Active Directory - Backup, Restore
Knowledge Base Questions & Answers
What must be done to back up AD (Active Directory)?
A System State backup must be performed to back up AD.
What data does System State contain?
System State contains:
- AD (database including other files in NTDS folder) (only on DC (Domain Controller)).
- Boot and system files.
- DFSR (Distributed File System Replication) staging.
- AD CS (Active Directory Certificate Services) (only if Certificate Authority server is installed).
- Cluster Service Database (only if Failover Cluster server is installed).
- COM+ class registration database.
- File system junctions.
- Group Policies settings (only on DC).
- IIS (Internet Information Services) meta-directory (only if IIS server is installed).
- Registry.
- Netlogon shared folders: default profiles, system policies, logon/logoff/startup/shutdown scripts.
- SYSVOL (System Volume) folder (only on DC).
What are AD Restore types?
There are two AD Restore types:
- Non-Authoritative Restore (D2 restore).
- Authoritative Restore (D4 restore).
What is Non-Authoritative Restore of AD?
- Non-Authoritative Restore is the default method of restoring AD; it is used when AD data is lost or corrupted.
- It restores a DC to its state at the time of backup. After the DC is restored, the local copy of SYSVOL is compared with its replication partners. After the DC restarts, SYSVOL replicates any necessary changes to itself, bringing the restored DC up to date with the other DCs within the domain.
- To perform a Non-Authoritative Restore, the DC must be started in DSRM (Directory Services Restore Mode).
What is the Authoritative Restore of AD?
- An Authoritative Restore restores the DC from backup and, after the necessary configuration is made, AD marks the local SYSVOL as authoritative and replicates it to the other DCs within the domain.
- It can restore only particular objects. For example, if an OU (Organizational Unit) was deleted, an Authoritative Restore can restore just that object.
- To perform an Authoritative Restore, the DC must be started in DSRM.
- An Authoritative Restore requires the ntdsutil utility.
- An Authoritative Restore is often needed when human error is involved, such as when an administrator accidentally deletes some objects, that change replicates to the other DCs, and the objects cannot be recreated easily.
What is DSRM (Directory Services Restore Mode)?
- DSRM is a special boot mode used for repairing or recovering AD.
- It is used to log in to the computer when AD has failed or needs to be restored on a DC.
Active Directory - GC (Global Catalog)
Knowledge Base Questions & Answers
What is the GC's (Global Catalog) purpose in AD (Active Directory)?
The purpose of the GC (Global Catalog) in AD (Active Directory) is to enable efficient searching for objects across multiple Domains in a Forest.
What specific types of information are stored in the GC?
GC in AD is a distributed database containing a subset of attributes for all objects in the Forest.
What protocol is used to access the GC?
GC is accessed by using the LDAP (Lightweight Directory Access Protocol).
Experience-Based/Practical Questions & Answers
How do you designate a DC as a GC server?
- Open "Active Directory Sites and Services" MMC (Microsoft Management Console) snap-in. Double-click on the Sites folder. Double-click on Site.
- Double-click on the Servers folder. Double-click on DC, which you want to use as GC. Right-click on "NTDS Settings" (NT Directory Services Settings) and choose Properties.
- Click on the General tab. Enable "Global Catalog."

How does the GC differ from a regular DC (Domain Controller)?
- GC stores a subset of information about objects from all Domains in the Forest, enabling efficient searches across multiple Domains.
- Regular DC (Domain Controller) stores complete information only for its specific Domain, not the entire Forest.
Why is it recommended not to configure all DCs as GCs in a large Forest environment?
Configuring all DCs in a large Forest environment as GC servers is not recommended due to the following reasons:
- Network traffic - GC servers generate significant network traffic during the replication process.
- WAN (Wide Area Network) traffic - In environments with low bandwidth WAN connections, configuring all DCs as GCs can negatively impact network performance.
How many GC Servers are recommended for a Tree?
Having at least two GC servers in each Domain within a Tree is recommended to ensure redundancy, FT (Fault Tolerance), and optimal performance for Forest-wide searching and authentication processes. However, the specific number of GC servers can vary based on the size of the environment, the number of users, the physical network infrastructure, and the bandwidth available, especially between sites in a multi-site environment.
What is the function of "Universal Groups" with the GC?
- The purpose of "Universal Groups" in relation to the GC is to manage access permissions efficiently across multiple Domains in a Forest.
- "Universal Groups," stored in the GC, allow users from any Domain in the Forest to be grouped together to assign access rights, simplifying cross-domain resource access.
What is the impact of promoting or demoting a DC as a GC server?
- Promoting a DC as a GC server increases replication traffic, improves search functionality, and enables handling "Universal Groups" memberships.
- Demoting a DC as a GC server reduces search capability and impacts "Universal Groups" membership resolution.
If you are on a remote site and GC is unavailable there, what can be done to speed up the login process?
Enable "Universal Group Membership Caching" on DC.

How does the GC interact with DNS in AD?
GC registers itself in DNS as a GC server.

What five common issues or challenges are related to the GC, and how would you troubleshoot them?
- GC unavailability - If GC services are not functioning or available, clients may experience search failures or authentication issues. To troubleshoot it, try:
  - Verify GC server availability and network connectivity.
  - Ensure that the GC service is running and properly configured on the server.
  - Check the health of the DC hosting the GC using the dcdiag utility.
- Search functionality issues - Insufficient hardware resources or high workload can cause GC servers to become overwhelmed, leading to degraded performance or unresponsiveness. To troubleshoot it, try:
  - Monitor and optimize server performance.
  - Evaluate and possibly distribute the search load among multiple GC servers to avoid overloading a single server.
- Replication delays - GC servers are responsible for replicating data across Domains in the Forest. If a GC server fails, replication delays may occur, potentially leading to inconsistencies in directory data until the failed server is restored or other GC servers take over the replication responsibilities. To troubleshoot it, try:
  - Check the replication status using the repadmin utility.
- DNS resolution problems - Incorrect DNS configurations or failures can impact GC functionality. To troubleshoot it, try:
  - Verify that GC DNS settings are correctly configured.
  - Check for any issues with DNS.
  - Use the nslookup utility to troubleshoot DNS resolution issues.
- GC database corruption - Database corruption can impact GC server functionality. To troubleshoot it, try:
  - Use the ntdsutil tool for database repair and consistency checks.
  - Use the esentutl tool for low-level database analysis and repair.
Can you describe a scenario where you need to modify the GC replication frequency or scope?
- Company expansion.
- Increased data volume.
- Network infrastructure changes.
Why can GC and IM (Infrastructure Master) FSMO (Flexible Single Master Operations) role holders not be on the same DC?
- In a multi-domain environment, the IM (Infrastructure Master) role should not be hosted on a DC that also acts as a GC server.
  - If the IM role is running on a GC server, it will not update the object references for objects it does not hold, leading to potential inconsistencies in cross-domain operations.
  - A GC server only holds a partial replica of all objects in the Forest, containing attributes necessary for Forest-wide searches and authentication. Since the IM role requires knowledge of the entire Forest's objects and their attributes, it is best to host the IM on a DC not serving as a GC to ensure it has access to complete and up-to-date object information.
- In a Forest with only a single AD Domain, there is no harm in placing both the GC and IM FSMO role holders on the same DC.
Do you need GC servers in a single-domain Forest?
In a single-domain Forest, GC servers are not strictly required for the functionality within that single Domain because the GC server's primary role is to facilitate searching and authentication across multiple Domains in a Forest. Since you have only one Domain, the need for a GC server is reduced.
What command can be used to determine all GC servers in the Forest?
Run command:
dsquery server -forest -isgc

What command is used to get information about all GCs in the Domain you are logged in to?
Run command:
dsquery server -isgc -o rdn

Which command can you use to display all GCs in the specific Domain?
Run command:
dsquery server -Domain DomainName -isgc
Example:
dsquery server -domain abc.com -isgc
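
The placement guidance above (at least two GCs per Domain, no IM role on a GC in a multi-domain Forest, GC registration in DNS) can be checked in one read-only pass. The following PowerShell script is an added example, not part of the original knowledge base; it assumes the RSAT ActiveDirectory and DnsClient modules are installed, and the function names Get-GcPlacementReport and Get-GcDnsRegistration are hypothetical.

```powershell
# Added example: read-only audit of GC placement in the current Forest.
# Assumes the RSAT ActiveDirectory module; function names are hypothetical.
Import-Module ActiveDirectory

function Get-GcPlacementReport {
    $forest      = Get-ADForest
    $multiDomain = @($forest.Domains).Count -gt 1

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Server $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $gcs    = @($dcs | Where-Object IsGlobalCatalog)
        # Both values are DC FQDNs; -contains compares case-insensitively.
        $imIsGc = $gcs.HostName -contains $domain.InfrastructureMaster

        [pscustomobject]@{
            Domain               = $domainName
            DomainControllers    = $dcs.Count
            GlobalCatalogs       = $gcs.Count
            InfrastructureMaster = $domain.InfrastructureMaster
            # Guidance above: at least two GC servers in each Domain.
            FewerThanTwoGCs      = $gcs.Count -lt 2
            # Guidance above: in a multi-domain Forest the IM should not be a GC.
            IMOnGCInMultiDomain  = $multiDomain -and $imIsGc
        }
    }
}

function Get-GcDnsRegistration {
    # GC servers register an SRV record under the Forest root DNS name.
    $root = (Get-ADForest).RootDomain
    Resolve-DnsName -Name "_gc._tcp.$root" -Type SRV -ErrorAction Stop |
        Where-Object Type -eq 'SRV' |
        Select-Object NameTarget, Port
}

Get-GcPlacementReport | Format-Table -AutoSize
Get-GcDnsRegistration | Sort-Object NameTarget | Format-Table -AutoSize
```

A GC that appears in the first table but has no matching SRV target in the second points to the DNS registration problem listed in the troubleshooting section.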
