Active Directory - Backup, Restore
Knowledge Base Questions & Answers
What must be done to back up AD (Active Directory)?
To back up AD, you must back up the System State data.
What data does System State contain?
System State contains:
- AD (the database and the other files in the NTDS folder) (only on a DC (Domain Controller)).
- Boot and system files.
- DFSR (Distributed File System Replication) staging.
- AD CS (Active Directory Certificate Services) (only if a Certificate Authority is installed).
- Cluster Service database (only if Failover Clustering is installed).
- COM+ class registration database.
- File system junctions.
- Group Policy settings (only on a DC).
- IIS (Internet Information Services) metabase (only if IIS is installed).
- Registry.
- Netlogon shared folders: default profiles, system policies, and logon/logoff/startup/shutdown scripts.
- SYSVOL (System Volume) folder (only on a DC).
What are the AD Restore types?
There are two AD restore types:
- Non-Authoritative Restore (D2 restore).
- Authoritative Restore (D4 restore).
What is a Non-Authoritative Restore of AD?
- Non-Authoritative Restore is the default method of restoring AD; it is used when AD data is lost or corrupted.
- It restores a DC to its state at the time of the backup. After the DC is restored and restarted, its local copy of SYSVOL is compared with that of its replication partners, and SYSVOL replication brings in any changes the DC missed, bringing the restored DC up to date with the other DCs in the domain.
- To perform a Non-Authoritative Restore, the DC must be started in DSRM (Directory Services Restore Mode).
What is an Authoritative Restore of AD?
- An Authoritative Restore restores the DC from backup and, after the necessary configuration steps, marks the local SYSVOL as authoritative and replicates it to the other DCs in the domain.
- It can restore only particular objects. For example, if an OU (Organizational Unit) was deleted, an Authoritative Restore can restore just that object.
- To perform an Authoritative Restore, the DC must be started in DSRM.
- An Authoritative Restore requires the ntdsutil utility.
- An Authoritative Restore is often needed when human error is involved, such as when an administrator accidentally deletes some objects, the deletion has already replicated to the other DCs, and the objects cannot easily be recreated.
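The backup and both restore types described above, as an added example that is not part of the original page: a staged command sequence (the reboots split it into stages) that assumes Windows Server Backup is installed, E: is the backup target, and the version id, domain and OU names are placeholders.

```powershell
# Added example (not from the original page): System State backup, then a
# Non-Authoritative (D2) restore and an Authoritative (D4) restore of one OU.
# Assumptions: Windows Server Backup is installed, E: is the backup target,
# and the version id, domain and OU names are placeholders.

# 1. Back up System State (ntds.dit and NTDS logs, SYSVOL, registry, ...).
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 2. List the available System State backups and note the version identifier.
wbadmin get versions -backupTarget:E:

# 3. Reboot the DC into DSRM (log on with the DSRM administrator password).
bcdedit /set safeboot dsrepair
Restart-Computer -Force

# --- Non-Authoritative restore (run in DSRM) ---
# Restores the DC to the backup point; normal replication then brings it up to
# date. Answer N to the restart prompt if an authoritative restore follows.
wbadmin start systemstaterecovery -version:MM/DD/YYYY-HH:MM

# --- Authoritative restore of a single deleted OU (still in DSRM, before the
# normal reboot) ---
# 'restore subtree' raises the version numbers of the restored objects so they
# win over the deletions on the other DCs when replication resumes.
ntdsutil "activate instance ntds" "authoritative restore" `
  "restore subtree OU=Sales,DC=corp,DC=example" quit quit

# If SYSVOL content (GPOs, logon scripts) must also be authoritative, run the
# recovery with -authSysvol instead:
#   wbadmin start systemstaterecovery -version:MM/DD/YYYY-HH:MM -authSysvol

# 4. Leave DSRM, boot normally and confirm replication is healthy afterwards.
bcdedit /deletevalue safeboot
Restart-Computer -Force
repadmin /replsummary
```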
What is DSRM (Directory Services Restore Mode)?
- DSRM is a special boot mode used for repairing or recovering AD.
- It is used to log on to the DC when AD has failed or needs to be restored.
Active Directory - DC (Domain Controller), AD Database - Part 2
Experience-Based/Practical Questions & Answers
How do we promote a server to a DC?
Install the “AD DS” (Active Directory Domain Services) role; then you can promote the server to a DC.
What are the six ways to verify whether the AD installation was successful?
- Open “System Properties” -> “Computer Name.” Clicking the Change button in that window shows a warning indicating that the server is a DC.
- Navigate to “Computer Management” -> “Shared Folders” -> “Shares” and confirm that the following two shares exist:
  - NETLOGON
  - SYSVOL
- Verify the presence of the following folders inside the SYSVOL folder:
  - Domain
  - Scripts
  - Sysvol
- Check that the folder %systemroot%\NTDS exists and that the following files are in it:
  - ntds.dit
  - tmp.edb
  - edb.log
- Check if the netdom command is available.
- Check that the SRV (Service) records are registered in DNS. Open the “Forward Lookup Zone” in the “DNS Manager” MMC snap-in and verify the presence of the following folders:
  - _msdcs
  - _sites
  - _tcp
  - _udp
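The same six checks scripted, as an added example that is not part of the original page; it assumes it runs elevated on the new DC and takes the DNS zone name from the machine's own domain membership.

```powershell
# Added example (not from the original page): checks the six signs of a
# successful promotion from PowerShell. Assumptions: run elevated on the new
# DC; the DNS zone name is taken from the machine's own domain membership.
$cs = Get-CimInstance Win32_ComputerSystem
$domain = $cs.Domain
$results = [ordered]@{}

# 1. DomainRole 4 = backup DC, 5 = primary DC (what "Computer Name" reports).
$results['IsDomainController'] = $cs.DomainRole -ge 4

# 2. NETLOGON and SYSVOL shares are published.
$shares = (Get-SmbShare).Name
$results['Share NETLOGON'] = 'NETLOGON' -in $shares
$results['Share SYSVOL']   = 'SYSVOL' -in $shares

# 3. Expected folders below %systemroot%\SYSVOL (scripts live under domain).
$sysvol = Join-Path $env:SystemRoot 'SYSVOL'
foreach ($sub in 'domain', 'sysvol', 'domain\scripts') {
    $results["SYSVOL\$sub"] = Test-Path (Join-Path $sysvol $sub)
}

# 4. Database and transaction log in %systemroot%\NTDS.
$ntds = Join-Path $env:SystemRoot 'NTDS'
foreach ($f in 'ntds.dit', 'edb.log') {
    $results["NTDS\$f"] = Test-Path (Join-Path $ntds $f)
}

# 5. netdom is present (installed with the AD DS tools).
$results['netdom'] = [bool](Get-Command netdom.exe -ErrorAction SilentlyContinue)

# 6. DC locator SRV records are registered in DNS (_msdcs / _tcp subdomains).
foreach ($rec in "_ldap._tcp.dc._msdcs.$domain", "_kerberos._tcp.$domain") {
    $results["SRV $rec"] = [bool](Resolve-DnsName -Name $rec -Type SRV `
        -ErrorAction SilentlyContinue)
}

# Any False line is a promotion problem to investigate before adding clients.
$results.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }
```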

Why do you need multiple DCs?
Multiple DCs are necessary in an AD environment for several reasons:
- Redundancy and HA (High Availability).
- Load distribution.
- Fault tolerance.
- Site resilience.
- Faster logon times.
- Flexibility and scalability.
Why do you need to install at least one DC on-site?
When a client requests a service from a DC, the request is directed to a DC in the same Site rather than to one in another site. This improves efficiency by reducing network latency and optimizing service delivery for clients within the same Site.
Which services are critical for the functionality of a DC?
The following services are critical:
- AD DS
- Netlogon
- DNS Server
- KDC (Kerberos Key Distribution Center)
- DFSR
- RPC (Remote Procedure Call)
What is ntdsutil, and what can you do with it in AD?
- ntdsutil.exe is a utility used to manage and maintain the AD database.
- It is primarily used for database-related tasks and troubleshooting. It allows you, for example, to do the following:
  - Authoritative Restore
  - Database Maintenance
  - Metadata Cleanup
What are the steps to perform “Offline Defragmentation” in AD?
To perform “Offline Defragmentation,” you have to:
- Start the DC in DSRM.
- Run the ntdsutil utility.
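The ntdsutil step of the offline defragmentation written out, as an added example that is not part of the original page; it assumes the DC is already started in DSRM and that C:\NTDSCompact is a scratch folder with free space exceeding the size of ntds.dit.

```powershell
# Added example (not from the original page): offline defragmentation of the
# AD database with ntdsutil, run from an elevated prompt after the DC has been
# started in DSRM. Assumptions: C:\NTDSCompact is a scratch folder with more
# free space than the size of ntds.dit, and a System State backup exists.
$ntdsDir = Join-Path $env:SystemRoot 'NTDS'
$scratch = 'C:\NTDSCompact'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null

# Keep a copy of the current database in case the compacted file fails checks.
Copy-Item (Join-Path $ntdsDir 'ntds.dit') (Join-Path $scratch 'ntds.dit.bak')

# Write a defragmented copy of the database to the scratch folder.
ntdsutil "activate instance ntds" files "compact to $scratch" quit quit

# Replace the live database with the compacted copy and remove the old
# transaction logs, which belong to the previous database generation.
Copy-Item (Join-Path $scratch 'ntds.dit') (Join-Path $ntdsDir 'ntds.dit') -Force
Remove-Item (Join-Path $ntdsDir '*.log')

# Verify the new file before leaving DSRM; both checks must report success.
ntdsutil "activate instance ntds" files integrity quit quit
ntdsutil "activate instance ntds" "semantic database analysis" go quit quit

# Then reboot normally (bcdedit /deletevalue safeboot; Restart-Computer).
```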
What must be checked before uninstalling a DC?
- Verify whether the DC holds any FSMO (Flexible Single Master Operations) roles, and transfer them to another DC if needed.
- Ensure that a GC (Global Catalog) is configured on another DC.
How can a DC be uninstalled from a server?
Uninstall the “Active Directory Domain Services” role.
How can a DC be forcibly removed?
If you get an error while uninstalling “AD DS” on a DC, you can use the “Force the removal of this domain controller” option.
Do we need to do a “Metadata Cleanup” after the uninstallation of a DC?
If you did not encounter any issues on the servers from which you uninstalled a DC, there is no need to perform a “Metadata Cleanup.”
In which cases do we need to do a “Metadata Cleanup”?
There are two cases in which it is necessary to perform a “Metadata Cleanup” in AD:
- If you forced the removal of a DC.
- If the DC was not online during the removal process.
What should be used to do a “Metadata Cleanup” of an uninstalled or removed DC?
- “Active Directory Sites and Services” MMC snap-in.
- “Active Directory Users and Computers” MMC snap-in.
- “ADSI Edit” MMC snap-in.
- ntdsutil utility.
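The pre-uninstall checks (FSMO roles, another GC) and the ntdsutil metadata cleanup from the questions above, as an added example that is not part of the original page; it assumes the ActiveDirectory module is available, DC2 is the DC being removed, DC1 takes over its roles, and the site and domain names are placeholders.

```powershell
# Added example (not from the original page): pre-decommission checks for a DC
# and, if a forced/offline removal left stale metadata, the ntdsutil cleanup.
# Assumptions: ActiveDirectory module available; DC2 is the DC being removed,
# DC1 the DC taking over; site and domain names are placeholders.
Import-Module ActiveDirectory
$leaving = 'DC2'
$target  = 'DC1'

# 1. Which FSMO roles does the leaving DC hold? Transfer them before removal.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$held = $roles.GetEnumerator() |
    Where-Object { $_.Value -like "$leaving.*" } |
    ForEach-Object { $_.Key }
if ($held) {
    "Transferring roles from ${leaving}: $($held -join ', ')"
    Move-ADDirectoryServerOperationMasterRole -Identity $target `
        -OperationMasterRole $held -Confirm:$false
}

# 2. Is at least one other Global Catalog available?
$otherGCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Where-Object Name -ne $leaving
if (-not $otherGCs) { throw "No other GC exists: enable GC on $target first." }

# 3. Metadata cleanup, only needed after a forced removal or if the DC was
#    offline during removal. The DN is the leaving DC's server object in its
#    site; 'remove selected server' also removes its NTDS Settings object.
$serverDN = "CN=$leaving,CN=Servers,CN=Default-First-Site-Name,CN=Sites," +
            "CN=Configuration,DC=corp,DC=example"
ntdsutil "metadata cleanup" "remove selected server $serverDN" quit quit
```

After the cleanup, also remove the old DC's DNS records and its computer object if they remain.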
Do DCs need to be installed in a WSFC (Windows Server Failover Clustering) to achieve fault tolerance?
Setting up clustering of DCs is not necessary because AD inherently provides redundancy when there are two or more DCs.
In a virtualization environment, you can create a snapshot of the server. What is the suggestion for a DC snapshot?
- Snapshots are not recommended when attempting to repair AD, because snapshots can introduce inconsistencies in the AD database.
- Rolling back a snapshot of a DC can have severe consequences: it can cause data inconsistencies and potentially cause issues with replication and other AD operations.
- AD transactions are numbered; rolling back a DC can disrupt the numbering sequence, leading to synchronization issues between DCs and affecting the integrity of the AD database.
How do you configure an RODC (Read-Only Domain Controller) to speed up users' logon process?
- You can do it using the “Password Replication Policy,” which configures which users' credentials can be cached on a specific RODC.
- This policy controls user credential caching, ensuring that only particular users' passwords are replicated and stored on the RODC for authentication purposes.
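A Password Replication Policy configured and reviewed with the ActiveDirectory module, as an added example that is not part of the original page; RODC1, the Branch-Users group, DC1 and the user DN are assumptions.

```powershell
# Added example (not from the original page): Password Replication Policy for
# a branch RODC. Assumptions: ActiveDirectory module available, RODC1 is the
# branch RODC, DC1 a writable hub DC, 'Branch-Users' the group of users who
# log on at the branch, and the user DN below is a placeholder.
Import-Module ActiveDirectory
$rodc = 'RODC1'

# Allow caching of the branch users' secrets on the RODC so their logons are
# answered locally, even when the WAN link to the hub DC is down.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList 'Branch-Users'

# Keep privileged accounts explicitly denied: a stolen or compromised RODC
# must never hold an administrator's password hash.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -DeniedList 'Domain Admins', 'Enterprise Admins'

# Review the resulting allowed and denied lists...
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# ...and which accounts actually have secrets cached on the RODC right now
# (this is also the list to reset if the RODC is ever compromised).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc `
    -RevealedAccounts | Select-Object Name, ObjectClass

# Pre-populate the cache for a user from the hub DC so even the first branch
# logon does not have to cross the WAN.
repadmin /rodcpwdrep $rodc DC1 "CN=Jane Doe,OU=Branch,DC=corp,DC=example"
```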
How do you synchronize time between DCs?
The net time command can be used to synchronize time between DCs.
Example - synchronize time from another DC:
net time \\DC4-2019 /set

What can be used on the client's computer to work remotely on AD?
RSAT (Remote Server Administration Tools) can be used on a client's computer to work remotely on AD.
What should be checked if you want to join a computer to the Domain and the DC is on a different VLAN (Virtual Local Area Network)?
Make sure both VLANs can communicate with each other.
What is the recommendation for using ADMT (Active Directory Migration Tool)?
- AD migration is a complex process that should be approached with caution.
- Administrators should perform extensive pre-migration testing to identify and address any potential issues.
- This can involve creating test users, migrating them, and verifying their access to ensure a smooth migration process.
A user cannot log in to his computer, which is joined to a Domain. What troubleshooting steps should be taken?
- Attempt to log in to the user's workstation as another user.
  - If you can log in successfully, check the user's AD settings: verify that the user account is not locked out or disabled, and reset the user's password if necessary.
  - If you cannot log in, proceed to the next step.
- Verify the stability of the network connection.
  - If there is an issue, check the network cables and switch ports to ensure a stable connection.
  - If the network connection is stable, proceed to the next step.
- Test whether the user can log in to another workstation in the same VLAN.
  - If the user encounters the same login issue on another workstation, check the network configuration in the office.
  - If the user can log in successfully on another workstation, consider reinstalling the OS on the problematic computer, or troubleshoot and fix it.
- Note: during troubleshooting, you can also restart the computer, which can resolve the issue.
One of the computers cannot join the Windows Domain. What are the troubleshooting steps?
- Check if the computer has the correct network configuration.
  - If there is an issue, change the computer's network configuration.
  - If there is no issue, proceed to the next step.
- Ping the DC using its IP (Internet Protocol) address and verify its availability.
  - If there is an issue, check the network and the DC.
  - If there is no issue, proceed to the next step.
- Ping the DC using its DNS name and verify its availability.
  - If there is an issue, check AD and DNS. Flush the DNS cache on the computer if necessary.
  - If there is no issue, proceed to the next step.
- Check the date and time on the computer.
  - If there is an issue, correct the date and time on the computer.
  - If there is no issue, proceed to the next step.
- Check if you can join another computer on the same VLAN to the Domain.
  - If there is an issue, check the AD settings on the DC.
  - If there is no issue, check whether AD already contains a computer object with the same name as the problematic computer, and delete it.
  - If there are still no issues, consider reinstalling the OS on the problematic computer, or troubleshoot and fix it.
- Note: during troubleshooting, you can also restart the computer, which can resolve the issue.
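The join-troubleshooting steps above run from the failing client, as an added example that is not part of the original page; corp.example, the DC address 10.0.0.10 and the presence of RSAT for the final AD lookup are assumptions.

```powershell
# Added example (not from the original page): runs the join-troubleshooting
# checks above from the client that fails to join. Assumptions: corp.example
# is the domain, 10.0.0.10 is a DC address, and the AD lookup needs RSAT (on a
# workgroup client add -Credential to Get-ADComputer).
$domain   = 'corp.example'
$dcIp     = '10.0.0.10'
$thisHost = $env:COMPUTERNAME

# 1. Network configuration: adapter, address and the DNS servers in use.
Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, DNSServer

# 2. DC reachable by IP address (rules out routing/VLAN problems first).
$byIp = Test-Connection -ComputerName $dcIp -Count 2 -Quiet

# 3. DC reachable by name: the DC locator SRV record must resolve and the DC
#    it names must answer. Failing here but not in step 2 points at DNS.
Clear-DnsClientCache
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV `
    -ErrorAction SilentlyContinue
$dcFqdn = $srv | Where-Object QueryType -eq 'SRV' |
    Select-Object -First 1 -ExpandProperty NameTarget
$byName = [bool]$dcFqdn -and (Test-Connection -ComputerName $dcFqdn -Count 2 -Quiet)

# 4. Clock offset against the DC; Kerberos refuses a skew above 5 minutes.
$offset = w32tm /stripchart "/computer:$dcIp" /samples:1 /dataonly 2>$null |
    Select-String '([+-]\d+\.\d+)s' |
    ForEach-Object { [double]$_.Matches[0].Groups[1].Value }

# 5. A computer object with this name already in AD blocks a fresh join.
$existing = $null
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $existing = Get-ADComputer -Filter "Name -eq '$thisHost'" -Server $dcIp `
        -ErrorAction SilentlyContinue
}
$existingDN = if ($existing) { $existing.DistinguishedName } else { 'none' }

[pscustomobject]@{
    DcByIp         = $byIp
    DcByName       = $byName
    ClockOffsetSec = $offset
    ExistingObject = $existingDN
}
# Fix in order: network -> DNS -> clock (offset over 300 s) -> remove or reset
# the stale computer object, then retry the join.
```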
Many network users have a latency issue while logging into their workstations. How do you investigate this problem?
- Verify that the DC in the Site where the users' workstations are located is up and running without high resource usage.
  - If there is an issue, resolve the performance issue on the DC.
  - If there is no issue, go to the next step.
- Verify whether a GC is configured on the local DC.
  - If a GC is not configured, configure it.
  - If there is no issue, check the network.
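The two checks above (is the local DC the one actually serving logons and healthy, and is it a GC) from an affected workstation with the AD module present, as an added example that is not part of the original page; corp.example is an assumption.

```powershell
# Added example (not from the original page): first checks for slow domain
# logons, run from an affected workstation with the AD module (RSAT) present.
# Assumption: corp.example is the domain; the DC name comes from the lookup.
Import-Module ActiveDirectory
$domain = 'corp.example'

# 1. Which DC and site does this client really use? A DC in another site
#    means the site/subnet mapping is the problem, not DC performance.
nltest "/dsgetdc:$domain" /force
nltest /dsgetsite
$dc = Get-ADDomainController -Discover -DomainName $domain -ForceDiscover
$dcHost = "$($dc.HostName)"
"Client uses $dcHost in site $($dc.Site)"

# 2. Is that DC a Global Catalog? Logon needs a GC for universal group
#    membership; without a local GC the request crosses the WAN.
$info = Get-ADDomainController -Identity $dcHost
"Global Catalog on local DC: $($info.IsGlobalCatalog)"

# 3. Resource usage on that DC: total CPU, CPU of LSASS (which answers the
#    logons) and directory load. Sustained high values mean step 1 of the
#    procedure applies; otherwise move on to the network.
$counters = '\Processor(_Total)\% Processor Time',
            '\Process(lsass)\% Processor Time',
            '\NTDS\LDAP Searches/sec',
            '\NTDS\DS Directory Reads/sec'
Get-Counter -ComputerName $dcHost -Counter $counters `
    -SampleInterval 2 -MaxSamples 3 |
    ForEach-Object { $_.CounterSamples | Select-Object Path, CookedValue }
```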
The user account is frequently locked out. How do you investigate this issue? What can the user do to resolve the problem on his side?
- Check for any devices or applications using outdated or incorrect credentials. Update the saved passwords, or remove and reconfigure the problematic devices or applications.
- Verify that the user is not logged in on multiple devices simultaneously with different passwords. Ensure consistent password usage across all devices.
- Update the password on any mobile devices, such as smartphones or tablets, configured to access email or other services using the user's account.
- If required, reconfigure the account lockout threshold if it is very narrow.
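The account-state check from the "user cannot log in" steps and the search for the device behind repeated lockouts, as one added example that is not part of the original page; it assumes the ActiveDirectory module is available and uses 'jdoe' as a placeholder user.

```powershell
# Added example (not from the original page): checks a user's account state
# (locked out, disabled, expired password) and finds which device keeps
# sending the bad password. Assumptions: ActiveDirectory module available;
# 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory
$user = 'jdoe'

# BadPwdCount and LastBadPasswordAttempt are not replicated; the PDC emulator
# sees every failed attempt, so query it for the authoritative values.
$pdc = (Get-ADDomain).PDCEmulator

# 1. Account state for the "cannot log in" checklist.
Get-ADUser -Identity $user -Server $pdc -Properties LockedOut, Enabled,
    PasswordExpired, PasswordLastSet, LastBadPasswordAttempt, BadPwdCount |
    Select-Object SamAccountName, LockedOut, Enabled, PasswordExpired,
        PasswordLastSet, LastBadPasswordAttempt, BadPwdCount

# Unlock only once the source below is known, otherwise it locks out again.
# Unlock-ADAccount -Identity $user -Server $pdc

# 2. Lockout source: every lockout is logged on the PDC emulator as event
#    4740, whose TargetDomainName field holds the caller computer name, i.e.
#    the device that sent the stale password (phone, mapped drive, service).
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    if ($fields.TargetUserName -eq $user) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            CallerComputer = $fields.TargetDomainName
        }
    }
}

# Devices responsible for the lockouts, most frequent first: these are the
# places where the saved credentials must be updated or removed.
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, Name
```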