Active Directory - Backup, Restore
Knowledge Base Questions & Answers
What must be done to back up AD (Active Directory)?
To back up AD, you must back up the System State data.
What data does System State contain?
System State contains:
- AD database (including the other files in the NTDS folder) (only on a DC (Domain Controller)).
- Boot and system files.
- DFSR (Distributed File System Replication) staging.
- AD CS (Active Directory Certificate Services) data (only if a Certificate Authority server is installed).
- Cluster Service database (only if a Failover Cluster server is installed).
- COM+ class registration database.
- File system junctions.
- Group Policy settings (only on a DC).
- IIS (Internet Information Services) metadirectory (only if an IIS server is installed).
- Registry.
- Netlogon shared folders: default profiles, system policies, logon/logoff/startup/shutdown scripts.
- SYSVOL (System Volume) folder (only on a DC).
What are the AD Restore types?
There are two AD Restore types:
- Non-Authoritative Restore (D2 restore).
- Authoritative Restore (D4 restore).
What is a Non-Authoritative Restore of AD?
- Non-Authoritative Restore is the default method to restore AD, and it is used when AD data is lost or corrupted.
- It restores a DC to its state at the time of the backup. After the DC is restored, its local copy of SYSVOL is compared with its replication partners. After the DC restarts, SYSVOL replicates any necessary changes to it, bringing the restored DC up to date with the other DCs in the domain.
- To perform a Non-Authoritative Restore, the DC must be started in DSRM (Directory Services Restore Mode).
What is an Authoritative Restore of AD?
- An Authoritative Restore restores the DC from backup; after the necessary configuration is done, AD marks the local SYSVOL as authoritative and replicates it to the other DCs in the domain.
- It can restore only particular objects. For example, if an OU (Organizational Unit) was deleted, an Authoritative Restore can restore just that object.
- To perform an Authoritative Restore, the DC must be started in DSRM.
- An Authoritative Restore requires the ntdsutil utility.
- An Authoritative Restore is often needed when human error is involved, such as when an administrator accidentally deletes some objects, that change has replicated to the other DCs, and the objects cannot be recreated easily.
What is DSRM (Directory Services Restore Mode)?
- DSRM is a special boot mode which is used for repairing or recovering AD.
- It is used to log in to the computer when AD has failed or needs to be restored on the DC.
AD (Active Directory) - GPO (Group Policy Objects) - Part 2
Experience-Based/Practical Questions & Answers
How does a GPO replicate between DCs (Domain Controllers)?
GPOs replicate between DCs (Domain Controllers) by using two mechanisms:
- AD replication.
- SYSVOL replication, performed by DFSR (Distributed File System Replication).
Who can create a “Local Group Policy”?
- “Local Administrator”.
- “Local Users” who have been granted specific privileges.
Who can link a GPO to an AD Site?
- “Enterprise Administrators”
- “Group Policy Creator Owners”
Who can link a GPO to the Domain?
- “Domain Administrators”
- “Enterprise Administrators”
Who can link a GPO to an OU?
- “Domain Administrators”
- “Enterprise Administrators”
- “Group Policy Creator Owners” - this special group is given the right to create GPOs at the domain level.
- AD users who were delegated the right to do it.
How do you prevent a GPO from applying?
- Disable the GPO.
- Unlink the GPO.
When do “Group Policy” scripts start executing?
- “Startup Scripts” are executed when the computer boots up.
- “Shutdown Scripts” are executed when the computer is shutting down.
- “Logon Scripts” are executed when the user logs in.
- “Logoff Scripts” are executed when the user logs off.
How often are “Group Policies” applied to computers?
- When a computer starts up.
- After the initial startup, computers refresh “Group Policy” every 90 minutes by default.
- When a user logs on to a computer, the computer checks for user-specific computer “Group Policy” updates.
- After the initial logon, user “Group Policy” settings are refreshed every 90 minutes by default.
How often are users’ “Group Policies” applied to users?
- When the user logs on to a computer.
- After the initial logon, the user’s “Group Policy” settings are refreshed every 90 minutes by default.
Can you change the “Group Policy” Refresh period?
Yes, you can change the “Group Policy” Refresh period by modifying the "Group Policy Refresh Interval For Computers" and "Group Policy Refresh Interval For Users" settings in the GPO.
Which “Group Policies” are not affected by the refresh process?
Specific “Group Policy” settings are unaffected by the regular refresh process that occurs periodically for user and computer accounts:
- Folder redirection.
- Registry-based policies.
- Scheduled tasks.
What are the steps to configure software deployment using a GPO?
Configuring software deployment using a GPO involves the following steps:
- Create a shared folder.
- Create a subfolder within that shared folder as the software package's distribution point. This is where the installation files will be copied for deployment.
- Convert the software package to an MSI. This step is unnecessary if the software package is already in MSI format.
- Create a new GPO or edit an existing one to configure the software deployment settings.
- Under the GPO, navigate to the "Computer Configuration" or "User Configuration" node and open the "Software Installation" option.
- Create a new "Package" by selecting the MSI file.
- Choose the deployment method for the software: Assigned or Published.
- Link the GPO to the appropriate AD container.
Do “Group Policy” settings provide a “Windows Firewall” configuration?
“Group Policy” provides several settings related to “Windows Firewall” configuration, which allow administrators to manage the firewall settings on computers within an AD domain. For example: “Windows Firewall,” “Windows Firewall: Protect all network connections.”
How can you deploy the latest Windows patches through a GPO without having an administrator on the computer?
- Configure “Group Policy” to point the computer to the WSUS server.
- Link the GPO to the appropriate OU(s) containing the target computers.
- As scheduled, the computers will automatically download and install patches from the WSUS server.
Can you apply a GPO to a “Security Group”?
- You cannot link a GPO directly to a “Security Group” in AD. But you can apply a GPO to a “Security Group” through a process known as "Security Filtering."
- With “Security Filtering,” you can control which users or computers the GPO affects based on their membership in specific “Security Groups.”
How can specific applications be restricted from running on a computer?
- It can be done in the GPO under the Computer Configuration node, in “Security Settings” -> “Software Restriction Policies.”
- In newer versions of Windows, "AppLocker" under "Application Control Policies" is also used for the same purpose and offers more advanced features.
- For the policies to take effect, the GPO must be linked to the AD container containing the computers on which the applications need to be restricted.
Is it possible to set folder permissions by using a GPO?
- GPO allows administrators to configure security settings for computers and users in an AD environment, including folder permissions. However, GPO is not typically used for setting permissions on individual folders. Instead, folder permissions are commonly managed through NTFS (New Technology File System) permissions set directly on the folder.
- GPO can be used to deploy scripts that modify folder permissions or to enforce policies that might indirectly affect access to folders (such as user rights assignments or security options), but it doesn't directly set folder permissions in the same way it manages other settings like registry keys, security settings, or software installation.
How can you enforce a GPO to override conflicting “Group Policy” settings?
- You can use the Enforced setting to enforce a GPO and ensure it takes precedence over other conflicting GPO settings.
- Enforcing a GPO ensures that its settings are applied regardless of other GPOs that might be linked at lower levels.
You want to create a new GPO but do not want to inherit the setting from higher-level GPOs. What should you do?
If you want to create a new GPO but do not want it to inherit settings from any higher-level GPO, you can simply link the GPO to the desired OU without enabling inheritance. To do it, you need to check “Block Inheritance.”
You have set the Enforce option at the domain level and “Block Inheritance” at the OU level. Which policy will take effect?
When both the Enforce option and "Block Inheritance" are set, the Enforce option takes precedence over "Block Inheritance."
You changed the “Group Policies,” and now the computer and user settings have conflicts. Which one has the highest priority?
When there are conflicts between computer and user settings in “Group Policy,” the computer policy takes precedence over the user policy.
You removed some security settings, but they are still in effect. Why?
- “Group Policy Refresh Interval” - “Group Policy” settings are not applied immediately when changes are made. The refresh interval defines how often “Group Policy” settings are applied. By default, the refresh interval is every 90 minutes. You can force an immediate refresh using the gpupdate command.
- “Group Policy” inheritance - If the GPO is linked at a higher-level container, such as the domain or site level, it might be inherited by multiple OUs and objects. Even if you remove the settings from the GPO, the settings might still be in effect due to inheritance.
- Enforced GPO - If the GPO with the removed settings is enforced, it will take precedence over other GPOs linked at the same level, and the settings might still apply.
- “Security Filtering” - If the GPO uses security filtering to target specific users or groups, the removed settings might still affect those targeted objects.
How do GPOs work when they are in conflict?
When GPOs are in conflict, their settings can behave differently based on the order of precedence:
- By default, if there are conflicts between two or more GPOs, the GPO that was linked later takes precedence and overwrites conflicting settings from GPOs applied earlier. However, it's important to note that not all GPO settings conflict. Some settings are cumulative and can be combined from different GPOs to create a comprehensive configuration.
- The order of precedence for GPOs, from highest to lowest, is “Local GPO,” “Site-Linked GPOs,” “Domain-Linked GPOs,” and “OU-Linked GPOs.”
- Enforced and “Block Inheritance” settings also affect which GPO settings are applied.
- Computer “Group Policies” take precedence in case of conflicts.
A user states that he did not receive new settings through a GPO. Everyone else gets the GPO. What are your steps?
- Verify OU membership. Confirm that the user's and computer's accounts are in the OU where the GPO is linked.
- Run the "gpresult /z" command to display the extended details of the applied Group Policy settings.
- Use the RSoP MMC snap-in to check which GPOs are applied to the user and computer.
- Check the loopback policy. Ensure that the user is not a member of a security group for which loopback policy processing is enabled.
- Verify “Group Policy” filtering. Check that the user is not a member of a security group to which filtering is applied to restrict the application of specific GPOs.
- Review the event logs on the user's computer for any “Group Policy” related errors or warnings.
How do you troubleshoot GPO issues?
Here's a general outline of how to troubleshoot GPO issues:
- Identify the issue - Determine the specific problem. Note which “Group Policies” are not applying correctly and to which users or computers.
- Use the "gpupdate" command on client computers to force a manual “Group Policy” update and see if it resolves the issue.
- Run the “gpresult /v” command. It lets you view detailed information about the “Group Policy” settings applied to the current user and computer.
- Verify that the GPO is correctly linked.
- Check the GPO settings.
- Verify the GPO inheritance and order of precedence to ensure that the intended GPO settings are taking effect and are not being overridden by conflicting policies.
- Check if any WMI (Windows Management Instrumentation) filters are applied to the GPO and ensure they function as expected.
- Use the "Group Policy Results" wizard in the GPMC to analyze the applied GPOs for a specific user or computer.
- Use RSoP.
- Use the "Group Policy Modeling" wizard in the GPMC to simulate GPO application for specific users or computers.
- Check the “Event Viewer” on affected computers and domain controllers for related “Group Policy” errors or warnings.
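Two of the checks above (the event log review and the security-filtering check), scripted as an added example that is not part of the original knowledge base. It assumes the GroupPolicy RSAT module is installed; the GPO name is a placeholder.

```powershell
# Added example (not from the original page). Assumes the GroupPolicy RSAT module;
# "Workstation Baseline" is a placeholder GPO name.
Import-Module GroupPolicy

# 1. Group Policy operational log: errors (Level 2) and warnings (Level 3) from the
#    last 24 hours, grouped by event id with the latest message of each, so the
#    noisiest failure is visible first instead of scrolling the raw log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 2, 3
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        EventId = $_.Name
        Count   = $_.Count
        Latest  = $latest.TimeCreated
        Message = ($latest.Message -split "`n")[0]   # first line of the message only
    }
} | Format-Table -AutoSize

# 2. Security filtering: list every trustee that holds "Apply Group Policy" on the
#    GPO. A user who is not covered by one of these trustees (directly or through
#    group membership) will not receive the GPO even when the OU link is correct.
$gpoName = 'Workstation Baseline'   # placeholder
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                  @{ n = 'Type';    e = { $_.Trustee.SidType } },
                  Inherited |
    Format-Table -AutoSize

# 3. Snapshot of which GPOs actually applied to the current user and computer
#    (the same data as gpresult /R), saved as XML so it can be compared later.
gpresult /X (Join-Path $env:TEMP 'rsop.xml') /F
```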
How does a slow network link affect the processing of “Group Policy” settings, and what specific behaviors are impacted?
- Under slow-link conditions, the processing of “Group Policy” settings can be affected.
- When a client computer connects to a DC over a slow network link, specific aspects of “Group Policy” processing may change.
- These changes are designed to optimize performance and prevent excessive network traffic.
- The specific behaviors that are affected under slow-link conditions include:
  - Administrative template policies.
  - Background processing.
  - Folder redirection.
  - Registry settings.
  - Script execution.
  - Software installation.
What are the ways to back up a GPO?
Backing up GPOs on a Windows server can be accomplished using:
- The GPMC snap-in.
- The PowerShell command Backup-GPO.
What are the ways to restore a GPO?
There are the following options:
- Restore the GPO by using the “Restore” option in the GPMC snap-in.
- Restore the GPO by using the “Import Settings” option in the GPMC. For this procedure, you need to locate a backup file of the GPO.
- The PowerShell command Restore-GPO.
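The two PowerShell routes just listed (Backup-GPO and Restore-GPO, plus Import-GPO for the import-settings case) put together as an added example that is not part of the original knowledge base. It assumes the GroupPolicy RSAT module is installed; the backup path, domain name and GPO name are placeholders.

```powershell
# Added example (not from the original page). Assumes the GroupPolicy RSAT module;
# the path, the domain "corp.example" and the GPO name are placeholders.
Import-Module GroupPolicy

$Domain     = 'corp.example'
$BackupRoot = "C:\GPOBackups\$(Get-Date -Format 'yyyy-MM-dd')"
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Backup-GPO -All writes one {GUID} folder per GPO under $BackupRoot and returns a
# GpoBackup object per GPO (Id = backup id, GpoId = the GPO's own GUID).
$backups = Backup-GPO -All -Path $BackupRoot -Domain $Domain `
    -Comment "Scheduled backup $(Get-Date -Format s)"

# A manifest next to the backups lets a later restore be matched to the right
# backup id without opening every folder.
$backups | Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $BackupRoot 'manifest.csv') -NoTypeInformation

# An HTML settings report per GPO is what you diff against after a restore to
# confirm the settings really came back.
foreach ($b in $backups) {
    Get-GPOReport -Guid $b.GpoId -ReportType Html -Domain $Domain `
        -Path (Join-Path $BackupRoot "$($b.GpoId).html")
}

# Restore an existing GPO to the state held in its newest backup in $BackupRoot
# (Restore-GPO picks the most recent backup when -BackupId is not given).
$gpoName = 'Workstation Baseline'
Restore-GPO -Name $gpoName -Path $BackupRoot -Domain $Domain

# The "Import Settings" route: recreate a GPO that no longer exists (or a copy
# under a new name) from the same backup set.
Import-GPO -BackupGpoName $gpoName -TargetName "$gpoName (restored)" `
    -Path $BackupRoot -Domain $Domain -CreateIfNeeded
```

Restore-GPO also restores the GPO's links and security filtering as they were at backup time, so re-check the permissions after a restore when they have been changed since.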
What are the best practices and recommendations for planning GPOs?
- Create simple GPOs that are easily manageable and can be used for multiple targets.
- Reduce the number of GPOs for better performance and simplicity.
- Create separate GPOs for "Computer" and "User" settings to simplify troubleshooting.
- Minimize filtering to keep GPO application straightforward.
- Avoid direct modifications to the "Default Domain Controllers" and "Default Domain" GPOs; create new GPOs instead.
- Apply GPO settings at the highest level to take advantage of GPO inheritance.
- Assign GPO settings to the domain or OU structure rather than the site, except when they are specific to a single site.
- Avoid creating more than five layers of GPO linking to prevent complexity.
How do you force the reloading of all group policies (for users and computers)?
Run command:
gpupdate /force

How do you force refreshing only user policies?
Run command:
gpupdate /target:user /force

How do you force refreshing only computer policies?
Run command:
gpupdate /target:computer /force

What commands can be used to check applied "Group Policies"?
- gpresult /R - displays RSoP summary data.
- gpresult /V - displays RSoP summary data with additional information.