
    initiated; Write to the transaction buffer;
    Write to the transaction log file (EDB.log);
    Commit the transaction; Write to the database
    on disk (Ntds.dit on Disk); Update the
    checkpoint (Edb.chk)
6
Managing the Active Directory Database Using
NTDSUtil Tool
Ntdsutil.exe is a command-line tool used to
manage some Active Directory components
Type HELP at any NTDSUtil prompt for
context-sensitive help
7
What Is an AD DS Database Defragmentation?
Offline defragmentation creates a new, compacted
version of the database file
8
What Are Restartable Active Directory Domain
Services?
  • Restartable AD DS allows administrators to stop
    Active Directory Domain Services without
    stopping any other services
  • Use restartable AD DS when:
      • Applying updates that modify Active Directory
        service files on a domain controller
      • Performing tasks such as offline
        defragmentation of the Active Directory
        database
  • Directory Services Restore Mode must be used to
    restore the Active Directory database

9
Demonstration Performing AD DS Database
Maintenance Tasks
  • In this demonstration, you will see how to:
      • Start and stop AD DS Services
      • Move the AD database to a different drive
        using NTDSUtil
      • Use NTDSUtil and AD DS Stopped mode for
        offline defrag
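
The offline defragmentation from this demonstration, written out as an added example (not part of the original slides). The working folder `D:\NtdsCompact` and the `.predefrag` file name are assumptions; the database and log paths are read from the NTDS service's registry parameters.

```powershell
# Added example: offline defragmentation of Ntds.dit using restartable AD DS.
# Run elevated on the domain controller. $workDir is an assumed scratch folder.
$ErrorActionPreference = 'Stop'
$workDir = 'D:\NtdsCompact'

# Read the live database file and log folder from the NTDS service parameters.
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $params.'DSA Database file'
$logDir = $params.'Database log files path'

# The compacted copy can be as large as the original, so require that much free space.
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$root = [System.IO.Path]::GetPathRoot($workDir)
$free = (New-Object System.IO.DriveInfo $root).AvailableFreeSpace
if ($free -lt (Get-Item $dbFile).Length) { throw "Not enough free space on $root" }

# Stop only the directory service; -Force also stops the services that depend on it.
Stop-Service -Name NTDS -Force
try {
    # Create the new, compacted database file in the working folder.
    ntdsutil "activate instance ntds" files "compact to $workDir" quit quit
    $compacted = Join-Path $workDir 'ntds.dit'
    if (-not (Test-Path $compacted)) { throw 'Compaction did not produce ntds.dit' }

    # Keep the original file until the new one has passed its integrity check.
    Copy-Item $dbFile "$dbFile.predefrag" -Force
    Copy-Item $compacted $dbFile -Force

    # The old transaction logs do not belong to the compacted file.
    Remove-Item (Join-Path $logDir '*.log')

    # Verify the replaced database before the service is started again.
    ntdsutil "activate instance ntds" files integrity quit quit
}
finally {
    Start-Service -Name NTDS
}
```

Review the integrity output before deleting the `.predefrag` copy; if it reports errors, stop NTDS again and copy the original file back.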

10
Locking Down Services on AD DS Domain
Controllers
  • Services required for AD DS to function
    correctly:
      • Distributed File System
      • DNS Server
      • File Replication Service
      • Kerberos Key Distribution Center
      • Intersite Messaging
      • Remote Procedure Call (RPC) Locator
  • Minimize the number of server roles and
    applications installed on domain controllers
  • Use the Security Configuration Wizard to lock
    down the services on a domain controller
11
Lesson 2 Backing Up Active Directory Domain
Services
  • Introduction to Backing Up AD DS
  • Windows Backup Features
  • Demonstration Backing Up AD DS

12
Introduction to Backing Up AD DS
To back up Active Directory, you must back up all
critical volumes
  • Critical volumes include:
      • The system volume: the volume that hosts the
        boot files
      • The boot volume: the volume that hosts the
        Windows operating system and the Registry
      • The volume that hosts the SYSVOL tree
      • The volume that hosts the Active Directory
        database (Ntds.dit)
      • The volume that hosts the Active Directory
        database log files

All of these files may be stored in a single
volume or distributed across multiple volumes
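
One way to see how these locations are spread across volumes on a given domain controller and then back up every critical volume, as an added example (not part of the original slides). The backup target `E:` is an assumption; the paths come from the NTDS and Netlogon registry parameters.

```powershell
# Added example: show which volumes hold AD DS data, then back up all critical volumes.
# $target is an assumed dedicated backup volume.
$ErrorActionPreference = 'Stop'
$target = 'E:'

$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Paths whose volumes count as critical for AD DS. The system volume (boot files)
# is not listed here; wbadmin -allCritical includes it on its own.
$paths = @{
    'Windows and Registry (boot volume)' = $env:SystemRoot
    'SYSVOL tree'                        = $netlogon.SysVol
    'AD DS database (Ntds.dit)'          = $ntds.'DSA Database file'
    'AD DS database log files'           = $ntds.'Database log files path'
}

# Print each location with its volume and collect the volume roots.
$critical = foreach ($name in $paths.Keys) {
    $root = [System.IO.Path]::GetPathRoot($paths[$name]).TrimEnd('\')
    Write-Host ('{0,-36} {1}  ({2})' -f $name, $root, $paths[$name])
    $root
}

# A backup stored on a volume it is meant to protect is lost together with that volume.
if ($critical -contains $target) {
    throw "$target hosts AD DS data; choose a different backup target"
}

# Back up every critical volume, then list the backup versions now on the target.
wbadmin start backup -allCritical "-backupTarget:$target" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }
wbadmin get versions "-backupTarget:$target"
```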
13
Windows Backup Features
  • Windows Server Backup is a Windows Server 2008
    feature used to back up and recover the operating
    system and data

14
Demonstration Backing Up AD DS
  • In this demonstration, you will see how to back
    up AD DS

15
Lesson 3 Restoring Active Directory Domain
Services
  • Overview of Restoring AD DS
  • What Is a Nonauthoritative AD DS Restore?
  • What Is an Authoritative AD DS Restore?
  • What Is the Database Mounting Tool?
  • Demonstration Using the Database Mounting Tool
  • Reanimating Tombstoned AD DS Objects

16
Overview of Restoring AD DS
  • Options for restoring Active Directory Domain
    Services include:
      • Normal Restore
      • Authoritative Restore
      • Full Server Restore
      • Alternate Location Restore

17
What Is a Nonauthoritative AD DS Restore?
  • A nonauthoritative or normal AD DS restore
    returns the directory service to its state at the
    time that the backup was created

  1. Press F8 when restarting the server and choose
     Directory Services Restore Mode, or type the
     command bcdedit /set safeboot dsrepair and
     restart the server
  2. Provide the Directory Services Restore Mode
     password
18
What Is an Authoritative AD DS Restore?
  • Authoritative restore provides a method to
    recover objects and containers that have been
    deleted from AD DS
  • To mark an object as authoritative, use a command
    like:
      restore subtree OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com
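
The nonauthoritative restore followed by an authoritative restore of one subtree, as an added two-phase script (not part of the original slides). The `-Phase`, `-Version` and `-Subtree` parameter names are assumptions of this example, and the default subtree follows the Marketing OU used on the slide.

```powershell
# Added example: nonauthoritative restore, then mark one subtree authoritative.
# Run once with -Phase EnterDsrm, log on with the DSRM password, then run with -Phase Restore.
param(
    [Parameter(Mandatory = $true)][ValidateSet('EnterDsrm', 'Restore')][string]$Phase,
    [string]$Version,   # backup version identifier, as listed by "wbadmin get versions"
    [string]$Subtree = 'OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com'
)
$ErrorActionPreference = 'Stop'

if ($Phase -eq 'EnterDsrm') {
    # Make the next boot start in Directory Services Restore Mode.
    bcdedit /set safeboot dsrepair
    Restart-Computer
    return
}

# Windows sets SAFEBOOT_OPTION in safe-mode boots; DSREPAIR means DSRM.
if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
    throw 'Not in Directory Services Restore Mode; run -Phase EnterDsrm first.'
}
if (-not $Version) {
    wbadmin get versions
    throw 'Re-run with -Version set to one of the version identifiers listed above.'
}

# Nonauthoritative step: return the directory to its state at backup time.
wbadmin start systemstaterecovery "-version:$Version" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }

# Before restarting, mark the subtree authoritative so that replication does not
# overwrite it with the deletion held by the other domain controllers.
# A distinguished name that contains spaces must be wrapped in quotation marks.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $Subtree" quit quit

# Return to a normal boot; restart once the ntdsutil output has been reviewed.
bcdedit /deletevalue safeboot
Write-Host 'Authoritative restore marked. Restart the server to resume replication.'
```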

19
What Is the Database Mounting Tool?
  • The Database Mounting Tool can be used to:
      • Create and view snapshots of data that is
        stored in AD DS
      • Improve recovery processes for your
        organization by providing a means to compare
        data as it exists in snapshots that are taken
        at different times
      • Eliminate the need to restore multiple backups
        to compare the Active Directory data that they
        contain
      • View, but not restore, deleted objects and
        containers
20
Demonstration Using the Database Mounting Tool
  • In this demonstration, you will see how to use
    the Database Mounting Tool to view deleted AD DS
    objects

21
Reanimating Tombstoned AD DS Objects
  • You can reanimate deleted objects manually in AD
    DS when:
      • You do not have current AD DS backups in a
        domain where user accounts or security groups
        were deleted
      • The deleted object has not yet been scavenged
        from the Active Directory database
      • The deletion occurred in domains that contain
        only Windows Server 2003 or later domain
        controllers
  • To reanimate tombstoned AD DS objects:
      • Use LDP.exe to locate the deleted object
      • Modify the object's isDeleted attribute and
        provide a distinguished name
      • Enable the object and reconfigure the object
        attributes

22
Lab Implementing an Active Directory Domain
Services Maintenance Plan
  • Exercise 1 Maintaining AD DS Domain Controllers
  • Exercise 2 Backing Up AD DS
  • Exercise 3 Performing a Nonauthoritative Restore
    of the AD DS Database
  • Exercise 4 Performing an Authoritative Restore
    of the AD DS Database
  • Exercise 5 Restoring Data Using the AD DS Data
    Mining Tool

Logon information
  • Virtual machine: 6425A-NYC-DC1, 6425A-NYC-DC2
  • User name: Administrator
  • Password: Paw0rd
  • Estimated time: 75 minutes
23
Lab Review
  • How could you apply the security policy you
    created in Exercise 1 to multiple domain
    controllers? What concerns would you have with
    doing this?
  • Why is a Nonauthoritative AD DS restore
    overwritten by replication? How does an
    authoritative restore prevent this from
    happening?
  • What is the difference between restoring an AD DS
    object by undeleting it and just recreating the
    object?

24
Module Review and Takeaways
  • Review questions
  • Considerations
  • Tools

25
Beta Feedback Tool
  • Beta feedback tool helps
  • Collect student roster information, module
    feedback, and course evaluations.
  • Identify and sort the changes that students
    request, thereby facilitating a quick team
    triage.
  • Save data to a database in SQL Server that you
    can later query.
  • Walkthrough of the tool

26
Beta Feedback
  • Overall flow of module
  • Which topics did you think flowed smoothly, from
    topic to topic?
  • Was something taught out of order?
  • Pacing
  • Were you able to keep up? Are there any places
    where the pace felt too slow?
  • Were you able to process what the instructor said
    before moving on to next topic?
  • Did you have ample time to reflect on what you
    learned? Did you have time to formulate and ask
    questions?
  • Learner activities
  • Which demos helped you learn the most? Why do you
    think that is?
  • Did the lab help you synthesize the content in
    the module? Did it help you to understand how you
    can use this knowledge in your work environment?
  • Were there any discussion questions or reflection
    questions that really made you think? Were there
    questions you thought weren't helpful?