
Active Directory - DC (Domain Controller), AD Database - Part 1

Knowledge Base Questions & Answers

What is a DC (Domain Controller) in a Windows Server environment, and what are its main functions?

  • DC (Domain Controller) is a server running the Windows Server OS (Operating System) with the AD DS role installed; it hosts a writable copy of the AD (Active Directory) database.

  • It authenticates users and computers in the Domain (Kerberos and NTLM), enforces the Domain's security policy, answers LDAP queries, and replicates directory changes to the other DCs.

  • When a user logs on or asks for a Domain resource, the DC validates the credentials and issues the Kerberos tickets (or NTLM authentication result) that member servers use to authorize access; a DC therefore holds the password hashes of every Domain account and must be protected accordingly.

 

What is a RODC (Read-Only Domain Controller) in AD (Active Directory), and what are its advantages?

  • RODC (Read-Only Domain Controller) is a DC that holds a read-only copy of the AD (Active Directory) database. Changes cannot be made on it directly; they are made on a writable DC and replicated inbound only.

  • It can be deployed in a remote office where physical security is not guaranteed. By default an RODC caches no account passwords; the PRP (Password Replication Policy) lists which accounts it may cache and which (Domain Admins, Enterprise Admins, krbtgt, and so on) it must never cache, so a stolen RODC exposes only the accounts that were allowed to be cached on it.

  • Accounts permitted by the PRP authenticate against the local RODC instead of over the WAN, which gives faster logon in the branch office; all other logons are forwarded to a writable DC.
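As an added example (not part of the original page), the following PowerShell audits an RODC's Password Replication Policy and checks whether any privileged account has actually been cached on it. It assumes the ActiveDirectory module from RSAT and an RODC named RODC01, which is a hypothetical name.

```powershell
# Added example: audit which accounts an RODC may cache and which it has cached.
# Assumes the ActiveDirectory module (RSAT); the RODC name is hypothetical.
Import-Module ActiveDirectory

$rodc = 'RODC01'   # hypothetical RODC name, replace with your own

# Allowed list: by default only "Allowed RODC Password Replication Group" (empty by default)
Write-Host "== Allowed by PRP on $rodc =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList |
    Select-Object Name, ObjectClass

# Denied list: Domain Admins, Enterprise Admins, krbtgt and other privileged principals
Write-Host "== Denied by PRP on $rodc =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList |
    Select-Object Name, ObjectClass

# Accounts whose secrets are currently stored on the RODC. If a privileged account
# appears here, stealing the RODC gives the attacker that account's hash.
Write-Host "== Secrets currently cached on $rodc =="
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$cached | Select-Object Name, ObjectClass, DistinguishedName

# Flag any cached user that belongs to a built-in privileged group.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($acct in $cached) {
    if ($acct.ObjectClass -ne 'user') { continue }
    $groups = Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName |
        Select-Object -ExpandProperty Name
    $hits = $groups | Where-Object { $privileged -contains $_ }
    if ($hits) {
        Write-Warning "$($acct.Name) is cached on $rodc and belongs to: $($hits -join ', ')"
    }
}
```

A non-empty warning list means the PRP is wider than the branch office needs; remove the account from the allowed group and reset its password, since the hash already left the data centre.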

 

What is a “Member Server” in a Domain network, and what roles does it typically perform?

  • “Member Server” is a server that is joined to the Domain but is not configured as a DC; it authenticates its users against the DCs instead of holding the directory itself.

  • It provides resources such as shared folders, printers, and applications, typically as a file, print, web, database, or application server.

 

What is a “Stand-Alone Computer”?

“Stand-Alone Computer” is a computer that belongs to a Workgroup but not to a Domain.

 

What is “AD DS” (Active Directory Domain Services), and what are its primary functions?

  • “AD DS” (Active Directory Domain Services) is the directory service role on Windows Server: it stores the Domain's objects (users, computers, groups, OUs, policies) in a hierarchical, replicated database and exposes them over LDAP (Lightweight Directory Access Protocol).

  • It provides authentication (Kerberos and NTLM) and the data that drives authorization, such as group memberships and the ACLs on directory objects.

 

What is the role of the NetLogon service in a Windows Domain environment, and what are the potential impacts of stopping this service?

  • NetLogon service maintains the secure channel between a Domain member and its DC, passes logon requests to the DC (NTLM pass-through authentication), and on a DC registers the DC locator SRV records in DNS (Domain Name System) that clients use to find it.

  • If NetLogon is stopped, the computer can no longer authenticate users against the Domain and they will see login failures or be unable to reach network resources. On a DC, stopping it also stops the DC from advertising itself: it no longer registers or refreshes its DNS SRV records, so clients stop locating it.
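The following PowerShell is an added example, not from the original page: it checks that a DC's NetLogon and KDC services are running and that the locator SRV records NetLogon registers actually point at the DC, and asks NetLogon to re-register them if not. It assumes Windows PowerShell 5.1 (Get-Service -ComputerName), the built-in DnsClient module and nltest.exe; the DC and domain names are hypothetical.

```powershell
# Added example: DC locator health check. DC and domain names are hypothetical.
$dc     = 'DC01'            # hypothetical DC host name
$domain = 'corp.example'    # hypothetical domain DNS name

# Services a DC needs to authenticate users and to be found.
foreach ($svc in 'Netlogon', 'Kdc', 'DNS') {
    $s = Get-Service -ComputerName $dc -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { Write-Warning "$svc not found on $dc"; continue }
    if ($s.Status -ne 'Running') { Write-Warning "$svc on $dc is $($s.Status)" }
    else { Write-Host "$svc on $dc is running" }
}

# Records NetLogon registers on every DC: LDAP and Kerberos locator entries.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$domain"
)
$missing = @()
foreach ($name in $srvNames) {
    $recs    = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
    $targets = $recs | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
    if ($targets -notcontains "$dc.$domain") {
        Write-Warning "$dc is not listed in $name"
        $missing += $name
    } else {
        Write-Host "$dc is registered in $name"
    }
}

if ($missing.Count -gt 0) {
    # Ask NetLogon on the DC to re-register its records; this does not interrupt
    # authentication the way a service restart would.
    Invoke-Command -ComputerName $dc -ScriptBlock { nltest /dsregdns }
}
```

A DC that is running but absent from `_ldap._tcp.dc._msdcs.<domain>` is invisible to clients; this is the usual symptom of NetLogon being stopped or of dynamic DNS updates being refused for the DC's account.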

 

What is the KDC (Key Distribution Center) service?

KDC (Key Distribution Center) service runs on every DC and implements Kerberos authentication: it validates the user's credentials and issues the TGT (Ticket Granting Ticket) and the service tickets that users present to other computers in the Domain. Its tickets are protected with the krbtgt account's key, which is why that account's hash must never leave the DC.

 

What is the WinLogon (Windows Logon Process) service?

WinLogon (Windows Logon Process, winlogon.exe) is the process that manages interactive logon and logoff on a Windows computer: it collects the credentials (through LogonUI and credential providers), hands them to LSASS for validation, and loads the user's profile and desktop on success.

What is the ADAC (Active Directory Administrative Center)?

  • ADAC (Active Directory Administrative Center) is a GUI (Graphical User Interface) tool that simplifies the management and administration of AD environments. It is built on Windows PowerShell, and its PowerShell History pane shows the cmdlets each action ran, which is useful when the same change has to be scripted.

  • It lets administrators perform common management tasks on AD objects across multiple Domains in the same ADAC instance, and it is the tool for the AD Recycle Bin and Fine-Grained Password Policies.


What MMC (Microsoft Management Console) snap-ins with a GUI (Graphical User Interface) are available on a DC for working with an AD environment?

  • “Active Directory Domains and Trusts” MMC (Microsoft Management Console) snap-in provides the ability to manage Domain trusts, UPN suffixes, and raise the Forest functional level.

  • "Active Directory Sites and Services" MMC snap-in allows managing the AD Sites, “Site Link Bridges,” Subnets, and the replication topology.

  • "Active Directory Users and Computers" MMC snap-in provides the ability to manage User accounts, Computer accounts, Groups, and OUs (Organizational Units) and to raise the Domain functional level.

  • “ADSI Edit” (Active Directory Service Interfaces Editor) MMC snap-in provides:

    • A GUI for managing objects in AD over LDAP (Lightweight Directory Access Protocol), including the Configuration and Schema partitions that the other consoles hide.

    • The ability to view, add, delete, and edit AD objects and attributes that are not exposed through the "Active Directory Users and Computers" MMC snap-in.

    • A way to clean up leftover metadata, for example the objects of a DC that was removed without being demoted.

    • No safety net: there is no confirmation beyond the delete prompt, and a mistake can destroy the entire AD. Take a System State backup before editing.

  • “DNS Manager” (Domain Name System Manager) MMC snap-in allows managing DNS Zones, “Resource Records”, and other DNS-related settings.

  • "Group Policy Management" MMC snap-in allows management of GPOs (Group Policy Objects).

  • "Active Directory Schema" is not available as a snap-in by default. Its DLL must be registered first (regsvr32 schmmgmt.dll); afterwards the snap-in can be added to a console to view the “AD Schema” and, when connected to the Schema Master, modify it.

  • "AD Replication Status Tool" is not a standard MMC snap-in and must be downloaded and installed from the Microsoft website. It reports replication health and errors across the Forest rather than changing replication settings; the built-in repadmin.exe (repadmin /showrepl, repadmin /replsummary) gives the same information from the command line.

What is a “System State” on DC?

“System State” on a DC is the set of components a backup must capture to bring the DC back to a working state in a recovery; it is the unit that Windows Server Backup (wbadmin start systemstatebackup) backs up and restores.

 

What components are included in the “System State” backup on DC?

“System State” on a DC contains:

  • AD Database - the NTDS (NT Directory Services) folder: ntds.dit and its transaction logs

  • SYSVOL (System Volume) Folder

  • Boot Files

  • Critical System Files (protected operating system files)

  • Registry

  • COM+ Class Registration database, and the Certificate Services database when the AD CS role is installed on the DC

Because the backup contains ntds.dit, a System State backup holds every password hash in the Domain and must be stored and transported with the same care as the DC itself.

 

What is the NETLOGON share in the context of “AD DS” on DCs, and what does it contain?

  • NETLOGON is a share created on every DC when “AD DS” is installed. It is not a separate folder: the share points to the scripts folder inside SYSVOL on the DC:
    %SystemRoot%\SYSVOL\sysvol\{DOMAIN}\scripts

  • NETLOGON contains the Logon, Logoff, Startup, and Shutdown scripts and the files they reference. Every Authenticated User can read it, so nothing in it (scripts included) may contain credentials, and only administrators may write to it, because anything placed there is executed on every computer that runs the script.

 

What is SYSVOL (System Volume) on the DCs, what does it contain, and how is its data replicated?

  • SYSVOL (System Volume) is a shared folder that exists on all DCs. The folder path is:
    %SystemRoot%\SYSVOL

  • SYSVOL contains various types of data, including:

    • Administrative Templates (the ADMX/ADML Central Store under Policies\PolicyDefinitions, if one has been created)

    • The file part of each GPO (the Group Policy Template under Policies\{GUID})

    • Logon, Logoff, Startup, and Shutdown scripts (the scripts folder, shared as NETLOGON)

    • System Policies (legacy NT-style policy files)

  • Data within SYSVOL is replicated between all DCs by DFS-R (DFS Replication, the DFSR service). Domains created on Windows Server 2003 or earlier used FRS (File Replication Service); FRS is deprecated and must be migrated to DFS-R with dfsrmig.exe before a DC running Windows Server 2019 or later can be added.
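The following PowerShell is an added example (not part of the original page) that covers both the NETLOGON and the SYSVOL passages above: it reads SYSVOL as any Authenticated User can, looks for Group Policy Preferences `cpassword` values and credential-looking strings in logon scripts, and lists who holds write rights on the scripts and Policies folders. The domain name is hypothetical, and the credential patterns are a starting heuristic rather than a complete list.

```powershell
# Added example: audit SYSVOL/NETLOGON for stored secrets and for unexpected write access.
# Assumes the domain DNS name below (hypothetical) and read access to \\<domain>\SYSVOL,
# which every Authenticated User has by default.
$domain = 'corp.example'                     # hypothetical
$sysvol = "\\$domain\SYSVOL\$domain"

# 1. Group Policy Preferences files that may carry a 'cpassword' attribute.
#    The AES key that protects cpassword is published by Microsoft, so treat any hit as plain text.
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
Get-ChildItem -Path "$sysvol\Policies" -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword=' -SimpleMatch |
    ForEach-Object { Write-Warning "cpassword in $($_.Path):$($_.LineNumber)" }

# 2. Credential-looking strings in logon/startup scripts (NETLOGON is SYSVOL\...\scripts).
$scriptExt = '*.bat', '*.cmd', '*.vbs', '*.ps1'
Get-ChildItem -Path "$sysvol\scripts" -Recurse -Include $scriptExt -ErrorAction SilentlyContinue |
    Select-String -Pattern '(?i)(password|pwd|/user:|-credential|net use .* /)' |
    ForEach-Object { Write-Warning "possible credential in $($_.Path):$($_.LineNumber): $($_.Line.Trim())" }

# 3. Who can write? Only administrative principals and SYSTEM should appear.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
$trusted = 'Administrators|SYSTEM|CREATOR OWNER|Domain Admins|Enterprise Admins|Group Policy Creator Owners'
foreach ($path in "$sysvol\scripts", "$sysvol\Policies") {
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.FileSystemRights -band $writeRights)) { continue }
        $id = $ace.IdentityReference.Value
        if ($id -notmatch $trusted) { Write-Warning "$id has write rights on $path" }
    }
}
```

Step 3 is the check that matters most: a principal that can write to scripts or to a GPO's folder can run code on every computer that applies the policy, which is equivalent to Domain Admin.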

What are the default shares on a DC, and what are they mapped to?

A DC exposes the standard administrative shares plus two that “AD DS” adds. ADMIN$, C$ and IPC$ are hidden (the trailing $ keeps them out of browse lists); NETLOGON and SYSVOL are visible and readable by every Authenticated User.

  • ADMIN$ (hidden, mapped to the Windows folder).

  • C$ (hidden, mapped to the root of the C volume; every additional fixed volume gets its own D$, E$, and so on).

  • IPC$ (hidden, Inter-Process Communication; used for named pipes such as RPC and for SMB session setup, it has no folder).

  • NETLOGON (mapped to the scripts folder inside SYSVOL).

  • SYSVOL (mapped to the SYSVOL\sysvol folder).
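As an added example, not from the original page, the following PowerShell lists a DC's shares, flags any that are not part of the default set, and prints the share-level permissions of NETLOGON and SYSVOL. It assumes the SmbShare module (Windows Server 2012 or later) and is run locally on the DC or through Invoke-Command.

```powershell
# Added example: compare a DC's shares with the default set and show NETLOGON/SYSVOL share ACLs.
# Assumes the SmbShare module; run on the DC itself.
$expected = 'ADMIN$', 'C$', 'IPC$', 'NETLOGON', 'SYSVOL'

$shares = Get-SmbShare
foreach ($s in $shares) {
    $hidden = $s.Name.EndsWith('$')
    $tag = if ($expected -contains $s.Name -or $s.Name -match '^[A-Z]\$$') { 'expected' } else { 'UNEXPECTED' }
    '{0,-12} hidden={1,-5} path={2,-45} {3}' -f $s.Name, $hidden, $s.Path, $tag
}

# Per-volume admin shares (D$, E$ ...) are normal on a DC with extra disks; anything else
# means the DC is also acting as a file server, which widens its attack surface.
$extra = $shares | Where-Object { $expected -notcontains $_.Name -and $_.Name -notmatch '^[A-Z]\$$' }
if ($extra) { Write-Warning "Non-standard shares on this DC: $($extra.Name -join ', ')" }

# Share-level permissions on the two AD DS shares. By default Everyone has Read and
# Authenticated Users have Full at the share level; effective access is then narrowed by
# the NTFS ACL on the folder, so review that ACL too rather than the share ACL alone.
foreach ($name in 'NETLOGON', 'SYSVOL') {
    Get-SmbShareAccess -Name $name | ForEach-Object {
        '{0,-9} {1,-35} {2,-6} {3}' -f $name, $_.AccountName, $_.AccessControlType, $_.AccessRight
    }
}
```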

What is UGMC (Universal Group Membership Caching), and how often is it refreshed?

  • A logon in a multi-Domain Forest needs a GC (Global Catalog) to resolve the user's universal group memberships. Where limited bandwidth or hardware make a GC in a small branch office impractical, UGMC (Universal Group Membership Caching) can be enabled for that Site in "Active Directory Sites and Services" (NTDS Site Settings). A DC in that Site contacts a GC at the user's first logon and then stores the user's universal group memberships in its local cache, so later logons succeed without reaching a GC.

  • By default, the cached memberships are refreshed from a GC every 8 hours.

 

What is the adprep command, and where is it executed?

  • adprep.exe is a tool used to prepare an existing AD Forest and Domain before a DC running a newer version of Windows Server is introduced. It ships in the \support\adprep folder of the Windows Server installation media.

  • It extends the “AD Schema,” updates security descriptors and permissions, and creates the containers and objects that the newer Windows Server version's features require.

  • adprep /forestprep must be run on the DC with the “Schema Master” role (since Windows Server 2012 it can also be run from another machine that can reach the Schema Master), by an account in Schema Admins, Enterprise Admins and Domain Admins. adprep /domainprep is then run once per Domain on the DC holding the “Infrastructure Master” role, and adprep /rodcprep before the first RODC. Since Windows Server 2012, promoting a new DC with Server Manager or Install-ADDSDomainController runs these steps automatically when the account has the required rights, so a manual run is only needed when the schema change must be separated from the promotion.
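As an added example, not part of the original page, the following PowerShell identifies the FSMO role holders that adprep must target, records the schema version before and after, and runs forestprep only when the installation media is present. It assumes the ActiveDirectory module, that the media is mounted at D: (a hypothetical drive letter), and that the account already holds the required memberships.

```powershell
# Added example: locate the adprep targets, check prerequisites, run forestprep, verify.
# Assumes the ActiveDirectory module and media mounted at D: (hypothetical).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
"Schema Master         : $($forest.SchemaMaster)"          # target of adprep /forestprep
"Infrastructure Master : $($domain.InfrastructureMaster)"  # target of adprep /domainprep

function Get-SchemaVersion {
    # objectVersion on the Schema container: 69 = 2012 R2, 87 = 2016, 88 = 2019/2022
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
}
$before = Get-SchemaVersion
"Schema version before : $before"

# forestprep needs Schema Admins and Enterprise Admins; domainprep needs Domain Admins.
$myGroups = (Get-ADPrincipalGroupMembership -Identity $env:USERNAME).Name
foreach ($g in 'Schema Admins', 'Enterprise Admins', 'Domain Admins') {
    if ($myGroups -notcontains $g) { Write-Warning "Current user is not a member of $g" }
}

$adprep = 'D:\support\adprep\adprep.exe'   # hypothetical media path
if (Test-Path $adprep) {
    # Run on (or against) the Schema Master; adprep refuses to run elsewhere.
    & $adprep /forestprep
    if ($LASTEXITCODE -ne 0) { throw "adprep /forestprep failed with exit code $LASTEXITCODE" }
    # Once per Domain, against the Infrastructure Master; /gpprep also fixes GPO permissions.
    & $adprep /domainprep /gpprep
    if ($LASTEXITCODE -ne 0) { throw "adprep /domainprep failed with exit code $LASTEXITCODE" }
} else {
    Write-Warning "$adprep not found; mount the new Windows Server media first"
}

$after = Get-SchemaVersion
"Schema version after  : $after"
if ($after -eq $before) { Write-Warning 'Schema version unchanged; forestprep did not apply' }
```

A schema extension is irreversible (there is no "adprep undo"), which is why the version is read before and after and why a System State backup of the Schema Master should exist before the first command runs.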

 

What is the netdom command-line tool used for, and on which type of server is it available?

  • netdom command-line tool performs Domain-related operations, including joining computers to a Domain, renaming computers, creating and verifying trusts, resetting secure-channel passwords, and querying or moving FSMO roles.

  • It is installed with the AD DS and AD LDS Tools (part of RSAT), so it is present on every DC and on any Windows Server or client where those tools have been installed; it is not limited to DCs.

 

What is the ADMT (Active Directory Migration Tool), what are its primary uses, and what additional tools or services does Microsoft offer for similar purposes?

  • ADMT (Active Directory Migration Tool) is designed to migrate AD objects (Users, Groups, Computers, service accounts) and their settings between AD Domains or Forests while preserving access, for example by carrying old SIDs in the sIDHistory attribute. It can be downloaded from the Microsoft website.

  • It is used for large changes in the AD environment, such as Domain merges, consolidation after an acquisition, or reorganising where objects live. For example, it can consolidate a 1,000-user environment spread across 10 AD Domains into a single Domain.

  • ADMT provides wizards that automate migration operations through its console or command-line interface.

  • ADMT stores its migration data in a Microsoft SQL (Structured Query Language) Server database; SQL Server Express is sufficient.

  • Microsoft also offers an alternative tool suite called ADMS (Active Directory Migration Services), which operates in the “Azure Cloud”.

 

Where is the AD database located?

AD database is located by default in the folder:
%SystemRoot%\NTDS

The location is chosen during DC promotion and recorded in the registry under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters ("DSA Database file"); the transaction logs may be placed on a different volume.

What types of files are found in the NTDS (NT Directory Services) folder, and what are their purposes?

There are three important types of files in the NTDS (NT Directory Services) folder:

  • ntds.dit - This file is the AD database (an ESE/Jet database). It contains every object and attribute of the Domain, including the password hashes of all accounts. It is locked while AD DS runs, but it can be read from a Volume Shadow Copy or a backup, so access to the file, to a snapshot of the volume, or to a System State backup is equivalent to Domain compromise.

  • temp.edb - A scratch database used for in-progress transactions and for maintenance operations such as schema changes; it is not part of the directory content.

  • edb.log - The current transaction log. Every change is written to the log before it is applied to ntds.dit, so a change interrupted by a crash can be replayed on restart; filled logs are renamed edbNNNNN.log, edb.chk records which log entries are already committed, and the reserve logs guarantee space for a clean shutdown when the disk fills up.

What is a USN (Update Sequence Number), and why might these numbers differ on different DCs?

  • A USN (Update Sequence Number) is a 64-bit counter that each DC keeps for its own copy of the database. Every write on that DC increments the counter, and the object written is stamped with the value in its uSNChanged attribute (and, at creation, uSNCreated).

  • Because every DC's counter is local, and DCs receive the same changes in different orders and interleaved with their own writes, the same object carries different USN values on different DCs. Replication uses the USN only per partner: each DC records the highest USN it has seen from every other DC (the up-to-dateness vector) and asks for everything newer.

  • To see an object's USNs in "Active Directory Users and Computers," enable View, then Advanced Features, open the object's Properties and select the "Object" tab; "Update Sequence Numbers" shows Original (uSNCreated) and Current (uSNChanged) as held by the DC the console is connected to.
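The following PowerShell is an added example (not from the original page) that makes the per-DC nature of USNs visible: it reads the same object from every DC in the Domain and prints its uSNChanged next to each DC's own highest committed USN. It assumes the ActiveDirectory module and a hypothetical object DN.

```powershell
# Added example: compare one object's USNs across all DCs. The DN is hypothetical.
Import-Module ActiveDirectory

$dn = 'CN=Administrator,CN=Users,DC=corp,DC=example'   # hypothetical

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$results = foreach ($dc in $dcs) {
    try {
        $obj  = Get-ADObject -Identity $dn -Server $dc -Properties uSNCreated, uSNChanged, whenChanged
        $root = Get-ADRootDSE -Server $dc
        [pscustomobject]@{
            DC          = $dc
            uSNCreated  = $obj.uSNCreated              # local to this DC's database
            uSNChanged  = $obj.uSNChanged              # local to this DC's database
            whenChanged = $obj.whenChanged             # identical everywhere once replicated
            highestUSN  = $root.highestCommittedUSN    # this DC's counter at query time
        }
    } catch {
        Write-Warning "Could not query $dc : $($_.Exception.Message)"
    }
}
$results | Format-Table -AutoSize

# Same whenChanged with different uSNChanged across rows is normal. A DC that does not
# answer, or whose whenChanged lags the others, is the one to look at with:
#   repadmin /showrepl <dc>
#   repadmin /showutdvec <dc> <naming context DN>
```

The whenChanged timestamp is the value to compare for "has this change replicated"; the USN is only meaningful on the DC that produced it.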

What is “Garbage Collection” in AD, and how does it help reclaim space and maintain database efficiency?

  • “Garbage Collection” is a process that reclaims space in the AD database by physically removing tombstones (and, where the AD Recycle Bin is enabled, recycled objects) whose tombstone lifetime has expired. The default lifetime is 180 days for Forests created on Windows Server 2003 SP1 or later and 60 days for older Forests; a backup older than the tombstone lifetime must not be restored, because its objects would be re-introduced without being replicated correctly.

  • It also truncates transaction log files that are no longer needed and starts the online defragmentation thread to make the freed pages reusable.

  • “Garbage Collection” runs independently on every DC, by default every 12 hours (the garbageCollPeriod attribute on the Directory Service object).
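As an added example, not part of the original page, the following PowerShell reads the Forest's garbage-collection interval and tombstone lifetime, falls back to the documented defaults when the attributes are unset, and counts the deleted objects waiting to be collected. It assumes the ActiveDirectory module.

```powershell
# Added example: inspect garbage-collection settings and the deleted objects awaiting collection.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                      -Properties tombstoneLifetime, garbageCollPeriod

# When an attribute is absent AD uses its built-in default: 60 days (forest created before
# Windows Server 2003 SP1) and 12 hours.
$tsl = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
$gcp = if ($dsObj.garbageCollPeriod) { $dsObj.garbageCollPeriod } else { 12 }
"Tombstone lifetime  : $tsl days"
"Garbage collection  : every $gcp hours"

$rb = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
"Recycle Bin enabled : $([bool]$rb.EnabledScopes)"

# Deleted objects still inside the tombstone lifetime can be restored; the rest go on the
# next collection. The Deleted Objects container itself is returned too, so exclude it.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties whenChanged |
    Where-Object { $_.Name -ne 'Deleted Objects' }
$stale = @($deleted | Where-Object { $_.whenChanged -lt (Get-Date).AddDays(-$tsl) })
"Deleted objects     : $(@($deleted).Count) (of which $($stale.Count) past the tombstone lifetime)"
```

A tombstone lifetime shorter than the backup retention period is the configuration to fix first: restoring such a backup reintroduces lingering objects.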

 

What is “Online Defragmentation,” and what are its advantages and limitations?

  • “Online Defragmentation” is the defragmentation that runs as part of each garbage collection pass, while AD DS is serving requests.

  • Its advantage is that the DC does not need to be taken offline; it continues to authenticate users while the database is reorganised.

  • Its limitation is that it does not shrink the AD database file (ntds.dit): freed pages are reorganised and reused inside the file, but the file never gets smaller.

 

What are “Offline Defragmentation” advantages and limitations?

  • “Offline Defragmentation” rebuilds the AD database (ntds.dit) into a new, compacted file with ntdsutil (files, compact to) and is the only way to reduce the size of ntds.dit after a large deletion.

  • Disadvantages of “Offline Defragmentation”:

    • It requires taking AD DS offline: either restart the DC into DSRM (Directory Services Restore Mode) or, on Windows Server 2008 and later, stop the NTDS service (restartable AD DS). While AD DS is offline the DC answers no logons or LDAP queries.

    • It does not itself run garbage collection, so to reclaim the space used by tombstones, run it after the tombstones have been collected.

    • You must create a System State backup before starting, so the database can be recovered if the compaction or the following integrity check fails.
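The following PowerShell is an added example, not from the original page, of the whole procedure the two defragmentation entries and the “System State” entries describe: a System State backup, taking AD DS offline with restartable AD DS, compacting ntds.dit with ntdsutil, checking the compacted copy before swapping it in, and rolling back on failure. It is run elevated on the DC; the NTDS, scratch and backup paths are hypothetical, and the check on ntdsutil's "Integrity check successful" output text is an assumption about its message wording.

```powershell
# Added example: offline defragmentation with backup, integrity check and rollback.
# Run elevated on the DC. Paths are hypothetical; adjust to where ntds.dit actually lives.
$ntdsDir   = 'C:\Windows\NTDS'
$compactTo = 'C:\Temp\NTDS-compact'
$backupVol = 'E:'                        # hypothetical backup target volume

# 0. Backup first: a compaction that goes wrong must be recoverable.
wbadmin start systemstatebackup -backupTarget:$backupVol -quiet
if ($LASTEXITCODE -ne 0) { throw 'System State backup failed; not continuing' }

# 1. Take AD DS offline without rebooting into DSRM. -Force also stops the services that
#    depend on NTDS (KDC, DNS, DFSR, NetLogon); users cannot log on until it is restarted.
Stop-Service -Name NTDS -Force
$before = (Get-Item "$ntdsDir\ntds.dit").Length

# 2. Compact into a separate directory; ntdsutil writes a fresh ntds.dit there.
New-Item -ItemType Directory -Path $compactTo -Force | Out-Null
ntdsutil "activate instance ntds" files "compact to $compactTo" quit quit
if (-not (Test-Path "$compactTo\ntds.dit")) {
    Start-Service -Name NTDS
    throw 'Compaction produced no file; AD DS restarted with the original database'
}

# 3. Swap the compacted file in, keep the original for rollback, drop the old logs
#    (they belong to the old file), then verify the new file.
$saved = Join-Path $ntdsDir 'ntds.dit.bak'
Copy-Item "$ntdsDir\ntds.dit" $saved -Force
Copy-Item "$compactTo\ntds.dit" "$ntdsDir\ntds.dit" -Force
Remove-Item "$ntdsDir\*.log" -Force
$check = ntdsutil "activate instance ntds" files integrity quit quit 2>&1 | Out-String
if ($check -notmatch 'Integrity check successful') {   # assumption: ntdsutil's success message
    Copy-Item $saved "$ntdsDir\ntds.dit" -Force
    Start-Service -Name NTDS
    throw "Integrity check failed; original database restored. Output:`n$check"
}

# 4. Bring AD DS and its dependents back and report the space reclaimed.
Start-Service -Name NTDS
Start-Service -Name Kdc, Netlogon, DNS, DFSR -ErrorAction SilentlyContinue
$after = (Get-Item "$ntdsDir\ntds.dit").Length
'ntds.dit: {0:N0} MB -> {1:N0} MB' -f ($before / 1MB), ($after / 1MB)

# ntds.dit.bak and the compacted copy both contain every password hash in the Domain:
# delete them once the DC has replicated and logons are confirmed working.
Remove-Item $saved -Force
Remove-Item $compactTo -Recurse -Force
```

Run `repadmin /showrepl` after the service is back to confirm the DC is replicating again before treating the maintenance as finished.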

Created by Arsen Aronov, © 2023-2024
