
Windows Server 2012 : Backup and Recovery (part 8) - Backing up and restoring Active Directory

7/9/2013 7:25:27 PM

5. Backing up and restoring Active Directory

Backing up Active Directory is easy. Recovery of Active Directory itself, however, is different from recovery for other types of network services. A key reason for this involves the way Active Directory data is replicated and restored. Because of this, let’s look at backup and recovery strategies for Active Directory, and then look at various restore techniques.

Backup and recovery strategies for Active Directory

Domain controllers have replication partners with which they exchange directory changes. When a domain has multiple domain controllers and one of them fails, the others detect the failure and adjust their replication topology accordingly. You can repair or replace the failed domain controller from backup, but restoring the server's volumes alone does not bring its copy of the directory up to date; the directory itself has to be recovered through one of the two restore modes described next.

To restore Active Directory on the failed domain controller, you use either a nonauthoritative or authoritative approach. A nonauthoritative restore allows the domain controller to come back online and then get replication updates from other domain controllers. An authoritative restore makes the restored domain controller the authority in the domain, and its data is replicated to other domain controllers.

In most cases, you’ll have multiple domain controllers in a domain, giving you flexibility in your disaster recovery plan. If one of the domain controllers fails, you can install a new domain controller, clone an existing domain controller, or promote an existing member server so that it can be a domain controller. The directory on the new domain controller is updated automatically through replication. You could also recover the failed domain controller, and then perform a nonauthoritative restore. In this case, you would restore Active Directory on the domain controller and obtain directory updates from other domain controllers in the domain.

In some cases, you might need to perform an authoritative restore of Active Directory. For example, if a large number of objects were deleted from Active Directory and you are not using Active Directory Recycle Bin, the only way to recover those objects would be to use an authoritative restore. In this case, you would restore Active Directory on a domain controller and use the recovered data as the master copy of the directory database. This data is then replicated to all other domain controllers.

The disaster recovery strategy you choose for Active Directory might depend on whether you have dedicated or nondedicated domain controllers, for the following reasons:

  • When you have dedicated domain controllers that perform no other domain services, you can implement a very simple disaster recovery procedure for domain controllers. As long as you have multiple domain controllers in each domain, you can restore a failed domain controller by installing a new domain controller or cloning an existing domain controller and then populating the directory on this new domain controller. You can do so through replication or by recovering the domain controller using a nonauthoritative restore. You should always back up one or more of the domain controllers and their system state as well so that you always have a current snapshot of Active Directory in the backup archives. If you need to recover from a disaster that has caused all your domain controllers to fail or Active Directory has been corrupted, you can recover using an authoritative restore in the Directory Services Restore mode.

  • When you have nondedicated domain controllers, you should back up the system state whenever you perform a full backup of a domain controller. This stores a snapshot of Active Directory along with the other pertinent system information that can be used to fully recover the domain controller. If a domain controller fails, you can recover the server the way you recover any server. You then have the option of restoring the system state data and Active Directory to allow the server to resume operating as a domain controller by using a nonauthoritative restore in the Directory Services Restore mode. If you need to recover from a disaster that has caused all your domain controllers to fail or Active Directory has been corrupted, you also have the option of using an authoritative restore in the Directory Services Restore mode.

When planning backups of Active Directory, you should also remember the tombstone lifetime. Active Directory doesn't physically delete objects when you remove them from the directory. Instead, an object is tombstoned (marked as deleted and stripped of most of its attributes) or, when Active Directory Recycle Bin is enabled, first logically deleted and later recycled; either way the deleted state is replicated to all the other domain controllers. The tombstone lifetime is 60 days by default in forests created on Windows 2000 Server or Windows Server 2003 RTM and 180 days in forests created on Windows Server 2003 SP1 or later. The value is stored in the tombstoneLifetime attribute of the Directory Service object in the configuration partition, and when that attribute is not set the 60-day default applies. The deleted-object lifetime, which matters only when Recycle Bin is enabled, defaults to the same value as the tombstone lifetime. To ensure that you don't reintroduce objects that have already been purged, Active Directory refuses to restore a backup that is older than the tombstone lifetime. This means that a backup of Active Directory becomes unusable for restore after 60 or 180 days, whichever applies to your forest, so the backup schedule must be considerably shorter than that.
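The following PowerShell, added here as an example rather than taken from the book, reads both lifetimes from the forest and compares them with the age of the newest backup on the server. It assumes the ActiveDirectory and WindowsServerBackup modules are available and that backups are written to E:\ (an assumed location):

```powershell
# Added example (not from the book): compare the forest tombstone lifetime with the age
# of the newest Windows Server Backup version on this domain controller.
# Assumptions: ActiveDirectory and WindowsServerBackup modules installed, backups on E:\.
Import-Module ActiveDirectory
Import-Module WindowsServerBackup

# Both lifetimes live on the Directory Service object in the configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties 'tombstoneLifetime', 'msDS-DeletedObjectLifetime'

# An unset tombstoneLifetime means the forest was created on Windows 2000 or
# Windows Server 2003 RTM and still uses the old 60-day default.
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
# msDS-DeletedObjectLifetime only matters with Recycle Bin; unset means "same as TSL".
$dol = if ($dsObject.'msDS-DeletedObjectLifetime') { [int]$dsObject.'msDS-DeletedObjectLifetime' } else { $tsl }
"Tombstone lifetime: $tsl days; deleted-object lifetime: $dol days"

# Newest backup version on the assumed target E:\
$newest = Get-WBBackupSet -BackupTarget (New-WBBackupTarget -VolumePath 'E:') |
          Sort-Object BackupTime -Descending | Select-Object -First 1
if (-not $newest) { throw 'No backup versions found on E:\' }
$age = (Get-Date) - $newest.BackupTime
"Newest backup: $($newest.BackupTime) ($([int]$age.TotalDays) days old)"

# AD refuses to restore a backup older than the tombstone lifetime, so warn well before that.
if ($age.TotalDays -ge $tsl) {
    Write-Warning 'The newest backup is older than the tombstone lifetime and cannot be restored.'
} elseif ($age.TotalDays -ge ($tsl * 0.75)) {
    Write-Warning 'The newest backup is approaching the tombstone lifetime; take a fresh system state backup.'
}
```

Run it on each domain controller you rely on for directory backups; the warning threshold of three quarters of the lifetime is an arbitrary choice and can be tightened to match your backup schedule.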

Other system information is contained in the system state besides Active Directory. So, any restore of Active Directory includes all that information, and that information will be restored to its previous state as well. If a server’s configuration changed since the backup, the configuration changes will be lost.

Performing a nonauthoritative restore of Active Directory

When a domain controller fails, you can restore it the way you restore any other server except when it comes to Active Directory. With this in mind, first fix the problem that caused the server to fail. After you restore the server, you can then work to restore Active Directory.

You recover Active Directory by restoring the system state on the domain controller, using a special recovery mode called Directory Services Restore mode. If you made changes to Active Directory since the backup, the system-state backup will not contain those changes. However, other domain controllers in the domain will have the most recent changes, and the domain controller will be able to obtain those changes through the normal replication process.

When you want to restore Active Directory on a domain controller and have the domain controller get directory updates from other domain controllers, you perform a nonauthoritative restore. A nonauthoritative restore allows the domain controller to come back online and then get replication updates from other domain controllers.

Schedule a full server backup of a domain controller to ensure the recovery of the server operating system and application data in the event of a hardware failure. Schedule a separate backup of critical volumes to ensure timely recovery of Active Directory. To guard against unforeseen issues, schedule backups on at least two different domain controllers for each domain and schedule additional backups on any domain controller with a unique application partition.

A full server backup is a backup of every volume on the server. You can use this type of backup to recover a domain controller onto new hardware. On a domain controller, critical volumes include the boot volume and the volumes that contain the following data:

  • Operating-system files

  • The registry

  • The Active Directory database and log files

  • SYSVOL folders

You can use critical-volume backups to restore Active Directory on a domain controller. Critical-volume backups can also be restored and copied to transferable media to install a new domain controller in the same domain.

The procedure to perform a full server or critical-volume recovery of a domain controller is the same as for any server. When you do this, you will also be performing a nonauthoritative restore of Active Directory. After the recovery is complete, restart the domain controller in the standard operations mode and then verify the installation. When you restart the domain controller, Active Directory automatically detects that it has been recovered from a backup. Active Directory will then perform an integrity check and re-index the database. From that point on, the server can then act as a domain controller and it has a directory database that is current as of the date of the backup. The domain controller then connects to its replication partners and begins updating the database so that any changes since the backup are reflected.

After you log on to the server, check Active Directory and verify that all of the objects that were present in the directory at the time of the backup are restored. The easiest way to confirm this is to browse Active Directory Users And Computers, Active Directory Domains And Trusts, and Active Directory Sites And Services.
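As an added example (not the book's own material), here are the two scheduled backups the text recommends and the checks to run after a nonauthoritative restore, in PowerShell. The backup disk E:\, the partner domain controller DC02 and the user account post.backup are assumed names:

```powershell
# Added example (not from the book): schedule the backups the text recommends and verify a
# domain controller after a nonauthoritative restore. Assumed: backup disk E:\, partner DC02,
# a user "post.backup" created after the backup was taken.

# 1. Nightly backup of all critical volumes (system/boot volumes, the NTDS database and
#    logs, SYSVOL) to E:\ at 21:00; -allCritical selects those volumes for you.
wbadmin enable backup '-addtarget:E:' '-schedule:21:00' -allCritical -quiet

# 2. A separate, on-demand system state backup for directory recovery.
wbadmin start systemstatebackup '-backupTarget:E:' -quiet

# 3. Know which versions exist before you need them.
wbadmin get versions '-backupTarget:E:'

# ---- after the nonauthoritative restore and a normal restart ----
Import-Module ActiveDirectory

# The restore is nonauthoritative, so this DC must pull everything changed since the
# backup from its partners. Inbound replication has to succeed for that.
repadmin /showrepl localhost
repadmin /replsummary

# Failed attempts or a stale last-success time mean the DC is not catching up.
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -PartnerType Inbound |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures

# Spot check: an object created after the backup should exist here once replication ran.
Get-ADUser -Filter "SamAccountName -eq 'post.backup'" -Server $env:COMPUTERNAME

# dcdiag covers advertising, the SYSVOL and NETLOGON shares and replication in one pass.
dcdiag /test:replications /test:advertising /test:sysvolcheck /test:netlogons
```

The consoles the text names are fine for a visual check; the replication metadata is what tells you whether the changes made since the backup are actually arriving.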

Performing an authoritative restore of Active Directory

An authoritative restore is used when you need to recover Active Directory to a specific point in time and then replicate the restored data to all other domain controllers. Consider the following example: John accidentally deleted the Marketing organizational unit (OU) and all the objects it contained. Because the changes have already been replicated to all domain controllers in the domain and Recycle Bin is not enabled, the only way to fully restore the OU and the related objects would be to use an authoritative restore. Similarly, if Active Directory were somehow corrupted, the only way to recover Active Directory fully would be to use an authoritative restore.

When performing authoritative restores, there are several significant issues that you should consider. The first and most important issue has to do with the passwords used for computer accounts and for trusts, including Windows NT LAN Manager (NTLM) trusts. These passwords are changed automatically every 30 days by default (the Netlogon maximum machine account password age). If you perform an authoritative restore of Active Directory, the restored data contains the passwords that were in use when the backup archive was made, so any computer or trust whose password rotated after that can no longer authenticate. If you monitor the event logs after the restore, you might see related Netlogon events, or you might hear from users who are experiencing problems accessing resources in the domain.

Computer account passwords allow computers to authenticate themselves in a domain using a computer trust. If a computer password has changed, the computer might not be able to reauthenticate itself in the domain. In this case, you might need to reset the computer account password by pressing and holding or right-clicking on the computer account in Active Directory Users And Computers, and then selecting Reset Account. If the reset of the password doesn’t work, you might need to remove the computer account from the domain, and then add it back.

NTLM trusts are trusts between Active Directory domains and Microsoft Windows NT domains. If a trust password has changed, the trust between the domains might fail.

Another significant issue when performing an authoritative restore has to do with group membership. Problems with group membership can occur after an authoritative restore for several reasons.

In the first case, an administrator has updated a group object's membership on a domain controller that has not yet received the restored data. That domain controller might replicate the change to other domain controllers, causing a temporary inconsistency. The change shouldn't be permanent, however, because an authoritative restore raises the version number of every attribute on each restored object by 100,000, and replication conflict resolution keeps the value with the highest version. The restored membership therefore overwrites the later change once it arrives.

Another problem with group membership can occur if group objects contain user accounts that do not currently exist in the domain, for example because the users were deleted together with their OU and are themselves among the objects being restored. If a group object is replicated to a partner before those user objects are, the partner sees members that do not exist and drops them from the group. When the user objects are replicated later, they are not added back to the groups.

Although there is no way to control which objects are replicated first, there is a way to correct this problem. You must force the domain controller to replicate the group membership list again after the user objects exist everywhere. You can do this by creating a temporary user account and adding it to each group that contained user accounts that were not yet valid in the domain. Here's how this would work: you authoritatively restore and then restart the domain controller. The domain controller begins replicating its data to other domain controllers. When this initial replication process finishes, you create a temporary user account and add it to the requisite groups. The group membership list is then replicated again, and any domain controller that removed the previously invalid user accounts from these groups returns them. Two caveats apply. In forests at the Windows Server 2003 forest functional level or higher, group membership is replicated per member (linked-value replication) rather than as a single list, which makes this problem far less likely; and when restored objects are members of groups in other domains, Ntdsutil cannot restore those back-links directly and instead writes them to an LDIF file (ar_<date>-<time>_links_<domain>.ldf in the directory you ran it from) that you import with ldifde -i -k -f on a domain controller in each of those domains.
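As an added example (not from the book), the following PowerShell repairs the two side effects just described: a member computer whose password rotated after the backup, and groups that lost restored members. The domain cpandl.com, the domain controllers DC01 and DC02, the member server WS01 and the group names are assumed:

```powershell
# Added example (not from the book): repairing the side effects of an authoritative restore.
# Assumed names: domain cpandl.com, authoritative DC DC01, partner DC02, member WS01,
# groups "Marketing Users" and "Marketing Admins".
Import-Module ActiveDirectory

# ---- Computer account passwords ----
# Run on a member that can no longer authenticate: its machine password changed after the
# backup, so the DC now holds the old one and the secure channel test fails.
if (-not (Test-ComputerSecureChannel -Server 'DC01.cpandl.com')) {
    # -Repair sets a new machine password on both the member and the DC.
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential 'CPANDL\Administrator')
}
# The same action from a DC, equivalent to "Reset Account" in Active Directory Users And
# Computers. If the channel is still broken afterwards, remove and rejoin the member.
dsmod computer 'CN=WS01,CN=Computers,DC=cpandl,DC=com' -reset

# ---- Group membership ----
# If group objects replicated before their restored member users did, partners dropped
# those members. Changing the membership again makes the list replicate once more, and
# this time the users exist everywhere, so the partners put them back.
$groups = 'Marketing Users', 'Marketing Admins'
$tmp = New-ADUser -Name 'tmp-ar-fixup' -SamAccountName 'tmp-ar-fixup' -Server 'DC01' -PassThru
foreach ($g in $groups) { Add-ADGroupMember -Identity $g -Members $tmp -Server 'DC01' }

# Push the change to every partner now instead of waiting for the replication schedule
# (/A all partitions, /P push from DC01, /e whole enterprise, /d show DNs in the output).
repadmin /syncall DC01 /APed

# Remove the temporary account once the change has replicated; deleting it also removes
# it from the groups, which replicates as another membership change.
Remove-ADUser -Identity $tmp -Server 'DC01' -Confirm:$false

# Check on a partner that the restored users are members again.
Get-ADGroupMember -Identity 'Marketing Users' -Server 'DC02' | Select-Object SamAccountName
```

Run the computer-account part on the affected member (or from a domain controller with dsmod) and the group part on the authoritative domain controller after its first replication cycle has completed.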

You can perform an authoritative restore by completing the following steps:

  1. Perform a full server or critical-volume recovery of the domain controller. After you repair or rebuild the server, restart the server and access the Advanced Boot Options menu. Typically, to do this you must press F8 before the Windows splash screen appears. The F8 window is short on Windows Server 2012, so if you cannot catch it, set the next boot into Directory Services Restore Mode in advance from an elevated prompt with bcdedit /set {default} safeboot dsrepair, and remove the setting with bcdedit /deletevalue {default} safeboot once the restore is finished. Do not let the domain controller start normally in between: on a normal start it would replicate with its partners, and the objects you want to restore would be deleted again before you could mark them authoritative.

  2. On the Advanced Boot Options menu, select Directory Services Restore Mode. Windows then restarts in a safe-mode configuration in which the Active Directory database is not started, so that it can be replaced.

  3. You will next need to choose the operating system you want to start.

  4. Log on as the local Administrator account (type .\Administrator as the user name) with the Directory Services Restore Mode (DSRM) password that was set when the domain controller was promoted. Domain accounts cannot be used because the directory is offline. If nobody knows the DSRM password, reset it beforehand on the running domain controller with the set dsrm password context of Ntdsutil.

  5. The Desktop prompt warns you that you are running in Safe Mode, which allows you to fix problems with the server but makes some of your devices unavailable. Tap or click OK.

  6. At an elevated command prompt, type ntdsutil. This starts the Directory Services Management Tool.

  7. At the Ntdsutil prompt, type authoritative restore. You should now be at the Authoritative Restore prompt, where you have the following options:

    • You can authoritatively restore the entire Active Directory database by typing restore database. If you restore the entire Active Directory database, there will be a significant amount of replication traffic generated throughout the domain and the forest. You should restore the entire database only if Active Directory has been corrupted or there is some other significant reason for doing so.

    • You can authoritatively restore a container and all its related objects (referred to as a subtree) by typing restore subtree ObjectDN, where ObjectDN is the distinguished name of the container to restore. For example, if someone accidentally deleted the Marketing OU in the cpandl.com domain, you could restore the OU and all the objects it contained by typing the command restore subtree ou=marketing,dc=cpandl,dc=com. Enclose the distinguished name in double quotation marks if it contains spaces.

    • You can authoritatively restore an individual object by typing restore object ObjectDN, where ObjectDN is the distinguished name of the object to restore. For example, if someone accidentally deleted the Sales group from the default container for users and groups (cn=users) in the cpandl.com domain, you could restore the group by typing the command restore object cn=sales,cn=users,dc=cpandl,dc=com.

  8. When you type a restore command and press Enter, the Authoritative Restore Confirmation dialog box appears, which prompts you to tap or click Yes if you’re sure you want to perform the restore action. Tap or click Yes to perform the restore operation.

  9. Type quit twice to exit Ntdsutil, and then restart the server. Before you restart, read Ntdsutil's output: it reports how many records it marked and, if any restored objects are members of groups in other domains, names the LDIF file of back-links it wrote for you to import in those domains with ldifde.
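The procedure above as commands, added here as an example and not taken from the book. It assumes a backup on E:\ with the version identifier 07/09/2013-19:25 (as listed by wbadmin get versions), the cpandl.com domain and the deleted Marketing OU from the text:

```powershell
# Added example (not from the book): the authoritative restore steps as commands.
# Assumptions: backup target E:\, version 07/09/2013-19:25, domain cpandl.com,
# deleted OU "Marketing". Run elevated.

# Steps 1-2: boot straight into Directory Services Restore Mode on the next restart.
# '{default}' is quoted so PowerShell does not parse the braces as a script block.
bcdedit /set '{default}' safeboot dsrepair
Restart-Computer -Force

# ---- from here on, logged on in DSRM as .\Administrator with the DSRM password ----

# Step 1 again if the recovered server's database is not already the state you want: a
# system state restore replaces NTDS.DIT, the logs, the registry and SYSVOL.
# Do NOT restart when it finishes; the objects must be marked first.
wbadmin start systemstaterecovery '-version:07/09/2013-19:25' '-backupTarget:E:' -quiet

# Steps 6-9: mark the deleted OU authoritative. Ntdsutil accepts its menu commands as
# arguments, one quoted string per command, so the whole dialog is a single line.
ntdsutil 'authoritative restore' 'restore subtree ou=marketing,dc=cpandl,dc=com' quit quit

# A single object with a custom version increment instead (note the space before verinc):
# ntdsutil 'authoritative restore' 'restore object cn=sales,cn=users,dc=cpandl,dc=com verinc 500' quit quit
# If a DN contains spaces, run ntdsutil interactively and put the DN in double quotes.

# Ntdsutil prints the number of records marked and, when restored objects belong to groups
# in other domains, the name of an LDIF file of back-links to import on a DC in each of
# those domains once replication has run:   ldifde -i -k -f <that file>

# Back to a normal boot; on restart the DC replicates the restored objects to its partners.
bcdedit /deletevalue '{default}' safeboot
Restart-Computer -Force

# Verify on a partner (assumed DC02) after replication:
#   Get-ADOrganizationalUnit -Identity 'OU=Marketing,DC=cpandl,DC=com' -Server DC02
```

The two Restart-Computer calls split this into three sessions; what matters is that the server never boots normally between the system state restore and the marking.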

Note

Every attribute on each object that is restored has its version number raised by 100,000, so that the restored values win during replication conflict resolution. For subtree and object restores, you can set a different increment with the verinc option, for example when the objects have been modified more than 100,000 times since the backup. To restore the Sales group in the cpandl.com domain and raise the version by 500 rather than 100,000, you would type restore object cn=sales,cn=users,dc=cpandl,dc=com verinc 500 (with a space before verinc).

Restoring Sysvol data

The Sysvol folder is backed up as part of the system-state information and contains critical domain information, including GPOs, Group Policy templates, and scripts used for startup, shutdown, logging on, and logging off. If you restore a domain controller, the Sysvol data will be replicated from other domain controllers. Unlike Active Directory data, Sysvol data is replicated by a file replication engine: the File Replication Service (FRS) in domains created at the Windows 2000 or Windows Server 2003 functional level, or DFS Replication in domains created at the Windows Server 2008 functional level or later and in domains migrated with Dfsrmig. Run dfsrmig /getglobalstate on a domain controller to see which engine a domain uses.

When you perform a nonauthoritative restore of a domain controller, the domain controller’s Sysvol data is not set as the primary data. This means that the restored Sysvol would not be replicated and could instead be overwritten by Sysvol data from other domain controllers.

When you perform an authoritative restore of a domain controller, the domain controller’s Sysvol data is set as the primary data for the domain. This means that the restored Sysvol would be replicated to all other domain controllers. For example, if someone deleted several scripts used for startup or logon and there were no backups of these scripts, these could be restored by performing an authoritative restore and allowing the restored, authoritative domain controller’s Sysvol data to be replicated.

You can prevent a restored, authoritative domain controller’s Sysvol data from overwriting the Sysvol on other domain controllers. To do this, you should back up the Sysvol in the desired state on another domain controller prior to performing the authoritative restore. After you complete the authoritative restore, you can then restore the Sysvol in the desired state to the authoritative domain controller.
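As an added example (not from the book), the following PowerShell shows how to tell which engine replicates SYSVOL and how the nonauthoritative and authoritative SYSVOL restores are selected with wbadmin. The backup on E:\, the version identifier, the partner DC02 and the deleted script logon.bat are assumed:

```powershell
# Added example (not from the book): SYSVOL replication engine check, and nonauthoritative
# versus authoritative SYSVOL restore. Assumed: backup on E:\, version 07/09/2013-19:25,
# partner DC02, a deleted logon script logon.bat.

# FRS or DFS Replication? "Eliminated" means the domain has migrated to DFSR;
# "Start" means FRS is still in use.
dfsrmig /getglobalstate

function Restore-DcSystemState {
    param(
        [Parameter(Mandatory)][string]$Version,
        [string]$BackupTarget = 'E:',
        [switch]$AuthoritativeSysvol
    )
    # Run in Directory Services Restore Mode. Without -authsysvol the restored SYSVOL is
    # marked nonauthoritative and is overwritten by the partners after the restart; with
    # it, this DC's copy becomes primary and replicates out to every other DC.
    $wbArgs = @('start', 'systemstaterecovery', "-version:$Version", "-backupTarget:$BackupTarget", '-quiet')
    if ($AuthoritativeSysvol) { $wbArgs += '-authsysvol' }
    & wbadmin @wbArgs
}

# Rebuilding a DC that lost its disks: take SYSVOL from the partners (nonauthoritative).
# Restore-DcSystemState -Version '07/09/2013-19:25'

# Getting deleted scripts back everywhere: make this DC's SYSVOL the master copy. To keep
# the rest of SYSVOL current, first save the present state from a partner (one way:
# robocopy \\DC02\SYSVOL\cpandl.com\Policies C:\SysvolSave\Policies /E /COPYALL) and copy
# it back onto this DC after the restart, as the text describes.
Restore-DcSystemState -Version '07/09/2013-19:25' -AuthoritativeSysvol

# After the restart: the script should be back on the partner and the shares advertised.
$domain = (Get-ADDomain).DNSRoot
Test-Path "\\DC02\SYSVOL\$domain\scripts\logon.bat"
dcdiag /test:sysvolcheck /test:netlogons
```

Choose one of the two calls: the commented one rebuilds a domain controller from its partners, the active one pushes the restored SYSVOL out to them.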

Restoring a failed domain controller by installing a new domain controller

Sometimes you won’t be able to or won’t want to repair a failed domain controller and might instead elect to install a new domain controller. You can install a new domain controller by promoting an existing member server so that it is a domain controller, or by installing a new computer and then promoting it. Either way, the domain controller will get its directory information from another domain controller.

Installing a new domain controller is the easy part. When you’ve finished that, you need to clean up references to the old domain controller so that other computers in the domain don’t try to connect to it anymore. You need to remove references to the server in DNS, and you need to examine any roles that the failed server played. If the failed server was a global catalog server, you should designate another domain controller as a global catalog server. If the failed server held an operations master role, you need to seize the role and give it to another domain controller. Let’s start with DNS and roles:

  • To clean up DNS, you need to remove all records for the server in DNS. This includes the host (A) record, the SRV records that designate the computer as a domain controller, and any additional records that designate the computer as a global catalog server or PDC emulator if applicable, in both the domain zone and the _msdcs zone.

  • To designate another server as a global catalog server, open the properties of the NTDS Settings object under that server in Active Directory Sites And Services and select Global Catalog.

  • To take over any operations master roles the failed server held, seize them rather than transfer them, because a transfer needs the current holder online. Use the roles context of Ntdsutil (seize schema master, seize naming master, seize infrastructure master, seize PDC, seize RID master) or the Move-ADDirectoryServerOperationMasterRole cmdlet with the -Force parameter.

To clean up references to the failed domain controller in Active Directory, you need to use Ntdsutil. Use an account that is a member of Domain Admins in the failed domain controller's domain, and run Ntdsutil on a working domain controller or on a server with the AD DS management tools installed. The cleanup process is as follows:

  1. At an elevated command prompt, type ntdsutil. This starts the Directory Services Management Tool.

  2. At the Ntdsutil prompt, type metadata cleanup. You should now be at the Metadata Cleanup prompt.

  3. Access the Server Connections prompt so that you can connect to a domain controller. To do this, type connections and then type connect to server DCName, where DCName is the name of a working domain controller in the same domain as the failed domain controller.

  4. Exit the Server Connections prompt by typing quit. You should now be back at the Metadata Cleanup prompt.

  5. Access the Select Operation Target prompt so that you can work your way through Active Directory from a target domain to a target site to the actual domain controller you want to remove. Type select operation target.

  6. List all the sites in the forest by typing list sites and then type select site Number, where Number is the number of the site containing the failed domain controller.

  7. List all the domains in the site by typing list domains in site and then type select domain Number, where Number is the number of the domain containing the failed domain controller.

  8. List all the domain controllers in the selected domain and site by typing list servers in site and then type select server Number, where Number is the number of the server that failed.

  9. Exit the Select Operation Target prompt by typing quit. You should now be back at the Metadata Cleanup prompt.

  10. Remove the selected server from the directory by typing remove selected server. When prompted, confirm that you want to remove the selected server.

  11. Type quit twice to exit Ntdsutil. Next, check the Domain Controllers OU in Active Directory Users And Computers and remove the computer object for the failed server if it is still there. Finally, check the Servers container for the site in which the domain controller was located, using Active Directory Sites And Services, and remove the server object if it remains. On Windows Server 2008 and later, deleting the failed domain controller's computer object in Active Directory Users And Computers, or its NTDS Settings object in Active Directory Sites And Services, performs the same metadata cleanup automatically; whichever route you take, check both consoles afterwards for anything left behind.
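The whole clean-up after replacing a failed domain controller, as an added PowerShell example that is not the book's own material. The failed DC02 in the site Default-First-Site-Name, the surviving DC01 and the cpandl.com domain with Active Directory-integrated DNS zones are assumed:

```powershell
# Added example (not from the book): clean-up after replacing a failed domain controller,
# run from a surviving DC. Assumed: failed DC DC02 in site Default-First-Site-Name,
# surviving DC DC01, domain cpandl.com with AD-integrated DNS zones.
Import-Module ActiveDirectory
Import-Module DnsServer
$failed = 'DC02'; $survivor = 'DC01'; $domain = 'cpandl.com'
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Operations master roles. A transfer needs the holder online, so roles DC02 held are
#    seized onto DC01 (-Force). Never bring DC02 back online after seizing.
$d = Get-ADDomain; $f = Get-ADForest
$holders = @{
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
}
$toSeize = @($holders.GetEnumerator() | Where-Object { $_.Value -like "$failed.*" } | ForEach-Object { $_.Key })
if ($toSeize.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $survivor -OperationMasterRole $toSeize -Force -Confirm:$false
}

# 2. Global catalog. The GC flag is bit 1 of the options attribute on the NTDS Settings
#    object; OR it in so other bits are preserved.
$ntds = Get-ADObject -Identity (Get-ADDomainController -Identity $survivor).NTDSSettingsObjectDN -Properties options
if (-not ($ntds.options -band 1)) {
    Set-ADObject -Identity $ntds -Replace @{ options = ($ntds.options -bor 1) }
}

# 3. Metadata cleanup. Since Windows Server 2008, "remove selected server" accepts the
#    server DN directly, replacing the list/select steps above; a confirmation dialog still
#    appears. This deletes the NTDS Settings object and the server object.
$serverDN = "CN=$failed,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$configNC"
ntdsutil 'metadata cleanup' connections "connect to server $survivor" quit "remove selected server $serverDN" quit quit

# 4. Anything the cleanup left behind: the computer object in the Domain Controllers OU.
$comp = Get-ADComputer -Filter "Name -eq '$failed'" -SearchBase "OU=Domain Controllers,$($d.DistinguishedName)"
if ($comp) { Remove-ADObject -Identity $comp -Recursive -Confirm:$false }

# 5. DNS. Remove every record that still names DC02: its host (A) record, the SRV records
#    that advertise it as DC/GC/PDC, the GUID CNAME in _msdcs and NS records.
foreach ($zone in @($domain, "_msdcs.$domain")) {
    Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $survivor |
        Where-Object {
            ($_.RecordType -eq 'A'     -and $_.HostName -eq $failed) -or
            ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -like "$failed.*") -or
            ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -like "$failed.*") -or
            ($_.RecordType -eq 'NS'    -and $_.RecordData.NameServer    -like "$failed.*")
        } | Remove-DnsServerResourceRecord -ZoneName $zone -ComputerName $survivor -Force
}

# 6. Confirm that the locator no longer hands out DC02 and that DC01 advertises the roles.
nltest "/dsgetdc:$domain" /force
dcdiag /test:advertising /test:knowsofroleholders /test:fsmocheck
```

Run step 5 against every DNS server that hosts a non-integrated copy of the zones as well; the integrated zones replicate the deletions on their own.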

6. Troubleshooting startup and shutdown

Resolving startup issues

When you have problems starting a system, think about what has changed recently. If you and other administrators keep a change log, access the log to see what has changed on the system recently. A new device driver might have been installed or an application might have been installed that incorrectly modified the system configuration.

Often you can resolve startup issues using Safe Mode to recover or troubleshoot system problems. In Safe Mode, Windows Server loads only basic files, services, and drivers. Because Safe Mode loads a limited set of configuration information, it can help you troubleshoot problems. You start a system in Safe Mode by completing the following steps:

  1. If the system is currently running and you want to troubleshoot startup, shut down the server, and then start it again. If the system is already powered down or has previously failed to start, start the server again.

  2. If you see a Windows Boot Manager error screen stating that Windows failed to start, press Enter to continue.

  3. Press F8 during startup to access the Advanced Boot Options menu. You must press F8 before the Windows splash screen appears. On Windows Server 2012 that window is short; if you miss it, set the option in advance from an elevated prompt with bcdedit (for example bcdedit /set {default} safeboot minimal, removed afterwards with bcdedit /deletevalue {default} safeboot) or on the Boot tab of msconfig, and then restart.

  4. In the Advanced Boot Options menu, select a startup mode. The key options are as follows:

    • Safe Mode Starts the computer, and loads only basic files, services, and drivers during the initialization sequence. The drivers loaded include the mouse, monitor, keyboard, mass storage, and base video. No networking services or drivers are started.

    • Safe Mode With Command Prompt Starts the computer, and loads only basic files, services, and drivers, and then starts a command prompt instead of the graphical interface. No networking services or drivers are started.

    • Safe Mode With Networking Starts the computer, and loads only basic files, services, drivers, and the services and drivers needed to start networking.

    • Enable Boot Logging Starts the computer with boot logging enabled, which enables you to create a record of all startup events in a boot log.

    • Enable Low Resolution Video Starts the computer in low-resolution 640x480 display mode, which is useful if the system display is set to a mode that can’t be used with the current monitor.

    • Last Known Good Configuration Starts the computer normally using the registry control set that was in effect at the last successful logon. Use it before you log on again after a bad change: a successful logon overwrites the saved configuration with the current one.

    • Debugging Mode Starts the system in debugging mode, which is useful only for troubleshooting operating system bugs.

    • Directory Services Restore Mode Starts the system in safe mode with the Active Directory database offline, which allows you to restore the directory service. This option appears only on domain controllers.

    • Disable Automatic Restart On System Failure Prevents the operating system from automatically restarting after an operating system crash.

    • Disable Driver Signature Enforcement Starts the computer normally but without enforcing the driver signing policy for that boot. If a driver with an invalid or missing digital signature is causing startup failure, this works around the problem for one start so that you can either get a signed driver or change the signature enforcement settings.

    • Disable Early Launch Anti-Malware Driver Starts the computer normally but without loading the early launch anti-malware (ELAM) driver for that boot. Use it if the anti-malware driver is blocking a driver that is needed for startup; the ELAM driver loads again on the next normal start.

  5. If a problem doesn’t reappear when you start in Safe mode, you can eliminate the default settings and basic device drivers as possible causes. If a newly added device or updated driver is causing problems, you can use Safe mode to remove the device or roll back the update.

  6. Make other changes as necessary to resolve startup problems. If you are still having a problem starting the system, you might need to uninstall recently installed applications or devices to try to correct the problem.
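For servers where the F8 prompt cannot be reached, the menu entries above can be set persistently in the BCD store. The following PowerShell is an added example, not from the book; it wraps the bcdedit values that correspond to each entry and shows how to read the boot log afterwards:

```powershell
# Added example (not from the book): the Advanced Boot Options entries as BCD settings.
# Run elevated. '{default}' is quoted because PowerShell would otherwise parse the braces
# as a script block; bcdedit still receives {default}.
function Set-NextBootMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SafeMode', 'SafeModeCommandPrompt', 'SafeModeNetworking', 'DSRM',
                     'BootLogging', 'LowResVideo', 'NoDriverSignatureEnforcement',
                     'NoEarlyLaunchAntiMalware', 'Normal')]
        [string]$Mode
    )
    switch ($Mode) {
        'SafeMode'                     { bcdedit /set '{default}' safeboot minimal }
        'SafeModeCommandPrompt'        { bcdedit /set '{default}' safeboot minimal
                                         bcdedit /set '{default}' safebootalternateshell yes }
        'SafeModeNetworking'           { bcdedit /set '{default}' safeboot network }
        'DSRM'                         { bcdedit /set '{default}' safeboot dsrepair }
        'BootLogging'                  { bcdedit /set '{default}' bootlog yes }   # %SystemRoot%\ntbtlog.txt
        'LowResVideo'                  { bcdedit /set '{default}' vga on }
        'NoDriverSignatureEnforcement' { bcdedit /set '{default}' nointegritychecks on }
        'NoEarlyLaunchAntiMalware'     { bcdedit /set '{default}' disableelamdrivers yes }
        'Normal' {
            # Clear every value above so the server stops booting into safe mode. bcdedit
            # complains about values that are not set; that is harmless here.
            foreach ($v in 'safeboot', 'safebootalternateshell', 'bootlog', 'vga',
                           'nointegritychecks', 'disableelamdrivers') {
                bcdedit /deletevalue '{default}' $v
            }
        }
    }
}

# "Disable Automatic Restart On System Failure" is not a boot option but the crash
# recovery setting, so the persistent equivalent is changed through WMI:
Set-CimInstance -Query 'SELECT * FROM Win32_OSRecoveryConfiguration' -Property @{ AutoReboot = $false }

# Make the boot menu, and with it the F8 prompt, visible for 10 seconds on every start:
bcdedit /set '{bootmgr}' displaybootmenu yes
bcdedit /set '{bootmgr}' timeout 10

# Usage: boot into Safe Mode with boot logging next time, then look at what did not load.
Set-NextBootMode -Mode SafeMode
Set-NextBootMode -Mode BootLogging
# Restart-Computer -Force
# ... after the safe-mode session, the drivers that failed to load are the first suspects:
Select-String -Path "$env:SystemRoot\ntbtlog.txt" -Pattern 'Did not load'
Set-NextBootMode -Mode Normal
```

The Normal mode exists because a safeboot value left in the store keeps the server in safe mode on every subsequent start, which is the most common mistake with this approach.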

Repairing missing or corrupted system files

Windows Server 2012 enters Windows Error Recovery mode automatically if Windows fails to start. In this mode, you have options similar to those you have when working with the Advanced Boot menu. For troubleshooting, you can choose from the following options to boot the system: Safe Mode, Safe Mode With Networking, or Safe Mode With Command Prompt. You can also choose to use the Last Known Good Configuration or to start Windows normally.

If you can’t start or recover a system in Safe mode, you can manually run Startup Repair to try to force Windows Server 2012 to resolve the problem. To do this, complete the following steps:

  1. Insert the Windows installation or Windows Recovery disc for the hardware architecture, and then boot from the installation disc by pressing a key when prompted. If the server does not allow you to boot from the installation disc, you might need to change firmware options to allow booting from a CD/DVD-ROM drive.

  2. With a Windows Recovery disc, select Windows Setup (EMS Enabled) on the Windows Boot Manager menu to start Windows Setup. With a Windows installation disc, Windows Setup should start automatically.

  3. On the Install Windows page, select the language, time, and keyboard layout options that you want to use. Tap or click Next.

  4. When prompted, do not tap or click Install Now. Instead, tap or click the Repair Your Computer link in the lower left corner of the Install Windows page.

  5. On the Recovery screen, tap or click Troubleshoot. Then, on the Advanced Options screen, tap or click Command Prompt to access the MINWINPC environment. 

  6. At the command prompt, change directories to x:\sources\recovery by typing cd recovery.

  7. Run the Startup Repair Wizard by typing startrep. From the same prompt you can also repair protected system files offline with sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows (substitute the drive letter the recovery environment assigned to the Windows volume, which is not always C:), and repair the boot sector or rebuild the BCD store with bootrec /fixboot and bootrec /rebuildbcd.

Resolving restart or shutdown issues

Normally, you shut down or restart Windows Server 2012 by opening the Settings charm on the Charms bar, tapping or clicking Power, and then selecting Shut Down or Restart as appropriate. Sometimes, however, Windows Server 2012 won't shut down or restart normally and you are forced to take additional actions, such as stopping programs that have stopped responding when prompted. Telling Windows Server to stop programs that aren't responding to the shutdown event won't always resolve the problem, however. In these cases, follow these steps:

  1. Press Ctrl+Alt+Delete. The Windows Security screen should be displayed. If the Windows Security screen doesn’t appear, skip to step 4.

  2. Tap or click Task Manager, and then look for an application that is not responding. If all programs appear to be running normally, skip to step 4.

  3. Select the application that is not responding, and then tap or click End Task. If the application fails to respond to the request, you’ll see a prompt you can use to end the application immediately or cancel the end task request. Tap or click End Now.

  4. Try shutting down or restarting the computer. Press Ctrl+Alt+Delete, tap or click the Power Options button, and then tap or click Shut Down. As a last resort, you might be forced to perform a hard shutdown by holding down the physical power button or unplugging the computer. If you do this, run Check Disk the next time you start the computer to check for errors and problems that might have been caused by the hard shutdown.
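Steps 2 through 4 without the GUI, as an added PowerShell example that is not part of the book, for a server you can still reach from an elevated session locally or over remoting:

```powershell
# Added example (not from the book): forced shutdown of a server with hung applications,
# and the disk check afterwards. Run elevated.

function Stop-HungProcess {
    # Processes that own a window but no longer answer window messages are the ones
    # Task Manager shows as "Not Responding". Returns the number of processes ended.
    $hung = @(Get-Process | Where-Object { $_.MainWindowHandle -ne 0 -and -not $_.Responding })
    foreach ($p in $hung) {
        Write-Warning "Ending $($p.ProcessName) (PID $($p.Id)), not responding"
        Stop-Process -Id $p.Id -Force
    }
    return $hung.Count
}

# Steps 2-3: end whatever is hung.
$ended = Stop-HungProcess
"Ended $ended hung process(es)"

# Step 4: force the remaining applications closed and shut down (use /r to restart) with
# no countdown; /c records the reason in the System event log so the unexpected shutdown
# can be traced later.
shutdown /s /f /t 0 /c "Forced shutdown after hung application"

# ---- after the next start, if a hard power-off was needed ----
# The dirty bit shows whether NTFS was unmounted cleanly; if it was set, autochk already
# ran chkdsk during startup.
fsutil dirty query C:
# Online, read-only scan of the boot volume.
Repair-Volume -DriveLetter C -Scan
# If the scan reports corruption, force a full chkdsk /f of C: at the next start by
# setting the dirty bit explicitly, then restart.
fsutil dirty set C:
```

Stop-Process -Force on a hung application discards its unsaved data, which is the same trade-off as End Now in Task Manager; the shutdown command's /f does the same for anything still running.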
