Active Directory Cookbook for Windows Server 2003 - P50 pps


Recipe 16.1 Backing Up Active Directory

16.1.1 Problem

You want to back up Active Directory to tape or disk.

16.1.2 Solution

Back up the System State, which includes the Active Directory-related files on the domain controller. Here are the directions for backing up the System State using the NtBackup utility that comes installed on Windows 2000 and Windows Server 2003 computers.

16.1.2.1 Using a graphical user interface

1. Go to Start -> All Programs (or Programs for Windows 2000) -> Accessories -> System Tools -> Backup.
2. Click the Advanced Mode link.
3. Click the Backup tab.
4. Check the box beside System State.
5. Check the box beside any other files, directories, or drives you would also like to back up.
6. For Backup destination, select either File or Tape, depending on where you want to back up the data to.
7. For Backup media or file name, type the name of a file or select the tape to save the backup to.
8. Click the Start Backup button twice.

16.1.2.2 Using a command-line interface

The NtBackup utility supports several command-line parameters that you can use to initiate backups without ever bringing up the GUI. For the complete list of supported commands on Windows 2000, see MS KB 300439 (How to Use Command Line Parameters With the "Ntbackup" Command). For the complete list of supported commands on Windows Server 2003, see MS KB 814583 (HOW TO: Use Command Line Parameters with the Ntbackup Command in Windows Server 2003).

16.1.3 Discussion

Fortunately, domain controllers can be backed up while online. Having the ability to do live backups makes the process very easy. And since Active Directory is included as part of the System State on domain controllers, you are required to back up only the System State, although you can back up other folders and drives as necessary.
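The command-line backup the recipe points to is easy to schedule, but the check most shops forget is the one in the See Also list below: a System State backup is only restorable while it is younger than the forest's tombstone lifetime. The following PowerShell script is an added example, not code from the Cookbook or from Microsoft; it runs ntbackup against a file target, records a SHA-256 of the .bkf so the media can be verified before a restore, and compares the newest backup's age with the tombstoneLifetime attribute read over ADSI. The folder D:\ADBackups and all function names are assumptions; it targets PowerShell 2.0 on a Windows 2000/2003 domain controller.

```powershell
# Added example (not from the Cookbook): scheduled System State backup plus a
# freshness check against the forest tombstone lifetime (KB 216993, Recipe 16.18).
# Assumptions: ntbackup.exe on the PATH, PowerShell 2.0, run as a Backup Operator or
# Administrator on the DC, and D:\ADBackups as the (assumed) target folder. Keep that
# folder off the NTDS volume and ACL it to administrators only: a .bkf holds the SAM and
# the whole directory database, including password hashes.

$BackupDir = 'D:\ADBackups'   # assumed location

function New-SystemStateBackup {
    param([string]$Dir = $BackupDir)
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $file  = Join-Path $Dir ("SystemState-{0}-{1}.bkf" -f $env:COMPUTERNAME, $stamp)

    # ntbackup switches: 'backup systemstate' selects the System State, /J names the job,
    # /F writes to a file rather than tape, /M normal is a full backup, /L:s keeps a summary log.
    & ntbackup.exe backup systemstate /J "AD System State $stamp" /F $file /M normal /L:s
    if (-not (Test-Path $file)) { throw "ntbackup did not produce $file; check the NTBackup log" }

    # Record a SHA-256 next to the .bkf so the media can be verified before it is restored.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($file)
    try     { $hex = ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
    "$hex  $(Split-Path $file -Leaf)" | Out-File -FilePath "$file.sha256" -Encoding ASCII
    Get-Item $file
}

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on CN=Directory Service,CN=Windows NT,CN=Services,<config NC>.
    # When the attribute is not set, Windows 2000 and Windows Server 2003 behave as if it were 60.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $cfgNC   = $rootDse.Properties['configurationNamingContext'].Value
    $dsObj   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC"
    $value   = $dsObj.Properties['tombstoneLifetime'].Value
    if ($value) { return [int]$value } else { return 60 }
}

function Test-BackupFreshness {
    param([string]$Dir = $BackupDir)
    $newest = Get-ChildItem -Path $Dir -Filter '*.bkf' |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) { return New-Object PSObject -Property @{ Ok = $false; Reason = 'no .bkf found' } }

    $ageDays = ((Get-Date) - $newest.LastWriteTime).TotalDays
    $tsl     = Get-TombstoneLifetimeDays
    # Warn at half the tombstone lifetime so there is time to take a new backup; never
    # restore one that is older than $tsl days.
    New-Object PSObject -Property @{
        File              = $newest.FullName
        AgeDays           = [math]::Round($ageDays, 1)
        TombstoneLifetime = $tsl
        Ok                = ($ageDays -lt ($tsl / 2))
    }
}

New-SystemStateBackup | Out-Null
Test-BackupFreshness | Format-List
```

Run it from a scheduled task under an account that is a member of Backup Operators; the Ok flag is what a monitoring job should alert on. The hash file is not a substitute for test restores, but it does catch a .bkf that was altered or truncated on disk before you trust it in DS Restore Mode.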
On a domain controller, the System State includes the following:

• Boot files
• Registry
• COM+ class registration database
• Active Directory files
• System Volume (SYSVOL)
• Certificates database (if running Certificate Server)

16.1.4 See Also

Recipe 16.18 for modifying the tombstone lifetime, MS KB 216993 (Backup of the Active Directory Has 60-Day Useful Life), MS KB 240363 (HOW TO: Use the Backup Program to Back Up and Restore the System State in Windows 2000), MS KB 300439 (How to Use Command Line Parameters With the "Ntbackup" Command), MS KB 326216 (HOW TO: Use the Backup Feature to Back Up and Restore Data in Windows Server 2003), and MS KB 814583 (HOW TO: Use Command Line Parameters with the Ntbackup Command in Windows Server 2003)

Recipe 16.2 Restarting a Domain Controller in Directory Services Restore Mode

16.2.1 Problem

You want to restart a domain controller in DS Restore Mode.

16.2.2 Solution

To enter DS Restore Mode, you must reboot the server at the console. Press F8 after the power-on self test (POST) to bring up the boot options menu shown in Figure 16-1. From the menu, select Directory Services Restore Mode.

[Figure 16-1. Boot options]

16.2.3 Discussion

The Active Directory database is live and locked by the system when a domain controller is booted into normal mode. If you want to perform integrity checks, manipulate the Active Directory database in some way, or restore part of the database, you have to reboot into DS Restore Mode. In this mode, Active Directory does not start up and the database files (ntds.dit) are not locked. Because the directory is offline, no domain account can log on to the server in this mode; you authenticate with the local DS Restore Mode administrator account and password described in Recipe 16.3.

It is not always practical to be logged into the console of the server when you need to reboot it into DS Restore Mode. You can work around this by adding the /safeboot:dsrepair switch to the server's entry in boot.ini so that it boots into DS Restore Mode automatically on the next restart, and then use Terminal Services to log on to the machine remotely while it is in that mode. See MS KB 256588 for more information on how to enable this capability.
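The boot.ini approach above can be driven from an administrator's workstation with bootcfg.exe, which is the part of the procedure that goes wrong when the original switches are lost or nobody can log on afterwards. The following script is an added example, not code from the Cookbook or from KB 256588; it checks that Terminal Services is answering before touching the boot entry, saves the current OS load options on the domain controller itself, appends /safeboot:dsrepair with bootcfg /raw /a, and provides the matching revert to run from inside the DS Restore Mode session. The server name DC1, the file name dsrm-osloadoptions.txt and the function names are assumptions, and it assumes Windows Server 2003 with a single OS entry (id 1) in boot.ini.

```powershell
# Added example (not from the Cookbook or KB 256588): stage a remote DC to boot into
# Directory Services Restore Mode via the /safeboot:dsrepair boot.ini switch and undo it.
# Assumptions: Windows Server 2003 (bootcfg.exe), one OS entry (/id 1) in boot.ini, RPC
# reachable for bootcfg and shutdown, server name DC1. You must already know that DC's DS
# Restore Mode administrator password (Recipe 16.3); in DS Restore Mode that local SAM
# account is the only one that can log on, over Terminal Services or at the console.

$Server   = 'DC1'                          # assumed name
$SaveName = 'dsrm-osloadoptions.txt'       # saved on the DC's C: drive (assumed path)

function Test-TerminalServicesPort {
    param([string]$Name, [int]$Port = 3389)
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($Name, $Port); return $true }
    catch   { return $false }
    finally { $client.Close() }
}

function Get-OsLoadOptions {
    # bootcfg /query prints each boot entry with an 'OS Load Options:' line; take entry 1's.
    param([string]$Name)
    $lines = & bootcfg /query /s $Name
    foreach ($line in $lines) {
        if ($line -match '^\s*OS Load Options:\s*(.*)$') { return $Matches[1].Trim() }
    }
    throw "Could not read the OS load options of $Name"
}

function Enable-DsrmBoot {
    # Run from the admin workstation while the DC is still in normal mode.
    param([string]$Name)
    if (-not (Test-TerminalServicesPort -Name $Name)) {
        throw "TCP 3389 on $Name is not answering; after the reboot you would have no way in"
    }
    # Save the current switches (e.g. /fastdetect /NoExecute=OptIn) on the DC, where they
    # remain readable from inside the DS Restore Mode session.
    Get-OsLoadOptions -Name $Name | Out-File -FilePath "\\$Name\C`$\$SaveName" -Encoding ASCII
    # /raw with /a appends to entry 1's OS load options instead of replacing them.
    & bootcfg /raw /s $Name "/safeboot:dsrepair" /a /id 1
    & bootcfg /query /s $Name
}

function Disable-DsrmBoot {
    # Run locally, inside the Terminal Services session on the DC, before leaving DS Restore
    # Mode. Domain credentials do not work against a DC in this mode, so do not attempt this
    # remotely with bootcfg /s from a domain account.
    $saved = "C:\$SaveName"
    if (-not (Test-Path $saved)) { throw "No saved options in $saved; edit boot.ini by hand" }
    $orig = (Get-Content $saved | Select-Object -First 1).Trim()
    # /raw without /a overwrites the options string, which drops /safeboot:dsrepair.
    & bootcfg /raw $orig /id 1
    & bootcfg /query
    Remove-Item $saved
}

# 1. From the workstation: Enable-DsrmBoot, then reboot the DC (below).
# 2. Connect with mstsc as <DC>\Administrator using the DS Restore Mode password.
# 3. Inside that session, after the maintenance:  Disable-DsrmBoot ; shutdown /r /t 0
Enable-DsrmBoot -Name $Server
& shutdown /r /m "\\$Server" /t 30 /c "Rebooting $Server into Directory Services Restore Mode"
```

Two design points: the saved options are written to the DC rather than the workstation because the workstation's domain credentials are useless against the server once it is in DS Restore Mode, and the port check runs before boot.ini is touched so that a misconfigured Terminal Services listener is discovered while you can still fix it from a normal-mode session.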
Be careful if you try to access DS Restore Mode via Terminal Services. Unless you have configured everything properly, you may end up with the domain controller booted into DS Restore Mode and not be able to access it via Terminal Services, and since only the local DS Restore Mode administrator account can log on in that mode, no domain credential will get you in.

16.2.4 See Also

MS KB 256588 (Using Terminal Services for Remote Administration of Windows 2000 DCs in Directory Service Restore Mode)

Recipe 16.3 Resetting the Directory Service Restore Mode Administrator Password

16.3.1 Problem

You want to reset the DS Restore Mode administrator password. This password is set individually (i.e., not replicated) on each domain controller, and is initially configured when you promote the domain controller into a domain.

16.3.2 Solution

16.3.2.1 Using a graphical user interface

1. For this to work you must be booted into DS Restore Mode (see Recipe 16.2 for more information).
2. Go to Start -> Run.
3. Type compmgmt.msc and press Enter.
4. In the left pane, expand System Tools -> Local Users and Groups.
5. Click on the Users folder.
6. In the right pane, right-click on the Administrator user and select Set Password.
7. Enter the new password, confirm it, and then click OK.

16.3.2.2 Using a command-line interface

With the Windows Server 2003 version of ntdsutil, you can change the DS Restore Mode administrator password of a domain controller while it is live (i.e., not in DS Restore Mode). Another benefit of this new option is that you can run it against a remote domain controller. Here is the sample output when run against domain controller DC1:

> ntdsutil "set dsrm password" "reset password on server DC1"
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server DC1
Please type password for DS Restore Mode Administrator Account: **********
Please confirm new password: **********
Password has been set successfully.

Microsoft added a new command in Windows 2000 Service Pack 2 and later called setpwd.
It works similarly to the Windows Server 2003 version of ntdsutil by allowing you to reset the DS Restore Mode password while a domain controller is live. It can also be used remotely.

16.3.3 Discussion

You may be thinking that having a separate DS Restore Mode administrator password can be quite a pain. Yet another thing you have to maintain and update on a regular basis, right? But if you think about it, you'll see that it is quite necessary. Generally, you boot a domain controller into DS Restore Mode when you need to perform some type of maintenance on the Active Directory database. To do this, the database needs to be offline. If the database is offline, then there is no way to authenticate against it. The system has to use another user repository, so it reverts back to the legacy SAM database. The DS Restore Mode administrator account and password are stored in the SAM database just like with standalone Windows clients.

Treat that account accordingly: it is a full local administrator credential on each domain controller, so give every domain controller its own strong password, keep it in the same protected store as your other privileged credentials, and change it when staff who knew it leave. The ntdsutil and setpwd options above make that a quick, remote operation.

16.3.4 See Also

Recipe 16.2 for booting into Directory Services Restore Mode, MS KB 239803 (How to Change the Recovery Console Administrator Password on a Domain Controller), and MS KB 322672 (HOW TO: Reset the Directory Services Restore Mode Administrator Account Password in Windows Server 2003)

Recipe 16.4 Performing a Nonauthoritative Restore

16.4.1 Problem

You want to perform a nonauthoritative restore of a domain controller. This can be useful if you want to quickly restore a domain controller that failed due to a hardware problem.

16.4.2 Solution

16.4.2.1 Using a graphical user interface

1. You must first reboot into Directory Services Restore Mode (see Recipe 16.2 for more information).
2. Open the NT Backup utility; go to Start -> All Programs (or Programs for Windows 2000) -> Accessories -> System Tools -> Backup.
3. Click the Advanced Mode link.
4. Under the Welcome tab, click the Restore Wizard button and click Next.
5. Check the box beside System State and any other drives you want to restore and click Next.
6. Click the Advanced button.
7. Select Original location for Restore files to.
8. For the How to Restore option, select Replace existing files and click Next.
9. For the Advanced Restore Options, be sure that the following are checked: Restore Security Settings, Restore junction points, and Preserve existing volume mount points. Then click Next.
10. Click Finish.
11. Restart the computer.

16.4.3 Discussion

If you encounter a failed domain controller that you cannot bring back up (e.g., multiple hard disks fail), you have two options for restoring it. One option is to remove the domain controller completely from Active Directory (as outlined in Recipe 3.6) and then repromote it back in. This is known as the restore from replication method, because you are essentially bringing up a brand new domain controller and letting replication restore all the data on the server. On Windows Server 2003 domain controllers, you can also use the Install From Media option described in Recipe 3.2 to expedite this process.

The other option is described in the Solution section: restore the domain controller from a good backup. This method involves getting into DS Restore Mode, restoring the System State and any necessary system drive(s), and then rebooting. As long as the domain controller comes up clean, it should start participating in Active Directory replication once again and sync any changes that have occurred since the backup was taken. The backup you restore must be younger than the tombstone lifetime (see MS KB 216993 in Recipe 16.1); an older one would reintroduce objects that the rest of the forest has already deleted and purged. For a detailed discussion of the advantages and disadvantages of each option, see Chapter 13 in Active Directory, Second Edition (O'Reilly).

16.4.4 See Also

Recipe 16.2 for getting into Directory Services Restore Mode and MS KB 240363 (HOW TO: Use the Backup Program to Back Up and Restore the System State in Windows 2000)

Recipe 16.5 Performing an Authoritative Restore of an Object or Subtree

16.5.1 Problem

You want to perform an authoritative restore of one or more objects, but not the entire Active Directory database.
16.5.2 Solution

Follow the same steps as Recipe 16.4, except after the restore has completed, do not restart the computer. To restore a single object, run the following:

> ntdsutil "auth restore" "restore object cn=jsmith,ou=Sales,dc=rallencorp,dc=com" q

To restore an entire subtree, run the following:

> ntdsutil "auth restore" "restore subtree ou=Sales,dc=rallencorp,dc=com" q

Then restart the computer.

There are some issues related to restoring user, group, computer, and trust objects that you should be aware of. See MS KB 216243 and MS KB 280079 for more information.

16.5.3 Discussion

If an administrator or user accidentally deletes an important object or entire subtree from Active Directory, you can restore it. Fortunately, the process isn't very painful. The key is having a good backup that contains the objects you want to restore. If you don't have a backup with the objects in it, you are out of luck. Well, that is not completely true with Windows Server 2003. See Recipe 16.17 for another option to restore deleted objects.

To restore one or more objects, you need to follow the same steps as performing a nonauthoritative restore. The only difference is that after you do the restore, you need to use the ntdsutil command to mark the objects in question as authoritative on the restored domain controller. After you reboot the domain controller, it will replicate in any objects changed since the backup was taken, except for the objects or subtree that were marked as authoritative. For those objects, ntdsutil raises the version number on the restored attributes (by default, 100,000 for each day that has elapsed since the backup), so the restored values win replication conflict resolution and replicate out to the other domain controllers.

You can also use ntdsutil without first doing a restore in situations where an object has been deleted accidentally, but the change has not yet replicated to all domain controllers.
The trick here is that you need to find a domain controller that has not had the deletion replicated yet and either stop it from replicating or make the object authoritative before it receives the replication update.

16.5.4 See Also

Recipe 16.2 for booting into Directory Services Restore Mode, Recipe 16.17 for restoring a deleted object, MS KB 216243 (Authoritative Restore of Active Directory and Impact on Trusts and Computer Accounts), and MS KB 280079 (Authoritative Restore of Groups Can Result in Inconsistent Membership Information Across Domain Controllers)

Recipe 16.6 Performing a Complete Authoritative Restore

16.6.1 Problem

You want to perform a complete authoritative restore of the Active Directory database because something very bad has happened.

16.6.2 Solution

Follow the same steps as Recipe 16.4, except after the restore has completed, do not restart the computer. Run the following command to restore the entire database:

> ntdsutil "auth restore" "restore database" q

Then restart the computer.

16.6.3 Discussion

In a production environment, you should never have to perform a complete authoritative restore. It is a drastic measure and you will inevitably lose data as a result. Before you even attempt such a restore, you may want to contact Microsoft Support to make sure all options have been exhausted. That said, you should test the authoritative restore process in a lab environment, and make sure you have the steps properly documented in case you ever do need to use it.
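Recipe 16.5 is usually run for more than one object, and the part that gets skipped under pressure is the verification afterwards. The following PowerShell script is an added example, not code from the Cookbook; it wraps the same ntdsutil "authoritative restore" invocations for a list of DNs while the domain controller is in DS Restore Mode (refusing to run anywhere else), logs the output, and after the reboot checks that each object exists on the restored domain controller and on a replication partner and shows its replication metadata with repadmin. It also includes the "stop it from replicating" alternative from the Discussion, implemented with repadmin /options. The DNs, the names DC1 and DC2, the log path C:\ADRestore and the function names are assumptions; repadmin.exe comes from the Windows Server 2003 Support Tools.

```powershell
# Added example (not from the Cookbook): batch the authoritative-restore commands of
# Recipe 16.5 in DS Restore Mode, then verify after the reboot. Assumptions: Windows
# Server 2003 Support Tools (repadmin.exe) installed; DC1, DC2, the DNs and the log path
# are placeholders.

$LogFile = 'C:\ADRestore\authrestore.log'   # assumed

function Assert-DsRestoreMode {
    # Safe-mode boots set SAFEBOOT_OPTION; Directory Services Restore Mode sets it to DSREPAIR.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Not in Directory Services Restore Mode; reboot per Recipe 16.2 first'
    }
}

function Invoke-AuthoritativeRestore {
    param([string[]]$DistinguishedName, [switch]$Subtree)
    Assert-DsRestoreMode
    $dir = Split-Path $LogFile -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $verb = 'restore object'
    if ($Subtree) { $verb = 'restore subtree' }
    foreach ($dn in $DistinguishedName) {
        # Same invocation as the recipe; the DN travels as one argument so its commas survive.
        $out = & ntdsutil 'authoritative restore' "$verb $dn" q q 2>&1
        "[$(Get-Date -Format s)] $verb $dn" | Out-File -FilePath $LogFile -Append
        $out | Out-File -FilePath $LogFile -Append
        $out
    }
}

function Test-ObjectPresent {
    # Run in normal mode after the reboot: True if the DN resolves on the named DC.
    param([string]$DistinguishedName, [string]$Dc)
    return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Dc/$DistinguishedName")
}

function Show-ReplicationMetadata {
    # repadmin /showobjmeta lists per-attribute version numbers. After an authoritative
    # restore the restored attributes carry versions raised by 100000 per day since the backup.
    param([string]$DistinguishedName, [string]$Dc)
    & repadmin /showobjmeta $Dc $DistinguishedName
}

function Set-InboundReplication {
    # The Discussion's alternative: hold inbound replication on a DC that has not yet received
    # the deletion, so the object can be marked authoritative there before it is tombstoned.
    param([string]$Dc, [bool]$Enabled)
    $flag = '+DISABLE_INBOUND_REPL'
    if ($Enabled) { $flag = '-DISABLE_INBOUND_REPL' }
    & repadmin /options $Dc $flag
}

# In DS Restore Mode on DC1, after the nonauthoritative restore of Recipe 16.4:
#   Invoke-AuthoritativeRestore -DistinguishedName 'cn=jsmith,ou=Sales,dc=rallencorp,dc=com'
#   Invoke-AuthoritativeRestore -DistinguishedName 'ou=Sales,dc=rallencorp,dc=com' -Subtree
#
# After the reboot, from any domain-joined machine with the Support Tools:
#   Test-ObjectPresent 'cn=jsmith,ou=Sales,dc=rallencorp,dc=com' 'DC1'   # expect True
#   Test-ObjectPresent 'cn=jsmith,ou=Sales,dc=rallencorp,dc=com' 'DC2'   # True once replicated
#   Show-ReplicationMetadata 'cn=jsmith,ou=Sales,dc=rallencorp,dc=com' 'DC1'
#
# Holding a DC that has not yet seen the deletion (re-enable as soon as you are done):
#   Set-InboundReplication -Dc 'DC2' -Enabled $false
#   Set-InboundReplication -Dc 'DC2' -Enabled $true
```

The calls are left as comments because every one of them changes directory state; run them deliberately, in that order. If you use Set-InboundReplication, re-enable inbound replication as soon as the object is marked authoritative, and remember that the group-membership caveat in MS KB 280079 still applies to anything restored this way.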
16.6.4 See Also

Recipe 16.2 for getting into Directory Services Restore Mode, MS KB 216243 (Authoritative Restore of Active Directory and Impact on Trusts and Computer Accounts), MS KB 241594 (HOW TO: Perform an Authoritative Restore to a Domain Controller in Windows 2000), and MS KB 280079 (Authoritative Restore of Groups Can Result in Inconsistent Membership Information Across Domain Controllers)

Recipe 16.7 Checking the DIT File's Integrity

16.7.1 Problem

You want to check the integrity and semantics of the DIT file to verify there is no corruption or bad entries.

16.7.2 Solution

16.7.2.1 Using a command-line interface

First, reboot into Directory Services Restore Mode. Then run the following commands:

> ntdsutil files integrity q q
> ntdsutil "semantic database analysis" "verbose on" go q q

16.7.3 Discussion

The Active Directory DIT file (ntds.dit) is implemented as a transactional database. Microsoft uses the ESE database (formerly called Jet) for Active Directory, which has been used for years in other products, such as Microsoft Exchange. Since the Active Directory DIT ultimately is a database, it can suffer from many of the same issues that traditional databases do.

The ntdsutil integrity command checks for any low-level database corruption and ensures that the database headers are correct and the tables are in a consistent state. It reads every byte of the database and can take quite a while to complete depending on how large your DIT file is. The time it takes is also greatly dependent on your hardware, but some early estimates from Microsoft for Windows 2000 put the rate at 2 GB an hour.

Whereas the ntdsutil integrity command verifies the overall structure and health of the database, the ntdsutil semantic database analysis command looks at the contents of the database. It will verify, among other things, reference counts, replication metadata, and security descriptors. If any errors are reported back, you can run go fixup to attempt to correct them.
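Both checks print to the console and are easy to lose in a long DS Restore Mode session, and the recipe that follows (moving the DIT files, Recipe 16.8) is where a practitioner first needs to know exactly where ntds.dit and its logs live and whether the destination can hold them. The following PowerShell script is an added example, not code from the Cookbook; it reads the current file locations from the NTDS Parameters registry key, checks that a proposed target drive is NTFS with headroom, and runs the two ntdsutil commands above with their output captured to a log file and scanned for error words. C:\ADMaint, D:\NTDS and the function names are assumptions, the error-word scan is a heuristic (read the full log before acting on it), and it assumes PowerShell 2.0 on a Windows 2000/2003 domain controller.

```powershell
# Added example (not from the Cookbook): log-and-scan wrapper for the Recipe 16.7 checks,
# plus the pre-flight for Recipe 16.8's move. Assumptions: DS Restore Mode on a Windows
# 2000/2003 DC, PowerShell 2.0, placeholder paths C:\ADMaint and D:\NTDS.

function Assert-DsRestoreMode {
    # Safe-mode boots set SAFEBOOT_OPTION; Directory Services Restore Mode sets it to DSREPAIR.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Not in Directory Services Restore Mode; reboot per Recipe 16.2 first'
    }
}

function Get-NtdsFileLocation {
    # The directory service records its file locations under the NTDS Parameters key.
    $key = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    New-Object PSObject -Property @{
        Database = $key.'DSA Database file'          # full path to ntds.dit
        LogPath  = $key.'Database log files path'    # folder holding edb*.log and edb.chk
        WorkDir  = $key.'DSA Working Directory'
    }
}

function Test-MoveTarget {
    # Before 'move db to' / 'move logs to': the target must be NTFS with comfortable headroom.
    param([string]$TargetDir)
    $loc      = Get-NtdsFileLocation
    $ditBytes = (Get-Item $loc.Database).Length
    $logBytes = (Get-ChildItem -Path $loc.LogPath | Where-Object { -not $_.PSIsContainer } |
                 Measure-Object -Property Length -Sum).Sum
    $driveId  = ([System.IO.Path]::GetPathRoot($TargetDir)).TrimEnd('\')   # e.g. D:
    $disk     = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$driveId'"
    if (-not $disk) { throw "Drive $driveId not found" }
    $needed   = 2 * ($ditBytes + $logBytes)    # the files themselves plus room to grow
    New-Object PSObject -Property @{
        CurrentDatabase = $loc.Database
        CurrentLogPath  = $loc.LogPath
        TargetDrive     = $driveId
        FileSystem      = $disk.FileSystem
        FreeMB          = [math]::Round($disk.FreeSpace / 1MB)
        NeededMB        = [math]::Round($needed / 1MB)
        Ok              = ($disk.FileSystem -eq 'NTFS' -and $disk.FreeSpace -gt $needed)
    }
}

function Invoke-DitChecks {
    param([string]$LogFile = 'C:\ADMaint\ditcheck.log')
    Assert-DsRestoreMode
    $dir = Split-Path $LogFile -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # Same two commands as the recipe; 'q q' backs out of the ntdsutil menus afterwards.
    $integrity = & ntdsutil files integrity q q 2>&1
    $semantic  = & ntdsutil 'semantic database analysis' 'verbose on' go q q 2>&1
    $all = @($integrity) + @($semantic)
    $all | Out-File -FilePath $LogFile
    # Heuristic scan; ErrorRecords from 2>&1 are stringified so they are matched too.
    $suspect = @($all | Where-Object { "$_" -match '(?i)error|corrupt|fail' })
    New-Object PSObject -Property @{
        LogFile      = $LogFile
        OutputLines  = $all.Count
        SuspectLines = $suspect.Count
        Clean        = ($suspect.Count -eq 0)
    }
}

Test-MoveTarget -TargetDir 'D:\NTDS' | Format-List
Invoke-DitChecks | Format-List
```

Keep the log file with the change record for the maintenance window; if Clean comes back False, read the lines in question before reaching for go fixup, and make sure the backup the next paragraph insists on already exists.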
You should have a recent backup handy before doing this because, in the worst case, the corruption cannot be fixed or may become worse after the go fixup command completes.

16.7.4 See Also

Recipe 16.2 for booting into Directory Services Restore Mode and MS KB 315136 (HOW TO: Complete a Semantic Database Analysis for the Active Directory Database by Using Ntdsutil.exe)

Recipe 16.8 Moving the DIT Files

16.8.1 Problem

You want to move the Active Directory DIT files to a new drive to improve performance or capacity.

16.8.2 Solution

16.8.2.1 Using a command-line interface

First, reboot into DS Restore Mode. Then run the following commands, in which <DriveAndFolder> is the new location where you want to move the files (e.g., d:\NTDS):

> ntdsutil files "move db to <DriveAndFolder>" q q
> ntdsutil files "move logs to <DriveAndFolder>" q q

16.8.3 Discussion

You can move the Active Directory database file (ntds.dit) independently of the log files. The first command in the solution moves the database and the second moves the logs; ntdsutil also updates the registry entries that tell the directory service where to find them, which is why you should use it rather than copying the files by hand. You may also want to run an integrity check against the database after you've moved it to ensure everything checks out; see Recipe 16.7 for more details. Because the System State backup records the file locations, take a fresh backup (Recipe 16.1) once the move is complete.

16.8.4 See Also

Recipe 16.2 for booting into Directory Services Restore Mode, Recipe 16.7 for checking DIT file integrity, MS KB 257420 (HOW TO: Move the Ntds.dit File or Log Files), and MS KB 315131 (HOW TO: Use Ntdsutil to Manage Active Directory Files from the Command Line in Windows 2000)

Recipe 16.9 Repairing or Recovering the DIT

16.9.1 Problem

You need to repair or perform a soft recovery of the Active Directory DIT because a power failure or some other failure caused the domain controller to enter an unstable state.

16.9.2 Solution

16.9.2.1 Using a command-line interface

First, reboot into DS Restore Mode.
Run the following command to perform a soft recovery of the transaction log files:

> ntdsutil files recover q q

If you continue to experience errors, you may need to run a repair, which does a low-level repair of the database but can result in loss of data:

> ntdsutil files repair q q

If either the recover or the repair is successful, you should then check the integrity of the database (see Recipe 16.7).

16.9.3 Discussion

You should (hopefully) never need to recover or repair your Active Directory database. A recovery may be needed after a domain controller unexpectedly shuts down, perhaps due to a power loss, and certain changes were never committed to the database. When it boots back up, a soft recovery is automatically done in an attempt to reapply any changes contained in the transaction log files. Since Active Directory does this automatically, it is unlikely that running the ntdsutil recover command will be of much help.

The ntdsutil repair, on the other hand, can fix low-level problems, but it can also result in a loss of data, which cannot be predicted. USE AT YOUR OWN PERIL! I recommend you use extreme caution when performing a repair, and you may want to engage Microsoft Support first in case something really bad goes wrong. If you try the repair and it makes things worse, you should consider rebuilding the domain controller from scratch. See Recipe 3.6 for forcibly removing a domain controller.

16.9.4 See Also

Recipe 16.2 for booting into Directory Services Restore Mode, Recipe 16.7 for checking the integrity of the DIT, and MS KB 315131 (HOW TO: Use Ntdsutil to Manage Active Directory Files from the Command Line in Windows 2000)

Recipe 16.10 Performing an Online Defrag Manually

This recipe must be run against a Windows Server 2003 domain controller.

16.10.1 Problem

You want to initiate an online defragmentation. This can be useful if you want to expedite the defrag process after deleting a bunch of objects.
16.10.2 Solution

16.10.2.1 Using a graphical user interface

Posted: 05/07/2014, 08:20
