Use the Backup Wizard to troubleshoot Active Directory - PowerPoint PPT Presentation

About This Presentation
Title:

Use the Backup Wizard to troubleshoot Active Directory

Description:

This optimizes the time spent on both the backup and the restore processes ... Figure 8-7 The Completing the Backup or Restore Wizard screen (Skill 1) 8.24 ... – PowerPoint PPT presentation

Slides: 76
Provided by: cltAs
Learn more at: http://clt.astate.edu

Transcript and Presenter's Notes



1
Goals
  • Use the Backup Wizard to troubleshoot Active
    Directory
  • Schedule Active Directory backups
  • Examine Active Directory restores
  • Execute a nonauthoritative restore
  • Execute an authoritative restore

2
(Skill 1)
Using the Backup Wizard to Back Up Active
Directory
  • Active Directory is a transaction log-based
    database service that depends on files such as
    ntds.dit and a number of log files in order to
    function
  • To prepare for disaster recovery, you must use
    the Backup Wizard to back up Active Directory
  • The wizard creates an archive with a .bkf
    extension, which contains the files that were
    selected for backup
  • To back up Active Directory, you must be a member
    of either the Backup Operators or Administrators
    group

3
(Skill 1)
Figure 8-1 The Backup Utility Advanced Mode window
4
(Skill 1)
Using the Backup Wizard to Back Up Active
Directory (2)
  • An Active Directory backup includes the Active
    Directory database file, ntds.dit, and the shared
    system volume (SYSVOL) folder
  • SYSVOL is a shared folder created when Active
    Directory is installed
  • It contains all publicly available files for
    domains, such as scripts and Group Policy
    Objects, which users and other domain controllers
    need for domain access

5
(Skill 1)
Using the Backup Wizard to Back Up Active
Directory (3)
  • To back up Active Directory, you back up the
    System State data on a domain controller
  • In addition to the Active Directory database file
    and the SYSVOL folder, System State data has
    other components
  • Registry: the database that stores the
    configuration of a computer, including user
    profiles and folder settings
  • COM Class Registration database: the database that
    stores entries for dynamic link library (.dll)
    and executable (.exe) files on a computer

6
(Skill 1)
Using the Backup Wizard to Back Up Active
Directory (4)
  • In addition to the Active Directory database file
    and the SYSVOL folder, System State data has
    other components
  • System boot files: the files used to load and
    configure the Windows Server 2003 operating
    system
  • Windows File Protection system files: all files
    under Windows File Protection

7
(Skill 1)
Using the Backup Wizard to Back Up Active
Directory (5)
  • Tasks to perform before you start any backup
    operation
  • Choose the scope for the backup, based on your
    requirements
  • Back up the entire contents of a computer
  • Select only particular files, drives, or network
    data
  • Back up only the System State data

8
(Skill 1)
Using the Backup Wizard to Back Up Active
Directory (6)
  • Tasks to perform before you start any backup
    operation
  • Choose the type of backup media
  • You can use Zip or Jaz drives, tape, or the hard
    drive on a remote file server
  • A backup to a file on the file server can be
    backed up to a Zip, Jaz, or tape drive
  • Magnetic tape is the most widely used backup
    medium
  • Inexpensive
  • Stores large amounts of data

9
(Skill 1)
Using the Backup Wizard to Back Up Active
Directory (7)
  • Tasks to perform before you start any backup
    operation
  • Choose the type of backup
  • There are five backup types from which you can
    choose
  • To choose one of these types, you must first
    understand the archive attribute or archive bit
    and how each backup type handles it

10
(Skill 1)
Using the Backup Wizard to Back Up Active
Directory (8)
  • Tasks to perform before you start any backup
    operation
  • Choose the type of backup
  • Archive attribute
  • A property for files and folders that is used to
    identify them when they have changed
  • When a file has changed, the archive attribute,
    which is actually an attribute of the file
    header, is automatically selected

11
(Skill 1)
Using the Backup Wizard to Back Up Active
Directory (9)
  • Tasks to perform before you start any backup
    operation
  • Choose the type of backup
  • Archive attribute
  • Some backup types remove the archive attribute to
    mark files as having been backed up, while others
    do not
  • Some backup types use the archive attribute to
    determine which files to back up
  • Others back up all files regardless of the status
    of the archive attribute

12
(Skill 1)
Using the Backup Wizard to Back Up Active
Directory (10)
  • Tasks to perform before you start any backup
    operation
  • Choose the type of backup
  • Archive attribute
  • Organizations use a blend of the different backup
    types
  • This optimizes the time spent on both the backup
    and the restore processes

13
(Skill 1)
Using the Backup Wizard to Back Up Active
Directory (11)
  • Tasks to perform before you start any backup
    operation
  • Notify users about the backup operation
  • Through e-mail or administrative messages
  • During the backup operation, users who are
    connected over the Internet will have their
    sessions terminated and may lose any unsaved data

14
(Skill 1)
Using the Backup Wizard to Back Up Active
Directory (12)
  • Tasks to perform before you start any backup
    operation
  • Make sure that the media device you have selected
    for storing the backup is listed in the Windows
    Server Catalog
  • The catalog contains a list of devices tested by
    Windows Hardware Testing Labs
  • These devices are supported by Windows Server
    2003

15
(Skill 1)
Using the Backup Wizard to Back Up Active
Directory (13)
  • Tasks to perform before you start any backup
    operation
  • Make sure the backup media device is attached to
    the computer and the device is switched on
  • Make sure the backup media is loaded in the media
    device

16
(Skill 1)
Figure 8-2 The Backup or Restore Wizard
17
(Skill 1)
Figure 8-3 The Backup or Restore screen
18
(Skill 1)
Figure 8-4 The What to Back Up screen
19
(Skill 1)
Using the Backup Wizard to Back Up Active
Directory (14)
  • The default settings in the Backup Wizard work
    well in most cases
  • Additional advanced settings
  • Specify a backup type other than Normal
  • Verify data after the backup operation to ensure
    its success

20
(Skill 1)
Using the Backup Wizard to Back Up Active
Directory (15)
  • Additional advanced settings
  • Append the backup data to an existing archive or
    create a new archive
  • Set a job name to identify the backup job
  • Schedule the backup process to occur at specified
    intervals

21
(Skill 1)
Figure 8-5 The Items to Back Up screen
22
(Skill 1)
Figure 8-6 The Backup Type, Destination, and Name
screen
23
(Skill 1)
Figure 8-7 The Completing the Backup or Restore
Wizard screen
24
(Skill 2)
Scheduling Active Directory Backups
  • To be prepared to recover from a hardware
    failure, system or disk failure, or a virus
    attack, it is best to back up Active Directory
    daily, preferably after office hours
  • A typical schedule
  • Perform a Normal backup once a week
  • Perform an Incremental backup on each of the other
    days of the week
  • This method ensures the backup file occupies less
    disk space and that you have the most recent data
    in the event of a disaster
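
The archive-attribute rules from slides 10 to 12 and the weekly schedule from slide 24, worked through as an added Python model (not code from the slides or from ntbackup). It assumes the rules as the slides state them and adds Differential as a type that leaves the archive bit alone, which goes slightly beyond the slides; file names and the change pattern are constructed for the example.

```python
"""Model of how ntbackup's backup types treat the archive attribute.

Added illustration, not code from the original slides. Rules modelled:
a changed file gets its archive bit set; Normal and Incremental clear
the bit to mark files as backed up; Differential (beyond the slides)
does not. File names and the change pattern are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class File:
    name: str
    archive: bool = True   # set on create/modify: "not yet backed up"


@dataclass
class BackupSet:
    day: str
    kind: str              # Normal, Incremental or Differential
    files: list = field(default_factory=list)


def run_backup(kind, day, volume):
    """Select files according to the backup type and update archive bits.

    Normal:       every file, then clear the archive bit on all of them.
    Incremental:  only files with the bit set, then clear it (so the next
                  Incremental picks up only newer changes).
    Differential: only files with the bit set, but leave the bit alone
                  (so each Differential covers everything since the Normal).
    """
    if kind == "Normal":
        chosen = list(volume.values())
    elif kind in ("Incremental", "Differential"):
        chosen = [f for f in volume.values() if f.archive]
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind != "Differential":
        for f in chosen:
            f.archive = False
    return BackupSet(day, kind, sorted(f.name for f in chosen))


def modify(volume, *names):
    """Create or change files; the OS sets the archive bit automatically."""
    for n in names:
        volume.setdefault(n, File(n)).archive = True


def restore_chain(sets):
    """Backup sets needed to rebuild the volume, in the order to apply them:
    the most recent Normal set plus every Incremental set taken after it."""
    last_normal = max(i for i, s in enumerate(sets) if s.kind == "Normal")
    return [sets[last_normal]] + [s for s in sets[last_normal + 1:]
                                  if s.kind == "Incremental"]


def simulate_week():
    """Sunday Normal, then Incremental on the following days (slide 24)."""
    volume = {n: File(n) for n in ("ntds.dit", "edb.log", "sysvol\\policy.ini")}
    sets = [run_backup("Normal", "Sun", volume)]
    modify(volume, "edb.log")                          # Monday's changes
    sets.append(run_backup("Incremental", "Mon", volume))
    modify(volume, "ntds.dit", "edb.log")              # Tuesday's changes
    sets.append(run_backup("Incremental", "Tue", volume))
    sets.append(run_backup("Incremental", "Wed", volume))  # no changes
    return sets
```

The restore chain shows the trade-off slide 24 describes: a full week of Incremental sets is small on disk, but a restore must apply all of them in order after the Normal set.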

25
(Skill 2)
Scheduling Active Directory Backups (2)
  • Most production networks have ample backup
    capacity to perform a full Normal backup daily
  • Backing up servers can become time-consuming
  • To ease the burden, use the Backup utility to
    schedule backups to run at specified dates and
    times
  • Ntbackup then uses the Task Scheduler to schedule
    the backup

26
(Skill 2)
Scheduling Active Directory Backups (3)
  • Task Scheduler
  • Runs the Backup Wizard to carry out the backup
    operation at the scheduled date and time
  • This is also known as an unattended backup
  • Two ways to schedule an unattended backup
  • Use the Advanced settings on the Completing the
    Backup Wizard screen
  • Use the Schedule Jobs tab in the Backup Utility
    to schedule unattended backups

27
(Skill 2)
Figure 8-8 Running Ntbackup from the Run dialog
box
28
(Skill 2)
Figure 8-9 Scheduling a System State Backup
29
(Skill 2)
Figure 8-10 The How to Back Up screen
30
(Skill 2)
Figure 8-11 The Backup Options screen
31
(Skill 2)
Scheduling Active Directory Backups (4)
  • Task Scheduler
  • On the Schedule Jobs tab in the Backup window
  • Click the icon for a scheduled job to open the
    Scheduled Job Options dialog box
  • You can change the job name on the Schedule data
    tab
  • You can view the job details on the Backup
    details tab

32
(Skill 2)
Scheduling Active Directory Backups (5)
  • Task Scheduler
  • On the Schedule Jobs tab in the Backup window
  • View details about the backup in the Job summary
    section
  • Displays the backup type
  • Displays the properties set for the backup job
  • Whether Verify data has been set
  • Whether hardware compression is to be used
  • Whether access is restricted to the owner or
    administrator
  • The media name used for the job and the set
    description

33
(Skill 2)
Scheduling Active Directory Backups (6)
  • Using Ntbackup
  • You cannot back up individual components of the
    System State data because of the dependencies
    between components
  • Third-party utilities such as Veritas Backup Exec
    can back up individual components
  • You can use Ntbackup to restore System State data
    to an alternate location

34
(Skill 2)
Scheduling Active Directory Backups (7)
  • When you restore the System State to an alternate
    location, certain components are restored
  • SYSVOL directory
  • Cluster database data
  • System boot files
  • When you restore the System State to an alternate
    location, certain components are not restored
  • Active Directory database
  • Certificate Services database
  • COM Class Registration database

35
(Skill 2)
Figure 8-12 The Schedule Job dialog box
36
(Skill 2)
Figure 8-13 The Advanced Schedule Options dialog
box
37
(Skill 2)
Figure 8-14 The Set Account Information dialog box
38
(Skill 2)
Figure 8-15 Scheduled jobs on the calendar on
the Schedule Jobs tab
39
(Skill 3)
Examining Active Directory Restores
  • Active Directory stores information about all of
    the objects in a domain
  • If the files that make up Active Directory become
    corrupt, users and applications cannot access
    Active Directory objects
  • In disaster recovery situations, you must restore
    the latest System State backup data to restore
    Active Directory objects

40
(Skill 3)
Examining Active Directory Restores (2)
  • Methods of restoring System State data
  • Nonauthoritative restore (Normal)
  • Authoritative restore
  • Primary restore

41
(Skill 3)
Examining Active Directory Restores (3)
  • Nonauthoritative restore (Normal)
  • When to use this method
  • You need to recover a domain controller from
    hardware failure or replacement
  • You are sure the data on the other domain
    controllers in the forest is correct
  • All you must do is restore the most recent System
    State backup of the domain controller
  • Restored data, including Active Directory
    objects, will have the USN they had when the
    System State backup was created

42
(Skill 3)
Examining Active Directory Restores (4)
  • Nonauthoritative restore (Normal)
  • Update sequence numbers (USNs)
  • Used to detect and propagate Active Directory
    changes among the servers on the network
  • Make multi-master replication possible
  • Used to track changes made to the database just
    like a version number in DNS
  • When you create an object, Active Directory
    assigns a unique USN to the object
  • When you make changes to the object, Active
    Directory increments the USN for the object by one

43
(Skill 3)
Examining Active Directory Restores (5)
  • Nonauthoritative restore (Normal)
  • Update sequence numbers (USNs)
  • The copy of the object that has the highest USN
    is considered to be the most up-to-date, and is
    replicated to the other domain controllers
  • Because the USNs in the System State backup will
    be lower than more recent versions of Active
    Directory objects, the Active Directory
    replication system views data that is restored
    non-authoritatively as old data
  • If more recent data is available on other
    servers, the Active Directory replication system
    uses it to update the restored data

44
(Skill 3)
Examining Active Directory Restores (6)
  • Nonauthoritative restore (Normal)
  • After the nonauthoritative restore
  • Active Directory replication begins
  • Changes that occurred on the other domain
    controllers are automatically propagated to the
    domain controller that has come back online
  • You must use an authoritative restore to
    replicate restored data to other servers

45
(Skill 3)
Examining Active Directory Restores (7)
  • Nonauthoritative restore (Normal)
  • Unless you only have one domain controller, or
    are at an isolated remote location, a
    nonauthoritative restore is not very useful
  • This is because in order to perform a
    nonauthoritative restore on a failed domain
    controller, you must first reinstall Windows
    Server 2003 and promote the server to a domain
    controller
  • As part of this process, the Active Directory
    database is copied from the other servers onto
    your failed server, fully restoring Active
    Directory

46
(Skill 3)
Examining Active Directory Restores (8)
  • Authoritative restore
  • Used when an Active Directory object, or group of
    objects, has been accidentally deleted
  • When an object is deleted in Active Directory, it
    is not truly deleted; it is tombstoned
  • Tombstoning essentially marks the object dead,
    which makes it unusable, and updates the USN for
    the object
  • This is done so that the deletion is properly
    replicated to all domain controllers

47
(Skill 3)
Examining Active Directory Restores (9)
  • Authoritative restore
  • Once every night, a process known as Garbage
    Collection runs on all domain controllers
  • Any object that has been tombstoned for more than
    60 days (by default) is actually deleted during
    this process
  • Because of the tombstoning process, to
    effectively restore a deleted object
  • You must increment the USN of that object
    subsequent to the actual restore process
  • This makes the restored copy the more up-to-date
    version

48
(Skill 3)
Examining Active Directory Restores (10)
  • Authoritative restore
  • During an authoritative restore, the USN of the
    deleted object is increased by 100,000 for each
    day since the backup was performed so that it is
    higher than the USNs of the existing objects
  • You perform an authoritative restore by executing
    the Ntdsutil command on a domain controller

49
(Skill 3)
Examining Active Directory Restores (11)
  • Authoritative restore
  • Using Ntdsutil
  • Ntdsutil is a command-line utility, which is
    stored in Systemroot\System32
  • It supplies a number of other directory
    management features not found in any of the
    graphical tools
  • You mark Active Directory objects for
    authoritative restore
  • This modifies the USN, making it higher than any
    other update sequence number in the Active
    Directory replication system
  • Objects restored using this command are
    considered to be the most current copy of those
    objects, and are properly replicated to the other
    servers on the network

50
(Skill 3)
Figure 8-16 Authoritative Restore
51
(Skill 3)
Figure 8-17 First level of commands for ntdsutil
52
(Skill 3)
Examining Active Directory Restores (12)
  • Primary restore
  • You do a primary restore when you must rebuild
    the domain from backup because all domain
    controllers in the domain have been lost
  • You perform a primary restore on the first domain
    controller and nonauthoritative restores on all
    of the other domain controllers
  • You only perform a primary restore when the
    server you are trying to restore is the only
    running server in a replicated data set

53
(Skill 3)
Examining Active Directory Restores (13)
  • Active Directory actually performs attribute
    level replication in most cases
  • If you change a field in a user account, only the
    field is replicated, not the entire object
  • To provide full replication functionality, Active
    Directory actually assigns a USN
  • To the database
  • To each object in the database
  • To each attribute of each object

54
(Skill 4)
Executing a Nonauthoritative Restore
  • Nonauthoritative restore
  • Used to restore Active Directory in cases where
    no objects have been accidentally deleted and no
    other options are available
  • You use the backup of the System State data to
    restore Active Directory on a domain controller
  • To begin, start the computer in a special safe
    mode called Directory Services Restore Mode
  • Then use the Restore Wizard to restore Active
    Directory

55
(Skill 4)
Executing a Nonauthoritative Restore (2)
  • Directory Services Restore Mode
  • This mode ensures the domain controller remains
    offline while you restore the Active Directory
    database and the SYSVOL folder
  • In this offline mode, Active Directory services
    on the domain controller are stopped so that a
    successful restoration can occur
  • The computer is not disconnected from the
    network, but all Active Directory services are
    halted

56
(Skill 4)
Executing a Nonauthoritative Restore (3)
  • Directory Services Restore Mode
  • After the Active Directory restoration process is
    complete and the server is restarted, the normal
    replication process updates the restored Active
    Directory database with the help of the
    replication partner domain controllers on the
    domain

57
(Skill 4)
Figure 8-18 The Desktop message box
58
(Skill 4)
Figure 8-19 Restoring the System State
59
(Skill 4)
Figure 8-20 The Warning dialog box
60
(Skill 4)
Executing a Nonauthoritative Restore (4)
  • Directory Services Restore Mode
  • You can also use Ntdsutil to reset the Directory
    Services Restore Mode password
  • At the ntdsutil prompt, type Set DSRM and press
    Enter
  • At the Reset DSRM Administrator Password prompt,
    type Reset Password on server s where s is the
    name of the server
  • After you press Enter, you are prompted to type
    the password and re-enter the password

61
(Skill 4)
Figure 8-21 The Restore Progress dialog box
62
(Skill 4)
Figure 8-22 The Backup Utility warning dialog box
63
(Skill 5)
Executing an Authoritative Restore
  • You use an authoritative restore to recover
    selected Active Directory objects
  • Preliminary tasks
  • Copy the Policies folder in the SYSVOL folder to
    an alternate location
  • Copy the Policies folder from the alternate
    location back to its original location after you
    perform the authoritative restore and after the
    SYSVOL share has been published

64
(Skill 5)
Executing an Authoritative Restore (2)
  • Preliminary tasks
  • Perform a nonauthoritative restore of the System
    State data
  • You can then use Ntdsutil to perform an
    authoritative restore to recover the deleted
    object

65
(Skill 5)
Executing an Authoritative Restore (3)
  • Run the Ntdsutil command-line utility to perform
    an authoritative restore
  • Ntdsutil marks an object for authoritative
    restore by increasing the USN by 100,000 for each
    day since the backup was performed so that it is
    higher than the USNs of the existing object
  • To restore a deleted object, you must specify the
    distinguished name of the object

66
(Skill 5)
Executing an Authoritative Restore (4)
  • Distinguished name (DN)
  • Uniquely identifies an object on a network
  • It is an LDAP component that includes the name of
    the domain that holds the object and the complete
    path to the object through the container
    hierarchy
  • It identifies an object throughout the LDAP
    hierarchy because it refers to the relative
    distinguished name, domain name, and the
    container where the object is stored

67
(Skill 5)
Executing an Authoritative Restore (5)
  • Distinguished name (DN)
  • Can consist of the common name (cn), the
    organizational unit name (ou), and the domain
    component name (dc)
  • The common name for a user object is the full
    user name, not the logon name
  • For user names and OUs that contain spaces, the
    DN must be enclosed in quotation marks

68
(Skill 5)
Executing an Authoritative Restore (6)
  • To restore an OU and all objects in it, use the
    command Restore subtree s, where s represents
    the server name
  • To restore an object, use Restore object s
  • To override the version (USN) increase, add the
    parameter verinc d, where d represents the
    value by which you want to increment the version
    number
  • Use this parameter only to authoritatively
    restore over an incorrect authoritative restore
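
The USN rules from slides 42 to 48 (highest USN wins, a deletion is a tombstone that raises the USN, an authoritative restore adds 100,000 per day since the backup) and the verinc override from slide 68, worked through as an added Python model that is not code from the slides or from Ntdsutil. The object name, the USN values and the replication helper are constructed for the example.

```python
"""Model of how USNs decide which copy of an object wins after a restore.

Added illustration, not code from the original slides. Rules modelled:
the replica with the highest USN is treated as most current; a deletion
tombstones the object and gives it a new, higher USN; an authoritative
restore raises the restored USN by 100,000 per day since the backup, or
by an explicit verinc value. DN, USN values and helpers are constructed.
"""
from dataclasses import dataclass, replace

USN_PER_DAY = 100_000   # increase per day since the backup (slide 48)


@dataclass(frozen=True)
class Obj:
    dn: str               # distinguished name, quoted in Ntdsutil if it has spaces
    usn: int
    tombstoned: bool = False


def replicate(*replicas):
    """Return the copy the replication system treats as most up to date."""
    return max(replicas, key=lambda o: o.usn)


def take_backup(obj):
    """Snapshot of the object as it was, USN included."""
    return replace(obj)


def tombstone(obj, usn_counter):
    """Deletion marks the object dead and assigns a new, higher USN so the
    deletion itself replicates to every domain controller (slide 46)."""
    return replace(obj, tombstoned=True, usn=usn_counter)


def nonauthoritative_restore(backup):
    """Restored copy keeps the USN it had when the backup was created."""
    return replace(backup)


def authoritative_restore(backup, days_since_backup, verinc=None):
    """Mark the restored object so that it wins replication.
    verinc overrides the default 100,000-per-day increase (slide 68)."""
    increase = verinc if verinc is not None else USN_PER_DAY * days_since_backup
    return replace(backup, usn=backup.usn + increase, tombstoned=False)


def scenario_accidental_delete(days_since_backup=3, verinc=None):
    """Object backed up, then deleted; compare the two restore methods.
    Returns the copy that survives replication for each method."""
    user = Obj("cn=Jane Doe,ou=Sales,dc=example,dc=com", usn=4_000)
    backup = take_backup(user)
    dead = tombstone(user, usn_counter=4_250)   # deletion already replicated
    after_nonauth = replicate(nonauthoritative_restore(backup), dead)
    after_auth = replicate(
        authoritative_restore(backup, days_since_backup, verinc), dead)
    return after_nonauth, after_auth
```

With the default increase the restored copy wins by a wide margin; with a verinc value that is too small it could still lose to the tombstone, which is why the slides reserve verinc for correcting an earlier authoritative restore.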

69
(Skill 5)
Executing an Authoritative Restore (7)
  • Just like a nonauthoritative restore, an
    authoritative restore requires that the domain
    controller be running in Directory Services
    Restore Mode
  • Run the Ntdsutil command after you have restored
    the System State data and before you have
    restarted the server from Active Directory Restore
    mode
  • You cannot restart normally between the
    nonauthoritative restore and the authoritative
    restore

70
(Skill 5)
Executing an Authoritative Restore (8)
  • After the restoration is complete, the domain
    controller is brought back online by restarting
    the computer normally
  • If the Active Directory database has changed on
    the replication partner domain controllers, the
    replication process updates their databases using
    the restored Active Directory database
  • The replication process also distributes
    information about the restored object to other
    domain controllers

71
(Skill 5)
Figure 8-23 Copying the Policies folder to an
alternate location
72
(Skill 5)
Executing an Authoritative Restore (9)
  • If you accidentally delete a large number of
    objects, manually recovering each object would be
    a cumbersome task
  • Instead you can authoritatively restore the
    entire database
  • To do this, type the restore database command at
    the authoritative restore prompt

73
(Skill 5)
Executing an Authoritative Restore (10)
  • Do not perform an authoritative restore of the
    entire database on servers holding the RID master
    or schema master FSMO roles
  • The schema cannot be authoritatively restored,
    and authoritatively restoring the RID master can
    lead to SID conflicts

74
(Skill 5)
Figure 8-24 Confirming an authoritative restore
75
(Skill 5)
Figure 8-25 Using Ntdsutil to recover a deleted
object