Active Directory - Backup, Restore
Knowledge Base Questions & Answers
What must be done to back up AD (Active Directory)?
To back up AD, back up the System State data.
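The backup described above, as an added PowerShell example that is not part of the original page: it takes a System State backup of a Domain Controller with Windows Server Backup (wbadmin). The backup target volume E:, the task name and the schedule are assumed placeholders.

```powershell
# Added example (not from the original page): System State backup of a DC.
# Assumes an elevated session on the DC and a backup target volume E: (placeholder).

# 1. Windows Server Backup provides wbadmin; install it if it is missing.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup
}

# 2. Back up the System State (AD database and NTDS folder, SYSVOL, registry,
#    boot/system files, ...). -quiet suppresses the interactive confirmation so
#    the same command can run unattended.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 3. List the backups now stored on the target. The "Version identifier" printed
#    here (MM/DD/YYYY-HH:MM) is what a later systemstaterecovery must reference.
wbadmin get versions -backupTarget:E:

# 4. Run the same backup daily at 02:00 as a scheduled task executing as SYSTEM
#    (task name is a placeholder).
$action  = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
               -Argument 'start systemstatebackup -backupTarget:E: -quiet'
$trigger = New-ScheduledTaskTrigger -Daily -At 2am
Register-ScheduledTask -TaskName 'AD-SystemStateBackup' -Action $action `
    -Trigger $trigger -User 'SYSTEM' -RunLevel Highest
```

Keep the backup target off the critical volumes (not the system drive or the volume holding the NTDS database), otherwise wbadmin refuses the System State backup.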
What data contains System State?
System State contains:
- AD (database including other files in the NTDS folder) (only on a DC (Domain Controller)).
- Boot and system files.
- DFSR (Distributed File System Replication) staging.
- AD CS (Active Directory Certificate Services) (only if a Certificate Authority server is installed).
- Cluster Service Database (only if a Failover Cluster server is installed).
- COM+ class registration database.
- File system junctions.
- Group Policy settings (only on a DC).
- IIS (Internet Information Services) meta-directory (only if an IIS server is installed).
- Registry.
- Netlogon shared folders: default profiles, system policies, logon/logoff/startup/shutdown scripts.
- SYSVOL (System Volume) folder (only on a DC).
What are AD Restore types?
There are two AD Restore types:
- Non-Authoritative Restore (D2 restore).
- Authoritative Restore (D4 restore).
What is Non-Authoritative Restore of AD?
- Non-Authoritative Restore is the default method to restore AD; it is used when AD data is lost or corrupted.
- It restores a DC to its state at the time of the backup. After the DC is restored, its local copy of SYSVOL is compared with its replication partners. After the DC restarts, SYSVOL replicates any necessary changes to itself, bringing the restored DC up to date with the other DCs in the domain.
- To perform a Non-Authoritative Restore, the DC must be started in DSRM (Directory Services Restore Mode).
What is the Authoritative Restore of AD?
- Authoritative Restore restores the DC from backup and, after the necessary configuration, AD marks the local SYSVOL as authoritative and replicates it to the other DCs in the domain.
- It can restore only particular objects. For example, if an OU (Organizational Unit) was deleted, an Authoritative Restore can restore just that object.
- To perform an Authoritative Restore, the DC must be started in DSRM.
- Authoritative Restores require the ntdsutil utility.
- An Authoritative Restore is often needed when human error is involved, such as when an administrator accidentally deletes some objects, that change has replicated to the other DCs, and the objects cannot be recreated easily.
What is DSRM (Directory Services Restore Mode)?
- DSRM is a special boot mode used for repairing or recovering AD.
- It is used to log on to the DC when AD has failed or needs to be restored.
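The Non-Authoritative and Authoritative restore sequences from the three answers above, as an added PowerShell example that is not part of the original page. The backup target E:, the backup version identifier and the distinguished name of the deleted OU are assumed placeholders; everything between the two reboots runs from an elevated prompt after logging on in DSRM with the DSRM administrator account.

```powershell
# Added example (not from the original page): restore a DC from a System State backup.
# Placeholders: backup target, version identifier (from "wbadmin get versions"),
# and the DN of the OU to bring back.
$BackupTarget = 'E:'
$Version      = '01/15/2024-02:00'                 # placeholder, format MM/DD/YYYY-HH:MM
$DeletedOU    = 'OU=Sales,DC=itguidespro,DC=com'   # placeholder DN

# --- Step 1 (normal boot): mark the next boot as DSRM and restart ---
bcdedit /set safeboot dsrepair
Restart-Computer

# --- Step 2 (in DSRM): Non-Authoritative restore ---
# Puts the DC back to its backup-time state; after the normal reboot, replication
# partners bring its AD database and SYSVOL up to date. For a plain
# Non-Authoritative restore, stop here and continue with Step 4.
wbadmin start systemstaterecovery -version:$Version -backupTarget:$BackupTarget -quiet

# For an Authoritative restore of SYSVOL as well, add -authsysvol so this DC's
# SYSVOL copy is marked authoritative and wins against the other DCs:
# wbadmin start systemstaterecovery -version:$Version -backupTarget:$BackupTarget -authsysvol -quiet

# --- Step 3 (in DSRM, Authoritative restore only): mark just the deleted OU authoritative ---
# "restore subtree" raises the version numbers of the restored objects so they win
# replication against the partners that still hold the deletion. ntdsutil asks
# for confirmation before it changes anything. The DN here contains no spaces,
# so it can be passed unquoted inside the single argument.
ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $DeletedOU" quit quit

# --- Step 4: leave DSRM and reboot normally ---
bcdedit /deletevalue safeboot
Restart-Computer

# --- Step 5 (normal boot): confirm the object is back and replication is healthy ---
Get-ADOrganizationalUnit -Identity $DeletedOU
repadmin /replsummary
```

Only the objects named in "restore subtree" become authoritative; the rest of the restored database is still treated as a Non-Authoritative copy and is overwritten by the partners' newer data, which is why the page's "just this object" wording matters.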
DNS (Domain Name System) - Zone
Knowledge Base Questions & Answers
What is a “DNS (Domain Name System) Zone”?
- A “DNS (Domain Name System) Zone” contains information (DNS records) about a specific domain or subdomain.
- Zones store the information used to resolve hostnames to IP (Internet Protocol) addresses and vice versa.
What are the different types of DNS zones?
There are four types of DNS zones:
- Primary Zone
- Secondary Zone
- Stub Zone
- Delegated Zone
What is the “Primary Zone” (Master Zone)?
- A “Primary Zone” (Master Zone) is the authoritative zone where the original copies of all DNS records for a domain are stored.
- The DNS server hosting a “Primary Zone” can create, update, or delete DNS records in that zone.
- The server with a “Primary Zone” is called a primary DNS server.
- While it’s possible to configure multiple DNS servers as primary servers for the same zone, this setup is not typical due to potential data synchronization and consistency issues.
What is the “Secondary Zone” (Slave Zone)?
- A “Secondary Zone” (Slave Zone) is a copy of the primary zone.
- It is used for LB (Load Balancing) and redundancy.
- The “Secondary Zone” cannot create, update, or delete records; it only replicates data from the primary zone.
- The server with a “Secondary Zone” is called a secondary DNS server.
What is the “Stub Zone”?
- A “Stub Zone” contains only enough information to identify the authoritative DNS servers for a domain.
- It’s used to help reduce DNS query traffic across different servers and improve DNS resolution efficiency.
What is the “Delegated Zone”?
- A “Delegated Zone” is a portion of a domain that is delegated to and managed by a different DNS server.
- It’s essentially a way to distribute the DNS infrastructure for a large domain across multiple servers.
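The primary, secondary and stub zone types described above, created on Windows DNS servers with the DnsServer PowerShell module, as an added example that is not part of the original page. The zone name itguidespro.com, the primary server 192.0.2.10 and the secondary server 192.0.2.11 are assumed placeholders; each block is meant to run on the server named in its comment.

```powershell
# Added example (not from the original page): one zone hosted as Primary,
# Secondary and Stub on three different Windows DNS servers (placeholder addresses).
Import-Module DnsServer

# --- Primary (Master) zone, on 192.0.2.10: the writable, authoritative copy ---
Add-DnsServerPrimaryZone -Name 'itguidespro.com' -ZoneFile 'itguidespro.com.dns' -DynamicUpdate None
Add-DnsServerResourceRecordA -ZoneName 'itguidespro.com' -Name 'server1' -IPv4Address '192.0.2.50'

# Only the listed secondary may pull the zone, and it is notified of changes.
# Unrestricted zone transfers let any client download every record of the zone.
Set-DnsServerPrimaryZone -Name 'itguidespro.com' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers 192.0.2.11 `
    -Notify NotifyServers -NotifyServers 192.0.2.11

# --- Secondary (Slave) zone, on 192.0.2.11: read-only replica for redundancy/load sharing ---
Add-DnsServerSecondaryZone -Name 'itguidespro.com' -ZoneFile 'itguidespro.com.dns' -MasterServers 192.0.2.10
Start-DnsServerZoneTransfer -Name 'itguidespro.com' -FullTransfer

# --- Stub zone, on any other resolver: only SOA, NS and glue, enough to find the authoritative servers ---
Add-DnsServerStubZone -Name 'itguidespro.com' -ZoneFile 'itguidespro.com-stub.dns' -MasterServers 192.0.2.10

# --- On each server, ZoneType reports Primary, Secondary or Stub ---
Get-DnsServerZone -Name 'itguidespro.com' | Select-Object ZoneName, ZoneType, IsDsIntegrated, MasterServers
```

On a Domain Controller the usual choice is an AD-integrated primary zone (`-ReplicationScope Domain` instead of `-ZoneFile`), in which case replication happens through AD rather than zone transfers; the secondary and stub steps are unchanged.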
What are the different types of “DNS Lookup Zones”?
There are two types of “DNS Lookup Zones”:
- Forward Lookup Zone
- Reverse Lookup Zone
What is the “Forward Lookup Zone”?
- A “Forward Lookup Zone” maps domain names to IP addresses.
- Depending on the domain’s configuration, it contains records such as A, AAAA, CNAME, MX, and other record types.
- It does not contain PTR resource records.
What is the “Reverse Lookup Zone”?
- A “Reverse Lookup Zone” maps IP addresses to domain names.
- It contains only PTR records.
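A forward lookup zone paired with its reverse lookup zone on a Windows DNS server, as an added PowerShell example that is not part of the original page; it shows the record types each zone holds and checks that PTR records live only in the reverse zone. The zone itguidespro.com, the network 192.0.2.0/24 and the server address 192.0.2.10 are assumed placeholders.

```powershell
# Added example (not from the original page): forward and reverse lookup zones
# for placeholder domain itguidespro.com and network 192.0.2.0/24.
Import-Module DnsServer

# Forward lookup zone: names -> addresses.
Add-DnsServerPrimaryZone -Name 'itguidespro.com' -ZoneFile 'itguidespro.com.dns' -DynamicUpdate None

# Reverse lookup zone for 192.0.2.0/24; the server names it 2.0.192.in-addr.arpa.
Add-DnsServerPrimaryZone -NetworkId '192.0.2.0/24' -ZoneFile '2.0.192.in-addr.arpa.dns' -DynamicUpdate None

# Forward records: A and AAAA for the host, a CNAME alias and an MX for the domain.
# -CreatePtr writes the matching PTR into the reverse zone in the same step.
Add-DnsServerResourceRecordA     -ZoneName 'itguidespro.com' -Name 'server1' -IPv4Address '192.0.2.50' -CreatePtr
Add-DnsServerResourceRecordAAAA  -ZoneName 'itguidespro.com' -Name 'server1' -IPv6Address '2001:db8::50'
Add-DnsServerResourceRecordCName -ZoneName 'itguidespro.com' -Name 'www' -HostNameAlias 'server1.itguidespro.com'
Add-DnsServerResourceRecordMX    -ZoneName 'itguidespro.com' -Name '.' -MailExchange 'server1.itguidespro.com' -Preference 10

# Check the split: the forward zone has no PTR records, the reverse zone has only PTRs.
Get-DnsServerResourceRecord -ZoneName 'itguidespro.com'      -RRType Ptr   # expected: no output
Get-DnsServerResourceRecord -ZoneName '2.0.192.in-addr.arpa' -RRType Ptr   # expected: 50 -> server1.itguidespro.com
Get-DnsServerResourceRecord -ZoneName '2.0.192.in-addr.arpa' |
    Where-Object { $_.RecordType -notin @('SOA','NS','PTR') }             # expected: no output

# Resolve in both directions against this server; Resolve-DnsName builds the
# in-addr.arpa name itself when given an IP address.
Resolve-DnsName -Name 'server1.itguidespro.com' -Type A   -Server 192.0.2.10 -DnsOnly
Resolve-DnsName -Name '192.0.2.50'              -Type PTR -Server 192.0.2.10 -DnsOnly
```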
What are “DNS Zone Intervals” types?
There are three “DNS Zone Intervals” types:
- “Refresh Interval” - how often secondary DNS servers check the primary DNS server for updates.
- “Retry Interval” - how long a secondary DNS server waits before retrying a failed zone transfer attempt.
- “Expiration Interval” - the maximum time servers can serve the zone without a successful refresh.
What is “DNS Delegation”?
- “DNS Delegation” is when a DNS server delegates authority over a part of its namespace to one or more other DNS servers.
- Almost all subdomains are delegated.
- “DNS Delegation” is commonly used when different organizations or service providers want to manage their own subdomains while maintaining the overall structure and integrity of the DNS hierarchy.
- Example of “DNS Delegation”:
- There is a domain called itguidespro.com (parent domain).
- During installation of the first DC (Domain Controller) in the child domain (dc1.child.itguidespro.com), a “DNS Delegation” is created in the parent domain.
- The DNS server in the child domain will hold all records for its zone.
- When a user in the parent domain tries to connect, for example, to server server1.child.itguidespro.com, the request goes to the DNS server of the local domain (itguidespro.com). Because that server has no zone records for the child.itguidespro.com zone but does have a delegation, it sends the request to the child domain DNS server (dc1.child.itguidespro.com), where it gets an answer.
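The delegation walk described in the example above, implemented with the DnsServer module, as an added PowerShell example that is not part of the original page. The parent zone itguidespro.com on 192.0.2.10 and the child zone child.itguidespro.com on dc1.child.itguidespro.com (192.0.2.20, with server1 at 192.0.2.21) are assumed placeholders.

```powershell
# Added example (not from the original page): parent -> child DNS delegation.
# Placeholders: parent server 192.0.2.10, child DC/DNS 192.0.2.20, server1 192.0.2.21.
Import-Module DnsServer

# --- On the child DNS server (dc1.child.itguidespro.com): it holds every record of its own zone ---
Add-DnsServerPrimaryZone -Name 'child.itguidespro.com' -ZoneFile 'child.itguidespro.com.dns' -DynamicUpdate None
Add-DnsServerResourceRecordA -ZoneName 'child.itguidespro.com' -Name 'dc1'     -IPv4Address '192.0.2.20'
Add-DnsServerResourceRecordA -ZoneName 'child.itguidespro.com' -Name 'server1' -IPv4Address '192.0.2.21'

# --- On the parent DNS server (192.0.2.10): the delegation is an NS record for "child"
#     plus a glue A record for dc1, so the parent can hand off queries without
#     holding any of the child's records ---
Add-DnsServerZoneDelegation -Name 'itguidespro.com' -ChildZoneName 'child' `
    -NameServer 'dc1.child.itguidespro.com' -IPAddress 192.0.2.20

# What the parent knows about the child: the NS record and its glue only.
Get-DnsServerZoneDelegation -Name 'itguidespro.com' -ChildZoneName 'child'

# The parent has no A record for server1.child, so asking it resolves through the
# delegation (recursion must be enabled on the parent, the Windows default).
Resolve-DnsName -Name 'server1.child.itguidespro.com' -Type A -Server 192.0.2.10 -DnsOnly

# Follow the chain by hand: NS at the parent, then the answer from the child server.
Resolve-DnsName -Name 'child.itguidespro.com'         -Type NS -Server 192.0.2.10 -DnsOnly
Resolve-DnsName -Name 'server1.child.itguidespro.com' -Type A  -Server 192.0.2.20 -DnsOnly
```

If the child DC's address changes, the glue record in the parent must be updated as well; a stale glue record leaves the delegation pointing at a server that no longer answers.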
What is “DNS RPZ (Response Policy Zones)”?
- “DNS RPZ (Response Policy Zones)” allows administrators to control DNS resolution by defining rules to block, redirect, or modify queries for specific domain names or IP addresses.
- It’s a tool for enforcing security and content-filtering policies on DNS servers.
- “DNS RPZ” can be implemented using DNS server software like BIND (Berkeley Internet Name Domain), and its capabilities can be further enhanced with solutions from third-party companies specializing in network security.
Experience-Based/Practical Questions & Answers
How is the DNS zone structured?
- A DNS zone starts with an SOA record identifying the primary authoritative server, followed by NS records listing the authoritative DNS servers.
- Resource records (A, AAAA, CNAME, MX, PTR, and TXT) define the DNS mappings.
- Each record has a TTL (Time To Live).
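The zone structure described above (SOA, NS, resource records with their TTLs) read back from a Windows DNS server, together with a change to the SOA refresh, retry and expiration intervals from the “DNS Zone Intervals” answer, as an added PowerShell example that is not part of the original page. The zone name itguidespro.com and the interval values are assumed placeholders.

```powershell
# Added example (not from the original page): inspect a zone's SOA, NS and
# resource records, then tune the SOA intervals. Placeholder zone: itguidespro.com.
Import-Module DnsServer
$Zone = 'itguidespro.com'

# 1. SOA: names the primary server and carries the zone-transfer timers.
$soa = Get-DnsServerResourceRecord -ZoneName $Zone -RRType Soa
$soa.RecordData | Select-Object PrimaryServer, ResponsiblePerson, SerialNumber,
                                RefreshInterval, RetryInterval, ExpireLimit, MinimumTimeToLive

# 2. NS: every server that is authoritative for the zone.
Get-DnsServerResourceRecord -ZoneName $Zone -RRType NS |
    Select-Object HostName, @{ n = 'NameServer'; e = { $_.RecordData.NameServer } }

# 3. All other resource records, each with the TTL it is served with.
Get-DnsServerResourceRecord -ZoneName $Zone |
    Where-Object { $_.RecordType -notin @('SOA', 'NS') } |
    Select-Object HostName, RecordType, TimeToLive, @{ n = 'Data'; e = {
        switch ($_.RecordType) {
            'A'     { $_.RecordData.IPv4Address }
            'AAAA'  { $_.RecordData.IPv6Address }
            'CNAME' { $_.RecordData.HostNameAlias }
            'MX'    { "$($_.RecordData.Preference) $($_.RecordData.MailExchange)" }
            'PTR'   { $_.RecordData.PtrDomainName }
            'TXT'   { $_.RecordData.DescriptiveText }
            default { $_.RecordData }
        } } }

# 4. Set the intervals: refresh every 15 min, retry after 10 min, expire after 7 days.
#    Set-DnsServerResourceRecord takes the original and a modified clone of the record.
$new = $soa.Clone()
$new.RecordData.RefreshInterval = [TimeSpan]::FromMinutes(15)
$new.RecordData.RetryInterval   = [TimeSpan]::FromMinutes(10)
$new.RecordData.ExpireLimit     = [TimeSpan]::FromDays(7)
Set-DnsServerResourceRecord -ZoneName $Zone -OldInputObject $soa -NewInputObject $new

# 5. Confirm the new values and check that the serial number moved on, since
#    secondaries only pull the zone when the serial is higher than their copy.
(Get-DnsServerResourceRecord -ZoneName $Zone -RRType Soa).RecordData |
    Select-Object SerialNumber, RefreshInterval, RetryInterval, ExpireLimit
```

Keep the retry interval shorter than the refresh interval and the expiration interval much longer than both; an expiration that is too short turns a brief outage of the primary into secondaries that stop answering for the zone.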
What are the benefits of using DNS delegation?
- DNS delegation reduces the load on the DNS servers of the parent domain and improves the performance of DNS server requests.
- The child domain’s DNS zone management can be delegated to that domain’s administrator team.
How can you troubleshoot common DNS zone-related issues?
To troubleshoot DNS zone-related issues:
- Check the DNS server.
- Check the DNS zone configuration.
- Verify DNS records.
- Check DNS replication (if using multiple servers).
- Check DNS forwarders.
- Examine the DNS cache.
- Review DNS event logs.
- Use DNS troubleshooting tools like nslookup.
- Review firewall and security settings.
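The checklist above as a script run on the Windows DNS server itself, as an added PowerShell example that is not part of the original page; each numbered step matches one list item. The zone itguidespro.com, the host label server1, this server's address 192.0.2.10 and the partner server 192.0.2.11 are assumed placeholders.

```powershell
# Added example (not from the original page): DNS zone troubleshooting checklist.
# Placeholders: zone, host label, this server's IP and a replication partner's IP.
Import-Module DnsServer
$Zone      = 'itguidespro.com'
$HostLabel = 'server1'
$Fqdn      = "$HostLabel.$Zone"
$Me        = '192.0.2.10'
$Partner   = '192.0.2.11'

# 1. DNS server: is the service running and set to start automatically?
Get-Service -Name DNS | Select-Object Status, StartType

# 2. Zone configuration: type, AD integration, and whether the zone is paused or shut down.
Get-DnsServerZone -Name $Zone |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, IsPaused, IsShutdown, DynamicUpdate

# 3. Records: confirm the record exists in the zone data, not merely in a cache.
Get-DnsServerResourceRecord -ZoneName $Zone -Name $HostLabel -RRType A

# 4. Replication: compare this server's answer with a partner's; for AD-integrated
#    zones the underlying replication health comes from repadmin on the DC.
Resolve-DnsName -Name $Fqdn -Type A -Server $Me      -DnsOnly
Resolve-DnsName -Name $Fqdn -Type A -Server $Partner -DnsOnly
repadmin /replsummary

# 5. Forwarders: where queries for zones this server is not authoritative for go.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout

# 6. Cache: look for stale entries for the zone; flush only if they are the problem.
Show-DnsServerCache | Where-Object { $_.HostName -like "*$Zone*" }
# Clear-DnsServerCache -Force

# 7. Event logs: recent DNS Server entries (zone load failures, transfer errors, ...).
Get-WinEvent -LogName 'DNS Server' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# 8. nslookup: the classic client-side check, pointed explicitly at this server.
nslookup $Fqdn $Me

# 9. Firewall: DNS uses TCP and UDP port 53. Test-NetConnection exercises TCP 53;
#    the rule query shows whether the inbound DNS rules are enabled.
Test-NetConnection -ComputerName $Me -Port 53
Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayName -like '*DNS*' } |
    Select-Object DisplayName, Enabled, Action
```

If step 3 finds the record but step 4 gets different answers from the two servers, the zone is out of sync (zone transfer or AD replication), not misconfigured; if step 4 agrees and clients still fail, steps 5 to 9 are the likelier causes.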