
AD (Active Directory) - GPO (Group Policy Objects) - Part 1

Knowledge Base Questions & Answers


What is a GPO in AD, and what are the various types of settings and configurations it can contain?

  • GPO is an actual container or object within AD that holds the settings and configurations defined using “Group Policy.”

  • Each GPO contains multiple settings organized under "Computer Configuration" and "User Configuration." These settings include:

    • Folder redirection options.

    • Maintenance options - Provides settings for managing Windows updates and applying other computer maintenance tasks.

    • Registry-based policies.

    • Script options - Allows administrators to run logon and logoff scripts on computers to perform specific tasks.

    • Security options - Controls security settings such as password policies, account lockout policies, user rights assignments, and security auditing.

    • Software installation.

  • Only “Security Settings” are configured by default when a GPO is created. All other settings are left disabled or not configured.

 

What is “Group Policy,” and what does it do?

  • “Group Policies” are settings inside GPO that manage configurations, network resources, security, software deployment, and the OS (Operating System) settings for users and computers in an organization, making it easier to control and process large groups of users or computers.

  • They can be added, changed, and removed from the existing GPO.


What are "Group Policy Preferences," and what advantages do they offer over traditional "Group Policy" settings?

  • “Group Policy Preferences” enhance the capabilities of traditional “Group Policy” settings by offering a more comprehensive range of configurable options and advanced targeting mechanisms.

  • They provide a more user-friendly and flexible approach to managing configurations while allowing users to retain some control over their environment.

  • “Group Policy Preferences” are beneficial when you must provide default configurations, manage diverse settings, or target specific users or computers more precisely.


How many Nodes are in a GPO, and how do they function differently?

  • Two Nodes in each GPO are created:

    • “Computer Configuration” Node - For computers. It allows configuring policies affecting the computer's behavior, security settings, network settings, and software installations. These settings are applied to the computer regardless of which user logs in.

    • “User Configuration” Node - For users. It allows configuring policies affecting the user's environment, desktop settings, application restrictions, and other user-specific configurations. These settings are applied to the user account when the user logs in to any computer in the domain.

  • When creating a GPO, the “Computer Configuration” or “User Configuration” Node can be disabled if it contains no configuration. This reduces the time needed to apply the GPO.

  • When user and computer group policies overlap, the computer policy wins.

Where are GPO settings stored within AD?

GPO settings are stored in two locations within AD:

  • GPC (Group Policy Container)

  • GPT (Group Policy Template)

 

What is the GPC (Group Policy Container), and what information does it contain?

  • GPC (Group Policy Container) is an object within AD that holds the metadata and properties of a specific GPO.

  • It includes information such as the GPO's GUID (Globally Unique Identifier), display name, version number, GPO status, and other administrative settings.

  • When you create a new GPO using the GPMC (Group Policy Management Console), a corresponding GPC is automatically created in AD.

  • GPC resides within the domain's system container. GPC is seen through the “Active Directory Users and Computers” MMC (Microsoft Management Console) snap-in. “Advanced Features” on View must be enabled to see it.

What is the GPT (Group Policy Template), and where is it stored and replicated?

  • GPT (Group Policy Template) is a folder structure on the file system that contains the policy settings and configurations defined within a GPO.

  • GPT itself is stored in the SYSVOL (System Volume) share on a DC (Domain Controller) and is replicated across all other DCs in the network.

What are ADMX files?

  • ADMX files are XML (eXtensible Markup Language)-based templates used in “Group Policy” to define policy settings.

  • They provide a user-friendly interface for managing policies related to computers and users.

  • ADMX files are stored in the C:\Windows\PolicyDefinitions directory on local machines or in a central store for domain-based networks.

How many Linking types are there for GPOs, and what is their scope of application?
There are four Linking types for GPOs:

  • Local

  • Site

  • Domain

  • OU (Organizational Unit)

 

What is “GPO Linking,” and how does it work?

  • “GPO Linking” refers to the process of associating or connecting a GPO to a specific AD container, such as a domain, OU, or site.

  • When a GPO is linked to a container, its settings and configurations will apply to the users and computers within that container.

  • Multiple GPOs can be linked to the domain, site, or OU, allowing administrators to apply different configurations based on the scope of the GPO.

  • Single GPO can be linked to several sites or OUs, allowing for flexibility in the policy application.

  • Computer and user AD objects do not have to be put in the same container object. For example, User1 can be in OU1, while his computer object can be in OU2. It all depends on how AD is structured.


What is a “Local GPO,” and how does it work?

  • “Local GPO” refers to policy settings stored and applied exclusively on local computers, including those that are not part of the domain.

  • Each computer has only one “Local GPO.” However, in some Windows versions like “Windows 7” and later, there are additional local GPOs for different user groups, known as MLGPOs (Multiple Local GPOs).


What is “Site-Linked GPO,” and how does it work?

  • “Site-Linked GPO” refers to the process of linking a GPO to a specific AD site.

  • By linking a GPO to a site, the GPO's settings and configurations will apply to all users and computers within that site.
     

What is “Domain-Linked GPO,” and how does it work?

  • “Domain-Linked GPO” refers to the process of linking a GPO to the entire AD domain.

  • When a GPO is linked to the domain, its settings and configurations will apply to all users and computers, including DCs within that domain.
     

What is “OU (Organizational Unit) - Linked GPO,” and how does it work?

  • “OU (Organizational Unit) - Linked GPO” refers to the process of linking a GPO to a specific OU within an AD domain.

  • When a GPO is linked to an OU, its settings and configurations will apply to all users and computers within that OU.

 

What is LSDOU (Local, Site, Domain, OU)?

  • LSDOU (Local, Site, Domain, OU) is an acronym representing the order of precedence for GPO processing in an AD environment.

  • It describes the sequence in which GPO settings are applied to users and computers.

 

What is the order of priority for applying GPOs in an AD domain, from lowest to highest?

The priorities of GPO orders, from low to high, are as follows:

  • “Local GPO”.

  • “Site-Linked GPOs” apply to all objects within an AD site and take precedence over “Local GPO” settings.

  • “Domain-Linked GPOs” apply to all objects within an AD domain, including users and computers from different sites. They take precedence over “Site GPO” settings.

  • “OU-Linked GPOs” apply to specific OUs within the domain and take precedence over “Domain GPO” settings.
     

How many types of default GPOs are automatically created in the AD domain environment?

In an AD environment, two types of Default GPOs are automatically created and linked when a new domain is set up:

  • Default Domain Policy

  • Default Domain Controllers Policy

 

What is the "Default Domain Policy," and what are its primary characteristics and configurations?

  • "Default Domain Policy" is a GPO that is automatically created and linked to the domain object when an AD domain is set up.

  • It defines a set of default settings and configurations that affect the entire domain.

  • Some common settings configured in the "Default Domain Policy" include password policies, account lockout policies, user rights assignments, security options, and auditing settings. These settings help establish initial security and configuration standards for the domain.

  • "Default Domain Policy" GPO applies to all users and computers within the domain by default.

What is the "Default Domain Controller Policy," and what are its primary settings and configurations?

  • "Default Domain Controller Policy" is a GPO that is automatically created and linked to the DC when an AD domain is set up.

  • It defines a set of default settings and configurations that are essential for the security and proper functioning of DCs.

  • Some common settings configured in the "Default Domain Controller Policy" include security options, auditing settings, account policies, and other configurations specific to DC functions.

What is the “Local Group Policy Editor” MMC snap-in?

  • “Local Group Policy Editor” MMC snap-in is a tool that allows administrators to manage local “Group Policy” settings on individual Windows computers.

  • Administrators can modify local “Group Policy” settings without needing a domain-based AD infrastructure. It is particularly useful for standalone computers, workgroup computers, or test environments that do not participate in a domain.

  • The gpedit.msc command opens the “Local Group Policy Editor” MMC snap-in.

What are the GPMC (Group Policy Management Console) snap-in features?

  • GPMC (Group Policy Management Console) snap-in provides a centralized and user-friendly interface for managing “Group Policy” in an AD environment.

  • It allows the following:

    • Creating new GPOs and configuring them.

    • Linking GPOs.

    • Managing inheritance and precedence of GPOs.

    • Applying security filtering to control which users or groups the GPO affects.

    • Enforcing or blocking GPO inheritance to control policy application across the domain.

    • Viewing and analyzing “Group Policy Results” to troubleshoot policy application issues.

    • Backing up and restoring GPOs.

What is “Group Policy Modeling”?

  • “Group Policy Modeling” is a feature that allows administrators to simulate and predict the effect of “Group Policy” settings on specific users and computers.

  • The read-only simulation does not change the target users' or computers' “Group Policy” settings.

  • “Group Policy Modeling” complements the “Group Policy Results” feature, which provides a detailed report on the actual “Group Policy” settings applied to a specific user or computer in the live environment.

  • It is included in GPMC.

What is the RSoP (Resultant Set of Policy) tool and its modes?

  • RSoP (Resultant Set of Policy) is a tool that allows administrators to view and analyze the cumulative effect of “Group Policy” settings applied to a specific user or computer.

  • It provides a comprehensive report detailing which GPOs are in effect and how they affect the user or computer configuration.

  • RSoP has two Modes:

    • “Logging Mode” - RSoP polls the existing policies that are currently applied to the user or computer and then generates a report with the results of the query.

    • “Planning Mode” - Allows administrators to plan and simulate GPO settings without applying them to the target user or computer.

  • RSoP can be opened with the rsop.msc command.

What is “Group Policy Inheritance”?

  • “Group Policy Inheritance” determines how GPO settings flow down the AD hierarchy from parent containers to child containers.

  • It allows administrators to apply GPO settings consistently throughout the domain while providing flexibility for customizations at different levels.

 

What are the inheritance options for OUs?

There are the following inheritance options available for OUs in AD:

  • “Enforced (No Override) Inheritance” - When a GPO is enforced on a container, it has higher precedence than any other GPO linked at the same level. “Enforced GPOs” cannot be blocked by GPOs linked to child containers.

  • “Blocked Inheritance” - If inheritance is blocked on an OU, GPOs linked to parent OUs do not apply to the objects within the blocked OU. However, enforced GPOs still take precedence.


What are “Security Policies”?

  • “Security Policies” are rules and settings that define how computers and users should behave securely in a network.

  • They include password requirements, access controls, auditing, and other security measures to protect the system from threats.

 

What is “Security Filtering”?

  • “Security Filtering” - Allows a GPO to be applied only to certain users or computers within the container where the GPO is linked.

  • For example, by default, when you link a GPO to an OU, it applies to all users and computers within that OU. However, with “Security Filtering,” you can further narrow the scope of the GPO's application to a specific subset of users and groups within the linked OU.

 

What is “Loopback Processing,” and how does it work?

  • “Loopback Processing” is a feature that allows administrators to control the application of user-based GPO settings based on the location of the computer rather than the user. For example, you have a computer lab in your organization, and you want to apply a specific set of user policies to all users who log in to computers in that lab, regardless of their regular user policies in their respective OU.

  • “Loopback Processing” is configured in the GPO's “Computer Configuration” node.

 

What are modes of “Loopback Processing”?

“Loopback Processing” can be configured in two modes:

  • “Replace Mode” - The user's regular policies from their own OU are completely replaced by the policies applied at the computer's OU. The user's regular policies are not applied, and only the computer's policies take effect.

  • “Merge Mode” - Merges the regular user policies with the policies from the computer's OU. It allows both sets of policies to apply to the user, with the computer's policies taking precedence in case of conflicts.
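The precedence rules from the LSDOU and inheritance questions above (processing order, link order, “Enforced,” “Block Inheritance”) together with the two loopback modes, as an added Python model that is not part of the original page; the GPO names, containers and settings are constructed, and each GPO's settings are simplified to a flat name/value dictionary:

```python
# Added example, not from the page: a small model of how GPO settings resolve
# through LSDOU precedence, link order, "Enforced", "Block Inheritance" and
# "Loopback Processing". GPO names, containers and settings are constructed.

GPOS = {
    "LocalGPO":  {"MinPwdLen": 6, "Wallpaper": "local.jpg"},
    "SitePol":   {"MinPwdLen": 8},
    "DomainPol": {"MinPwdLen": 12, "Lockout": 5},
    "HQ-OU":     {"MinPwdLen": 10, "Wallpaper": "hq.jpg", "HomeDrive": "H:"},
    "Lab-OU":    {"Wallpaper": "lab.jpg", "Lockout": 3},
}

def processing_order(chain, local="LocalGPO"):
    """GPO names in the order they are applied; a later one wins conflicts.
    chain: containers from Site down to the object's OU (S, D, OU of LSDOU), each
    {"links": [(gpo, enforced), ...] in GPMC link order, "block": bool}."""
    # Deepest container with "Block Inheritance" set; non-enforced links from
    # containers above it are dropped (-1 means nothing is blocked).
    block_at = max((i for i, c in enumerate(chain) if c.get("block")), default=-1)
    order = [local]                                  # Local GPO: lowest precedence
    for i, container in enumerate(chain):            # Site -> Domain -> OU -> ...
        if i < block_at:
            continue
        for gpo, enforced in reversed(container["links"]):  # link order N ... 1
            if not enforced:
                order.append(gpo)
    # Enforced links cannot be blocked and are applied after everything else;
    # among them the link highest in the hierarchy wins, so walk child -> parent.
    for container in reversed(chain):
        for gpo, enforced in reversed(container["links"]):
            if enforced:
                order.append(gpo)
    return order

def resultant(order, gpos=GPOS):
    """Resultant Set of Policy: apply GPOs in order; later settings overwrite."""
    result = {}
    for gpo in order:
        result.update(gpos[gpo])
    return result

def loopback(user_chain, computer_chain, mode):
    """User-side settings under loopback: "replace" keeps only the GPOs that
    apply to the computer's location; "merge" applies the user's own GPOs first,
    then the computer-located ones, which win on conflict."""
    computer_side = processing_order(computer_chain)
    if mode == "replace":
        return resultant(computer_side)
    return resultant(processing_order(user_chain) + computer_side)
```

With a domain-level enforced password policy and an OU that blocks inheritance, the enforced GPO still wins on “MinPwdLen” while the blocked OU drops the site and parent-OU settings.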

 

What are four methods for software deployment using GPOs?
There are four main ways to install software using GPOs:

  • “Software Installation Policy” - This is a built-in feature of GPOs that allows you to deploy software to users or computers. It supports MSI (Microsoft Installer) and ZAP (Zero Administration Package) (legacy) software packages. It supports both Assigned and Published software deployment modes.

    • “Assigned Software” - Automatically installed on targeted computers or users without user interaction.

    • “Published Software” - Available for users to install themselves when needed.

  • “Startup Script” - Run the software installation commands during the computer startup process. The script is assigned through a GPO.

  • “Logon Script” - Run software installation commands during the user logon process. The script can be assigned through a GPO.

  • Third-party software deployment tools - Some third-party tools can integrate with GPOs to provide more advanced software deployment capabilities. These tools offer additional features and automation options for software deployment.

 

What is “Tattooing The Registry”?

“Tattooing The Registry” refers to the phenomenon where certain GPO settings are not reverted in the Windows registry after the GPO is no longer applied or has been removed.

 

What is the delegation of administration of GPO to specific users or groups?

  • Delegating the administration of GPOs to specific users or groups in an AD environment involves granting them the necessary permissions to create, edit, and manage them.

  • Only “Domain Admins” and “Enterprise Administrators” group members have full access to GPO management by default.

 

What is the gpupdate command-line tool and its purpose?

  • gpupdate is a command-line tool in Windows that allows you to refresh “Group Policy” settings on a computer manually.

  • When executed, it updates the GPO settings from the DCs and immediately applies any changes to the local computer.

 

What is the “dcgpofix.exe” command-line utility and its purpose?

  • The dcgpofix.exe command-line utility is a tool on Windows Server that allows you to reset the “Default Domain Group Policy” and “Default Domain Controller Group Policy” to their original default settings.

  • It is used for repairing or recovering these default policies when they become corrupted or misconfigured.

  • This tool is helpful when the GPMC MMC snap-in cannot be used.

Created by Arsen Aronov, © 2023-2024
