Active Directory - Backup, Restore
Knowledge Base Questions & Answers
What must be done to back up AD (Active Directory)?
To back up AD, back up the System State data of the Domain Controller.
What data does System State contain?
System State contains:
- AD database and the other files in the NTDS folder (only on a DC (Domain Controller)).
- Boot and system files.
- DFSR (Distributed File System Replication) staging.
- AD CS (Active Directory Certificate Services) (only if the Certificate Authority role is installed).
- Cluster Service database (only if the Failover Cluster role is installed).
- COM+ class registration database.
- File system junctions.
- Group Policy settings (only on a DC).
- IIS (Internet Information Services) metadirectory (only if the IIS role is installed).
- Registry.
- Netlogon shared folders: default profiles, system policies, logon/logoff/startup/shutdown scripts.
- SYSVOL (System Volume) folder (only on a DC).
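The following is an added PowerShell example, not code from the original page: it takes a System State backup of a DC with wbadmin, lists the resulting backup versions, and reads the forest's tombstone lifetime, since a System State backup older than that value cannot be used to restore AD. It assumes the Windows Server Backup feature, an elevated session on the DC, and a dedicated backup volume E: (a placeholder).

```powershell
# Added example (not from the original page). Assumptions: run elevated on the
# DC; E: is a placeholder backup volume that does not hold NTDS or SYSVOL.

# Install the Windows Server Backup feature if it is missing.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup
}

$target = 'E:'   # assumed backup target

# System State backup: NTDS database, SYSVOL, registry, boot files, COM+ database, etc.
# -quiet suppresses the interactive confirmation prompt.
wbadmin start systemstatebackup -backupTarget:$target -quiet

# List backup versions on the target; the version identifier shown here is what
# a later "wbadmin start systemstaterecovery -version:<id>" restore needs.
wbadmin get versions -backupTarget:$target

# Caveat check: a System State backup is only usable for AD restore while it is
# younger than the forest tombstone lifetime. A null value means the default
# applies (60 or 180 days depending on the OS version the forest was created on).
Import-Module ActiveDirectory
$configNc = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                         -Properties tombstoneLifetime
"Tombstone lifetime (days): $($dsObject.tombstoneLifetime)"
```

Record the version identifier together with the tombstone lifetime in the backup log; a restore attempted with a backup older than the tombstone lifetime reintroduces lingering objects and is refused by the directory service.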
What are the AD Restore types?
There are two AD Restore types:
- Non-Authoritative Restore (D2 restore).
- Authoritative Restore (D4 restore).
What is a Non-Authoritative Restore of AD?
- Non-Authoritative Restore is the default method of restoring AD; it is used when the AD data on a DC is lost or corrupted.
- It restores the DC to its state at the time of the backup. After the restore, the local copy of SYSVOL is compared with its replication partners; once the DC restarts, replication brings in any changes made since the backup, so the restored DC becomes up to date with the other DCs in the domain.
- To perform a Non-Authoritative Restore, the DC must be started in DSRM (Directory Services Restore Mode).
What is an Authoritative Restore of AD?
- Authoritative Restore restores the DC from backup and, after the necessary configuration, marks the restored data (and the local SYSVOL) as authoritative so that it replicates out to the other DCs in the domain.
- It can restore only particular objects. For example, if an OU (Organizational Unit) was deleted, an Authoritative Restore can restore just that object.
- To perform an Authoritative Restore, the DC must be started in DSRM.
- An Authoritative Restore requires the ntdsutil utility.
- An Authoritative Restore is often needed when human error is involved, such as when an administrator accidentally deletes objects, the deletion has already replicated to the other DCs, and the objects cannot easily be recreated.
What is DSRM (Directory Services Restore Mode)?
- DSRM is a special boot mode used for repairing or recovering AD.
- It is used to log on to a DC when AD has failed or needs to be restored.
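The restore procedure described in the preceding answers, written out as an added PowerShell example (not code from the original page): boot the DC into DSRM, perform the System State (non-authoritative) restore, and then, only when a deleted object must win over the other DCs, mark it authoritative with ntdsutil before rebooting normally. The backup version identifier, the backup volume E: and the OU distinguished name are placeholders.

```powershell
# Added example (not from the original page). Assumptions: the version id comes
# from "wbadmin get versions", the backup is on E:, and the OU DN is hypothetical.

# 1. Make the next boot enter DSRM, then restart. Log on locally with the DSRM
#    administrator password that was set when the DC was promoted.
bcdedit /set safeboot dsrepair
Restart-Computer

# ---- the remaining commands run after the reboot, inside DSRM ----

# 2. Non-authoritative (D2) restore: System State returns to the backup point.
#    Without step 3 the DC simply accepts newer changes from its replication
#    partners on the next normal boot.
wbadmin start systemstaterecovery -version:01/15/2024-22:00 -backupTarget:E: -quiet

# 3. Authoritative (D4) restore of one deleted OU only. ntdsutil raises the
#    version numbers of the restored objects so they win replication and are
#    propagated back to the other DCs instead of being deleted again.
#    Skip this step for a plain non-authoritative restore.
$ouDn = 'OU=Sales,DC=corp,DC=example'   # hypothetical object to bring back
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $ouDn" quit quit

# 4. Clear the DSRM boot flag and restart into normal mode; replication then
#    reconciles the restored DC with the rest of the domain.
bcdedit /deletevalue safeboot
Restart-Computer
```

Use "restore object" instead of "restore subtree" when a single leaf object (for example one user) is to be brought back; "restore subtree" marks the OU and everything beneath it authoritative.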
Active Directory - Trust
Knowledge Base Questions & Answers
What is “AD (Active Directory) Trust”?
“AD (Active Directory) Trust” allows users in one Domain to access resources in another.
What is a “Trusted Domain”?
- A “Trusted Domain” is a Domain that has established a Trust relationship with another Domain.
- This Trust relationship allows users from the “Trusted Domain” to access resources in the other Domain.
What is a “Trusting Domain”?
- A “Trusting Domain” is a Domain that has established a Trust relationship with another Domain.
- This Trust relationship enables users from the “Trusted Domain” to access resources in the “Trusting Domain.”
What are the Direction types of Trust relationships that exist?
There are two Direction types of Trusts:
- One-Way Trust
- Two-Way Trust
What is “One-Way Trust”?
- “One-Way Trust” is a type of Trust relationship between two Domains in which one Domain, called the “Trusting Domain,” allows users from another Domain, called the “Trusted Domain,” to access its resources.
- This Trust is established in one direction only.
What is “Two-Way Trust”?
- “Two-Way Trust” is a relationship between two Domains where each Domain trusts the other.
- Users in either Domain can access resources in the other Domain.
What are the Transitive types of Trust relationships that exist?
There are two Transitive types of Trusts:
- Transitive Trust
- Non-Transitive Trust
What is “Transitive Trust”?
- “Transitive Trust” means that if “Domain A” trusts “Domain B,” and “Domain B” trusts “Domain C,” then “Domain A” automatically trusts “Domain C.”
- It allows Trust to extend beyond two Domains to include other trusted Domains in the network.
What is “Non-Transitive Trust”?
- “Non-Transitive Trust” is a type of Trust relationship between Domains in which the Trust is limited to the two specific Domains involved and does not extend to other Domains in the network.
- It means that if “Domain A” trusts “Domain B” and “Domain B” trusts “Domain C,” it does not imply that “Domain A” trusts “Domain C.”
What are the Establishment types of Trust relationships that exist?
There are two Establishment types of Trusts:
- Explicit Trust
- Implicit Trust
What is “Explicit Trust”?
- “Explicit Trust” is a Trust relationship that is manually set up between two Domains by administrators.
- It allows specific access permissions to be granted to Users or Groups from the “Trusted Domain.”
What is “Implicit Trust”?
- “Implicit Trust” is a Trust relationship that is automatically established between Parent and Child Domains in an AD Forest. This type of Trust is also called “Parent-Child Trust.”
- It is created when a new Child Domain is added to the Forest.
- By default, users from the “Parent Domain” can access resources in the “Child Domain.” However, users from the “Child Domain” do not have direct access to resources in the “Parent Domain” unless specific permissions are granted.
What are the Scope types of Trust relationships that exist?
There are two Scope types of Trusts:
- Forest Trust
- External Trust
What is “Forest Trust”?
- “Forest Trust” is a Trust relationship established between two separate AD Forests.
- It allows users and resources in one Forest to access resources in the other Forest.
- “Forest Trust” can be either “One-Way Trust” or “Two-Way Trust.”
What is “External Trust”?
- “External Trust” is a Trust relationship established between two separate AD Domains that are not part of the same Forest.
- It allows users in one Domain to access resources in another Domain that is located in the other Forest.
- “External Trust” can be “One-Way Trust” or “Two-Way Trust,” and it is a “Non-Transitive Trust.”
What are the Special types of Trust relationships that exist?
There are two Special types of Trusts:
- Shortcut Trust
- Realm Trust
What is a “Shortcut Trust”?
“Shortcut Trust” is a Trust relationship established between two Domains within the same AD Forest.
What is “Realm Trust”?
- “Realm Trust” allows users from a non-Windows Kerberos Realm to access resources in an AD Domain using their Kerberos credentials.
- It enables cross-platform authentication between different systems.
What is “Selective Authentication”?
- “Selective Authentication” is a feature in AD that allows you to control which Users or Groups in a “Trusted Domain” can access resources in the “Trusting Domain.”
- By default, when a Trust relationship is established between two Domains, all Users in the “Trusted Domain” have the ability to authenticate and access resources in the “Trusting Domain.”
What protocols does AD use to establish Trust?
- Kerberos Authentication
- LDAP (Lightweight Directory Access Protocol)
- FTAP (Forest Trust Authentication Protocol)
What command is used for managing Trusts?
The command is:
netdom
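An added PowerShell example, not from the original page, tying together the netdom command above and the “Selective Authentication” answer: it creates a one-way External Trust in which corp.example (the Trusting Domain) trusts partner.example (the Trusted Domain), switches the trust to Selective Authentication so that partner.example users get no access unless explicitly granted, and then reads the trust attributes back with Get-ADTrust from the ActiveDirectory module. Both domain names, the account used and working DNS resolution between the domains are assumptions.

```powershell
# Added example (not from the original page). Assumptions: run as a Domain Admin
# of corp.example; domain names are placeholders; DNS between the domains works.

$trusting = 'corp.example'     # resource domain: it trusts the other side
$trusted  = 'partner.example'  # account domain whose users may be granted access

# One-way external trust: $trusting trusts $trusted. External trusts are
# non-transitive, so the trust stops at these two domains. /userD and
# /passwordD:* prompt for credentials in the trusted domain so that netdom can
# create both halves of the trust at once.
netdom trust $trusting /d:$trusted /add /userD:"$trusted\Administrator" /passwordD:*

# Selective Authentication: instead of every user of $trusted being able to
# authenticate to any computer in $trusting, only principals granted the
# "Allowed to Authenticate" right on a computer object in $trusting may do so.
netdom trust $trusting /d:$trusted /SelectiveAuth:yes

# Verify direction, type, transitivity, selective-auth and SID filtering state
# of every trust this domain holds; review this output after any trust change.
Import-Module ActiveDirectory
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                  SelectiveAuthentication, SIDFilteringQuarantined |
    Format-Table -AutoSize
```

For a Two-Way Trust add /twoway to the /add command; the same /SelectiveAuth:yes switch applies to Forest Trusts, where it is then enforced forest-wide for the trusted forest's users.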
Experience-Based/Practical Questions & Answers
Why is AD Trust required?
AD Trusts are required for:
- Resource access to other Domains in the Forest.
- Resource access to Domains in another Forest.
- Collaboration between teams of an organization.
- SSO (Single Sign-On).
- Centralized authentication and security.
- Resource sharing: files, printers, applications.
- Security boundaries: defining who can access what securely.
- Bridging Windows and non-Windows environments.
A “Child Domain” was created in a “Domain Tree.” What type of Trust relationship will be created between the new “Child Domain” and the “Tree Root Domain”?
- When a new “Child Domain” is created in an AD “Domain Tree,” a “Two-Way Transitive Trust” relationship is automatically established between the new “Child Domain” and the “Root Domain” of the Tree.
- This Trust relationship is known as a “Parent-Child Trust.”
Where can Trust relationships be created?
Trusts can be created using the “Active Directory Domains and Trusts” MMC (Microsoft Management Console) snap-in.
