8/6/2019 AD back up
1/13
Active Directory 2003 Backup & Restore
Active Directory 2003 Backup and Restore
TECHNOLOGY INFRASTRUCTURE SERVICES
Author: Selvakumar Palanivel
Date of Creation: 02 Dec 2005
Email id: [email protected]
Wipro Technologies TIS Page 1 of 13
Table of content
1. Introduction................................................................................................. 3
2. Overview of Active Directory 2003................................................................ 3
3. System Components of Active Directory ....................................................... 3
3.1 Domain Controllers (DCs)................................................................ 4
3.2 Global Catalogs (GCs) ...................................................................... 4
3.3 Operations Masters (OMs)................................................................ 4
4. Active Directory Backup............................................................................... 5
4.1 Contents............................................................................................. 5
4.2 Age .................................................................................................... 6
4.3 Type of Backup................................................................................. 6
4.4 To backup a domain controller using the W2K3 backup utility....... 7
5. Active Directory Restore.............................................................................. 7
5.1 Restore through re-installation Procedure ........................................ 7
5.2 Restore from Backup ........................................................................ 7
6. Steps to Recover Active Directory Forest ...................................................... 9
7. Post Recovery Steps Active Directory Forest Restore ............................... 11
Appendix A To clean up server metadata ............................................... 12
Appendix B To disable a Global Catalog................................................ 13
Appendix C To seize an Operation Master role ...................................... 13
Appendix D Useful Links........................................................................ 13
1. Introduction
This document details best practices and procedures for recovering Active Directory 2003 after a forest-wide failure has caused all the Domain Controllers in the forest to stop functioning normally.
2. Overview of Active Directory 2003
The Active Directory service is the directory service for Windows Server 2003. It is a core component of the operating system and provides essential data to both the enterprise and other components within the OS.
Active Directory provides a central service for administrators to organize network resources and manage users, computers, and applications.
3. System Components of Active Directory
Although many components make up Active Directory, this section focuses on the system components that are relevant when considering the AD restoration plan.
3.1 Domain Controllers (DCs)
Windows 2003 requires domain controllers (DCs) to host a domain database and perform authentication services. However, under Windows 2003, object changes can be made on any DC within the environment.
To ensure that all DCs in the environment host a current, synchronized and accurate version of the directory, DCs are responsible for initiating and performing replication operations. In addition to this domain information, all of the domain controllers in a particular forest host a copy of the forest configuration and schema containers.
3.2 Global Catalogs (GCs)
The global catalog's (GC's) primary function is to provide fast and efficient searches that extend across the entire Active Directory forest. A GC holds a full read/write replica of all objects within the domain of which it is a member, and a partial read-only replica (all objects but only a partial attribute set) of every other domain within the forest.
3.3 Operations Masters (OMs)
Because Active Directory supports multi-master updates (each DC hosts a writeable version of its directory partition), it must allow for the possibility of conflicting changes, that is, changes that are made simultaneously to the same object within the directory but from different DCs. The conflicts are resolved eventually and all DCs update to the same value.
However, in some cases it is better to prevent conflicts than to resolve them after the event. Operations masters (OMs) in Active Directory prevent conflicts in cases where conflict resolution is inappropriate.
Active Directory defines five Operations Master (OM) roles:
- Per-Forest Roles: Schema master and Domain naming master
- Per-Domain Roles: Relative IDentifier (RID) master, Primary Domain Controller (PDC) emulator and Infrastructure master
3.3.1 Schema Master
The DC that holds the schema master role is the only DC that can perform write operations to the directory schema. Those schema updates are replicated from the schema master to all other domain controllers in the forest.
3.3.2 Domain Naming Master
The DC that houses the domain naming master role is the only DC that:
- Adds new domains to the forest
- Removes existing domains from the forest
- Adds or removes cross-reference objects in external directories
3.3.3 Relative IDentifier (RID) Master
This operations master manages the allocation of RID pools to other DCs. Only one
server performs this task. When a security principal (for example, user, group, or
computer) is created, it requires that a RID be combined with a domain-wide identifier to create a unique Security IDentifier (SID).
Every Windows 2003 DC receives a pool of RIDs it can use to create objects. The RID master ensures unique IDs on every DC by assigning different pools. All object moves between domains of the same forest are accomplished using the RID master to avoid SID duplication.
3.3.4 Primary Domain Controller (PDC) Emulator
The PDC emulator provides the following major functions:
- Backward compatibility for clients and servers, allowing NT 4.0 BDCs to participate in the new Windows 2003 environment.
- Password management. Native Windows 2003 environments replicate password changes to the PDC emulator first. When a DC fails to authenticate a password (perhaps as a result of a change that has not yet been replicated to the authenticating DC), it contacts the PDC emulator to see whether the password can be authenticated there.
- Time synchronization. The PDCs of the domains within the forest synchronize with the PDC in the root domain of the forest to ensure accurate time synchronization.
3.3.5 Infrastructure Master
The infrastructure master ensures the consistency of objects for all inter-domain operations. When an object from another domain is referenced, the reference contains the Globally Unique IDentifier (GUID), the Security IDentifier (SID) and the Distinguished Name (DN) of that object. If the referenced object moves, the DC holding the infrastructure master role in a domain is responsible for updating the SIDs and DNs in cross-domain object references.
4. Active Directory Backup
To ensure a successful restore from backup, it is important to know what defines a good backup. For Active Directory, two things must be considered:
- Contents
- Age
4.1 Contents
The first important aspect of a backup is its contents. A good backup will include at least the System State, the contents of the system disk, and the SYSVOL folder (if not located on the system disk).
System State Components
On a Windows 2003 system acting only as a DC (running no services other than those required for DC operation), system state data encompasses the:
- System Start-up Files (boot files): These are the files required for Windows Server 2003 to start.
- System registry
- Class registration database of Component Services: The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
- SYSVOL: The system volume provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
  o NETLOGON shared folders: These usually host user logon scripts and Group Policy Objects (GPOs).
  o User logon scripts: for Windows 2000/XP based clients and clients that are running Windows 95, Windows 98, or Windows NT 4.0.
  o File system junctions
  o File Replication Service (FRS): staging directories and files that are required to be available and synchronized between domain controllers.
- Active Directory: Active Directory includes:
  o Ntds.dit: The Active Directory database.
  o Edb.chk: The checkpoint file.
  o Edb*.log: The transaction logs, each 10 megabytes (MB) in size.
  o Res1.log and Res2.log: Reserved transaction logs.
Note: Since Active Directory-integrated DNS is used, the DNS zone data is backed up as part of the Active Directory database. Also, if Windows Clustering or Certificate Services are installed on the domain controller, they are also backed up as part of system state.
4.2 Age
If the backup is older than the tombstone age set in Active Directory, then it is not considered to be a good backup. When an object is deleted in Windows Server 2003, the DC from which the object was deleted informs the other DCs in the environment about the deletion by replicating what is known as a tombstone.
A tombstone is a representation of an object that has been deleted but not fully removed from the directory. The tombstone will eventually be removed based on the tombstone lifetime setting, which by default is set to 60 days.
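The two criteria from sections 4.1 and 4.2 (contents present, age within the tombstone lifetime) can be checked from a script before relying on a backup set. This is an added example, not code from the Wipro document; it assumes Windows PowerShell is installed on the Windows Server 2003 DC, reads the NTDS and Netlogon registry values written at promotion, and reads tombstoneLifetime from the Directory Service object in the configuration partition.

```powershell
# Added example, not part of the Wipro document. Run locally on a Windows Server
# 2003 DC (assumes Windows PowerShell is installed) before taking a backup, or to
# judge an existing backup set before relying on it.

function Get-NtdsPaths {
    # Registry values written at promotion: database file, log/checkpoint folder, SYSVOL.
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    @{ Database = $ntds.'DSA Database file'
       LogDir   = $ntds.'Database log files path'
       Sysvol   = $nl.SysVol }
}

function Test-NtdsContents {
    # Section 4.1: Ntds.dit, Edb.chk, Edb*.log and SYSVOL must all be present.
    $p  = Get-NtdsPaths
    $ok = $true
    foreach ($f in @($p.Database, (Join-Path $p.LogDir 'edb.chk'), $p.Sysvol)) {
        if (-not (Test-Path $f)) { Write-Warning "Missing: $f"; $ok = $false }
    }
    if (-not (Get-ChildItem (Join-Path $p.LogDir 'edb*.log'))) {
        Write-Warning "No transaction logs found in $($p.LogDir)"; $ok = $false
    }
    $ok
}

function Get-TombstoneLifetimeDays {
    # Section 4.2: stored on the Directory Service object; unset means the 60-day default.
    $cfg = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ds  = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
    $v   = $ds.tombstoneLifetime.Value
    if ($v) { [int]$v } else { 60 }
}

function Test-BackupAge {
    param([DateTime]$BackupDate)   # date of the backup set you intend to restore
    $limit = Get-TombstoneLifetimeDays
    $age   = (Get-Date) - $BackupDate
    if ($age.TotalDays -ge $limit) {
        Write-Warning ("Backup is {0:N0} days old; tombstone lifetime is {1} days. Not a good backup." -f $age.TotalDays, $limit)
        return $false
    }
    Write-Host ("Backup age {0:N0} days is within the {1}-day tombstone lifetime." -f $age.TotalDays, $limit)
    $true
}

# Constructed sample: a backup taken seven days ago. Substitute the real backup date.
Test-NtdsContents
Test-BackupAge -BackupDate (Get-Date).AddDays(-7)
```

Both functions return $false and print a warning when the backup would not be a good one by the document's definition, so the script can gate a scheduled backup or restore job.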
4.3 Type of Backup
The only type of backup supported by Active Directory is normal. A normal backup creates a backup of the entire system while the domain controller is online. When backing up Active Directory using a normal backup, the backup utility will automatically back up all of the system components and all of the distributed services upon which
Active Directory is dependent. This dependent data, which includes Active Directory, is known collectively as the system state.
4.4 To backup a domain controller using the W2K3 backup utility
1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup to start the Backup Utility Wizard.
2. Click Advanced Mode in the Backup Utility Wizard.
3. On the Backup tab, select the check box for any drive, folder, or file that you want to back up.
4. Select the System State check box.
This will back up the System State data along with any other data you have selected for the current backup operation.
5. Active Directory Restore
There are two primary methods for restoring a Windows Server 2003 DC:
- Restore through re-installation.
- Restore from backup.
5.1 Restore through re-installation Procedure
Re-installing a domain controller is equivalent to building a new domain controller. This method is valid only if a healthy domain controller exists in the same domain.
1. Clean up server metadata to remove the NTDS Settings object of the failed domain controller. The metadata cleanup procedure is explained in Appendix A.
2. Install the Windows 2003 Operating System.
3. Promote the server to domain controller in the domain it exists in by using DCPROMO.
4. Verify the Active Directory installation.
5.2 Restore from Backup
When you restore Active Directory from backup, you have three further options:
- Non-Authoritative Restore
- Authoritative Restore
- Primary Restore
Non-Authoritative Restore
What is it?
- Restore to a known good point using Ntbackup
- Reboot into Active Directory mode to sync changes
When to use
- Recover from hardware failure
- Return to a known good state on a single domain controller
Options
- Rebuild the server from scratch and re-run Dcpromo.
- Restore the machine to a known good point and sync deltas.
Authoritative Restore
What is it?
- Restore to a known good point using Ntbackup
- Make the objects on the reference domain controller the master copy for Active Directory
When to use
- Accidental deletion or modification of objects or containers in Active Directory
- Corruption of objects/attributes in the directory
Options
- Find a good domain controller that has the objects and make it authoritative
- Restore from a backup that contains the objects and make it authoritative
Primary Restore
What is it?
- Restore to a known good point using Ntbackup
- Make the objects on the reference domain controller the master copy for Active Directory
When to use
- Restoring the first of several domain controllers
- The DC being restored is the only DC in the Domain
Options
- Mark the restored data as the primary data for all replicas
6. Steps to Recover Active Directory Forest
It is assumed that all the Domain Controllers in the Active Directory forest are not functional at this point.
1. Determine the roles of the domain controllers in the Domain and select a single domain controller which has the latest backup.
2. Switch off all other domain controllers or disconnect the connectivity to all other domain controllers to avoid replication.
3. Install the Windows 2003 operating system.
4. Reboot the server into Directory Service Mode by pressing the F8 key upon system startup.
5. Log in as Administrator.
6. Run the Windows 2003 backup utility and select the Restore Wizard button.
7. Select the appropriate backup location and ensure that at least the system disk and system state are checked.
8. Click the Advanced button and make sure you are restoring junctions and mark the restored data as the primary data for all replicas, because this is the first DC in the Domain.
9. Click Finish and, once complete, click NO to restart and close the backup application.
10. Open a command prompt, type ntdsutil, and press Enter.
11. At the next prompt, type authoritative restore and press Enter.
12. At the next prompt, type restore database.
13. At the Authoritative Restore Confirmation dialog box, click OK.
14. Type quit and restart the server.
7. Post Recovery Steps Active Directory Forest Restore
1. If Active Directory has integrated DNS, the local DNS service needs to be installed and running on the restored DC. The server should be configured with its own IP address as preferred DNS server. This is the first DNS server in the forest.
2. If the restored DC is enabled as a global catalog, then disable the global catalog flag. This is explained in Appendix B.
3. Seize the domain level Operations Master roles (FSMO) to the restored DC.
4. Starting with the forest root DC, introduce the restored DCs to the network.
5. Install Active Directory on the remaining DCs in the forest using the Active Directory Installation Wizard.
Appendix A To clean up server metadata
Open a command prompt.
Type the following command, and then press ENTER: ntdsutil
At the ntdsutil: prompt, type: metadata cleanup
Perform metadata cleanup as follows:
1. At the metadata cleanup: prompt, type: connections
2. At the server connections: prompt, type: connect to server Server (where Server is the name of the domain controller to connect to)
3. At the server connections: prompt, type: quit
4. At the metadata cleanup: prompt, type: select operation target
5. At the select operation target: prompt, type: list sites
6. At the select operation target: prompt, type: select site SiteNumber
7. At the select operation target: prompt, type: list domains in site
8. At the select operation target: prompt, type: select domain DomainNumber
9. At the select operation target: prompt, type: list servers in site
10. At the select operation target: prompt, type: select server ServerNumber
11. At the select operation target: prompt, type: quit
12. At the metadata cleanup: prompt, type: remove selected server
At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error message that indicates that the object cannot be found, Active Directory might have already removed the domain controller.
13. At the metadata cleanup: and ntdsutil: prompts, type quit.
Appendix B To disable a Global Catalog
1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. In the console tree, double-click the DC where you want to enable or disable the global catalog.
3. Right-click NTDS Settings and then click Properties.
4. Clear the Global Catalog check box.
Appendix C To seize an Operation Master role
1. At a command prompt, type: ntdsutil
2. At the ntdsutil prompt, type: roles
3. At the FSMO maintenance prompt, type: connections
4. At the server connections prompt, type: connect to server ServerFQDN
5. At the server connections prompt, type: quit
6. At the fsmo maintenance prompt, type: seize OperationsMaster
Where OperationsMaster is the type of operations master you want to seize, for example: seize schema master
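After the roles have been seized (section 7, step 3, and Appendix C above) the result should be verified before any further DCs are promoted. The following is an added example, not code from the Wipro document: it assumes Windows PowerShell on the restored DC, reads the fSMORoleOwner attribute of the five well-known role-holding objects, and flags any role still owned by a DC other than the restored one (or by a deleted NTDS Settings object). It only reads the directory and seizes nothing; 'DC1' is a placeholder name.

```powershell
# Added example, not part of the Wipro document. Assumes Windows PowerShell on the
# restored DC; it only reads the directory and seizes nothing.

function Get-FsmoRoleOwners {
    $root = [ADSI]'LDAP://RootDSE'
    $cfg  = [string]$root.configurationNamingContext
    $dom  = [string]$root.defaultNamingContext
    # Each role lives in the fSMORoleOwner attribute of a well-known object, holding
    # the DN of the owning DC's NTDS Settings object (section 3.3 lists the roles).
    $roleObjects = @{
        'Schema master'         = "CN=Schema,$cfg"
        'Domain naming master'  = "CN=Partitions,$cfg"
        'RID master'            = "CN=RID Manager`$,CN=System,$dom"
        'PDC emulator'          = $dom
        'Infrastructure master' = "CN=Infrastructure,$dom"
    }
    $owners = @{}
    foreach ($role in $roleObjects.Keys) {
        $obj = [ADSI]("LDAP://" + $roleObjects[$role])
        $owners[$role] = [string]$obj.fSMORoleOwner
    }
    $owners
}

function Test-FsmoOwnedBy {
    param([string]$DcName)   # name of the restored DC chosen in section 6, step 1
    $owners = Get-FsmoRoleOwners
    $allOk  = $true
    foreach ($role in $owners.Keys) {
        $dn = $owners[$role]
        # A healthy owner DN starts with CN=NTDS Settings,CN=<DC name>,CN=Servers,...
        # "0ADEL:" in the DN means the owner object is deleted (a DC that no longer exists).
        $heldByDc = $dn -match ("^CN=NTDS Settings,CN=" + [regex]::Escape($DcName) + ",")
        if ($dn -match '0ADEL:' -or -not $heldByDc) {
            Write-Warning "$role is owned by '$dn', not by $DcName; seize it (Appendix C)."
            $allOk = $false
        }
    }
    $allOk
}

Test-FsmoOwnedBy -DcName 'DC1'   # 'DC1' is a placeholder for the restored DC's name
```

Every role must report the restored DC before the remaining DCs are promoted in section 7, step 5; a warning here means a role still points at a dead DC and Appendix C has to be repeated for it.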
Appendix D Useful Links
1. http://support.microsoft.com/default.aspx?scid=kb;en-us;839879
2. http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/ActiveDirectory/ActiveDirectoryDisasterRecovery.html
3. http://support.microsoft.com/?id=263532