mcse exam 70-29 planning implementing and maintaining a windows server 2003 active directory infrastruct part 9


■ Differential: Uses the archive attribute to determine which files have changed since the last backup. Only the changed files are backed up. A Differential backup does not clear the archive attribute. This means that subsequent backup operations back up files that have changed since the last backup ran, and other files that changed but were backed up by earlier backup operations.
■ Daily: This option reads the timestamps on files and only backs up files that were created or modified on the day of the backup. This option does not clear the archive attribute.

9. The Backup migrated Remote Storage data check box is located at the bottom of the Type of Backup page. Infrequently used files can be migrated to a near-time access point, using Remote Storage. When this occurs, they still show up for users as local files on the system in Explorer type interfaces, although they are stored remotely. Users are actually viewing reparse points, not the actual files. Because of this, it is possible that you selected files in step 4 that are not actually located on the local system disks, but have been migrated to Remote Storage. Files migrated to Remote Storage can be recalled seamlessly when the reparse point is clicked on by a user in an Explorer type interface. Checking this box ensures that these reparse points will be backed up. After completing your selections on this page of the wizard, click the Next button.

Figure 11.20 The Type of Backup Wizard Page

10. The next page in the wizard, shown in Figure 11.21, contains the following three check boxes:
■ Verify data after backup: This reads the data back off the storage medium used and compares it to the original information backed up. You should be aware that this will greatly extend the amount of time required to finish the backup job. However, when the data is critical and you need to be assured that it was backed up correctly, you might want to select this option.
■ Use hardware compression, if available: If the Backup utility detects a tape drive or other storage mechanism that is capable of hardware compression, this box will be available for selection. Typically, these types of compression are very advanced and it is recommended that you make use of them. This box will be grayed out if backup does not detect a device that supports this setting.
■ Disable Volume Shadow Copy: As mentioned earlier, this feature is used to back up open files. This option is enabled by default. If you select to back up the system state data, the option to disable it will be grayed out because it is required for backing up the system state information.

11. After making your selections on the How to Back Up wizard page, click the Next button.

12. The Backup Options page, shown in Figure 11.22, allows you to choose to append this backup to an existing backup by selecting the Append this backup to the existing backups option, or replace any existing backups on the media selected by choosing the Replace the existing backups option. If replace the existing backups is selected, the Allow only the owner or the Administrator access to the backup data and to any backups appended to this medium check box becomes available for selection. When checked, this allows only the user who created the backup file or an administrator to restore the backed up information. Click the Next button to continue with the wizard.

Figure 11.21 The How to Back Up Wizard Page

13. The Backup utility allows you to begin the backup immediately by selecting the Now option on the When to Back Up page, shown in Figure 11.23. However, you can also schedule a backup job to run at another time by selecting the Later option. When this option is selected, the Job name: text box becomes available, as does the Start date: option. Enter a descriptive name for the backup operation in the Job name: box.

Figure 11.22 The Backup Options Wizard Page
Figure 11.23 The When to Back Up Wizard Page

14. By default, the Start date: option is set to the current date and time when you click the Later option. To change this to another date and time, or use the more advanced schedule features, click the Set Schedule… button.

15. This displays the Schedule Job dialog box with the Schedule tab in the foreground, as shown in Figure 11.24. Several options can be selected in the Schedule Task: drop-down box, including:
■ Daily: This setting allows you to specify a start time, and the number of consecutive days on which you would like the task to run. It also allows you to click the Advanced… button to bring up the Advanced Schedule Options dialog box. This box allows you to specify start and end dates, how often the task will repeat, and the maximum duration or time past which the backup job cannot run.
■ Weekly: This option allows you to specify a start time, and you can click the Advanced… button to configure all of the advanced options listed previously. In addition, it allows you to specify the number of consecutive weeks the backup should run, and has selection boxes for each day of the week so that you can determine on which days the backup job should run. Figure 11.24 shows this option.
■ Monthly: As with the Daily and Weekly options, this option allows you to specify a start time and click the Advanced… button to configure all of the advanced options listed previously. You can select the day of the month on which you want to have the job run. This can include patterns such as the first Tuesday of the month. Clicking the Select Months button brings up the Select Months dialog box with check boxes for each month of the year, all of which are selected by default.
■ Once: This option will run the backup job one time, and allows you to specify a start time and access the Advanced… button options. It provides a Run on: drop-down box that enables you to select a date from a calendar. This is the default setting.
■ At System Startup: This option starts the backup job when the computer is booted.
■ At Logon: This option starts the backup job when a user logs on to the computer.
■ When Idle: This option allows you to specify an idle setting for the computer in the When the computer has been idle for: entry box. This refers to the amount of time the system is not in use. The default is 10 minutes.

16. At the bottom of the Schedule tab is the Show multiple schedules check box. When selected, it adds a new section to the top of the tab, which consists of a drop-down box, a New button, and a Delete button. The current schedule becomes the first entry in the drop-down box. Additional schedules can be created by clicking the New button and modifying the options on the Schedule tab. Changes to existing schedule entries can be made by selecting the schedule from the drop-down box and changing the settings on the tab. Any schedule can be deleted by selecting it in the drop-down box and clicking the Delete button.

Figure 11.24 The Schedule Tab in the Schedule Job Dialog Box

17. The Schedule Job dialog box contains a second tab labeled Settings, which is shown in Figure 11.25. When selected, this tab displays a number of additional scheduling options, including the following:
■ Delete the task if it is not scheduled to run again. This removes the task from the list of scheduled tasks if it is not scheduled to run in the future.
■ Stop the task if it runs for: This allows you to specify the number of hours and minutes that a backup job can run before it is terminated. Failed backup jobs often just keep running and consuming resources. They can even cause subsequent jobs to fail because they still have exclusive use of the required system resources, such as tape drives. The default value is 72 hours.
■ Only start the task if the computer has been idle for: This allows you to specify how much time must pass since the computer has been used by a user before a backup must begin.
■ If the computer has not been idle that long, retry for up to: This works in conjunction with the previous setting and allows you to specify how long the scheduler will continue to check to see if the required amount of idle time has been accumulated before giving up.
■ Stop the task if the computer ceases to be idle. This terminates the backup job if a user begins to use the computer again.
■ Don’t start the task if the computer is running on batteries. Because backups require the use of system resources such as the hard drive, they can be very power intensive. This setting allows you to specify that you do not want to have the backup start if the computer is running on batteries. This is primarily a setting for laptops.
■ Stop the task if battery mode begins. This setting terminates the backup job if the computer on which it is running switches over to battery power after the job has started. This setting is also primarily for laptops.
■ Wake the computer to run this task. If a power-saving mode is in use on the computer, this selection can be used to wake the system up so that the backup job can be run at the scheduled time.

18. When you have finished configuring the options on each of the tabs in the Schedule Job dialog box, click the OK button.

19. Click the Next button in the wizard.

Figure 11.25 The Settings Tab in the Schedule Job Dialog Box

20. This brings up the Set Account Information dialog box, shown in Figure 11.26. The backup job must be set to run with the user rights of a member of the local administrators or backup operators group. Alternatively, it can be run by a user who has been granted the right to Back up files and directories. In the Run as: text box, specify a user account that meets these requirements. Provide the password associated with the account in the Password: and Confirm password: text boxes. Click the OK button to proceed.

21. Click the Next button in the wizard.

22. Review the summary information for the backup job and click the Finish button to close the wizard.

23. The backup will take at least a few minutes. The Backup Progress screen is displayed during this time, as shown in Figure 11.27. Even on the most basic Windows Server 2003 DC, the system state data will average approximately 500MB in size. Note that the file size can be even larger. The actual backup file can take up to twice as much disk space as the amount listed in the Backup Progress dialog box. As an example, the file shown in these images actually consumed 857,175KB of disk space.

24. When the backup has completed, click the Close button to close the Backup Progress dialog box, shown in Figure 11.28, or click the Report… button to view the backup log associated with the job. Clicking the Report… button will open the Notepad application with the log file displayed, as shown in Figure 11.29. You should review the log for any error messages, such as those pertaining to files that were skipped. After reviewing the log, close the Notepad application.

Figure 11.26 The Set Account Information Dialog Box
Figure 11.27 The Backup Progress Dialog Box During Backup
Figure 11.28 The Backup Progress Dialog After the Backup Has Completed
Figure 11.29 The Backup Log

Backing Up at the Command Line

Instead of using the graphical Backup utility, you can back up the system state data by using the command-line version of the Backup utility. This might be desirable for use with administrative scripts. The command-line utility is a full-featured backup program that can specify many of the same options covered in the previous section. To back up the system state data, open a command prompt (Start | Run and type cmd) and use the following command and options:

    ntbackup backup systemstate /J "Syngress Backup Job" /F "C:\backupfile.bkf"

■ Ntbackup is the name of the command-line backup utility.
■ Backup is the option to specify a backup operation.
■ Systemstate is the option used to specify that the system state data should be backed up.
■ /J specifies the backup job name, which should be surrounded in quotes if it contains spaces.
■ /F specifies the name of the backup file.

Note that when you run this command, the graphical utility appears to show you the progress of the job.
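
How the Type of Backup choices described earlier in this procedure interact with the archive attribute, as an added Python simulation that is not part of the original text. Differential and Daily follow the descriptions above; the Normal, Copy and Incremental rules, the file names and the one-week schedule are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# type -> (selection rule, clears the archive attribute afterwards).
# Differential/Daily follow the text above; Normal, Copy and Incremental are
# assumed here (standard Windows Backup behaviour, not in this excerpt).
BACKUP_TYPES = {
    "normal": ("all", True),
    "copy": ("all", False),
    "incremental": ("archive", True),
    "differential": ("archive", False),
    "daily": ("today", False),
}


@dataclass
class FileState:
    modified: date
    version: int = 1
    archive: bool = True  # the file system sets this on create/modify


def write(files, name, day):
    """Create or modify a file: new version, archive attribute set again."""
    old = files.get(name)
    files[name] = FileState(day, old.version + 1 if old else 1)


def backup(files, kind, day):
    """Run one backup job; return {name: version} for what it captured."""
    rule, clears = BACKUP_TYPES[kind]
    picked = {}
    for name, f in files.items():
        if (rule == "all" or (rule == "archive" and f.archive)
                or (rule == "today" and f.modified == day)):
            picked[name] = f.version
            if clears:
                f.archive = False
    return picked


def run_week(kind):
    """Normal backup Monday, then `kind` Tue-Thu (constructed schedule).

    Returns (names captured Tue, Wed, Thu; files left in no backup set).
    """
    mon, tue, wed, thu = (date(2003, 9, 1) + timedelta(days=n) for n in range(4))
    files = {}
    for name in ("a.doc", "b.doc", "c.doc"):
        write(files, name, mon)
    sets = [backup(files, "normal", mon)]
    write(files, "a.doc", tue)
    sets.append(backup(files, kind, tue))
    write(files, "b.doc", wed)
    sets.append(backup(files, kind, wed))
    write(files, "late.doc", wed)  # saved after Wednesday's job finished
    write(files, "c.doc", thu)
    sets.append(backup(files, kind, thu))
    captured = {(n, v) for s in sets for n, v in s.items()}
    missed = sorted(n for n, f in files.items() if (n, f.version) not in captured)
    return [sorted(s) for s in sets[1:]], missed


if __name__ == "__main__":
    for kind in ("differential", "incremental", "daily"):
        print(kind, *run_week(kind))
```

With this schedule a Daily job never captures late.doc, which was saved after Wednesday's job had finished, while Differential and Incremental both pick it up on Thursday because its archive attribute is still set.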
There are many more switches that you can use with the Ntbackup command-line utility; those described here are the ones you will most commonly use to back up the system state data.

TEST DAY TIP
Although you can back up the system state data from the command line using the Ntbackup utility, you cannot perform a restore with this utility. Restores must be done from the graphical Backup utility.

Restoring Active Directory

EXAM 70-294 OBJECTIVE 2.4 2.4.1 2.4.2

Windows Server 2003 includes three types of directory services restore methods:
■ Primary
■ Normal
■ Authoritative

Microsoft has designed each of these restoration types to address a complex need that arises when restoring Active Directory or one of its related components. In addition to these three modes, specialty restore functionality is also provided within the Ntdsutil command-line utility and the Directory Services Restore Mode. It is very important for you to know which modes, features, and utilities to use to restore your server in a given recovery scenario. An improper restore can destabilize your entire Active Directory forest.

Directory Services Restore Mode

Before we discuss the three different restore methods that can be used, it is important to discuss the Directory Services Restore Mode. We mentioned this mode earlier in the chapter when discussing maintenance operations, such as moving the Active Directory database. Remember that the special feature of this mode is that it allows a DC to boot without initializing its copy of the Active Directory database. Because you must always log on to a Windows Server 2003 computer before you can use the operating system, a small version of a local directory service database (called a SAM database) remains on the computer after it has been promoted to a DC. This database has a single account, the local administrator account. When you have booted to the Directory Services Restore Mode using the directions given earlier in the chapter, you must log on with this account. After you are authenticated, you can perform certain limited maintenance functions, such as running the Ntdsutil utility mentioned earlier. You can also run the Backup utility to perform restores of the Active Directory database. It is necessary to perform all restores while running in this mode, because the Active Directory database must be offline to be restored. In this mode, you are logged on to a local account and the Active Directory database is not in use.

Normal Restore

The simplest of all restore methods is the normal restore. This method can be used in the following circumstances:

New & Noteworthy
New Restore Options in Windows 2003
The Active Directory restore options have seen some significant changes since Windows 2000. In Windows 2000, there were only two methods of restoration: Authoritative and Non-Authoritative. With Windows Server 2003, Authoritative restores remain unchanged; however, Non-Authoritative restores are now referred to as Normal restores. Despite the name change, they function exactly as they always have. A new type of restore is added, the Primary restore. This is designed to be used when all DCs for a given domain have been wiped out and need to be restored. Under Windows 2000, this could be an exhaustive Authoritative restore process involving many hours of labor and double-checking. With the new Primary restore type, it is as simple as selecting a check box.

[...]...
command from the files: prompt. Recall that the integrity command works by calling the Esentutl utility, which has full knowledge of the ESE database system but not necessarily all portions of the Active Directory database. The semantic database analysis command is specific to Active Directory and does not use the Esentutl command. As its name implies, it analyzes the Active Directory database, based on Active ...

... changed information and its related metadata, and packaged it into transactions. These transactions are initially written to memory, and then to the Edb.log file. Finally, they are written to the Active Directory database, and the checkpoint file is updated so that the system knows what has and has not been fully committed to the database. We also examined the Garbage Collection process. You learned that ...

Figure 11.45 A Failed Recover Operation

Using the Semantic Database Analysis Command

The semantic database analysis command is the primary command that is used to verify the full integrity of the Active Directory database. You might be wondering what the difference is between this command and the integrity ...

... tasks. We began with a look at the defragmentation process and you learned that there are two different types of defragmentation for the Active Directory database: online and offline. Both types rearrange the contents of the database so that the stored data and free space are contiguous, and re-index the database. These measures provide greater database performance. However, the online defragmentation process ...

Summary of Exam Objectives

In this chapter, we examined the many factors involved in ensuring Active Directory availability. In the first section, we began with a thorough examination of the Active Directory database and its related files: Ntds.dit, Edb*.log, Res1.log, Res2.log, and Edb.chk. Next, we discussed the ESE database engine and how data is updated in Active Directory. You learned that ESE captured ...

... perform a “soft” recovery of the Active Directory database by re-running its log files. The semantic database analysis command is the only native Active Directory command and thus provides the most thorough examination of Active Directory database integrity. We examined some of the available switches that can be used with the esentutl command, including the /p switch that is used to perform a full, binary-level ...

... that this is a command-line utility so the command prompt will change to ntdsutil:

5. Type authoritative restore. The command prompt should change to display authoritative restore:

6. Use one of the following commands to mark Active Directory or a portion of it as authoritative.
■ Type restore database to mark the domain and configuration containers of the database as authoritative. The schema container cannot ...

... system state data. You learned that the system state data contains the most critical system configuration information. You also learned that the data it contains depends on the Windows Server 2003 components installed in the system. Finally, you learned the critical role that hardware plays in fault tolerance and performance. In the second section of the chapter, we examined Active Directory maintenance tasks ...

... optimum performance. The third section of the chapter covered backing up and restoring Active Directory. You learned that the best way to back up Active Directory was with system state data. You also learned that there are three ways to restore Active Directory: primary, normal, and authoritative. You learned that all restore operations must be performed while the database is offline in Directory Services ...

... command prompt window

17. Navigate to your profile directory and use Notepad to open the log file that you saw displayed in step 13 (for example, dsdit.dmp.0).

18. View the contents of the log, paying careful attention to any warning messages, and then close Notepad.

19. Reboot the server normally.

EXAM WARNING
Remember, only the semantic database analysis command is specific to Active Directory (checks the database ...

Date posted: 13/08/2014, 15:20
