Active Directory - Backup, Restore
Knowledge Base Questions & Answers
What must be done to back up AD (Active Directory)?
A System State backup must be performed to back up AD.
What data does System State contain?
System State contains:
- AD database, including the other files in the NTDS folder (only on a DC (Domain Controller)).
- Boot and system files.
- DFSR (Distributed File System Replication) staging.
- AD CS (Active Directory Certificate Services) (only if the Certificate Authority role is installed).
- Cluster Service database (only if the Failover Cluster feature is installed).
- COM+ class registration database.
- File system junctions.
- Group Policy settings (only on a DC).
- IIS (Internet Information Services) metabase (only if the IIS role is installed).
- Registry.
- Netlogon shared folders: default profiles, system policies, and logon/logoff/startup/shutdown scripts.
- SYSVOL (System Volume) folder (only on a DC).
What are the AD Restore types?
There are two AD Restore types:
- Non-Authoritative Restore (D2 restore).
- Authoritative Restore (D4 restore).
What is a Non-Authoritative Restore of AD?
- Non-Authoritative Restore is the default method of restoring AD; it is used when the AD data on a DC is lost or corrupted.
- It restores a DC to its state at the time of the backup. After the DC is restored, its local copy of SYSVOL is compared with its replication partners. After the DC restarts, SYSVOL replication brings the restored DC up to date with the other DCs in the domain.
- To perform a Non-Authoritative Restore, the DC must be started in DSRM (Directory Services Restore Mode).
What is an Authoritative Restore of AD?
- An Authoritative Restore restores the DC from backup and, after the necessary configuration, marks the local SYSVOL as authoritative so that it replicates to the other DCs in the domain.
- It can restore only particular objects. For example, if an OU (Organizational Unit) was deleted, an Authoritative Restore can restore just that object.
- To perform an Authoritative Restore, the DC must be started in DSRM.
- An Authoritative Restore requires the ntdsutil utility.
- An Authoritative Restore is often needed when human error is involved, such as when an administrator accidentally deletes objects, the deletion has already replicated to the other DCs, and the objects cannot be recreated easily.
What is DSRM (Directory Services Restore Mode)?
- DSRM is a special boot mode used for repairing or recovering AD.
- It is used to log on to a DC when AD has failed or needs to be restored.
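The backup and both restore paths above, as an added PowerShell example that is not part of the original page. It uses the documented wbadmin, bcdedit and ntdsutil syntax; the backup volume, the version identifier and the OU distinguished name are constructed placeholders, and the functions are hypothetical wrappers written for this example. Run from an elevated session on the DC with the Windows Server Backup feature installed.

```powershell
# Added example: System State backup of a DC and the D2 / D4 restore procedures.
# All function names are this example's own; the commands inside them are the
# documented wbadmin / bcdedit / ntdsutil syntax.

function Invoke-AdSystemStateBackup {
    # A System State backup is what captures AD: NTDS database, SYSVOL, registry, boot files.
    param([Parameter(Mandatory)][string]$BackupTarget)   # placeholder, e.g. a dedicated volume 'E:'
    wbadmin start systemstatebackup -backupTarget:$BackupTarget -quiet
    # The VersionIdentifier printed here is what a later restore refers to.
    wbadmin get versions -backupTarget:$BackupTarget
}

function Enter-Dsrm {
    # Both restore types require the DC to be started in DSRM; set the flag and reboot,
    # then log on with the local DSRM administrator account.
    bcdedit /set safeboot dsrepair
    Restart-Computer -Force
}

function Restore-AdNonAuthoritative {
    # D2 restore: put the DC back to its backup state; normal replication then brings it current.
    param([Parameter(Mandatory)][string]$BackupTarget,
          [Parameter(Mandatory)][string]$Version)        # placeholder VersionIdentifier, e.g. '01/01/2024-02:00'
    wbadmin start systemstaterecovery -version:$Version -backupTarget:$BackupTarget -quiet
}

function Restore-AdAuthoritative {
    # D4 restore: same recovery, SYSVOL marked authoritative (-authsysvol), then ntdsutil
    # marks the deleted subtree authoritative so it wins replication against the deletion
    # that has already replicated to the other DCs. Still in DSRM, before rebooting normally.
    param([Parameter(Mandatory)][string]$BackupTarget,
          [Parameter(Mandatory)][string]$Version,
          [Parameter(Mandatory)][string]$SubtreeDN)      # placeholder, e.g. 'OU=Sales,DC=corp,DC=example'
    wbadmin start systemstaterecovery -version:$Version -backupTarget:$BackupTarget -authsysvol -quiet
    ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $SubtreeDN" quit quit
}

function Exit-Dsrm {
    # Clear the safeboot flag so the DC boots into normal mode and starts replicating.
    bcdedit /deletevalue safeboot
    Restart-Computer -Force
}

# Usage (placeholders): routine backup, then the restore sequence after an accidental OU deletion.
# Invoke-AdSystemStateBackup -BackupTarget 'E:'
# Enter-Dsrm
# Restore-AdAuthoritative -BackupTarget 'E:' -Version '01/01/2024-02:00' -SubtreeDN 'OU=Sales,DC=corp,DC=example'
# Exit-Dsrm
```

Only the subtree named in the ntdsutil step is marked authoritative; the rest of the restored directory is brought up to date by replication as in a non-authoritative restore, which is why the D4 path is the one used after an accidental deletion that has already replicated.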
Active Directory - FSMO (Flexible Single Master Operation)
Knowledge Base Questions & Answers
What are the FSMO (Flexible Single Master Operation) roles?
- FSMO (Flexible Single Master Operation) roles manage those aspects of the Forest or Domain that must be handled by a single DC (Domain Controller) in order to prevent conflicting updates.
- The administrator determines the DC to which a specific operations master role is assigned.
- These assignments can be changed later.
What are the five FSMO roles in AD (Active Directory), and how are they categorized into forest-based and domain-based roles?
AD (Active Directory) has five FSMO roles, divided into forest-based and domain-based roles:
- Forest-based roles manage forest-wide operations:
  - Schema Master
  - Domain Naming Master
- Domain-based roles are responsible for domain-specific operations:
  - PDC (Primary Domain Controller) Emulator
  - RID (Relative Identifier) Master
  - IM (Infrastructure Master)
What is the “Operation Master Role”?
“Operations Master Role” is a DC that holds a specific role on the Forest or Domain and can make the associated directory changes.
What is the “Schema Master Role”?
- The “Schema Master Role” controls all updates and modifications to the Schema.
- Changes to the Schema are initiated on the “Schema Master” and replicated to all DCs within the Forest.
- The DC that holds the “Schema Master Role” is called the “Schema Master Server.”
- There is only one “Schema Master Server” in the Forest.
What is the “Domain Naming Master Role”?
- The “Domain Naming Master Role” controls changes to the forest-wide namespace.
- When a Domain is added to or removed from the Forest, only the DC holding the “Domain Naming Master Role” can perform the operation.
- The DC that holds the “Domain Naming Master Role” is called the “Domain Naming Master Server.”
- There is only one “Domain Naming Master Server” in the entire Forest.
What are the “PDC (Primary Domain Controller) Emulator Role” functions and responsibilities, and why is it important?
- The “PDC (Primary Domain Controller) Emulator Role” performs several vital functions:
  - Password changes - If a password change is initiated on another DC, it is forwarded to the “PDC Emulator Server.”
  - Time synchronization - The “PDC Emulator Server” serves as the authoritative time source for the Domain.
  - Authentication functions - If an authentication fails on another DC because of an incorrect password, the request is forwarded to the “PDC Emulator Server” for validation before a failed-password message is reported to the user.
  - Account lockout and unlock processes.
  - Creating and editing GPOs (Group Policy Objects).
  - SAM (Security Accounts Manager) processes - The “PDC Emulator Server” manages the SAM database, which stores and manages user account information, including authentication and security-related data.
  - Trust configuration.
- The DC that holds the “PDC Emulator Role” is called the “PDC Emulator Master Server.”
- There is only one “PDC Emulator Master Server” in the Domain.
What is the role of the “RID (Relative Identifier) Master Role,” and how does it manage RID allocation to DCs (Domain Controllers)?
- The “RID (Relative Identifier) Master Role” answers RID pool requests from, and assigns RID pools to, all DCs in a particular Domain. A RID pool exists on each DC within the Domain.
- It issues 500 RIDs to each DC in the Domain. As a DC consumes RIDs and its pool decreases to 50% (250 RIDs remaining), the DC requests a new RID pool from the “RID Master Role.”
- When a DC creates security principal objects such as Users or Groups, it attaches a unique SID (Security Identifier) to each object; the RID from the DC's pool is the final component of that SID.
- The DC that holds the “RID Master Role” is called the “RID Master Server.”
- There is only one “RID Master Server” in the Domain.
What is the “IM (Infrastructure Master) Role”?
The “IM (Infrastructure Master) Role” has the following responsibilities:
- The “IM Role” ensures that object references, such as Users, Groups, and GC (Global Catalog) entries, are correctly managed across Domains. It keeps its Domain's references to objects in other Domains up to date by comparing its data with the information stored in the GC.
- When an object moves from one Domain to another, the IM updates the references to that object so that they point to the object in its new Domain.
- AD periodically updates the DN (Distinguished Name) and SID on objects to reflect changes made to the object during domain moves. For example, if a user in Domain1 is added to a group in Domain2, the IM ensures that the group membership in Domain2 is updated with the correct user name and any subsequent changes.
- The DC that holds the “IM Role” is called the “IM Server.”
- There is only one “IM Server” in each Domain.
What is the purpose of “Role Transfer,” and when is it typically performed?
- “Role Transfer” is a procedure that moves an FSMO role from one DC to another.
- It is typically performed when the current role holder is being decommissioned, is experiencing issues, or is undergoing maintenance.
What is “Role Seizure,” and under what circumstances is it used?
- “Role Seizure” assigns an operations master role to another DC when the existing role holder is unavailable (generally because it is offline).
- During “Role Seizure,” the “new” DC accepts the operations master role without communicating with the current role holder.
Experience-Based/Practical Questions & Answers
Where are the five FSMO roles initially located?
- When the first DC is installed in a Forest, it automatically assumes all five FSMO roles.
- The administrator can move the FSMO roles to other DCs after they are installed.
Can you have multiple DCs holding the same FSMO role?
- No. Within a given AD domain, multiple DCs cannot hold the same FSMO role simultaneously.
- Each FSMO role can be held by only one DC at a time, to ensure the integrity and consistency of the AD environment.
Can you have multiple Forests within the same AD infrastructure?
- No, multiple Forests cannot exist within the same AD infrastructure.
- In AD, a Forest is the top-level container; it consists of one or more Domains and their respective DCs.
- Each Forest has its own unique Schema, GC, and Domain structure.
You create a new “Child Domain” and install the first DC. How many FSMO roles can be available on DC?
When you create a new “Child Domain” and install the first DC, three FSMO roles are available on that DC.
How many FSMO roles are available on Root and its three Child Domains?
The total is 14. Five are on the “Root domain.” Three are on each “Child Domain.”
What happens if the “Schema Master Server” is not available?
- While Schema updates are relatively rare, the unavailability of the “Schema Master Server” can impact AD operations that require Schema changes, for example when an application or service requires a Schema extension or modification.
- Limited immediate impact: in many cases the unavailability of the “Schema Master Server” does not cause an immediate critical problem, since Schema updates are infrequent.
What happens if the “Domain Naming Master Server” is not available?
- If the “Domain Naming Master Server” is unavailable, new Domains cannot be created. It also affects the process of promoting or demoting DCs.
- The unavailability of the “Domain Naming Master Server” may not cause an immediate critical problem unless there is a need to add or remove Domains or DCs, or to perform significant Domain restructuring.
What happens if the “PDC Emulator Server” is not available?
If the “PDC Emulator Server” becomes unavailable, immediate impacts occur:
- Time synchronization - The “PDC Emulator Server” is responsible for time synchronization within the Domain. If it is unavailable, time synchronization may be affected, leading to potential issues with authentication, Kerberos tickets, and other time-dependent operations.
- Password changes and Account lockouts - The “PDC Emulator Server” is responsible for processing password changes, Account lockouts, and other account-related operations. If it is unavailable, these operations may be delayed or impacted.
- “Group Policy” processing - The “PDC Emulator Server” plays a crucial role in processing “Group Policy” updates and resolving conflicts. If it is unavailable, “Group Policy” changes may not be applied properly.
- Logon authentication - While the “PDC Emulator Server” is down, logon authentication is still possible using cached credentials on domain-joined computers. However, certain operations that require “PDC Emulator” functionality may be affected.
- DFSR (Distributed File System Replication) consistency - DFSR operations may encounter issues, such as delays in Namespace updates or difficulties in replicating DFSR data between servers.
- While the Domain remains operational without the “PDC Emulator Server,” resolving the issue as soon as possible is crucial.
What happens if the “RID Master Server” is not available?
- Each DC in the Domain has its own pool of RIDs that it uses to create new AD objects. However, if the “RID Master Server” is unavailable, the DCs may exhaust their available RID pools, preventing the creation of new objects.
- The unavailability of the “RID Master Server” generally has little impact on day-to-day operations, especially if there is no immediate requirement to add a large number of AD objects (such as Users or Groups).
What happens if the “IM Server” is not available?
- If the “IM Server” is unavailable, changes to group membership may not be replicated accurately across Domains.
- The impact of an unavailable “IM Server” varies with the specific AD environment and the frequency of cross-domain object moves or modifications.
- In a single-domain environment, the unavailability of the “IM Server” has no impact.
- If the “IM Server” is unavailable, there may be delays or inconsistencies in Group modifications and authentication processes that involve cross-domain operations.
Which FSMO role directly affects the consistency of “Group Policies”?
The “PDC Emulator Server's” unavailability will affect the consistency of “Group Policies.”
What is the maximum number of RIDs that can be available in a DC's RID pool?
The maximum number of RIDs that can be available in a DC's RID pool is 750.
Can two “IM Servers” exist in the Forest?
Yes. Only one DC should be handling “IM Role” in a Domain. Hence, if there are two Domains in a Forest, there will be two “IM Servers,” one in each Domain.
What are the FSMO placement considerations?
Usually, an administrator can keep all five FSMO roles on the same DC. However, there are scenarios where FSMO roles are placed on different DCs. The considerations are:
- “PDC Emulator” - Since the “PDC Emulator Role” receives more traffic than the other FSMO role holders, it should be placed on a server with sufficient resources to handle the load.
- IM - In a multi-domain environment, it is recommended not to place the “IM Role” on a DC that also acts as a GC server, because a GC server contains a partial replica of every object in the Forest. If all the DCs in a Domain host the GC, all the DCs already have the current data, and it does not matter which DC holds the IM role.
What command can be used to check where FSMO roles are located?
Run command:
netdom query fsmo

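The scripted counterpart of `netdom query fsmo`, as an added example that is not part of the original page: it enumerates every role holder in the forest with the ActiveDirectory PowerShell module (Get-ADForest, Get-ADDomain), checks the 2 + 3 × (number of domains) count from the answers above, and flags holders that do not answer on LDAP. The function names are this example's own; it needs RSAT or the ActiveDirectory module and a forest-authenticated session.

```powershell
# Added example: FSMO inventory and reachability check (ActiveDirectory module required).
Import-Module ActiveDirectory

function Get-FsmoInventory {
    # One object per FSMO role in the forest: the two forest-wide roles come from the
    # forest object, the three domain-wide roles from each domain object.
    $forest = Get-ADForest
    $roles = @(
        [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    )
    foreach ($domainName in $forest.Domains) {
        $d = Get-ADDomain -Identity $domainName
        $roles += [pscustomobject]@{ Scope = 'Domain'; Domain = $domainName; Role = 'PDCEmulator';          Holder = $d.PDCEmulator }
        $roles += [pscustomobject]@{ Scope = 'Domain'; Domain = $domainName; Role = 'RIDMaster';            Holder = $d.RIDMaster }
        $roles += [pscustomobject]@{ Scope = 'Domain'; Domain = $domainName; Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster }
    }
    return $roles
}

function Test-FsmoHolders {
    # An unreachable holder is the condition under which "Role Seizure" rather than
    # "Role Transfer" becomes necessary; LDAP (TCP 389) is used as the liveness probe.
    param([Parameter(Mandatory)] $Inventory)
    foreach ($r in $Inventory) {
        $ok = Test-NetConnection -ComputerName $r.Holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Domain = $r.Domain; Role = $r.Role; Holder = $r.Holder; Reachable = $ok }
    }
}

$inv = Get-FsmoInventory
$inv | Format-Table -AutoSize

# Count check from the answers above: a root with three child domains gives 2 + 3 * 4 = 14.
$expected = 2 + 3 * (Get-ADForest).Domains.Count
"FSMO roles found: $($inv.Count), expected: $expected"

# Holders that should be investigated (and, if they will not return, have their roles seized).
Test-FsmoHolders -Inventory $inv | Where-Object { -not $_.Reachable }

# Built-in cross-checks for the same information:
#   dcdiag /test:KnowsOfRoleHolders   (every DC agrees on who holds the roles)
#   dcdiag /test:FsmoCheck            (role holders can be located and respond)
#   dcdiag /test:RidManager           (RID pool status on the RID Master)
```

Reading the inventory next to `netdom query fsmo` is a quick way to confirm that every DC in the forest agrees on the role holders; a disagreement between the two is itself a replication problem worth chasing.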
What permissions must an administrator have to transfer FSMO roles?
An administrator must have the following permissions to transfer FSMO roles in an AD environment:
- “Schema Master” - Requires membership in the “Enterprise Admins” or “Schema Admins” group.
- “Domain Naming Master” - Requires membership in the “Enterprise Admins” group.
- “PDC Emulator,” “RID Master,” and IM - Require membership in either the “Domain Admins” group or the “Enterprise Admins” group.
What can be used to transfer or seize the “Schema Master Role”?
- Through the GUI - the “Active Directory Schema” MMC (Microsoft Management Console) snap-in.
- From the command prompt - the ntdsutil utility.
What can be used to transfer or seize the “Domain Naming Master Role”?
- Through the GUI - the “Active Directory Domains and Trusts” MMC snap-in.
- From the command prompt - the ntdsutil utility.
What can be used to transfer or seize the domain-level FSMO roles?
- Through the GUI - the “Active Directory Users and Computers” MMC snap-in.
- From the command prompt - the ntdsutil utility.
What are the conditions and steps for transferring an FSMO role?
- The current role holder DC is operational and accessible.
- Identify another DC to which the FSMO role will be transferred.
- Transfer the role to that DC in the Forest or Domain before doing maintenance work on, or demoting, the current holder.
- This is the recommended approach for maintaining continuity and avoiding service interruptions.
What are the conditions and steps for seizing an FSMO role?
- The role holder DC is experiencing an operational issue that prevents an FSMO-dependent operation from completing successfully and the role cannot be transferred, or the DC is unavailable.
- Identify another DC on which the FSMO role will be seized.
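The transfer-versus-seizure decision described in the two answers above, as an added example that is not part of the original page. It wraps the ActiveDirectory module cmdlet Move-ADDirectoryServerOperationMasterRole: the role is transferred while the current holder is reachable, and seized (the cmdlet's -Force path) only when it is not and the caller has opted in. The function name, the LDAP liveness probe and the DC names are this example's own choices and placeholders.

```powershell
# Added example: transfer an FSMO role when the holder is reachable, seize it only when it is not.
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    param(
        [Parameter(Mandatory)][string]$TargetDC,      # DC that should own the role (placeholder names below)
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string]$Role,
        [switch]$AllowSeize                           # explicit opt-in for the seizure path
    )
    # Current holder: forest roles live on the forest object, domain roles on the domain object.
    $current = switch ($Role) {
        'SchemaMaster'       { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster' { (Get-ADForest).DomainNamingMaster }
        default              { (Get-ADDomain).$Role }
    }
    $targetHost = (Get-ADDomainController -Identity $TargetDC).HostName
    if ($current -ieq $targetHost) {
        return "$Role is already held by $targetHost"
    }

    # Transfer condition from the page: the current holder is operational and accessible.
    $reachable = Test-NetConnection -ComputerName $current -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($reachable) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
        return "Transferred $Role from $current to $targetHost"
    }

    # Seizure condition: holder unavailable and the role cannot be transferred.
    if (-not $AllowSeize) {
        throw "$current (holder of $Role) is unreachable; re-run with -AllowSeize only if it will not come back"
    }
    # -Force makes the target assume the role without contacting the old holder.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false
    return "Seized $Role on $targetHost; rebuild $current before it rejoins the domain"
}

# Usage (placeholder DC names): routine transfer before maintenance, then a seizure for a dead holder.
# Move-FsmoRoleSafely -TargetDC 'DC02' -Role PDCEmulator
# Move-FsmoRoleSafely -TargetDC 'DC02' -Role RIDMaster -AllowSeize
```

The separate -AllowSeize switch exists because a seized role's former holder must not return to the network still believing it owns the role; treating seizure as a deliberate, logged decision rather than an automatic fallback keeps that failure mode out of routine maintenance scripts.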