MCSE Stuffs

Maintaining Active Directory
How to Move the Active Directory Database and Log Files?
If disk space is low on the partition that stores the database, log files, or both, you should move the database and log files to a new location.

Why use the Ntdsutil utility to move the database?
You use the Ntdsutil command-line utility in Directory Services Restore Mode to move the database from one location to another on the disk. Whenever the path to the database files changes, move the files with Ntdsutil rather than copying them by hand: Ntdsutil updates the registry values that record the locations (DSA Database file and Database log files path under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters), so Active Directory restarts from the new location. A hand-copied database leaves those values pointing at the old path, and leaves a second copy of Ntds.dit, which contains every password hash in the domain, lying on the disk.

Procedure
To move the Active Directory database, perform the following steps:
1. Back up Active Directory as a precautionary measure. You can back up Active Directory while it is online if, in the Backup Wizard, you select the option to back up everything on the computer or the option to back up only the system state data.
2. Restart the domain controller, press F8 to display the Windows Advanced Options menu, click Directory Services Restore Mode, and then press ENTER.
3. Log on by using the Administrator account and the password defined for the local Administrator account in the Security Accounts Manager (SAM). This password is separate from the domain Administrator password; it is set when the domain controller is promoted and can be changed with the Ntdsutil set dsrm password command.
4. At the command prompt, type ntdsutil and then press ENTER.
5. Type files and then press ENTER. This takes you to the file maintenance prompt, where you manage the Ntds.dit database file.
6. After you determine a location with enough drive space for the database, type move DB to <drive>:\<directory>, where <drive>:\<directory> is the path on the local computer where you want to place the database, and then press ENTER. You must specify a directory path. If the path contains spaces, enclose the entire path in quotation marks, for example "C:\New folder". The database file Ntds.dit is moved to the location that you specified.
7. Type quit and then press ENTER. To return to the command prompt, type quit again.
8. Restart the domain controller as you normally would.

You can also move the transaction log files to another location. The move logs to <drive>:\<directory> command moves the transaction log files to the directory specified by <drive>:\<directory> and updates the registry values so that the directory service restarts from the new location. Check the NTFS permissions on the new directories: only SYSTEM and Administrators should have access to Ntds.dit and its logs. Perform another system state backup after you move the files so that subsequent restores use the correct path.

Moving and Defragmenting the Active Directory Database
In this practice, you will move the database on the student's domain controller to another location and then perform an offline defragmentation. You will also perform a database integrity check and a semantic database analysis on the defragmented database, reconfigure Active Directory to use this database file without deleting the original files, and then delete the old database files after the new database is online. You will work with a partner and be grouped according to the Active Directory domain in which your domain controller and your partner's domain controller reside. Northwind Traders defined a maintenance schedule to take domain controllers offline and perform a hard disk upgrade. After the upgrade is complete, the Active Directory database will be moved to the new hard disk.

Move and defragment the Active Directory database
1. Restart your domain controller in Directory Services Restore Mode.
2. At the command prompt, type ntdsutil and then press ENTER.
3. Specify the file maintenance mode for the Ntdsutil utility.
   • At the ntdsutil prompt, type files
4. Move the Active Directory database to C:\moved-db.
   • At the file maintenance prompt, type move db to c:\moved-db
5. Defragment the moved database. Offline defragmentation writes a compacted copy to a new directory and leaves the original in place until you replace it.
   a. At the file maintenance prompt, type compact to c:\defrag
   b. Copy the defragmented Ntds.dit from c:\defrag over the one in c:\moved-db.
   c. Delete the transaction logs, which are still in \Windows\NTDS because only the database was moved: delete \Windows\NTDS\*.log.
6. Perform a database integrity check.
   • At the file maintenance prompt, type integrity
7. Perform a semantic database analysis.
   a. At the file maintenance prompt, type quit to return to the ntdsutil prompt, and then type semantic database analysis
   b. At the semantic database analysis prompt, type go
8. Restart the domain controller. Once the moved database is online, delete the copy left in c:\defrag; it is a complete copy of the directory, password hashes included.
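The checks a practitioner would wrap around the move and offline defragmentation above, as an added PowerShell example that is not part of the course material. It assumes Windows PowerShell is installed on the domain controller, that the script runs elevated, and that C:\moved-db and C:\defrag are the locations from the practice; the Ntdsutil steps inside Invoke-OfflineMaintenance only work in Directory Services Restore Mode. The 1.2x free-space margin is this example's own conservative assumption.

```powershell
# Added example: pre-flight and post-move checks around the Ntdsutil
# "move db to" / "compact to" procedure. Not from the original course material.
$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-NtdsPaths {
    # Ntdsutil rewrites these two values when it moves the files; a plain copy
    # does not, which is why the text insists on Ntdsutil.
    $p = Get-ItemProperty -Path $NtdsKey
    New-Object PSObject -Property @{
        DbFile = $p.'DSA Database file'          # full path to Ntds.dit
        LogDir = $p.'Database log files path'    # directory holding edb*.log
    }
}

function Test-MovePreflight([string]$TargetDir) {
    # The target volume must hold the database plus headroom (1.2x is an
    # assumption for this example, not a Microsoft figure).
    $paths  = Get-NtdsPaths
    $dbSize = (Get-Item -Path $paths.DbFile).Length
    $root   = [System.IO.Path]::GetPathRoot($TargetDir)
    $free   = (New-Object System.IO.DriveInfo($root)).AvailableFreeSpace
    New-Object PSObject -Property @{
        CurrentDbFile = $paths.DbFile
        DbSizeMB      = [math]::Round($dbSize / 1MB, 1)
        FreeMB        = [math]::Round($free / 1MB, 1)
        EnoughSpace   = $free -gt ($dbSize * 1.2)
    }
}

function Invoke-OfflineMaintenance([string]$TargetDir, [string]$DefragDir) {
    # DSRM only. Commands go to ntdsutil on stdin, one per line, exactly as they
    # would be typed at its prompts; quoting the paths keeps spaces safe.
    @('files', "move db to `"$TargetDir`"", "compact to `"$DefragDir`"", 'quit', 'quit') | & ntdsutil.exe

    # Replace the moved (still fragmented) file with the compacted copy and
    # discard the transaction logs, as in steps 5b and 5c of the practice.
    $paths = Get-NtdsPaths
    Copy-Item -Path (Join-Path $DefragDir 'ntds.dit') -Destination $paths.DbFile -Force
    Remove-Item -Path (Join-Path $paths.LogDir '*.log') -Force

    # Integrity check, then semantic analysis, on the file that will go live.
    @('files', 'integrity', 'quit', 'semantic database analysis', 'go', 'quit', 'quit') | & ntdsutil.exe
}

function Test-MoveResult([string]$TargetDir, [string]$DefragDir) {
    $paths   = Get-NtdsPaths
    $oldDir  = Join-Path $env:SystemRoot 'NTDS'
    $inPlace = $paths.DbFile.StartsWith($TargetDir, [System.StringComparison]::OrdinalIgnoreCase)

    # Every spare Ntds.dit is a full copy of the domain's password hashes; list
    # any left behind so they can be removed once the new file is online.
    $strays = Get-ChildItem -Path $oldDir, $DefragDir -Filter 'ntds.dit' -ErrorAction SilentlyContinue |
              Where-Object { $_.FullName -ne $paths.DbFile } |
              ForEach-Object { $_.FullName }

    # Report any ACL entry on the new folder beyond SYSTEM and Administrators
    # (inherited entries from the volume root show up here and deserve a look).
    $extraAces = (Get-Acl -Path $TargetDir).Access |
                 Where-Object { "$($_.IdentityReference)" -notmatch '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators)$' } |
                 ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }

    New-Object PSObject -Property @{
        RegistryPointsToTarget = $inPlace
        DbFileExists           = Test-Path -Path $paths.DbFile
        StrayCopies            = @($strays)
        ExtraAclEntries        = @($extraAces)
    }
}

# Usage (elevated, in Directory Services Restore Mode):
#   Test-MovePreflight -TargetDir 'C:\moved-db'
#   Invoke-OfflineMaintenance -TargetDir 'C:\moved-db' -DefragDir 'C:\defrag'
#   Test-MoveResult -TargetDir 'C:\moved-db' -DefragDir 'C:\defrag'
```

Run Test-MovePreflight before restarting into DSRM and Test-MoveResult before the final restart; a StrayCopies list that is not empty after the database is online is the cleanup step 8 of the practice refers to.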

Backing Up Active Directory
Introduction
You back up the system state data of domain controllers frequently so that you have the most current data to restore. By establishing a regularly scheduled backup routine, you have a better chance of recovering data when necessary. To ensure a good backup, which includes at least the system state data and the contents of the system disk, you must be aware of the tombstone lifetime: the number of days a deleted object's tombstone is kept before it is purged from the directory. By default it is 60 days, and any backup older than the tombstone lifetime is not a good backup, because restoring it could reintroduce objects whose tombstones have already been purged on the other domain controllers, and replication would never delete those objects again. You should plan to back up at least two domain controllers in each domain, one of which is an operations master role holder. For each domain, you should maintain at least one backup to enable authoritative restores of the data when necessary.

Components of the System State Data

The system state data on a domain controller includes the following components:
1. Active Directory (only on domain controllers). System state data does not contain Active Directory unless the server whose system state data you are backing up is a domain controller.
2. The SYSVOL shared folder (only on domain controllers). SYSVOL is a shared folder that contains Group Policy templates and logon scripts.
3. The registry. The registry is a database repository for information about the computer's configuration.
4. System startup files. The system startup files are required during the initial startup phase of Windows Server 2003. These include the boot and system files that are under Windows File Protection and are used by Windows to load, configure, and run the operating system.
5. The COM+ Class Registration database. This is a database of information about Component Services applications.
6. The Certificate Services database (if the server is operating as a certification authority). This database contains the certificates the CA has issued and its records of certificate requests and revocations; without it the CA cannot be rebuilt.

When to back up the system state data
You can back up:
1. The system state data by itself.
2. The system state data as part of your regular backup procedures.
3. The system state data while the domain controller is online.

How to Back Up Active Directory
You can only back up the system state data on a local computer; you cannot back up the system state data of a remote computer. To back up the system state data, perform the following steps:
1. On the Start menu, point to Programs, point to Accessories, point to System Tools, and then click Backup.
2. On the Welcome to the Backup Wizard page, click Next.
3. Select the system state data by using one of the following three methods:
   • In the Backup Wizard, on the What to Back Up page, click Only back up the System State data.
   • In the Backup Wizard, on the Items to Back Up page, expand My Computer, and then select the System State check box.
   • In the Backup dialog box, on the Backup tab, expand My Computer, and then select the System State check box.
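The scheduled-backup routine the introduction asks for, together with the tombstone-lifetime check it says a good backup depends on, as an added PowerShell example that is not part of the course material. It assumes Windows Server 2003 with Windows PowerShell installed (ntbackup.exe does not exist on later releases) and is run while the domain controller is online and logged on with a domain account; the backup directory is a placeholder.

```powershell
# Added example: take a system state backup with ntbackup.exe, the command-line
# face of the Backup utility, and test an existing backup against the forest's
# tombstone lifetime. Not from the original course material.

function Backup-SystemState([string]$BackupDir) {
    # Same job the wizard runs: system state only, detailed log (/L:f), media
    # verified afterwards (/V:yes). Local only: system state cannot be backed up
    # from a remote machine.
    if (-not (Test-Path -Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    $file = Join-Path $BackupDir ('SystemState-{0}-{1:yyyyMMdd-HHmm}.bkf' -f $env:COMPUTERNAME, (Get-Date))
    & ntbackup.exe backup systemstate /J "System State $env:COMPUTERNAME" /F "$file" /L:f /V:yes
    $file
}

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is an attribute of the Directory Service object in the
    # configuration partition. When it is absent the built-in default applies:
    # 60 days for the Windows Server 2003 forests this document covers (forests
    # created on Server 2003 SP1 or later default to 180).
    $rootDse = [ADSI]'LDAP://RootDSE'
    $cfgNc   = "$($rootDse.configurationNamingContext)"
    $dsObj   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
    $value   = $dsObj.psbase.Properties['tombstoneLifetime'].Value
    if ($value) { [int]$value } else { 60 }
}

function Test-BackupUsable([string]$BackupFile, [int]$TombstoneDays = (Get-TombstoneLifetimeDays)) {
    # A backup older than the tombstone lifetime would resurrect objects whose
    # tombstones have already been purged elsewhere, so it is not a good backup
    # however cleanly it restores.
    $age = (Get-Date) - (Get-Item -Path $BackupFile).LastWriteTime
    New-Object PSObject -Property @{
        BackupFile    = $BackupFile
        AgeDays       = [math]::Floor($age.TotalDays)
        TombstoneDays = $TombstoneDays
        Usable        = $age.TotalDays -lt $TombstoneDays
    }
}

# Usage (online, elevated):
#   $bkf = Backup-SystemState -BackupDir 'C:\MOC\2279'
#   Test-BackupUsable -BackupFile $bkf
```

Schedule Backup-SystemState on at least two domain controllers per domain, and run Test-BackupUsable against the newest .bkf before any restore rather than trusting the file date alone.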

Restoring Active Directory
You can restore replicated data on a domain controller in several ways. You can reinstall the domain controller and then let the normal replication process repopulate the new domain controller with data from its replicas, or you can use the Backup utility to restore replicated data from backup media without reinstalling the operating system or reconfiguring the domain controller. There are three methods for restoring Active Directory from backup media: the primary restore method, the normal (nonauthoritative) restore method, and the authoritative restore method.

1. Backup and Restore
• When you back up a domain controller, you back up all of the Active Directory data on that server in addition to system components, such as the SYSVOL directory and the registry.
• When you restore Active Directory, you restore all of the backed-up data. This rollback to a previous state can affect Group Policy settings and the trust relationships between domains.

Primary restore
• A primary restore rebuilds the first domain controller in a domain when there is no other way to rebuild the domain.
• A primary restore should only be performed when all the domain controllers in the domain are lost and you are trying to rebuild the domain from the backup.

Normal (nonauthoritative) restore
• A nonauthoritative restore returns the Active Directory data on that domain controller to the state it was in at the time of the backup, and then brings it up to date through the normal replication process: the restored data carries older version numbers, so replication partners overwrite it with their newer data.
• A normal restore should only be performed when you want to restore a single domain controller to a previously known good state.

Authoritative restore
• An authoritative restore is performed in tandem with a normal restore.
• An authoritative restore marks specific data as current and prevents that data from being overwritten by replication. The authoritative data is then replicated throughout the domain.
• Perform an authoritative restore to restore individual objects in a domain that has multiple domain controllers.
• When you perform an authoritative restore, all changes to the restored object that occurred after the backup are lost.

How to Perform a Primary Restore
Introduction
To perform a primary restore, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

Procedure
To set the advanced restore options for a primary restore of Active Directory, perform the following steps:
1. Open the Backup utility. The Backup or Restore Wizard starts by default, unless it is disabled.
2. On the Welcome to the Backup or Restore Wizard page, click Advanced Mode.
3. On the Welcome to Backup Utility Advanced Mode page, click Restore and Manage Media, and then select the files to restore.
4. Click Start Restore, and then in the Confirm Restore dialog box, click Advanced.
5. Select When restoring replicated data sets, mark the restored data as the primary data for all replicas, and then click OK. Selecting this option makes the restored SYSVOL the authoritative copy: the File Replication service (FRS) replicates it to the other servers instead of overwriting it with theirs. Select this option only when restoring the first replica set to the network.

How to Perform a Normal Restore (Non-Authoritative Restore)
Introduction
You can restore Active Directory non-authoritatively when you replace a failed domain controller and when you repair a damaged Active Directory database.

Procedure
To perform a normal restore of Active Directory, perform the following steps:
1. Restart the domain controller, and then press F8 to display the advanced startup options. If the operating system on a domain controller is functioning normally but the Active Directory database is damaged, you must restart the computer, select the Directory Services Restore Mode advanced startup option, and then use the Backup utility to restore the latest system state data.
2. Select Directory Services Restore Mode to start Windows Server 2003. This selection does not start Active Directory. Because Active Directory is part of the system state data on a domain controller, restoring the system state data also restores the Active Directory database. Backup cannot replace Active Directory files while Active Directory is running, so you must start the operating system with the Directory Services Restore Mode advanced startup option.
3. Log on to Windows Server 2003 by using the Administrator account that resides in the local user account database on the domain controller.
4. Use Backup to restore the latest system state data.
5. Restart the domain controller as you normally would. After the computer restarts, Windows Server 2003 performs consistency checks, initializes (re-indexes) the Active Directory database, and updates Active Directory information and FRS data from the computer's replication partners.

How to Perform an Authoritative Restore
Introduction
Unlike a normal restore, an authoritative restore requires the use of a separate tool, the Ntdsutil utility. No backup utilities, including the Windows Server 2003 system utilities, can perform an authoritative restore.

Ntdsutil
The Ntdsutil command-line utility (Ntdsutil.exe) enables you to mark Active Directory objects as authoritative: it raises their version numbers far above those of the current copies on the other domain controllers. This marking ensures that more recently changed data on other domain controllers does not overwrite the restored data during replication; instead, the restored data wins. To perform an authoritative restore, perform the following steps:
1. Start the domain controller, press F8, and then, on the Advanced Startup Options menu, click Directory Services Restore Mode. Select this mode because Active Directory cannot be running during this process. Log on by using the Administrator account that resides in the local user account database on the domain controller.
2. Restore Active Directory to its original location. Also restore Active Directory to an alternate location if you need to perform an authoritative restore on SYSVOL. Use Backup to restore the system state data, but do not restart the computer when prompted after the restore.
3. Open a command-prompt window, and run Ntdsutil.exe.
4. At the ntdsutil prompt, type authoritative restore. At the authoritative restore prompt, type restore subtree distinguished_name_of_object, where distinguished_name_of_object is the distinguished name, or path, of the object. For example, to restore an organizational unit called Sales that existed directly below the domain called contoso.msft, type restore subtree OU=Sales,DC=contoso,DC=msft. Use restore object instead of restore subtree to restore a single object without its children. In either case, enclose a distinguished name that contains spaces in quotation marks.
5. Type quit and then press ENTER. Type quit again, and then press ENTER to exit Ntdsutil. Restart the domain controller as you normally would.
6. After the SYSVOL folder is published by FRS, copy the SYSVOL folder, and copy only those Group Policy folders that correspond to the restored Group Policy objects from the alternate location to the existing locations. You can verify that the copy operation was successful by examining the contents of the SYSVOL\domain folder (where domain is the name of the domain).
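The authoritative restore above driven without typing at the Ntdsutil prompts, as an added PowerShell example that is not part of the course material. It assumes Windows PowerShell is installed on the domain controller and that the non-authoritative restore has already been done; the guard refuses to run while the local LDAP service answers, which is the practical test for "not in Directory Services Restore Mode". The distinguished name in the usage line is the one from the text. When no verinc value is given, Ntdsutil applies its own large default increment (100,000 per day since the backup), which is what makes the restored data win replication.

```powershell
# Added example: non-interactive Ntdsutil authoritative restore with a DSRM guard.
# Not from the original course material.

function Test-DirectoryServiceRunning {
    # In DSRM the local LDAP service is not started, so binding to RootDSE
    # throws; a successful bind means Active Directory is online and Ntdsutil
    # must not touch the database.
    try {
        [System.DirectoryServices.DirectoryEntry]::Exists('LDAP://localhost/RootDSE')
    } catch {
        $false
    }
}

function Invoke-AuthoritativeRestore {
    param(
        [Parameter(Mandatory=$true)][string]$DistinguishedName,
        [switch]$ObjectOnly,          # "restore object" (single object) instead of "restore subtree"
        [int]$VersionIncrease = 0     # optional "verinc"; 0 keeps Ntdsutil's default
    )
    if (Test-DirectoryServiceRunning) {
        throw 'Active Directory is running; restart in Directory Services Restore Mode first.'
    }
    $verb = 'restore subtree'
    if ($ObjectOnly) { $verb = 'restore object' }

    # The DN is always quoted so that spaces in an RDN cannot split the command.
    $cmd = "$verb `"$DistinguishedName`""
    if ($VersionIncrease -gt 0) { $cmd += " verinc $VersionIncrease" }

    # Commands are fed on stdin one per line, exactly as they would be typed.
    # Ntdsutil still raises its "Are you sure?" confirmation; answer it at the console.
    @('authoritative restore', $cmd, 'quit', 'quit') | & ntdsutil.exe
}

# Usage, in DSRM after the non-authoritative restore and before the restart:
#   Invoke-AuthoritativeRestore -DistinguishedName 'OU=Sales,DC=contoso,DC=msft'
#   Invoke-AuthoritativeRestore -DistinguishedName 'CN=J. Smith,OU=Sales,DC=contoso,DC=msft' -ObjectOnly
```

Restart the domain controller afterwards exactly as step 5 says; nothing is replicated until the directory service is back up.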

Exercise I: Backing Up Active Directory

Task 1: Browse to domain.nwtraders.msft and then create an organizational unit
1. Log on as servernameadmin (where servername is the name of your computer).
2. Click Start, click Administrative Tools, and then right-click Active Directory Users and Computers.
3. Select Run as, and then, in the Run as dialog box, click The following user:.
4. In the User name box, type domain\administrator (where domain is your assigned domain name).
5. In the Password box, type P@ssw0rd and then click OK.
6. In Active Directory Users and Computers, right-click domain.nwtraders.msft, click New, and then click Organizational Unit.
7. In the New Object - Organizational Unit dialog box, in the Name box, type SIERRA_servername (where servername is the name of your server), and then click OK.

Task 2: Create the following users in the newly created organizational unit
1. In the console tree, expand your domain, right-click the newly created organizational unit, SIERRA_servername, click New, and then click User.
2. In the New Object - User dialog box, specify the information given in the lab instructions for each user, and then click Next.
3. In the Password and Confirm Password boxes, type the initial password.
4. Select the Account is disabled check box, click Next, and then click Finish.

Task 3: Initiate replication with your partner's domain controller
1. On the Administrative Tools menu, open Active Directory Sites and Services.
2. Expand Sites, expand Default-First-Site-Name, expand Servers, expand servername, and then click NTDS Settings.
3. Right-click the connection object from your partner's server, click Replicate Now, and then click OK to close the message indicating that replication was successful.
4. In Active Directory Users and Computers, click domain.nwtraders.msft, and press F5 to refresh the display.
5. Verify that both of the organizational units appear.
6. Close Active Directory Sites and Services.

Task 4: Back up your domain controller's system state data
Make sure that you set the backup to use detailed logging.
1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.
2. In the Backup or Restore Wizard window, click Advanced Mode.
3. In the Backup Utility - [Untitled] window, click Tools, click Options, and then click the Backup Log tab.
4. Click Detailed, click OK to set detailed logging, and then click Backup Wizard.
5. In the Welcome to the Backup Wizard window, click Next.
6. In the What to Back Up window, click Only back up the System State data, and then click Next.
7. In the Backup Type, Destination, and Name window, in the Choose a place to save your backup box, browse to C:\MOC\2279\. In the Type a name for this backup box, accept the default setting, and then click Next.
8. In the Completing the Backup Wizard window, click Finish.

Task 5: View the log of the backup session upon completion of the backup
Note the files that make up the system state data and their location.
1. In the Backup Progress dialog box, click Report to view the log.
2. Close the Backup utility.

Task 6: Delete the organizational units that you created earlier, confirm the deletion of both objects, and then force replication if necessary
Each student will perform the following task.
1. On the Administrative Tools menu, open Active Directory Users and Computers.
2. Expand the domain shared by the two domain controllers.
3. Right-click the organizational unit that you created earlier, click Delete, and, when prompted Are you sure you want to delete this object?, click Yes.
4. When prompted with another warning about the length of time this operation can take if there are a large number of objects in this container, click Yes to confirm that you want to delete this object.
5. If replication is required, see Task 3 above.
6. Close Active Directory Users and Computers.

Exercise II: Restoring Active Directory
Task 1: Restart your domain controller in Directory Services Restore Mode
1. Click Start, click Shut Down, and, in the What do you want the computer to do box, ensure that Restart is selected.
2. Select Operating System: Reconfiguration (Planned), and then click OK.
3. When the boot loader menu appears, press F8 to view the advanced startup options.
4. In the Windows Advanced Options window, select Directory Services Restore Mode (Windows domain controllers only).
5. In the Please select the operating system to start window, press ENTER to select Windows .NET Server, Enterprise.
6. Log on as Administrator with a password of P@ssw0rd and then click OK to close the message indicating that Windows is running in safe mode.

Task 2: Restore the domain controller's system state from the previous backup
1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.
2. In the Backup or Restore Wizard window, click the Advanced Mode link.
3. In the Backup Utility - [Untitled] window, select the Restore and Manage Media tab.
4. In the left pane, expand all items until you see the system state backup created in Exercise I, select that backup for restore, and then click Start Restore.
5. In the Confirm Restore window, click OK to start the restore.
6. After the restore has completed, click Close, and then click No to the message asking you to restart your computer.
7. Close the Backup utility.

Task 3: Mark the organizational unit you have restored as authoritative
1. Click Start, click Run, type cmd and then click OK.
2. At the command prompt, type ntdsutil and then press ENTER.
3. At the ntdsutil prompt, type authoritative restore and then press ENTER.
4. At the authoritative restore prompt, type restore subtree ou=SIERRA_servername,dc=domain,dc=nwtraders,dc=msft and then click Yes in the confirmation message.
5. At the authoritative restore prompt, type quit and then press ENTER.
6. At the ntdsutil prompt, type quit and then press ENTER.

Task 4: Restart the domain controller and log on as Administrator
1. Click Start, click Shut Down, and, in the What do you want the computer to do box, ensure that Restart is selected.
2. Select Operating System: Reconfiguration (Planned), and then click OK.
3. Log on as Administrator with a password of P@ssw0rd.

Exercise III: Verifying the Results of an Active Directory Restore
Task 1: Initiate replication with your partner's domain controller
1. From the Administrative Tools menu, open Active Directory Sites and Services.
2. Expand Sites, expand Default-First-Site-Name, expand Servers, expand servername, and then click NTDS Settings.
3. Right-click the connection object from your partner's server, click Replicate Now, and then click OK to close the message indicating that replication was successful.
4. Open Active Directory Users and Computers, click domain.nwtraders.msft, and then press F5 to refresh the display.
5. Verify that both organizational units appear.
6. Close Active Directory Sites and Services.

Task 2: Verify the existence of the restored organizational units
Each student will perform the following task. Each student should verify that the organizational unit that they created and deleted exists, as well as the one created and deleted by their partner.
1. From the Administrative Tools menu, open Active Directory Users and Computers.
2. Expand the domain shared by the two domain controllers.
3. Verify the existence of the organizational units that you created earlier. Also verify the existence of the users that you created in the deleted organizational units.
4. Close Active Directory Users and Computers.
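The verification in Exercise III done from the command line rather than by refreshing the console, as an added PowerShell example that is not part of the lab. It assumes Windows PowerShell on a domain-joined machine and repadmin.exe from the Windows Server 2003 Support Tools; the server names LONDON and PARIS and the distinguished name are placeholders. Besides confirming that the restored organizational unit is present on each domain controller, it reports, for a domain controller where it is missing, whether that server still holds only the tombstone of the deleted OU, which means the authoritative restore has not yet replicated to it.

```powershell
# Added example: confirm a restored object is back on every domain controller
# and, where it is not, look for its tombstone. Not from the original lab.

function Get-RdnValue([string]$Dn) {
    # "OU=SIERRA_LONDON,DC=..." -> "SIERRA_LONDON". A deleted object's RDN becomes
    # "<name>\0ADEL:<guid>", so the original name is a usable prefix for the search.
    # (Assumes no escaped commas in the first RDN.)
    ($Dn -split ',', 2)[0] -replace '^[^=]+=', ''
}

function Find-Tombstone([string]$Server, [string]$Dn) {
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $domainNc = "$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/$domainNc"
    $searcher.Tombstone  = $true      # asks the DC to return deleted objects
    $name = Get-RdnValue -Dn $Dn
    $searcher.Filter = "(&(isDeleted=TRUE)(name=$name*))"
    $hit = $searcher.FindOne()
    if ($hit) { $hit.Path } else { $null }
}

function Test-RestoredObject([string[]]$Servers, [string]$Dn) {
    foreach ($server in $Servers) {
        # Exists() returns $false for "no such object"; any other failure
        # (server down, access denied) is reported as not present as well.
        try   { $present = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$server/$Dn") }
        catch { $present = $false }
        $tombstone = $null
        if (-not $present) { $tombstone = Find-Tombstone -Server $server -Dn $Dn }
        New-Object PSObject -Property @{
            Server    = $server
            Object    = $Dn
            Present   = $present
            Tombstone = $tombstone
        }
    }
}

function Sync-FromPartner([string]$Destination, [string]$Source) {
    # Command-line equivalent of "Replicate Now" on the connection object from
    # $Source: pull the domain partition from $Source into $Destination.
    $domainNc = "$(([ADSI]"LDAP://$Destination/RootDSE").defaultNamingContext)"
    & repadmin.exe /replicate $Destination $Source $domainNc
}

# Usage:
#   Sync-FromPartner -Destination 'LONDON' -Source 'PARIS'
#   Test-RestoredObject -Servers 'LONDON','PARIS' -Dn 'OU=SIERRA_LONDON,DC=domain,DC=nwtraders,DC=msft' |
#       Format-Table Server, Present, Tombstone -AutoSize
```

A row with Present false and a Tombstone path means that domain controller still believes the OU is deleted; re-run Sync-FromPartner towards it from the server where the authoritative restore was performed and test again.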

Posted: 12/16/2009