
Labs-Sample

Apr 13, 2017

Muhammad Iqbal

System Admin Labs Sample

By: MUHAMMAD IQBAL

Types of Backup

1- System Backup or Active Directory Backup

2- Additional Domain Controller (ADC)

3- Active Directory Recycle Bin

1- Active Directory Backup & Recovery

Requirements for Backup

Active Directory must exist

The “Windows Server Backup” feature must be installed

Taking a backup of an AD requires approximately 30-40 minutes

A dedicated hard disk or other media is needed

Why do we need AD / system backup?

Let’s suppose we have a lot of objects in the system AD, for example 100 OUs, where each OU has 1000 users and 2000 policies. What happens if a disaster strikes? To overcome this, we of course need a backup of either the whole directory or part of it, from which we can restore in case of any disaster.

Note: it is recommended that you take the backup on a different hard disk or another system, not on the same drive.

Advantages of AD backup

Recover deleted objects

Recover crashed system

How to take AD backup

There are two (2) ways to create a system backup: GUI or CMD

Whether we use the GUI or CMD, the following window will open

This means we need to install one feature before we start the backup. The name of this feature is “Windows Server Backup”.

How to install that feature on GUI and CMD

Once you have installed this feature, you can see the types of backup under “Windows Server Backup”, in the bar at the top right.

Types of Backup on GUI

Here we only learn how to create a backup in the GUI; we will then do the same process via CMD

Backup once option

Next window will be

The next step is to select the location where you want to save this backup

On the next option you can select the right location

Once you press “Next”, an error is generated

This means the backup drive is in the same system, which is not recommended; that is why this message is generated. You can still back up to the same drive.

When you press “Yes”, the next window is the last option before the backup starts

After this, the backup will start

But as I mentioned earlier, we only wanted to discuss and learn how to take the backup in the GUI. That is very simple, so we will now learn how to back up on CMD.

Backup schedule option

Here we will set the time frame according to requirements

Because we don’t have a dedicated hard drive, we will select the 2nd option

When we add the destination

This way we can create different types of backup using the GUI.

Create system state or AD backup using CMD

Similarly, to create a backup on CMD, we have to install the “Windows backup feature”, which is already installed here.

On the server command line we write this command

This command shows some more commands which can be used here.

For backup we need the “start systemstatebackup” command

When we write this command, it shows some errors or asks for the target location where you want this backup.

It even shows the exact syntax for this command (read the example in the last line)

When we press “Yes”, the backup will start. It takes approximately 30-40 minutes.

While the backup is in progress

The backup has finished
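The command-line backup described above, as one script. This is an added example, not part of the original lab; it assumes an elevated PowerShell prompt on the Server 2008 R2 domain controller, D: as the backup volume, the 2008 R2 feature names `Backup` and `Backup-Features`, and English-language wbadmin output.

```powershell
# Added example: system state (AD) backup from the command line.
# Assumptions: elevated prompt on the DC, D: is the backup volume,
# Server 2008 R2 feature names, English wbadmin output.
$target = 'D:'

# The lab recommends not backing up to the drive that holds the system.
if ($target -eq $env:SystemDrive) {
    throw "Backup target $target is the system drive; choose another volume."
}
if (-not (Test-Path "$target\")) {
    throw "Backup target $target is not available."
}

# Install Windows Server Backup only if it is missing.
Import-Module ServerManager
if (-not (Get-WindowsFeature Backup).Installed) {
    Add-WindowsFeature Backup-Features -IncludeAllSubFeature | Out-Null
}

# Take the system state backup; -quiet answers the Yes/No prompt.
& wbadmin start systemstatebackup "-backupTarget:$target" -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin failed with exit code $LASTEXITCODE; do not rely on this backup."
}

# Confirm that at least one backup version is now listed on the target.
$versions = & wbadmin get versions "-backupTarget:$target" | ForEach-Object {
    if ($_ -match '^Version identifier:\s*(\S+)') { $Matches[1] }
}
if (-not $versions) { throw "No backup versions found on $target." }
"Backup versions on ${target}:"
$versions
```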

Real life Scenarios for Backup and Recovery

Scenario #1 (to see the solution, go to page #20)

Let’s suppose that while the backup is in progress, we add something to AD

Add one OU (mkt)

And some users in that OU

Now the scenario is that we will check whether these new objects are included in this backup when we restore

Let’s suppose our system has crashed, we have this backup, and we created an OU and some users during the backup

Now we learn how to restore this backup using the GUI or CMD

Restore the system from Backup

Very important: to restore the backup, we need to go to Active Directory SAFE MODE

During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 R2 in DSRM, you must log on by using this DSRM password for the local Administrator account

The following slide shows this, if we recall the installation of Active Directory

This password is required before you go to “DSRM - Directory Services Restore Mode”

Let’s suppose we have forgotten that password. Is this password recoverable or not?

Yes, it is recoverable. This password is inside the “NTDS” folder, so we have to run “ntdsutil” at the command prompt.

Recover DSRM Password - On DC normal mode

Now we will recover the password for DSRM.

We can get some help by using “?”

Here we use this option or command to recover the DSRM password

How to get help to use this option

Now we use the proper command, “reset password on server %s”. As we can see, it says “Use NULL for local machine”

Note: the DSRM password goes in the “null” folder or database, while users’ passwords go to the “SAM” database.

Then we type null after the command

It prompts for a new password

We can see that the password has been reset.

The next prompt is again “Reset DSRM Administrator Password”; we have to exit from this prompt.
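The ntdsutil dialogue above sets a new DSRM password, and the domain controller records each such attempt as Security event 4794. The following is an added example, not part of the original lab; it assumes an elevated PowerShell prompt on the DC and that the “User Account Management” audit subcategory is enabled.

```powershell
# Added example: reset the DSRM password on the local DC, then confirm
# that the change was audited.
# Assumptions: elevated prompt on the DC; "User Account Management"
# auditing is enabled so that event 4794 is written.
$started = Get-Date

# Same menu path as in the lab, passed as arguments. ntdsutil still asks
# for the new password interactively, so it never appears on the command
# line or in this script.
& ntdsutil "set dsrm password" "reset password on server null" q q

# Event 4794: an attempt was made to set the DSRM administrator password.
$fresh = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4794; StartTime = $started
} -ErrorAction SilentlyContinue

if (-not $fresh) {
    Write-Warning ('No event 4794 found; check: ' +
        'auditpol /get /subcategory:"User Account Management"')
} else {
    $fresh | Select-Object TimeCreated, Id, Message | Format-List
}

# Review the last 30 days as well. The DSRM account is a local
# administrator on the DC, so a reset that does not match a planned
# change should be investigated.
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4794; StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, MachineName -AutoSize
```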

You can restart a domain controller in DSRM manually by pressing the F8 key during domain controller startup

Here we can see that we can’t access Active Directory. We have to use the recovered password to access DSRM. Select DSRM (Directory Services Restore Mode)

But we have to log in without the DC administrator, using the recovered password.

We are now in “DSRM” (Directory Services Restore Mode) and can recover

Restore the Backup

Before we start recovery of the backed-up AD, make sure this backup is available on the “D” drive

This verifies that we are in safe mode, where we can’t access any service(s).

In the GUI we can see that the backup is available; now we can recover by using this utility.

Here it shows the available backup and the time when it was taken

We have to select which one we want (in case multiple backups are available)

Here we can select what we want: either the “whole drive” or “simple folders”

Once we press Recover, the restoration will start.

Restore Backup using Command Prompt

Use the appropriate command

This means we have to check the available versions of the backup.

Here we used the command “wbadmin get versions” to get the available versions; as we can see, the backup times and dates are shown.
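The command-prompt restore, from listing the versions to starting the recovery. This is an added example, not part of the original lab; it assumes the DC is booted in DSRM, the backup is on D:, and wbadmin prints its English “Backup time” and “Version identifier” lines.

```powershell
# Added example: choose a backup version and start system state recovery.
# Assumptions: DC booted in DSRM, backups on D:, English wbadmin output.
$target = 'D:'

# In DSRM Windows sets SAFEBOOT_OPTION to DSREPAIR; refuse to run otherwise.
if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
    throw "Not in Directory Services Restore Mode; restart into DSRM first."
}

# Turn the "wbadmin get versions" listing into objects.
$backups = @()
$time = $null
foreach ($line in (& wbadmin get versions "-backupTarget:$target")) {
    if ($line -match '^Backup time:\s*(.+)$') {
        $time = $Matches[1].Trim()
    } elseif ($line -match '^Version identifier:\s*(\S+)') {
        $backups += New-Object PSObject -Property @{
            BackupTime = $time; Version = $Matches[1]
        }
    }
}
if ($backups.Count -eq 0) { throw "No backups found on $target." }
$backups | Format-Table BackupTime, Version -AutoSize

# Let the operator pick, and accept only an identifier that was listed.
$chosen = Read-Host 'Version identifier to restore'
if (($backups | ForEach-Object { $_.Version }) -notcontains $chosen) {
    throw "Version '$chosen' is not among the backups on $target."
}

# wbadmin asks for confirmation before it overwrites the system state.
& wbadmin start systemstaterecovery "-version:$chosen" "-backupTarget:$target"
if ($LASTEXITCODE -ne 0) {
    throw "Recovery failed with exit code $LASTEXITCODE."
}
"Recovery finished. Restart the server normally to leave DSRM."
```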

Create Additional Domain Controller

Requirements to create ADC

i. Install another Server 2008 R2

ii. Create Active Directory or run dcpromo, using the existing forest

iii. Assign the ADC IP and the DNS IP of the main server (DC), to join with the DC

iv. Assign all DC FSMO roles to the ADC, one by one

Let’s suppose we have installed Server 2008 R2 on another system and have installed Active Directory.

After that

iii- Assign IP and DNS (DC) IP on ADC

iv- Run dcpromo on ADC

Here, try to understand the statement “add a domain controller to an existing domain”: here add = additional. This means the system already has one domain; now we need another domain, which would be the additional domain

Remember: we already have a DC that is DC + forest; that is why the DC has 5 roles and the ADC will be on the existing forest

Here it clearly asks us to write the name of the forest where the installation will occur. When you press “Set”, it will ask for the administration password

It will show the main server (DC) name

There should be only one DNS server (which is server1), but we can create a separate DNS for load balancing. Also, there should be only one global catalog in a network

Once this is done, we can see on server 1

You will notice on startup

It shows that server2 is part of corvit.com

Furthermore, we can notice that whatever we now add on server1 is added on server2 as well, and vice versa

We can also verify by pinging any user

Server1 pinging successfully

Server2 pinging successfully

Additional Domain Controller is ready

Now we will assign/transfer the FSMO roles, which are on the main server (DC), to the ADC. First we verify who holds these FSMO roles

First we check on the DC (main server)

Here we can see that the main server (DC) has those FSMO roles

Now we check the ADC

Here we notice that the FSMO roles are on the DC, which proves that “these 5 roles are assigned to only one person in a forest”

How to check the same things in GUI mode

On DC

We can see both servers have GC, which means both servers have the global database.

Time to transfer these FSMO roles from Server (DC) to Server2 (ADC)

Remember: we will do this step by step

1. Transfer the three (3) domain roles (RID, PDC and infrastructure) first

2. Transfer the two (2) forest roles (Domain naming master and Schema master)

First we transfer the domain roles one by one, as shown in the picture

We’ve transferred the RID role; as you can read, only one server in the domain performs this role

Verify

The RID role has changed from server.corvit.com to server2.corvit.com

Here we can see the PDC role is still held by server.corvit.com

After changing

Now the last one: infrastructure

Before changing

After changing

Up to here, all domain roles have been transferred from server (DC) to ADC (server2)

For verification we check FSMO

On ADC

On DC

The Schema master and Domain naming master roles are still on server (DC)

Now we transfer the other two (2) forest roles

Again we will use the ADC computer

Note: as we noticed, when we were changing the “domain roles” we changed them under the “corvit.com” domain.

Now, to change the forest roles, we will use “Active Directory Domains and Trusts”

On ADC (server2)

When we pressed the “Change” button, this message appeared

Read this: it says this role will be unique. Only one Active Directory controller can perform this role.

The additional domain controller name appears automatically. Press Change

After changing

At last, we will transfer the last role, “Schema master”

To transfer the “schema role” we need to run the command “regsvr32 schmmgmt.dll”

On ADC

As we can see, there is no item in this console

By default the “Schema Master” role is disabled; we have to activate it by using the above-mentioned command. Actually, this command adds “schema master”; then, using the MMC console, we can see it

Go to MMC

Without the regsvr32 command it won’t appear here; we have to run this command first

Add this role

Now we can transfer this role from server (DC) to server2 (ADC)

It showed an error, so first we remove this error

This error comes because DNS and the firewall are not configured

After removing both errors

The error means the alternate DNS server has a loopback IP; we have to remove it first

Now we will verify that all the roles have been transferred to Server2 (ADC)

On ADC

Here we can see all the roles have been transferred
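The same verification and transfer can be scripted instead of done in the GUI consoles. This is an added example, not part of the original lab; it assumes the ActiveDirectory PowerShell module on Server 2008 R2, an account with the rights to move domain and forest roles, and the lab's names (server2 in corvit.com).

```powershell
# Added example: verify and transfer the five FSMO roles with the
# ActiveDirectory module instead of the GUI consoles.
# Assumptions: run on the ADC with rights to move domain and forest
# roles; server names are the lab's.
Import-Module ActiveDirectory
$newName = 'server2'              # server object name of the ADC
$newFqdn = 'server2.corvit.com'   # how role holders are reported

# Collect the current holder of each role in one object.
function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    New-Object PSObject -Property @{
        RIDMaster            = $d.RIDMaster
        PDCEmulator          = $d.PDCEmulator
        InfrastructureMaster = $d.InfrastructureMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        SchemaMaster         = $f.SchemaMaster
    }
}

"Before:"
Get-FsmoHolders | Format-List

# Same order as the lab: three domain roles first, then two forest roles.
Move-ADDirectoryServerOperationMasterRole -Identity $newName `
    -OperationMasterRole RIDMaster, PDCEmulator, InfrastructureMaster `
    -Confirm:$false
Move-ADDirectoryServerOperationMasterRole -Identity $newName `
    -OperationMasterRole DomainNamingMaster, SchemaMaster `
    -Confirm:$false

# Verify: every role must now name the ADC.
$after = Get-FsmoHolders
$stale = $after.PSObject.Properties | Where-Object { $_.Value -ne $newFqdn }
if ($stale) {
    $names = ($stale | ForEach-Object { $_.Name }) -join ', '
    throw "Roles not on ${newFqdn}: $names"
}
"After:"
$after | Format-List
```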