Active Directory - Backup, Restore
Knowledge Base Questions & Answers
What must be done to back up AD (Active Directory)?
To back up AD, back up the System State data of a DC (Domain Controller), for example with Windows Server Backup (wbadmin start systemstatebackup). A System State backup contains the AD database (ntds.dit) and therefore every account's password hashes, so the backup media must be stored, transported and access-controlled with the same care as the DC itself.
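The following is an added example (not code from the original page) of taking a System State backup from PowerShell and then locking down the backup folder. It assumes the Windows Server Backup feature is installed, that it runs elevated on a DC, and that E: is a dedicated backup volume (a hypothetical choice).

```powershell
# Added example (not from the original page): take a System State backup of the
# local DC with Windows Server Backup and confirm it was recorded.
# Assumptions: the Windows Server Backup feature is installed, the script runs
# elevated on a DC, and E: is a dedicated backup volume (hypothetical).

$BackupTarget = 'E:'

# Only a DC holds the NTDS and SYSVOL parts of System State.
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -lt 4) {
    throw "This host is not a domain controller (DomainRole=$role); System State here would not contain AD."
}

# wbadmin only works when the Windows Server Backup feature is present.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    throw 'Install the feature first: Install-WindowsFeature Windows-Server-Backup'
}

# Take the System State backup. -quiet suppresses the confirmation prompt.
& wbadmin.exe start systemstatebackup -backupTarget:$BackupTarget -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin failed with exit code $LASTEXITCODE"
}

# Verify: the newest version identifier in the catalog should be from this run.
& wbadmin.exe get versions -backupTarget:$BackupTarget |
    Select-String 'Version identifier' | Select-Object -Last 1

# Restrict the backup folder: it contains ntds.dit and therefore every
# password hash in the domain. Drop inherited ACEs and grant only
# SYSTEM and Domain Admins.
$backupDir = Join-Path $BackupTarget 'WindowsImageBackup'
$acl = Get-Acl -Path $backupDir
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, discard inherited ACEs
foreach ($id in @('NT AUTHORITY\SYSTEM', "$env:USERDOMAIN\Domain Admins")) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $backupDir -AclObject $acl
```

The role check matters because wbadmin will happily take a System State backup of a member server, which contains no directory data at all; the ACL step is the part most backup how-tos leave out.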
What data does System State contain?
System State contains:
- AD database (ntds.dit and the other files in the NTDS folder) (only on a DC (Domain Controller)).
- Boot and system files.
- DFSR (Distributed File System Replication) staging.
- AD CS (Active Directory Certificate Services) database (only if the Certificate Authority role is installed).
- Cluster Service database (only if the Failover Clustering feature is installed).
- COM+ class registration database.
- File system junctions.
- Group Policy settings (only on a DC).
- IIS (Internet Information Services) metabase / configuration (only if the IIS role is installed).
- Registry.
- Netlogon shared folders: default profiles, system policies, logon/logoff/startup/shutdown scripts.
- SYSVOL (System Volume) folder (only on a DC).
What are the AD Restore types?
There are two AD Restore types:
- Non-Authoritative Restore (also called a D2 restore).
- Authoritative Restore (also called a D4 restore).
The D2/D4 names come from the BurFlags registry values (0xD2 and 0xD4) that FRS (File Replication Service) used for non-authoritative and authoritative SYSVOL restores; with a DFSR-replicated SYSVOL the equivalent switches are the msDFSR-Enabled and msDFSR-Options attributes on the DC's SYSVOL subscription object.
What is a Non-Authoritative Restore of AD?
- Non-Authoritative Restore is the default method of restoring AD. It is used when a DC's copy of the directory is lost or corrupted but the directory data on the other DCs is still good.
- It restores the DC to its state at the time of the backup. After the DC restarts normally, AD replication pulls every change made since the backup from its replication partners, and SYSVOL is likewise synchronized from a partner, bringing the restored DC up to date with the other DCs in the domain.
- To perform a Non-Authoritative Restore, the DC must be started in DSRM (Directory Services Restore Mode).
What is an Authoritative Restore of AD?
- Authoritative Restore starts with the same restore of the DC from backup; afterwards the administrator uses ntdsutil to mark selected objects (or the whole database) as authoritative. ntdsutil raises the version numbers of those objects so that, when replication resumes, the restored copies overwrite the copies on the other DCs instead of being overwritten by them.
- It can restore only particular objects. For example, if an OU (Organizational Unit) was deleted, an Authoritative Restore can bring back just that subtree.
- To perform an Authoritative Restore, the DC must be started in DSRM.
- Authoritative Restore requires the ntdsutil utility (the "authoritative restore" menu with "restore subtree" or "restore object").
- Authoritative Restore is usually needed when human error is involved, such as when an administrator accidentally deletes objects, that deletion has already replicated to the other DCs, and the objects cannot be recreated easily (recreating them would produce new SIDs and lose group memberships and ACL entries).
- If SYSVOL also has to be authoritative, that is a separate step (the -authsysvol option of wbadmin start systemstaterecovery).
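The following is an added example (not code from the original page) that walks through an authoritative restore of one deleted OU, using the tools named above. Everything it assumes is hypothetical: backups on E:, the domain corp.example, and the deleted subtree OU=Sales,DC=corp,DC=example. The phases are separated by real reboots, so run them one at a time on the DC.

```powershell
# Added example (not from the original page): authoritative restore of a
# deleted OU on a DC, driven from PowerShell. Run each phase separately;
# the reboots in between are real.
# Assumptions (hypothetical): backups live on E:, the domain is corp.example,
# and the deleted OU is OU=Sales,DC=corp,DC=example.

$BackupTarget = 'E:'
$Subtree      = 'OU=Sales,DC=corp,DC=example'

# --- Phase 1: boot into DSRM (Directory Services Restore Mode) --------------
# 'dsrepair' is the safeboot value for DSRM. Log on afterwards as
# .\Administrator with the DSRM password, not with a domain account.
& bcdedit.exe /set safeboot dsrepair
Restart-Computer -Force

# --- Phase 2 (in DSRM): restore System State from the newest backup ---------
# The catalog prints lines such as "Version identifier: 03/14/2024-22:15".
$versionLine = & wbadmin.exe get versions -backupTarget:$BackupTarget |
               Select-String 'Version identifier' | Select-Object -Last 1
$versionId = ("$versionLine" -split ':\s+', 2)[1].Trim()

# On its own, systemstaterecovery is the non-authoritative restore: after the
# next normal boot the DC would simply replicate forward from its partners.
& wbadmin.exe start systemstaterecovery -version:$versionId -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin recovery failed ($LASTEXITCODE)" }

# Make only the deleted subtree authoritative. ntdsutil raises the version
# numbers of every object under it (by 100000 per day since the backup) so
# the restored copies win replication. ntdsutil asks for confirmation.
# Do NOT reboot before this step, or the deletion replicates back in.
& ntdsutil.exe 'activate instance ntds' 'authoritative restore' "restore subtree $Subtree" quit quit

# ntdsutil writes ar_<timestamp>_*.ldf / .txt files in the current directory;
# import the .ldf with ldifde on a DC after replication settles to re-create
# the group memberships (back-links) of the restored accounts.
Get-ChildItem -Path . -Filter 'ar_*.ldf'

# --- Phase 3: return to normal boot ------------------------------------------
& bcdedit.exe /deletevalue safeboot
Restart-Computer -Force

# --- Phase 4 (after reboot): confirm the OU is back and replication is healthy
Import-Module ActiveDirectory
Get-ADObject -Identity $Subtree -Properties whenChanged
& repadmin.exe /showrepl
```

Leaving out the ntdsutil step turns this into the non-authoritative procedure from the previous question, which is exactly the failure mode to avoid here: the restored DC would replicate in the deletion again on first contact with a partner.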
What is DSRM (Directory Services Restore Mode)?
- DSRM is a special safe-mode boot option of a DC in which AD DS (Active Directory Domain Services) is not started, so the AD database files are offline and can be repaired or restored.
- Because AD is not running, you log on with the local DSRM administrator account and the DSRM password that was set when the server was promoted (it can be changed with ntdsutil "set dsrm password"). Treat that password like a Domain Admin credential: it gives local administrative access to the DC and its database files.
- A DC is started in DSRM by pressing F8 at boot and choosing "Directory Services Restore Mode", or by setting bcdedit /set safeboot dsrepair and rebooting (remove the setting afterwards with bcdedit /deletevalue safeboot).
Active Directory - Site
Knowledge Base Questions & Answers
What is an “AD (Active Directory) Site,” and what are its benefits?
- An “AD (Active Directory) Site” is a logical representation of a well-connected part of the network, usually one physical location.
- It is a manually defined grouping of IP subnets; AD does not discover sites automatically.
- “AD Sites” are primarily used to control and manage replication traffic in AD, but they also affect other site-aware services and operations, such as:
  - DFSR (Distributed File System Replication)
  - GPO (Group Policy Object) processing (GPOs can be linked to sites)
- They help manage network traffic by defining boundaries for replication, authentication, and other operations within the network. DCs (Domain Controllers) in different “AD Sites” replicate on a schedule and compress inter-site replication traffic to minimize WAN utilization, whereas DCs within one site replicate as changes occur and without compression.
- “AD Sites” are especially beneficial where slow WAN (Wide Area Network) links connect different locations.
What are the components (objects) of an “AD Site”?
The components (objects) of an “AD Site” include:
- Subnets
- DCs
- Site Links
- Bridgehead Servers
- Site Link Bridges
- GC (Global Catalog) Servers
What are “Site Links,” their main components and functions?
- “Site Links” are configuration objects that define the connectivity between different “AD Sites.”
- They define the replication schedule, interval, cost, and transport to control the flow of replication traffic between “AD Sites.”
- A “Site Link” consists of two main components:
  - “Physical Connection” - the “Site Link” represents the physical connection between the “AD Sites,” typically a WAN link, over which replication traffic travels.
  - “Site Link Object” - created within AD (under Sites > Inter-Site Transports) and defines the properties and parameters for replication traffic. It determines the transport used for replication, which can be either IP (RPC over IP) or SMTP (Simple Mail Transport Protocol). IP is the recommended transport. SMTP is deprecated: it can replicate only the schema, configuration, and global catalog partial replicas, not the domain partition, and it needs an enterprise CA for signed mail, so it is an option only where no routed IP connection between the sites exists.
What is a “Site Link Bridge”?
- A “Site Link Bridge” connects multiple “Site Links,” enabling replication traffic to flow between “AD Sites” that are not directly connected by a single “Site Link.”
- By default, the “Bridge all site links” option is enabled on each transport, so all “Site Links” are transitive and no “Site Link Bridge” objects are needed. Explicit “Site Link Bridges” are only used after turning that option off, for example in a network that is not fully routed.
- Note - See the picture on the question “What are “Site Links”?” for an illustration of a “Site Link Bridge.”
What is a “Bridgehead Server,” and what is its role in managing replication traffic?
- A “Bridgehead Server” is the DC in a site that handles inter-site replication on behalf of that site.
- Its purpose is to limit the replication traffic crossing the WAN. Instead of every DC in a site communicating with DCs in other sites, only the “Bridgehead Server” replicates with the “Bridgehead Server” of the other site and then distributes the changes to the other DCs in its own site.
- The ISTG (Inter-Site Topology Generator) selects “Bridgehead Servers” automatically; an administrator can designate preferred “Bridgehead Servers” in a server’s properties. When replication occurs is governed by the “Site Link” schedule and interval, not by the “Bridgehead Server” itself.

What is the Interval (Replication Interval)?
- The Interval (Replication Interval) is the period between inter-site replication cycles on a “Site Link,” determining how often changes are replicated between sites. The default is 180 minutes and the minimum is 15 minutes.
- Note - See the picture on the question “What are “Site Links”?” for the “Replication Interval.”
What is a “Site Link Schedule”?
- The “Site Link Schedule” controls when replication between different “AD Sites” is allowed to occur.
- It helps manage network traffic by limiting replication to specific times, often off-peak hours.
- Note - See the picture on the question “How do you configure the “Site Link Schedule”?” for the “Site Link Schedule.”
What is “Subnet Association”?
- “Subnet Association” is the process of linking IP subnets to specific “AD Sites.”
- It determines which “AD Site” a computer belongs to, based on its IP address. A computer whose address falls in no associated subnet belongs to no site and may be directed to any DC in the domain.
- “Subnet Association” helps manage network traffic and replication efficiently within an AD environment.

Experience-Based/Practical Questions & Answers
How do you create an “AD Site”?
- Open the “Active Directory Sites and Services” MMC (Microsoft Management Console) snap-in. Right-click on the Sites folder.
- Click on “New Site.” Give it a name and select the “Site Link” it belongs to.

How do you associate a Subnet with an “AD Site”?
- Open the “Active Directory Sites and Services” MMC snap-in. On the left bar, double-click on Sites.
- Right-click on Subnets and click on “New Subnet.” Enter the prefix (for example 10.20.0.0/16) and select the “AD Site” it belongs to.

How can you create a “Site Link”?
- Open the “Active Directory Sites and Services” MMC snap-in. On the left bar, double-click on Sites. Then, double-click on “Inter-Site Transports.”
- Right-click on the IP folder and click on “New Site Link.” Give it a name and add at least two “AD Sites.”

How do you configure the “Site Link Schedule”?
- Open the “Active Directory Sites and Services” MMC snap-in. On the left bar, double-click on Sites. Then, double-click on “Inter-Site Transports” and click on the IP folder.
- On the right pane, right-click on the “Site Link” you want to configure and click on Properties.
- On the General tab, set the Cost and “Replicate every N minutes” (the Interval), then click on the button “Change Schedule” to choose the weekdays and hours during which replication is allowed.
- Note - the “Change Schedule” button found under a DC’s “NTDS Settings” (NT Directory Services Settings) on a connection object sets that one connection’s schedule, not the “Site Link Schedule”; the KCC (Knowledge Consistency Checker) overwrites schedules on connections it generated automatically.
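The following is an added example (not code from the original page) that performs the four GUI procedures above with the ActiveDirectory PowerShell module instead of the MMC snap-in. The site names HQ and Branch, the subnets 10.10.0.0/16 and 10.20.0.0/16, and the link name HQ-Branch are hypothetical; it requires the RSAT-AD-PowerShell feature and rights on the Configuration partition (Enterprise Admins by default).

```powershell
# Added example (not from the original page): build the site topology from the
# four GUI procedures above with the ActiveDirectory module instead of the MMC.
# Assumptions (hypothetical): site names HQ and Branch, subnets 10.10.0.0/16
# and 10.20.0.0/16, and a site link named HQ-Branch. Requires RSAT-AD-PowerShell
# and rights on the Configuration partition (Enterprise Admins by default).
Import-Module ActiveDirectory

$Sites = [ordered]@{
    'HQ'     = '10.10.0.0/16'
    'Branch' = '10.20.0.0/16'
}
$LinkName = 'HQ-Branch'

# 1. "New Site": one object per location under CN=Sites.
foreach ($site in $Sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# 2. "New Subnet": map each prefix to its site so clients find local DCs.
foreach ($site in $Sites.Keys) {
    $prefix = $Sites[$site]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $site
    }
}

# 3. "New Site Link" on the IP transport with cost and interval.
#    Interval 60 minutes instead of the 180-minute default; cost 100 (default).
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
    New-ADReplicationSiteLink -Name $LinkName `
        -SitesIncluded @($Sites.Keys) `
        -InterSiteTransportProtocol IP `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 60
}

# 4. "Change Schedule": allow replication only between 20:00 and 06:00 daily.
#    The schedule cannot wrap past midnight, so it is set as two windows.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()                      # start with nothing allowed
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Twenty,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Zero,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Six,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero)
Set-ADReplicationSiteLink -Identity $LinkName -ReplicationSchedule $schedule

# Verify the result: link membership, cost, interval, and which subnets map
# to which site. Any subnet missing here sends its clients to a random DC.
Get-ADReplicationSiteLink -Identity $LinkName -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

Each step checks for an existing object first so the script can be re-run safely; the schedule is applied to the site link object, which is the setting the preceding question describes, not to a connection object under NTDS Settings.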

What is the difference between an Interval and a “Site Link Schedule”?
- The Interval specifies how often inter-site replication is attempted over the “Site Link” while the link is available. The default for a “Site Link” is 180 minutes (the minimum is 15).
- The “Site Link Schedule” defines the specific weekdays and hours during which the “Site Link” is available for replication at all. During a closed window no replication occurs regardless of the Interval; during an open window replication runs once per Interval.
How do “AD Sites” help in optimizing network traffic and authentication?
“AD Sites” optimize network traffic and authentication in AD in the following ways:
- Network traffic optimization:
  - “AD Sites” group resources based on physical location.
  - Clients primarily communicate with DCs within their own site, reducing cross-site network traffic.
  - Replication traffic is controlled at site boundaries, minimizing unnecessary data transfer over WAN links.
- Authentication optimization:
  - Clients first attempt to authenticate with a DC in their own “AD Site,” which reduces authentication latency by using a nearby DC. If no DC in the local site is available, the client uses a DC from another site; with automatic site coverage, the DC in the lowest-cost neighboring site registers itself for a site that has no DC of its own.
How does AD choose a DC for authentication based on “AD Sites”?
- The DC locator (the Netlogon service on the client) selects a DC based on the client’s network location.
- The client first queries DNS for a generic DC SRV record; the DC that answers looks up the client’s IP address in the subnet-to-site table and returns the client’s site name. The client then queries the site-specific SRV records (_ldap._tcp.<Site>._sites.dc._msdcs.<domain>) and chooses a DC from that “AD Site.” This keeps authentication on a nearby DC within the same “AD Site”; the discovered site name is cached and can be shown with nltest /dsgetsite.
How do you force authentication to a specific “AD Site”?
To force authentication to a specific “AD Site”:
- Associate the client’s Subnet with the desired “AD Site” (the normal, supported method).
- Use Group Policy (Computer Configuration > Policies > Administrative Templates > System > Net Logon > “Site Name”), which sets the SiteName value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters and overrides dynamic site discovery for that computer.
- Control which sites a DC covers (the “Sites Covered by the DC Locator DNS SRV Records” policy), so that the site-specific SRV (Service) records in DNS (Domain Name System) for the desired “AD Site” point clients at the intended DCs. DCs register these records themselves; do not create them by hand.
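The following is an added example (not code from the original page) that checks the site assignment described in the previous two questions from the client and DC side, and then hunts for the failure mode of subnets that are mapped to no site at all. The domain corp.example and site Branch are hypothetical, and the netlogon.log lines are constructed to show the NO_CLIENT_SITE format rather than taken from a real capture.

```powershell
# Added example (not from the original page): check which site a client is
# assigned to, which DCs serve that site, and whether any clients are
# authenticating from subnets that are not mapped to a site at all.
# Assumptions (hypothetical): domain corp.example, site Branch, and the
# netlogon.log excerpt below is constructed to show the NO_CLIENT_SITE format.
$Domain = 'corp.example'
$Site   = 'Branch'

# 1. Which site does this client think it is in, and which DC did it pick?
& nltest.exe /dsgetsite
& nltest.exe /dsgetdc:$Domain /force          # /force bypasses the cached DC

# 2. Which DCs advertise for that site? These are the site-specific SRV
#    records DCs register themselves (site coverage decides which DCs appear).
Resolve-DnsName -Name "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" -Type SRV |
    Where-Object QueryType -eq 'SRV' |
    Select-Object NameTarget, Port, Priority, Weight

# 3. Find subnets with no site. A DC logs every client it cannot map as
#    NO_CLIENT_SITE in %SystemRoot%\debug\netlogon.log (and in event 5807).
function Get-UnmappedClientSubnet {
    param([string[]]$LogLines, [int]$PrefixLength = 24)
    $LogLines |
        Select-String 'NO_CLIENT_SITE:\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)' |
        ForEach-Object {
            $ip    = [System.Net.IPAddress]::Parse($_.Matches[0].Groups[2].Value)
            $bytes = $ip.GetAddressBytes()
            $bytes[3] = 0                      # collapse hosts to their /24
            [PSCustomObject]@{
                Client = $_.Matches[0].Groups[1].Value
                Subnet = ([System.Net.IPAddress]::new($bytes)).ToString() + "/$PrefixLength"
            }
        } |
        Group-Object Subnet |
        Select-Object @{n = 'Subnet'; e = { $_.Name }}, @{n = 'Clients'; e = { $_.Count }}
}

# Constructed sample lines in the netlogon.log format (not a real capture).
$sample = @(
    '03/14 09:12:01 [MISC] [5512] CORP: NO_CLIENT_SITE: WS-0417 10.30.5.21',
    '03/14 09:12:07 [MISC] [5512] CORP: NO_CLIENT_SITE: WS-0418 10.30.5.22',
    '03/14 09:15:44 [MISC] [5512] CORP: NO_CLIENT_SITE: LAB-01 192.168.77.9',
    '03/14 09:16:00 [MISC] [5512] CORP: DsGetDcName function called: client PID=1234'
)
Get-UnmappedClientSubnet -LogLines $sample
# Against the live log on a DC:
#   Get-UnmappedClientSubnet -LogLines (Get-Content "$env:SystemRoot\debug\netlogon.log")
# Every subnet listed should become a New-ADReplicationSubnet mapped to the
# right site; until then those clients may authenticate against any DC.
```

On the constructed sample the function reports 10.30.5.0/24 with two clients and 192.168.77.0/24 with one, which is the list of subnet objects still missing from Sites and Services; the SRV query in step 2 is also the quickest way to confirm a site-coverage change took effect after the DCs re-registered their records.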