
Active Directory - Replication - Part 1

Knowledge Base Questions & Answers

 

What is “AD (Active Directory) Replication,” and what are its characteristics and types?

  • “AD (Active Directory) Replication” is the process of distributing the data stored within the directory throughout the organization for increased availability, performance, and data protection.

  • It occurs between DCs (Domain Controllers) when directory data is updated on one DC, and then updates are replicated to all other DCs.

  • The “AD Replication” process uses an increasing value assigned to transactions on each DC, known as USN (Update Sequence Number).

  • AD employs a Multi-Master type of replication, allowing multiple DCs to accept updates to the directory independently.

  • There are two types of “AD Replication”:

    • “Intra-Site Replication” - occurs inside of the “AD Site.”

    • “Inter-Site Replication” - happens between “AD Sites.”

 

What are some of the services that are required for “AD Replication”?

The following services are required for “AD Replication”:

  • DFSR (Distributed File System Replication)

  • DNS (Domain Name System)

  • KDC (Kerberos Key Distribution Center)

  • Netlogon Service

  • RPC (Remote Procedure Call)

  • Time Synchronization Service
     

What is the role of DFSR (Distributed File System Replication), and what does it replicate across DCs (Domain Controllers)?

DFSR (Distributed File System Replication) replicates the contents of the SYSVOL (System Volume) shared folder across DCs (Domain Controllers).

 

What is KDC (Kerberos Key Distribution Center)?
KDC (Kerberos Key Distribution Center) provides authentication services using the Kerberos protocol.

 

What is RPC (Remote Procedure Call), and how does it facilitate communication between DCs?

  • RPC (Remote Procedure Call) is a communication protocol that allows a program on one computer to execute a procedure or function on another computer.

  • Between DCs, RPC establishes a secure channel over which the replication data is transferred.


What is the role of IP (Internet Protocol) in AD replication?

IP (Internet Protocol) is the transport mechanism for transferring replication data between DCs.


What is the role of KCC (Knowledge Consistency Checker), and how does it establish replication topology between DCs?

  • KCC (Knowledge Consistency Checker) is responsible for establishing the Intra-Site and Inter-Site replication topology and ensuring that all DCs are up to date.

  • It runs on all DCs and uses RPC to communicate with the directory service.

  • KCC selects a “Bridgehead Server” in each “AD Site.” The KCC will choose an alternative DC within the same “AD Site” if the designated “Bridgehead Server” is unavailable.

  • It runs every 15 minutes by default.


What is the USN (Update Sequence Number), and how is it used in replication?

  • USN (Update Sequence Number) is a unique identifier assigned to each change made to an object in AD.

  • DCs compare USNs to detect and replicate newer changes.

  • USN is also used for conflict resolution and optimizing replication efficiency.
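An added example, not from the original page, of how the USN comparison described above can be observed with the ActiveDirectory PowerShell module: it reads the up-to-dateness vector that two DCs hold for one partition (the highest USN each has seen from every source DC) and reports where they disagree. The DC names are placeholders, and the cmdlet’s `UsnFilter` property is assumed to hold that highest-seen USN.

```powershell
# Added example: compare the up-to-dateness vectors of two DCs for one partition.
# Assumptions: ActiveDirectory module (RSAT) present; DC01/DC02 names are placeholders.
Import-Module ActiveDirectory

function Get-UsnVector {
    param([string]$Dc, [string]$PartitionDn)
    # Key: invocation ID of the source DC; value: highest USN from that source seen by $Dc
    $table = @{}
    Get-ADReplicationUpToDatenessVectorTable -Target $Dc -Partition $PartitionDn |
        ForEach-Object { $table[$_.PartnerInvocationId.ToString()] = [int64]$_.UsnFilter }
    return $table
}

function Compare-UsnVectors {
    param([string]$DcA, [string]$DcB, [string]$PartitionDn)
    $a = Get-UsnVector -Dc $DcA -PartitionDn $PartitionDn
    $b = Get-UsnVector -Dc $DcB -PartitionDn $PartitionDn
    foreach ($source in (@($a.Keys) + @($b.Keys) | Sort-Object -Unique)) {
        $usnA = if ($a.ContainsKey($source)) { $a[$source] } else { 0 }
        $usnB = if ($b.ContainsKey($source)) { $b[$source] } else { 0 }
        [pscustomobject]@{
            SourceInvocationId = $source
            UsnSeenByA         = $usnA
            UsnSeenByB         = $usnB
            # A positive gap means that DC has not yet received changes from this
            # source that the other DC already holds (a USN gap, not an exact change count).
            GapBehindOnB       = [Math]::Max(0, $usnA - $usnB)
            GapBehindOnA       = [Math]::Max(0, $usnB - $usnA)
        }
    }
}

# Domain partition of the current domain; any partition DN can be passed instead.
$partition = (Get-ADDomain).DistinguishedName
Compare-UsnVectors -DcA 'DC01.corp.example' -DcB 'DC02.corp.example' -PartitionDn $partition |
    Format-Table -AutoSize
```

Run it twice a few minutes apart: gaps that shrink are normal convergence, gaps that persist point at a replication partner worth checking with repadmin.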
     

What is a “Bridgehead Server”?

  • “Bridgehead Server” is a DC that serves as an entry point or interaction point for replication between “AD Sites” in AD.

  • When a “Bridgehead Server” receives updates from another “AD Site,” it replicates the data to the other DCs within its “AD Site.”

What is “Intra-Site Replication,” and how does it function within an “AD Site”?

  • “Intra-Site Replication” is a type of replication that occurs between DCs located within the same “AD Site”.

  • It uses the high-bandwidth links connecting the DCs within the “AD Site,” sending replication traffic uncompressed.

  • “Intra-Site Replication” uses RPC over IP as the underlying communication mechanism.

  • It is not based on a predefined replication schedule. Instead, it occurs as needed due to the assumption of low-cost connections within the “AD Site.”

  • By default, the source DC waits 15 seconds after a change and then sends an update notification to its closest replication partner within the “AD Site,” initiating the replication process.

 

What is "Inter-Site Replication," and how does it differ from "Intra-Site Replication" regarding replication type, data compression, communication protocols, and schedule?

  • “Inter-Site Replication” is a type of replication between DCs located in different “AD Sites.”

  • It sends all data compressed because the traffic crosses slower WAN (Wide Area Network) links. Compression increases the server’s load because compression and decompression are added to the processing requirements.

  • “Inter-Site Replication” primarily uses RPC over IP, the recommended protocol for replication. However, in case of connection issues or specific requirements, it can also use SMTP (Simple Mail Transfer Protocol) as an alternative, which is slower than RPC over IP.

  • It is facilitated through “Bridgehead Servers.”

  • By default, “Inter-Site Replication” occurs every 180 minutes across each “AD Site Link.”

 

What is “Multi-Master Replication”?

  • “Multi-Master Replication” is a type of replication in which all AD database replicas are considered equal Masters.

  • Changes can be made to the AD database on any DC, which will be replicated to other DCs within the Domain.

  • In “Multi-Master Replication,” when changes are made to the AD database on a DC, it notifies other DCs within the same “AD Site.”

 

What is “Urgent Replication,” and what events trigger it?

Usually, the source DC sends out a change notification after a delay. However, for specific types of changes, a delay in replication can result in a security risk. “Urgent Replication” ensures that such critical directory changes are replicated immediately. The following events trigger “Urgent Replication”:

  • An account lockout takes effect, which a DC applies to prohibit a user from logging on after a certain number of failed attempts.

  • The “Account Lockout Policy” is changed.

  • The “Domain Password Policy” is changed.

  • A user’s password is changed.

  • The password of a DC computer account is changed.

  • The “RID (Relative Identifier) Master Role Owner” is changed; this is the single DC in a Domain that assigns RID pools to all DCs in that Domain.

 

What is the purpose of enabling "Strict Replication" on a DC?

  • If “Strict Replication” is enabled on a DC, that DC will not accept lingering objects from a DC that was isolated for longer than the “Tombstone Lifetime.”

  • To enable “Strict Replication,” changes to the registry must be made.
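An added example, not from the original page, of the registry change mentioned above: the script reads the “Strict Replication Consistency” value under the NTDS Parameters key on the local DC, reports whether replication is strict or loose, and sets it to strict if it is not. It assumes it is run elevated on the DC itself.

```powershell
# Added example: inspect and enable Strict Replication Consistency on the local DC.
# Assumption: run in an elevated session on the DC being configured.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName  = 'Strict Replication Consistency'

function Get-StrictReplicationState {
    # Returns 'Strict' (1), 'Loose' (0) or 'NotConfigured' (value absent).
    $item = Get-ItemProperty -Path $ntdsParams -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$valueName -eq 1) { return 'Strict' } else { return 'Loose' }
}

function Enable-StrictReplication {
    # DWORD 1 = strict: inbound replication of a lingering object from an isolated
    # partner is refused instead of reanimating the object in the local database.
    New-ItemProperty -Path $ntdsParams -Name $valueName -PropertyType DWord -Value 1 -Force |
        Out-Null
}

$state = Get-StrictReplicationState
Write-Host "Strict Replication Consistency on $env:COMPUTERNAME : $state"
if ($state -ne 'Strict') {
    Enable-StrictReplication
    Write-Host "Enabled; new state: $(Get-StrictReplicationState)"
}
```

Once a DC refuses a lingering object it logs the refusal in the Directory Service event log, which is the signal to investigate the isolated partner rather than to loosen the setting.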
     

What is the concept of Latency in “AD Replication,” and why is lower Latency desirable for replication across DCs?

  • Latency refers to the time delay or the period it takes for data updates or changes to be replicated across all DCs within a network Domain or Forest.

  • Lower Latency indicates faster replication and ensures that all DCs are up to date with the latest changes in the AD environment.
     

What is “Propagation Dampening”?

“Propagation Dampening” is a feature that reduces unnecessary replication traffic by preventing repetitive or redundant updates from being sent to DCs that have already received them.


What is Convergence?
Convergence is the state in which all DCs hold the same data and are up to date with the latest changes.

 

What is the role of ISTG (Inter-Site Topology Generator), and how is it chosen which DC holds this role within an “AD Site”?

  • One DC per site holds the ISTG (Inter-Site Topology Generator) role, which manages the inbound replication connection objects for the “Bridgehead Server.”

  • By default, the first DC in the site holds this role. If that DC cannot perform the role, the DC with the next-highest GUID (Globally Unique Identifier) takes over as ISTG.

 

What is the purpose of the "Bridge All Site Links" option in replication?

  • “Bridge All Site Links” creates a virtual, transitive replication path between “AD Sites” that are not directly linked to each other.

  • It is enabled by default.

What is the purpose of the repadmin command in diagnosing replication issues between DCs, and what tasks can it perform in relation to replication troubleshooting?

The repadmin command helps diagnose replication problems between DCs. It can be used to:

  • View the replication topology and metadata.

  • Force replication events between DCs.

  • Monitor replication.

  • Check for replication errors.

It does not fix replication problems.

 

What is the dcdiag command?

  • The dcdiag command is used to analyze the state of DCs in a Forest or Domain.

  • It helps identify any issues or problems with the DCs and provides diagnostic information for troubleshooting purposes.

  • It doesn’t fix problems.
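An added example, not from the original page, of the kind of replication health check the two commands above support: it uses the ActiveDirectory module to list partners whose last successful replication is older than a threshold or that have consecutive failures, lists recorded failures, and then runs repadmin and dcdiag for the detailed view. The six-hour threshold is an assumption (two default inter-site intervals); the script assumes RSAT and an account allowed to read replication metadata.

```powershell
# Added example: forest-wide replication health report (read-only, fixes nothing).
# Assumptions: ActiveDirectory module (RSAT) present; threshold chosen by the reader.
Import-Module ActiveDirectory

$forestName = (Get-ADForest).Name
$maxAge     = [TimeSpan]::FromHours(6)   # assumption: two default 180-minute inter-site cycles
$now        = Get-Date

function Get-StaleReplicationPartners {
    param([TimeSpan]$Threshold = $maxAge)
    # One row per (DC, partner, partition); flag old successes and consecutive failures.
    Get-ADReplicationPartnerMetadata -Target $forestName -Scope Forest |
        Where-Object {
            ($now - $_.LastReplicationSuccess) -gt $Threshold -or
            $_.ConsecutiveReplicationFailures -gt 0
        } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      ConsecutiveReplicationFailures, LastReplicationResult
}

function Get-ReplicationFailureReport {
    # Failures the DCs themselves have recorded, with the Win32 error code of the last attempt.
    Get-ADReplicationFailure -Target $forestName -Scope Forest |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
}

$stale = Get-StaleReplicationPartners
if ($stale) { $stale | Format-Table -AutoSize } else { Write-Host 'No stale or failing partners.' }

$failures = Get-ReplicationFailureReport
if ($failures) { $failures | Format-Table -AutoSize } else { Write-Host 'No recorded failures.' }

# Cross-check with the built-in tools described on this page.
repadmin /replsummary
dcdiag /test:Replications
```

A partner that shows a non-zero LastError here but no stale rows has usually recovered on its own; a partner that appears in both lists is the one to troubleshoot first.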

Created by Arsen Aronov, © 2023-2024
