09 - Implementing an Active Directory Domain Services Maintenance Plan


(1)

Module 9: Implementing an Active Directory Domain Services Maintenance Plan

(2)

Module Overview

• Maintaining the AD DS Domain Controllers

• Backing Up Active Directory Domain Services

• Restoring Active Directory Domain Services

(3)

Lesson 1: Maintaining the AD DS Domain Controllers

• The Active Directory Domain Services Database and Log Files

• How the AD DS Database Is Modified

• Managing the Active Directory Database Using NTDSUtil Tool

• What Is an AD DS Database Defragmentation?

• What Are Restartable Active Directory Domain Services?

• Demonstration: Performing AD DS Database Maintenance Tasks

(4)

The Active Directory Domain Services Database and Log Files

File                              Description
Ntds.dit                          The Active Directory database file. Stores all Active Directory objects
                                  held by the domain controller. Default location: %systemroot%\NTDS
Edb*.log                          Transaction log files. The current transaction log is Edb.log
Edb.chk                           Checkpoint file. Records how far the transaction logs have been applied
                                  to Ntds.dit, that is, which logged changes are not yet written to the
                                  database file
Edbres00001.jrs, Edbres00002.jrs  Reserved transaction log files. Pre-allocated space so that in-flight
                                  transactions can still be logged if the volume fills up

(5)

How the AD DS Database Is Modified

1. A write request arrives at the domain controller and a transaction is initiated.

2. The change is written to the transaction buffer in memory.

3. The transaction is written to the transaction log, EDB.log, on disk. The change is committed as soon as it is in the log, which is why the logs must survive a crash.

4. The change is written to the database file, Ntds.dit, on disk; Edb.chk records how far the log has been applied.

(6)

Managing the Active Directory Database Using NTDSUtil Tool

Ntdsutil.exe is a command-line tool used to manage some Active Directory components

Use Ntdsutil.exe to:

• Perform Active Directory database maintenance

• Manage and control single master operations

• Move the Active Directory database files

• Remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled

(7)

What Is an AD DS Database Defragmentation?

Active Directory performs online database defragmentation automatically every 12 hours

Online defragmentation optimizes data storage in the database and reclaims space in the directory for new objects, but does not reduce the size of the database file

Use the NTDSUtil command-line tool to perform offline defragmentation on a dismounted (stopped) database; it writes a new, compacted copy of the database file

The new file may be considerably smaller, depending on how fragmented the original database file was

(8)

What Are Restartable Active Directory Domain Services?

Restartable AD DS allows administrators to stop the Active Directory Domain Services service without restarting the domain controller in Directory Services Restore Mode. Services that do not depend on AD DS keep running; services that do depend on it (Kerberos Key Distribution Center, Intersite Messaging, DNS Server, DFS Replication) are stopped with it

Use restartable AD DS when:

• Applying updates that modify Active Directory service files on a domain controller

• Performing tasks such as offline defragmentation of the Active Directory database

(9)

Demonstration: Performing AD DS Database Maintenance Tasks

In this demonstration, you will see how to:

• Start and stop AD DS Services

• Move AD Database to a different drive using NTDSUtil
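The three preceding slides (offline defragmentation, restartable AD DS, and the demonstration of stopping AD DS and moving the database) are one procedure in practice. The following is an added example, not code from the course, that carries it out on a Windows Server 2008 domain controller. It assumes ntds.dit and its logs are in the default %SystemRoot%\NTDS, that D:\NTDS-Compact is free scratch space, and that D:\NTDS is the new home for the database; all three paths are hypothetical.

```powershell
# Added example (not from the course slides): offline maintenance of the AD DS
# database using restartable AD DS (server stays up) and Ntdsutil.exe.
# Assumptions: default database/log location %SystemRoot%\NTDS; D:\NTDS-Compact
# and D:\NTDS exist or can be created. Run from an elevated prompt on the DC.

$NtdsDir    = Join-Path $env:SystemRoot 'NTDS'
$LiveDb     = Join-Path $NtdsDir 'ntds.dit'
$CompactDir = 'D:\NTDS-Compact'   # assumption: scratch folder for the compacted copy
$NewDbDir   = 'D:\NTDS'           # assumption: target volume for the moved database

function Invoke-Ntdsutil {
    # Runs ntdsutil.exe with each element of $Commands as one ntdsutil command,
    # which is its batch form; a non-zero exit code is treated as failure.
    param([string[]]$Commands)
    & ntdsutil.exe @Commands
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed: $($Commands -join ' | ')" }
}

# 1. Stop AD DS. Services that depend on it (KDC, Intersite Messaging, DNS
#    Server, DFS Replication) stop too; unrelated services keep running.
Stop-Service -Name NTDS -Force
try {
    # 2. Offline defragmentation: ntdsutil writes a compacted copy into
    #    $CompactDir and leaves the live file untouched.
    New-Item -ItemType Directory -Path $CompactDir -Force | Out-Null
    Invoke-Ntdsutil 'activate instance ntds', 'files', "compact to $CompactDir", 'quit', 'quit'

    # 3. Swap the compacted copy in. After a clean stop the old logs are fully
    #    applied and belong to the old file, so they are removed with it.
    Copy-Item $LiveDb "$LiveDb.bak" -Force
    Copy-Item (Join-Path $CompactDir 'ntds.dit') $LiveDb -Force
    Remove-Item (Join-Path $NtdsDir '*.log')
    try {
        Invoke-Ntdsutil 'activate instance ntds', 'files', 'integrity', 'quit', 'quit'
    }
    catch {
        Copy-Item "$LiveDb.bak" $LiveDb -Force   # integrity failed: put the old file back
        throw
    }
    Remove-Item "$LiveDb.bak"

    # 4. Move database and logs to the other volume. ntdsutil copies the files
    #    and updates the registry paths AD DS reads at start; a manual copy does not.
    New-Item -ItemType Directory -Path $NewDbDir -Force | Out-Null
    Invoke-Ntdsutil 'activate instance ntds', 'files', "move db to $NewDbDir", "move logs to $NewDbDir", 'quit', 'quit'
}
finally {
    # 5. Bring AD DS back, then whatever depended on it and is still stopped.
    Start-Service -Name NTDS
    Get-Service -Name NTDS -DependentServices |
        Where-Object { $_.Status -ne 'Running' } |
        Start-Service -ErrorAction SilentlyContinue
}
```

The integrity check runs before AD DS is started again so that a damaged compacted file never becomes the live database; the .bak copy is kept until that check passes. A backup of the database before any offline operation is still the right precaution.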

(10)

Locking Down Services on AD DS Domain Controllers

Services required for AD DS to function correctly:

Distributed File System

DNS Server

File Replication Service

Kerberos Key Distribution Center

Intersite Messaging

Remote Procedure Call (RPC) Locator

Minimize the number of server roles and applications installed on domain controllers

Use the Security Configuration Wizard to lock down the services on a domain controller
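An added example (not from the course) of the check behind "minimize the number of server roles and applications": it compares the services present on a domain controller with the set the slide lists as required, and reports everything else that starts automatically so it can be reviewed against the baseline produced by the Security Configuration Wizard. The service names are the Windows internal names for the roles on the slide; both DFS services are included because SYSVOL on Server 2008 may be replicated by FRS or DFSR. No other names are assumed.

```powershell
# Added example (not from the course slides): audit a domain controller's
# services against the minimal set AD DS needs.
$RequiredAdServices = @(
    'NTDS',        # Active Directory Domain Services itself
    'Dfs',         # Distributed File System (namespace)
    'DFSR',        # DFS Replication (SYSVOL after migration from FRS)
    'DNS',         # DNS Server
    'NtFrs',       # File Replication Service (legacy SYSVOL replication)
    'kdc',         # Kerberos Key Distribution Center
    'IsmServ',     # Intersite Messaging
    'RpcLocator'   # Remote Procedure Call (RPC) Locator (Manual by default)
)

function Get-DcServiceReport {
    # Returns two lists: required services that are missing, disabled or (if
    # automatic) not running, and every other automatic service with its binary
    # path, for comparison with the lockdown baseline.
    $services = Get-WmiObject -Class Win32_Service   # Name, State, StartMode, PathName

    $problems = foreach ($name in $RequiredAdServices) {
        $svc = $services | Where-Object { $_.Name -eq $name }
        if (-not $svc)                          { "$name : not installed" }
        elseif ($svc.StartMode -eq 'Disabled')  { "$name : disabled" }
        elseif ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running') { "$name : $($svc.State)" }
    }

    $other = $services |
        Where-Object { $_.StartMode -eq 'Auto' -and $RequiredAdServices -notcontains $_.Name } |
        Select-Object Name, DisplayName, State, PathName

    New-Object PSObject -Property @{
        RequiredProblems = @($problems)
        OtherAutomatic   = @($other)
    }
}

$report = Get-DcServiceReport
$report.RequiredProblems
$report.OtherAutomatic | Sort-Object Name | Format-Table Name, State, PathName -AutoSize
```

Anything in OtherAutomatic that is not a core Windows service or the DNS role is a candidate for removal or for a Disabled start mode in the SCW policy; the PathName column is where unexpected third-party binaries on a DC show up.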

(11)

Lesson 2: Backing Up Active Directory Domain Services

• Introduction to Backing Up AD DS

• Windows Backup Features

(12)

Introduction to Backing Up AD DS

To back up Active Directory, you must back up all critical volumes

Critical volumes include:

• The system volume: the volume that hosts the boot files

• The boot volume: the volume that hosts the Windows operating system and the Registry

• The volume that hosts the SYSVOL tree

• The volume that hosts the Active Directory database (Ntds.dit)

• The volume that hosts the Active Directory database log files

All of these files may be stored in a single volume or distributed across several

(13)

Windows Backup Features

Windows Server Backup is a Windows Server 2008 feature used to back up and recover the operating system and data

With Windows Server Backup, you can:

Recover the server without using third-party backup and recovery tools

Perform manual or automatic backups

Back up an entire server or selected volumes

Recover items or entire volumes

Use DVDs or CDs as backup media

(14)

Demonstration: Backing Up AD DS
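The backup demonstration is not reproduced on the page, so the following is an added example (not the course's own lab script) of backing up a domain controller with wbadmin.exe, the command-line side of Windows Server Backup. It assumes the Windows Server Backup feature and its command-line tools are installed and that E: is a local volume that is not one of the critical volumes; the target path is hypothetical.

```powershell
# Added example (not from the course slides): back up a domain controller's
# critical volumes or system state with wbadmin.exe.
# Assumption: E: is a dedicated backup volume. Windows Server 2008 refuses a
# system state backup whose target is itself a critical volume.
$Target = 'E:'   # assumption; a UNC path such as \\backup01\dc-backups also works

function Backup-DcCriticalVolumes {
    # Full backup of every critical volume: system, boot, SYSVOL, the volume
    # with ntds.dit and the volume with the logs. Needed for a full server restore.
    & wbadmin.exe start backup -allCritical -backupTarget:$Target -quiet
    if ($LASTEXITCODE -ne 0) { throw "critical-volume backup failed ($LASTEXITCODE)" }
}

function Backup-DcSystemState {
    # Smaller system state backup: AD DS database and logs, SYSVOL, registry
    # and boot files. Enough for a nonauthoritative or authoritative AD DS restore.
    & wbadmin.exe start systemstatebackup -backupTarget:$Target -quiet
    if ($LASTEXITCODE -ne 0) { throw "system state backup failed ($LASTEXITCODE)" }
}

function Get-DcBackupVersions {
    # Prints the version identifiers (timestamps) that a later
    # "wbadmin start systemstaterecovery -version:..." needs.
    & wbadmin.exe get versions -backupTarget:$Target
}

Backup-DcSystemState
Get-DcBackupVersions
```

Two points a practitioner wants alongside the slide: the backup contains Ntds.dit and the SYSTEM registry hive, which together yield every password hash in the domain, so the target volume or share needs the same access control as a domain controller; and a backup older than the forest's tombstone lifetime cannot be restored, so the backup schedule must be well inside that window.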

(15)

Lesson 3: Restoring Active Directory Domain Services

• Overview of Restoring AD DS

• What Is a Nonauthoritative AD DS Restore?

• What Is an Authoritative AD DS Restore?

• What Is the Database Mounting Tool?

• Demonstration: Using the Database Mounting Tool

(16)

Overview of Restoring AD DS

Options for restoring Active Directory Domain Services include:

Normal Restore

Authoritative Restore

Full Server Restore

(17)

What Is a Nonauthoritative AD DS Restore?

A nonauthoritative or normal AD DS restore returns the directory service to its state at the time that the backup was created

AD DS replication then updates the domain controller with changes that have occurred since the backup was created

Restart the domain controller in Directory Services Restore Mode (DSRM) to perform a nonauthoritative restore:

1. Press F8 when restarting the server and choose Directory Services Restore Mode, or type the command bcdedit /set safeboot dsrepair and restart the server

2. Provide the Directory Services Restore Mode password

(18)

What Is an Authoritative AD DS Restore?

Authoritative restore is a four-step process:

1. Start the domain controller in DSRM

2. Restore the desired backup, which is typically the most recent backup

3. Use Ntdsutil.exe to mark the desired objects, containers, or partitions as authoritative

4. Restart the domain controller in normal mode to replicate the changes

Authoritative restore provides a method to recover objects and containers that have been deleted from AD DS

To mark an object as authoritative, use a command like:
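As an added example that is not part of the course material, the nonauthoritative sequence from the previous slide and the authoritative sequence from this one are written below as PowerShell functions around bcdedit, wbadmin and ntdsutil. The backup location E:, the domain contoso.com, the OU=Sales subtree and the version identifier are all hypothetical. The server reboots between phases, so the functions are run one at a time in the order given at the end.

```powershell
# Added example (not from the course slides): nonauthoritative and
# authoritative AD DS restore from a Windows Server Backup system state backup.
# Assumptions (hypothetical): backups on E:, domain contoso.com, OU=Sales to recover.

$BackupTarget = 'E:'   # assumption

function Enter-Dsrm {
    # Same effect as pressing F8 and choosing Directory Services Restore Mode;
    # the flag persists across reboots until Exit-Dsrm removes it.
    bcdedit /set safeboot dsrepair
    Restart-Computer
}

function Restore-DcSystemState {
    # Run in DSRM, logged on as .\Administrator with the DSRM password.
    # $Version is one of the identifiers printed by "wbadmin get versions".
    param([string]$Version = '04/20/2021-02:00')   # assumption
    & wbadmin.exe get versions -backupTarget:$BackupTarget
    & wbadmin.exe start systemstaterecovery -version:$Version -backupTarget:$BackupTarget -quiet
    if ($LASTEXITCODE -ne 0) { throw "system state recovery failed ($LASTEXITCODE)" }
}

function Set-AuthoritativeSubtree {
    # Authoritative restore only, still in DSRM and before rebooting. ntdsutil
    # raises the version numbers on everything under the DN so replication
    # partners accept the restored copy instead of overwriting it.
    param([string]$Dn = 'OU=Sales,DC=contoso,DC=com')   # assumption
    & ntdsutil.exe 'authoritative restore' "restore subtree $Dn" quit quit
    if ($LASTEXITCODE -ne 0) { throw "marking $Dn authoritative failed ($LASTEXITCODE)" }
}

function Exit-Dsrm {
    # Clear the DSRM flag and reboot normally. After a nonauthoritative restore
    # replication brings the DC up to date (newer changes win); after an
    # authoritative restore the marked subtree replicates outward.
    bcdedit /deletevalue safeboot
    Restart-Computer
}

# Nonauthoritative restore:  Enter-Dsrm ; Restore-DcSystemState ; Exit-Dsrm
# Authoritative restore:     Enter-Dsrm ; Restore-DcSystemState ; Set-AuthoritativeSubtree ; Exit-Dsrm
```

Use restore object instead of restore subtree to mark a single object. For deleted users and groups, ntdsutil also writes .ldf files in its working directory that re-create group memberships on other domains; import them with ldifde after the reboot. If Group Policy objects were deleted as well, add -authsysvol to the systemstaterecovery command so SYSVOL is restored authoritatively too.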

(19)

What Is the Database Mounting Tool?

The Database Mounting Tool can be used to:

• Create and view snapshots of data that is stored in AD DS

• Improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times

• Eliminate the need to restore multiple backups to compare the Active Directory data that they contain

• View, but not restore, deleted objects and containers

(20)

Demonstration: Using the Database Mounting Tool
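The demonstration itself is not on the page. The following added example (not the course's demonstration script) takes a snapshot, mounts it with the Database Mounting Tool, dsamain.exe, on an alternate LDAP port, exports the same OU from the snapshot and from the live directory with ldifde, and diffs the two. The domain contoso.com, OU=Sales, port 51389, and the snapshot index 1 are assumptions; the mount path is read from ntdsutil's output.

```powershell
# Added example (not from the course slides): compare an AD DS snapshot with
# the live directory using ntdsutil snapshot, dsamain.exe and ldifde.exe.
# Assumptions: domain contoso.com, OU=Sales, LDAP port 51389, ntds.dit in the
# default %SystemRoot%\NTDS inside the snapshot. Run elevated on the DC.

$Port = 51389
$Base = 'OU=Sales,DC=contoso,DC=com'   # assumption

# 1. Create a snapshot (a VSS shadow copy of the volumes holding ntds.dit and
#    its logs) and list all snapshots with their indexes.
& ntdsutil.exe snapshot 'activate instance ntds' create 'list all' quit quit

# 2. Mount snapshot 1 (assumed index) and pick the mount point out of the
#    "... mounted as C:\$SNAP_<timestamp>_VOLUMEC$\" line ntdsutil prints.
$out = & ntdsutil.exe snapshot 'list all' 'mount 1' quit quit
$m = $out | Select-String 'mounted as (.+)$' | Select-Object -First 1
if (-not $m) { throw "could not find the mount path in ntdsutil output" }
$SnapRoot = $m.Matches[0].Groups[1].Value.Trim().TrimEnd('\')

# 3. Serve the snapshot's database read-only over LDAP on $Port. dsamain runs
#    until stopped, so it goes into its own process.
$DbPath = Join-Path $SnapRoot 'Windows\NTDS\ntds.dit'
$dsamain = Start-Process dsamain.exe -ArgumentList "-dbpath `"$DbPath`" -ldapport $Port" -PassThru
Start-Sleep -Seconds 15

# 4. Export the OU from the snapshot (-t $Port) and from the live DC, then diff.
$Attrs = 'distinguishedName,objectClass,memberOf'
& ldifde.exe -f snap.ldf -s localhost -t $Port -d $Base -p subtree -l $Attrs
& ldifde.exe -f live.ldf -s localhost -d $Base -p subtree -l $Attrs
Compare-Object (Get-Content snap.ldf) (Get-Content live.ldf) |
    Format-Table SideIndicator, InputObject -AutoSize

# 5. Clean up. The snapshot is a complete copy of the database, password
#    hashes included, so unmount it and delete it when the comparison is done.
Stop-Process -Id $dsamain.Id
& ntdsutil.exe snapshot 'list all' 'unmount 1' 'delete 1' quit quit
Remove-Item snap.ldf, live.ldf
```

Lines marked "<=" in the comparison exist only in the snapshot, which is how a deleted object shows up; as the slide says, the tool lets you see it but the recovery itself is still an authoritative restore or a tombstone reanimation.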

(21)

Reanimating Tombstoned AD DS Objects

You can reanimate deleted objects manually in AD DS when:

• You do not have a current AD DS backup for the domain in which user accounts or security groups were deleted

• The deleted object has not yet been scavenged from the Active Directory database (the tombstone lifetime has not expired)

• The deletion occurred in a domain that contains only Windows Server 2003 or later domain controllers

To reanimate tombstoned AD DS objects:

• Use LDP.exe, with the Show Deleted Objects control enabled, to locate the tombstone in the Deleted Objects container

• In a single modify operation, remove the object's isDeleted attribute and set its distinguishedName to the location where the object should reappear

• Afterwards, reset the password, check userAccountControl, and rebuild group memberships and other attributes that the tombstone did not preserve
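The LDP.exe steps above are a pair of LDAP operations, which the following added example (not course material) performs with System.DirectoryServices.Protocols from PowerShell so the procedure can be repeated and reviewed. The server name, Deleted Objects container DN, account name and target DN are all hypothetical parameters.

```powershell
# Added example (not from the course slides): reanimate a tombstoned user or
# group the way LDP.exe does, using System.DirectoryServices.Protocols.
# Assumptions (hypothetical defaults): DC NYC-DC1.contoso.com, domain
# contoso.com, deleted account jdoe to be restored under OU=Users.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Restore-TombstonedObject {
    param(
        [string]$Server           = 'NYC-DC1.contoso.com',
        [string]$DeletedObjectsDn = 'CN=Deleted Objects,DC=contoso,DC=com',
        [string]$SamAccountName   = 'jdoe',
        [string]$NewDn            = 'CN=jdoe,OU=Users,DC=contoso,DC=com'
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # current credentials; reanimation requires Domain Admins rights by default

    # The Show Deleted Objects control (OID 1.2.840.113556.1.4.417) makes
    # tombstones visible; without it neither the search nor the modify works.
    $showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

    $search = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $DeletedObjectsDn,
        "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))",
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        @('distinguishedName', 'lastKnownParent', 'objectClass'))
    $search.Controls.Add($showDeleted) | Out-Null
    $result = $conn.SendRequest($search)
    if ($result.Entries.Count -ne 1) {
        throw "expected exactly one tombstone for $SamAccountName, found $($result.Entries.Count)"
    }
    $tombstone  = $result.Entries[0]
    $lastParent = $tombstone.Attributes['lastKnownParent'][0]
    Write-Host "Found $($tombstone.DistinguishedName) (last known parent: $lastParent)"

    # Reanimation is one atomic modify: delete isDeleted and replace the DN.
    # Doing them as two separate operations is rejected by the DC.
    $remove = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $remove.Name      = 'isDeleted'
    $remove.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $rename = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $rename.Name      = 'distinguishedName'
    $rename.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $rename.Add($NewDn) | Out-Null

    $modify = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $modify.DistinguishedName = $tombstone.DistinguishedName
    $modify.Modifications.Add($remove) | Out-Null
    $modify.Modifications.Add($rename) | Out-Null
    $modify.Controls.Add($showDeleted) | Out-Null
    $conn.SendRequest($modify) | Out-Null
    return $NewDn
}

Restore-TombstonedObject
```

The object comes back with only the attributes a tombstone preserves (objectSid and sAMAccountName among them), so its SID-based permissions survive but the password, most other attributes and in general its group memberships do not; those have to be set again, which is why the slide treats reanimation as the fallback for when no backup exists.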

(22)

Lab: Implementing an Active Directory Domain Services Maintenance Plan

• Exercise 1: Maintaining AD DS Domain Controllers

• Exercise 2: Backing Up AD DS

• Exercise 3: Performing a Nonauthoritative Restore of the AD DS Database

• Exercise 4: Performing an Authoritative Restore of the AD DS Database

• Exercise 5: Restoring Data Using the AD DS Data Mining Tool

Logon information

Virtual machines: 6425A-NYC-DC1, 6425A-NYC-DC2

User name: Administrator

Password: Pa$$w0rd

(23)

Lab Review

• How could you apply the security policy you created in Exercise to multiple domain controllers? What concerns would you have with doing this?

• Why is a Nonauthoritative AD DS restore overwritten by replication? How does an authoritative restore prevent this from happening?

(24)

Module Review and Takeaways

• Review questions

• Considerations

(25)

Beta Feedback Tool

• Beta feedback tool helps:

  - Collect student roster information, module feedback, and course evaluations

  - Identify and sort the changes that students request, thereby facilitating a quick team triage

  - Save data to a database in SQL Server that you can later query

(26)

Beta Feedback

Overall flow of module:

  - Which topics did you think flowed smoothly, from topic to topic?

  - Was something taught out of order?

Pacing:

  - Were you able to keep up? Are there any places where the pace felt too slow?

  - Were you able to process what the instructor said before moving on to the next topic?

  - Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?

Learner activities:

  - Which demos helped you learn the most? Why do you think that is?

  - Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?

  - Were there any discussion questions or reflection questions

Posted: 20/04/2021, 03:51
