Lesson 1: Proactive Directory Maintenance and Data Store Protection 653

If you did not assign a static IP address, the Active Directory Domain Services Installation Wizard will give you a warning because you are using a dynamic IP address.
23. Click the Yes, The Computer Will Use A Dynamically Assigned IP Address (Not Recommended) option. The Active Directory Domain Services Installation Wizard will warn you that it cannot create a delegation for the domain.
24. Click Yes.
25. On the Install From Media page, click Replicate Data From Media At The Following Location, type C:\IFM or click Browse to locate the IFM folder on the C drive, and click Next. Note that the page indicates that the media must have been created from a writable DC because you did not select the RODC mode for this DC.
26. On the Source Domain Controller page, accept the defaults and click Next.
27. On the Location For Database, Log Files And SYSVOL page, accept the default locations and click Next.
28. Type a strong Directory Services Restore Mode password, confirm it, and click Next.
29. Confirm your settings on the Summary page and click Next. Select Reboot On Completion and wait for the operation to complete.
Your new DC has been created from local media. Installing from media cuts down on initial replication: the bulk of the directory is loaded from the IFM copy, and only the changes made since the media was created are pulled in through replication after the DC has been created.

Exercise 3 Perform Database Maintenance
In this exercise, you will perform interactive database maintenance, using restartable Active Directory Domain Services. You can perform this operation now because there are two DCs in the treyresearch.net domain. You must have at least two DCs to be able to use restartable AD DS.

654 Chapter 13 Directory Business Continuity

1. Log on to SERVER11 with the domain administrator account.
2. Use Windows Explorer to create a C:\Temp folder and a C:\OriginalNTDS folder. You will use these folders as temporary locations for the compacted database and the original database, respectively.
3. In Server Manager, expand the Configuration node and click Services.
4. Locate the Active Directory Domain Services service (it should be first on the list), right-click it, and select Stop.
5. In the Stop Other Services dialog box, click Yes. The server stops the service together with the services that depend on it. Remember that if the service cannot contact another writable DC, it will not stop; otherwise, no one would be able to log on to the domain.
6. Launch an elevated command prompt by right-clicking Command Prompt in the Start menu and choosing Run As Administrator.
7. Begin by compacting the database. Type the following commands, pressing Enter after each one:
   ntdsutil
   activate instance NTDS
   files
   compact to C:\temp
   Ntdsutil.exe compacts the database and writes the compacted copy to the new location. In very large directories, this operation can take some time.
8. After the compaction operation is complete, type the following to leave the files menu and exit Ntdsutil.exe:
   quit
   quit
9. Now delete all the transaction log files. Type the following:
   cd %systemroot%\ntds
   del *.log
   You delete the log files because you will be replacing the Ntds.dit file with the newly compacted file, and the existing log files will not work with the newly compacted database.
10. Now back up the Ntds.dit file to protect it in case something goes wrong. Type the following:
   copy ntds.dit \originalntds
11. Copy the newly compacted database over the original. Making sure you are still within the %SystemRoot%\NTDS folder, type the following, answering y when asked to confirm overwriting the existing Ntds.dit:
   copy c:\temp\ntds.dit
   y
12. Finally, verify the integrity of the new Ntds.dit file. After this is done, you will also perform a semantic database analysis to verify the data within the database. Type the following:
   ntdsutil
   activate instance NTDS
   files
   integrity
   quit
   semantic database analysis
   go fixup
   quit
   quit
   Note that if the integrity check fails, you must copy the original Ntds.dit from C:\OriginalNTDS back to this folder because the newly compacted file is corrupt. If you do not do so, your DC will no longer be operational.
13. Return to Server Manager, expand the Configuration node, and click Services.
14. Locate the Active Directory Domain Services service (it should be first on the list), right-click it, and select Start.
Your server is back online and ready to deliver authentication services to the network. It can take several minutes for the dependent services to restart. Delete the Ntds.dit located in the C:\OriginalNTDS folder because it is no longer valid.

Exercise 4 Automate Database Maintenance
You can script the entire database compaction operation from the command line if you want to automate it. You should, however, make sure all the operational results are captured in a text file so that you can review them if something goes wrong.
1. Log on to SERVER11 with the domain administrator account.
2. Also, make sure that both a C:\Temp folder and a C:\OriginalNTDS folder exist on your server and that both folders are empty. You will use these folders as temporary locations for the compacted database and for the original database. You are ready to automate the compaction process.
3. Move to the C:\Temp folder and right-click in the details pane to select New; then click Text Document.
4. Name the text document Compaction.cmd. If you cannot see the .txt extension of the file, click Folder Options from the Tools menu in Windows Explorer. On the View tab, clear Hide Extensions For Known File Types and click OK. Remove the .txt extension from your file name and confirm the removal.
5. Right-click Compaction.cmd and choose Edit. Type the following commands:
   del C:\temp\*.dit
   del C:\originalntds\*.dit
   net stop ntds /y
   ntdsutil "activate instance NTDS" files "compact to C:\temp" quit quit
   cd \windows\ntds
   del *.log
   copy ntds.dit \originalntds
   del ntds.dit
   copy c:\temp\ntds.dit
   ntdsutil "activate instance NTDS" files integrity quit "semantic database analysis" "go fixup" quit quit
   net start ntds
6. Save and close the Compaction.cmd file.
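The same compaction as an added PowerShell script (editor-supplied example code, not from the Training Kit and not a replacement the book provides). It keeps the exercise's folders (C:\Temp for the compacted copy, C:\OriginalNTDS for the original) and assumes the default database location %SystemRoot%\NTDS, and it adds what Compaction.cmd lacks: a transcript of every result in C:\Temp\Compaction.log, a free-space check before compaction, and an automatic copy-back of the original Ntds.dit when the integrity check fails. The success strings it looks for ("Compaction is successful" / "Operation completed successfully" and "Integrity check successful") are the messages Ntdsutil.exe prints on Windows Server 2008; treat them as an assumption to verify on your build. Like the batch file, it needs a second writable DC reachable and should be run interactively from an elevated PowerShell prompt, never as an unattended scheduled task.

```powershell
# Added example: PowerShell version of the Exercise 3/4 offline compaction with logging and rollback.
# Not from the Training Kit. Assumes the default NTDS folder and the exercise's C:\Temp / C:\OriginalNTDS.
$NtdsDir   = Join-Path $env:SystemRoot 'NTDS'
$WorkDir   = 'C:\Temp'            # receives the compacted copy, as in the exercise
$BackupDir = 'C:\OriginalNTDS'    # receives the original Ntds.dit, as in the exercise
$LogFile   = Join-Path $WorkDir 'Compaction.log'

function Invoke-Ntdsutil {
    # Runs one ntdsutil command path non-interactively (the two trailing quits leave the
    # sub-menu and the tool) and returns its output so the caller can check the result message.
    param([string[]]$Commands)
    $text = & ntdsutil.exe @Commands 'quit' 'quit' | Out-String
    Write-Host $text
    return $text
}

function Assert-FreeSpace {
    # "compact to" writes a complete copy of the database, so the work drive needs at least that much room.
    $ditSize = (Get-Item (Join-Path $NtdsDir 'ntds.dit') -ErrorAction Stop).Length
    $drive   = Split-Path $WorkDir -Qualifier
    $free    = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace
    if ($free -lt ($ditSize * 1.2)) {
        throw "Only $free bytes free on $drive; compacting a $ditSize-byte Ntds.dit needs more."
    }
}

function Invoke-OfflineDefrag {
    Start-Transcript -Path $LogFile -Append      # every result lands in the log, as the exercise advises
    $dependents = @()
    try {
        $me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
        if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
            throw 'Run this from an elevated PowerShell prompt.'
        }
        foreach ($dir in $WorkDir, $BackupDir) {
            if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
            Remove-Item (Join-Path $dir '*.dit') -ErrorAction SilentlyContinue   # same as "del *.dit"
        }
        Assert-FreeSpace

        # Remember which dependents (KDC, DNS, Netlogon, ...) are up so they can be restarted at the end.
        $dependents = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
        # Equivalent of "net stop ntds /y"; AD DS refuses to stop if no other writable DC is reachable.
        Stop-Service -Name NTDS -Force -ErrorAction Stop

        $out = Invoke-Ntdsutil 'activate instance NTDS', 'files', "compact to $WorkDir"
        $compacted = Join-Path $WorkDir 'ntds.dit'
        # Assumed success text of ntdsutil on Windows Server 2008; verify against your build.
        if (($out -notmatch 'Compaction is successful|Operation completed successfully') -or -not (Test-Path $compacted)) {
            throw 'Compaction did not complete; the live database was not modified.'
        }

        # Keep the original, drop the transaction logs that no longer match it, install the compacted copy.
        Copy-Item (Join-Path $NtdsDir 'ntds.dit') -Destination $BackupDir -ErrorAction Stop
        Remove-Item (Join-Path $NtdsDir '*.log') -ErrorAction Stop
        Copy-Item $compacted -Destination $NtdsDir -Force -ErrorAction Stop

        $out = Invoke-Ntdsutil 'activate instance NTDS', 'files', 'integrity'
        if ($out -notmatch 'Integrity check successful') {
            # The rollback the exercise warns about: without it AD DS will not start on this DC.
            Copy-Item (Join-Path $BackupDir 'ntds.dit') -Destination $NtdsDir -Force -ErrorAction Stop
            throw 'Integrity check failed; the original Ntds.dit has been put back.'
        }
        # Semantic analysis with fixup; its report is in the transcript for review.
        Invoke-Ntdsutil 'activate instance NTDS', 'semantic database analysis', 'go fixup' | Out-Null
        Write-Host 'Compaction complete.'
    }
    finally {
        # Always bring the directory back, even after a failure, then the services that depended on it.
        Start-Service -Name NTDS
        foreach ($svc in $dependents) { Start-Service -Name $svc.ServiceName -ErrorAction SilentlyContinue }
        Stop-Transcript
    }
}

Invoke-OfflineDefrag
```

The script stops at the first failure and still restarts AD DS in its finally block, so the DC is left running on whichever database passed its last check; read C:\Temp\Compaction.log before deleting the copy in C:\OriginalNTDS.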
Note that you can add a pause command after each command in your text file to verify the proper operation of the commands while testing.
7. Test the file by launching an elevated command prompt: right-click Command Prompt in the Start menu and choose Run As Administrator.
8. Type:
   cd \temp
   compaction
9. If at any time the file does not work, use Ctrl+C to cancel the batch file and correct the errors. If the file works properly, you can use it to automate the compaction process.
10. Remove any pause statements you entered in the file and save it again.
You can reuse this command file each time you want to run the compaction on your systems. It is recommended that you run this command file interactively to address any errors or issues during the process. Be very wary of putting this file into a scheduled task. You should never run compaction in unattended mode because errors could destroy your DC.
11. If a DC is nonfunctioning, you can use the following command to remove the DC role:
   dcpromo /forceremoval
   A forced removal does not remove the failed DC's metadata from the forest, so clean it up with Ntdsutil.exe (metadata cleanup) on a surviving DC before you re-create the DC.
12. Run the Active Directory Domain Services Installation Wizard again to re-create the DC.
Perform the Ntds.dit compaction operation at least once a month.

Exercise 5 Protect Group Policy Objects
In this exercise, you will use the GPMC to back up GPOs.
1. Log on to SERVER11 with the domain administrator account.
2. Verify the existence of a folder named Temp on the C drive.
3. Launch the GPMC from the Administrative Tools program group.
4. Expand Forest\Domains\domainname\Group Policy Objects.
5. Right-click Group Policy Objects and select Back Up All.
6. Type the location as C:\Temp or use the Browse button to locate the folder.
7. Type a description, in this case First GPO Backup, and click Back Up. The GPO backup tool shows the progress of the backup.
8. Click OK after the backup is complete. Your GPOs are now protected.
9. Back up the Temp folder.
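Exercise 5 as an added script (editor-supplied example code, not from the Training Kit). It assumes the GroupPolicy PowerShell module, which ships with the GPMC on Windows Server 2008 R2 and later (the RTM Windows Server 2008 GPMC has no PowerShell module; there, use the GUI steps above), the exercise's C:\Temp folder and treyresearch.net domain, and a second domain named contoso.com for the cross-domain copy. Beyond Back Up All, it checks that every GPO in the domain actually produced a complete backup folder, which the GPMC progress dialog does not tell you.

```powershell
# Added example: Exercise 5 as a script (editor-supplied, not from the Training Kit).
# Needs the GroupPolicy module that ships with the GPMC on Windows Server 2008 R2 and later.
Import-Module GroupPolicy

function Backup-AllGpos {
    # Backs up every GPO in the domain into a dated folder under $Root (what Back Up All does in the
    # GPMC) and verifies that every GPO got a backup folder with its bkupInfo.xml and gpreport.xml.
    param(
        [string]$Root   = 'C:\Temp',
        [string]$Domain = 'treyresearch.net'      # the domain used in these exercises
    )
    $target = Join-Path $Root ('GPO-' + (Get-Date -Format 'yyyy-MM-dd'))
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    $backups = @(Backup-GPO -All -Path $target -Domain $Domain -Comment ('Weekly GPO backup ' + (Get-Date -Format 'u')))

    # Every GPO should appear among the backups ...
    $gpos = @(Get-GPO -All -Domain $Domain)
    $backedUp = @{}
    foreach ($b in $backups) { $backedUp[$b.GpoId.ToString()] = $b }
    $missing = $gpos | Where-Object { -not $backedUp.ContainsKey($_.Id.ToString()) }
    if ($missing) {
        throw ('No backup produced for: ' + (($missing | ForEach-Object { $_.DisplayName }) -join ', '))
    }
    # ... and each backup folder (named by its backup ID) must contain its manifest and settings report.
    foreach ($b in $backups) {
        $dir = Join-Path $target ('{' + $b.Id + '}')
        foreach ($f in 'bkupInfo.xml', 'gpreport.xml') {
            if (-not (Test-Path (Join-Path $dir $f))) {
                throw "Backup of '$($b.DisplayName)' is incomplete: $dir lacks $f"
            }
        }
    }
    Write-Host ("Backed up {0} GPOs to {1}" -f $backups.Count, $target)
    return $target
}

$backupPath = Backup-AllGpos

# Restore one GPO from this backup set in the same domain (it comes back under its original GUID):
#   Restore-GPO -Name 'Default Domain Policy' -Path $backupPath -Domain 'treyresearch.net'
# Copy the same GPO into another domain, creating it there if needed; add -MigrationTable when the
# settings contain domain-specific security principals or UNC paths:
#   Import-GPO -BackupGpoName 'Default Domain Policy' -TargetName 'Default Domain Policy' `
#       -Path $backupPath -Domain 'contoso.com' -CreateIfNeeded
```

Run it weekly, as the exercise recommends, and keep the dated folders on storage that is itself backed up: a backup that lives only on the DC disappears with the DC.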
You can rely on this folder to copy the GPOs from one domain to another if you wish. Perform this operation at least once a week.

Exam Tip
Backing up and restoring GPOs are both important parts of the exam. Practice these operations thoroughly to prepare for this topic.

Lesson Summary
■ To maintain your directory service, you must perform proactive maintenance tasks. These tasks fall into twelve categories, many of which should be delegated to others. Domain administrators are responsible for the AD DS service and should focus on core directory operations such as database administration tasks.
■ Several tools are available for AD DS administration. The most commonly used tools are the three main Active Directory consoles: Active Directory Users and Computers, Active Directory Sites and Services, and Active Directory Domains and Trusts.
■ With Windows Server 2008, AD DS is a manageable service like any other service on the server: it can be stopped and started without restarting the server in Directory Services Restore Mode.
■ When you delete an object in AD DS, you must restore the object to re-create its properties. If you simply re-create the object, it will not have the same SID and, therefore, will not retain any of the deleted object's properties. Restoring an object restores the original SID and, therefore, automatically restores most of the access rights associated with the object.
■ There are several ways to protect information in the directory:
❑ You can protect objects from deletion.
❑ You can audit AD DS changes to view previous and changed values when changes are made.
❑ You can rely on the tombstone container to recover deleted objects.
❑ You can rely on backup and restore to recover lost information.
■ To restore objects from the Deleted Objects container in AD DS, you must use a tool that will expose this container and enable you to modify the state of the object.
Two tools are available for this operation: Ldp.exe and Quest Object Restore for Active Directory. After the object is restored, you must reassign its password, group memberships, and other informational attributes and then enable the object.
■ When you restore an object from backup, the object is restored with all its previous attributes. No additional changes are required.

Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1, "Proactive Directory Maintenance and Data Store Protection." The questions are also available on the companion CD if you prefer to review them in electronic form.

NOTE Answers
Answers to these questions and explanations of why each answer choice is right or wrong are located in the "Answers" section at the end of the book.

1. You are a systems administrator for contoso.com. You have been requested to compact the database on one of the two DCs for the forest root domain. However, when you try to stop the AD DS service, you find that you cannot stop it on the server you are working on. What could be the problem?
A. You cannot stop the AD DS service on a Windows Server 2008 DC.
B. Someone else is working on another DC in this domain.
C. You must restart the server in Directory Services Restore Mode.
D. You must use the net stop command to stop the AD DS service.
2. You are the network administrator of a large network. One of your DCs recently failed. You need to restore the DC to a working state. You have several backups of the server that were created with Windows Server Backup. Which of the following steps should you perform? (Choose all that apply.)
A. Restart the server in Directory Services Restore Mode.
B. Perform an authoritative restore using the Ntdsutil.exe command.
C. Reinstall Windows Server 2008.
D. Restart the server in WinRE.
E. Perform a nonauthoritative restore using the Ntdsutil.exe command.
F. Perform a full server recovery using the command line.

Lesson 2: Proactive Directory Performance Management
The second activity you must master to maintain your DCs proactively is performance management. When you use proper installation and creation procedures, your DCs should just work. Remember that the Domain Controller role is now in its fifth iteration since it appeared in Microsoft Windows NT, and it has evolved with each release of the Microsoft server operating system. This means that it is now a very solid and stable service. However, you'll find that despite this stability, things can still go wrong, whether the cause is a system error or a human one. When they do, you need to be ready to identify the issue quickly and take appropriate steps to correct the situation. When you perform proactive performance management, you are forewarned before untoward events occur. This is the crux of this lesson.

After this lesson, you will be able to:
■ Work with system performance indicators.
■ Use the Windows Server performance and reliability tools.
■ Use Windows System Resource Manager.
■ Generate and view performance reports.
Estimated lesson time: 45 minutes

Managing System Resources
Windows Server includes several tools that help identify potential issues with system resources. When systems are not configured properly and are not assigned appropriate resources such as CPU, RAM, or disk space, systems monitoring helps you identify where bottlenecks occur. When you identify these bottlenecks, you then assign additional resources to the system. If the system is physical, this most often means shutting down the system, installing new resources (for example, additional memory modules), and then restarting the system. If the system is virtual, then depending on the virtualization engine you use, you might be able to allocate new resources while the virtual machine is still running.
If not, shut it down; allocate new resources, for example, an additional CPU and additional RAM; and then restart it. After the system is restarted, monitor its performance again to identify whether the new resources solved the problem.
The tools you can rely on to identify performance bottlenecks in Windows Server 2008 include:
■ Task Manager, which displays current system resource usage.
■ Event Viewer, which logs specific events, including performance-related events.
■ Reliability Monitor, which tracks changes made to the system, enabling you to identify whether a change could be the cause of a new bottleneck.
■ Performance Monitor, which collects data either in real time or at specific intervals to identify potential issues.
■ Windows System Resource Manager (WSRM), which can be used to profile specific applications to indicate which resources they need at which time. You can also use it to manage application resource allocation based on the profiles you generate.
You can use other tools as well, such as Microsoft System Center Operations Manager, to monitor the state of a system continuously and automatically correct well-known issues. Operations Manager relies on custom management packs to monitor specific applications.

Using Task Manager
The simplest of all tools to use is Task Manager. This tool provides real-time system status information and covers several key aspects of a system's performance, including:
■ Running applications
■ Running processes
■ Running services
■ Performance, including CPU and memory usage
■ Networking, including network interface card (NIC) utilization
■ Currently logged-on users
You can access Task Manager in a variety of ways, the most common of which is to right-click the taskbar and select Task Manager. Another common method is to use the Ctrl+Alt+Delete key combination and click Task Manager when the menu choices appear.
For example, this is how you would access Task Manager on Server Core because it does not include a taskbar. You can also type Taskmgr.exe at a command prompt.
When you access information regarding system performance, the Performance tab is the most useful tab. (See Figure 13-7.) It displays complete information about your system's key resource usage and details physical and kernel memory usage. This tab also includes a button that gives you access to Resource Monitor. Clicking this button launches Resource Monitor while keeping Task Manager open. Resource Monitor is a super Task Manager because it brings together the CPU, disk, memory, and network usage graphs in a single view. (See Figure 13-8.) In addition, it includes expandable components for each resource, displaying details of each component so that you can identify which processes might be the culprit if issues are evident. These two tools are ideal for on-the-spot verifications of resource usage. You should rely on them if you need to identify immediately whether something is wrong with a server.
Figure 13-7 Viewing real-time performance information in Task Manager
For example, if the system does not have enough memory, you will immediately see that memory usage is constantly high. In this case, Windows is forced to use on-disk virtual memory and must constantly swap, or page, memory contents between physical memory and the page file. Constant paging is a typical issue that servers with insufficient physical memory face and is often indicated by slow system behavior. One good indicator of insufficient memory is slow Server Manager operation.
Figure 13-8 Viewing real-time performance information in Resource Monitor

[...] the scenarios in the Windows Server 2008 Performance and Reliability Monitoring Step-by-Step Guide at http://technet2.microsoft.com/windowsserver2008/en/library/7e17a3be-f24e-4fdd-9e38-a88e2c8fb4d81033.mspx?mfr=true
Figure 13-12 Viewing an Active Directory diagnostics report
Working with Windows System Resource Manager
Windows Server 2008 includes an additional [...]

MORE INFO Resource Monitor
For more information on Resource Monitor, see Scenario 1 in "Windows Server 2008 Performance and Reliability Monitoring Step-by-Step Guide" at http://technet2.microsoft.com/windowsserver2008/en/library/7e17a3be-f24e-4fdd-9e38-a88e2c8fb4d81033.mspx?mfr=true
Working with Event Viewer [...] http://technet2.microsoft.com/windowsserver2008/en/library/67928ddc-3c01-4a4a-a924-f964908b072b1033.mspx
Events provide much more information in Windows Server 2008 and Windows Vista than ever before. In previous versions of Windows, events were arcane items that provided very little information about an issue. Today, you get a full explanation of an event in Event Viewer, and you can link to an online database maintained by Microsoft [...]

[...] the "How to Use the Practice Tests" section in this book's introduction.
Chapter 14 Active Directory Lightweight Directory Services
Of the five different Active Directory technologies available in Windows Server 2008, the one that most resembles Active Directory Domain Services (AD DS) is Active Directory Lightweight Directory Services (AD LDS). That's because AD LDS is really nothing more than a subset [...]

[...] arise, Windows Server 2008 provides a series of tools for analysis and problem correction. These include both real-time and scheduled analysis tools. Real-time tools include Task Manager, Resource Monitor, and Performance Monitor. Scheduled or tracking tools include Event Log, Reliability Monitor, and scheduled data collector sets in Performance Monitor.
Chapter 13 Review
■ Windows Server 2008 also [...]

[...] their NOS directory? Adding to the schema for an application such as Exchange Server is appropriate because it provides a core networking service: e-mail.
MORE INFO Best practices for Active Directory design
For a guide outlining best practices for the design of Active Directory as well as AD DS schema management guidelines, download the free "Chapter 3: Designing the Active Directory" from Windows Server [...] available at http://www.resonet.com/Documents/007222343X_Ch03.pdf. For information on creating a new forest as well as migrating its contents from one forest to another, look up Windows Server 2008: The Complete Reference by Ruest and Ruest (McGraw-Hill Osborne, 2008). This book outlines how to build a complete infrastructure based on Microsoft Windows Server and how to migrate all of its contents from one [...]

[...] would assist system administrators to manage Active Directory environments. We were thrilled by the request because Active Directory was one of our favorite technologies. Besides being a true Lightweight Directory Access Protocol (LDAP) directory service, Active Directory is also a very powerful NOS directory that can manage millions of objects. In addition, Active Directory includes Group Policy, a very powerful [...]

Also, note that there is no Server Performance Advisor (SPA) in Windows Server 2008. This Windows Server 2003 tool has been rolled into Windows Reliability and Performance Monitor. Don't get caught on questions regarding SPA on the exam.
Creating Baselines for AD DS and DNS
For long-term system monitoring, you must create data collector sets. These [...]

[...] Active Directory Application Mode (ADAM), is a technology that is designed to support directory-enabled applications on an application-by-application basis and without having to modify the database schema of your network operating system (NOS) directory running on AD DS. AD LDS is a boon to administrators who want to use directory-enabled applications without integrating them in their NOS directory. Active [...]
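The on-the-spot check Lesson 2 describes for Task Manager and Resource Monitor (sustained high memory use and constant paging on a DC), as an added command-line example that is editor-supplied and not from the Training Kit. It assumes PowerShell 2.0's Get-Counter cmdlet (built in on Windows Server 2008 R2, available for Windows Server 2008 through the Windows Management Framework update), a DC for the NTDS counters to exist, and thresholds that are illustrative assumptions only; the right values for a given server come from the baseline data collector set the lesson goes on to describe. Averaging over a one-minute window rather than reading a single sample is what separates a normal spike from the constant paging the text warns about.

```powershell
# Added example: a command-line snapshot of the indicators Lesson 2 discusses, editor-supplied and not
# from the Training Kit. Get-Counter needs PowerShell 2.0; the NTDS counters exist only on a DC.
# Thresholds are illustrative assumptions; take yours from a baseline data collector set.

function Get-DcCounterAverages {
    # Samples the counters for about a minute and returns a hashtable of counter path -> average value.
    # Averages matter here: a single Pages/sec spike is normal, a sustained rate is the paging symptom.
    param(
        [string]$ComputerName   = $env:COMPUTERNAME,
        [int]   $SampleInterval = 5,
        [int]   $MaxSamples     = 12
    )
    $counters = @(
        '\Memory\Available MBytes',
        '\Memory\Pages/sec',
        '\Processor(_Total)\% Processor Time',
        '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
        '\NTDS\LDAP Searches/sec',
        '\NTDS\LDAP Client Sessions'
    )
    $sum = @{}; $n = @{}
    Get-Counter -ComputerName $ComputerName -Counter $counters -SampleInterval $SampleInterval -MaxSamples $MaxSamples |
        ForEach-Object {
            foreach ($s in $_.CounterSamples) {
                $key = ($s.Path -split '\\', 4)[-1]     # "\\server\memory\pages/sec" -> "memory\pages/sec"
                $sum[$key] += $s.CookedValue
                $n[$key]   += 1
            }
        }
    $avg = @{}
    foreach ($k in $sum.Keys) { $avg[$k] = [math]::Round($sum[$k] / $n[$k], 1) }
    return $avg
}

function Test-DcResourceHealth {
    # Turns the averages into the findings an administrator would otherwise read off Task Manager
    # and Resource Monitor. Returns an array of strings; empty means nothing stood out.
    param([hashtable]$Average)
    $findings = @()
    $freeMb = $Average['memory\available mbytes']
    $pages  = $Average['memory\pages/sec']
    if ($freeMb -lt 256 -and $pages -gt 100) {          # assumed thresholds for illustration
        $findings += "Sustained paging ($pages pages/sec with $freeMb MB free): add physical memory."
    }
    if ($Average['processor(_total)\% processor time'] -gt 85) {
        $findings += 'CPU busy above 85% for the whole window: check Resource Monitor for the process responsible.'
    }
    if ($Average['physicaldisk(_total)\avg. disk queue length'] -gt 2) {
        $findings += 'Disk queue above 2: the drive holding Ntds.dit and its logs is a bottleneck.'
    }
    if ($Average['ntds\ldap client sessions'] -gt 1000) {
        $findings += 'More than 1000 LDAP sessions: this DC may be carrying load another DC should share.'
    }
    return ,$findings
}

$averages = Get-DcCounterAverages
$averages.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
$findings = Test-DcResourceHealth -Average $averages
if ($findings.Count -eq 0) { Write-Host 'No bottleneck indicators in this window.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Pass -ComputerName to sample a remote DC, and run the same script against the server when it is healthy to record the numbers your thresholds should be compared with.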