8.1 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 8: Backing Up and Restoring Active Directory
Goals
Use the Backup Wizard to troubleshoot Active Directory
Schedule Active Directory backups
Examine Active Directory restores
Execute a nonauthoritative restore
Execute an authoritative restore
Active Directory is a transaction log-based database service that depends on files such as ntds.dit and a number of log files in order to function
To prepare for disaster recovery, you must use the Backup Wizard to back up Active Directory
The wizard creates an archive with a .bkf extension, which contains the files that were selected for backup
To back up Active Directory, you must be a member of either the Backup Operators or Administrators group
(Skill 1)
Using the Backup Wizard to Back Up Active Directory
Figure 8-1 The Backup Utility Advanced Mode window
(Skill 1)
An Active Directory backup includes the Active Directory database file, ntds.dit, and the shared system volume (SYSVOL) folder
SYSVOL is a shared folder created when Active Directory is installed
It contains all publicly available files for domains, such as scripts and Group Policy Objects, which users and other domain controllers need for domain access
Using the Backup Wizard to Back Up Active Directory (2)
(Skill 1)
To back up Active Directory, you back up the System State data on a domain controller
In addition to the Active Directory database file and the SYSVOL folder, System State data has other components
Registry: Database that stores the configuration of a computer, including user profiles and folder settings
COM+ Class Registration database: Database that stores entries for dynamic link library (.dll) and executable (.exe) files on a computer
Using the Backup Wizard to Back Up Active Directory (3)
(Skill 1)
In addition to the Active Directory database file and the SYSVOL folder, System State data has other components
System boot files: Files used to load and configure the Windows Server 2003 operating system
Windows File Protection system files: All files under Windows File Protection
Using the Backup Wizard to Back Up Active Directory (4)
(Skill 1)
Tasks to perform before you start any backup operation
Choose the scope for the backup, based on your requirements
Back up the entire contents of a computer
Select only particular files, drives, or network data
Back up only the System State data
Using the Backup Wizard to Back Up Active Directory (5)
(Skill 1)
Tasks to perform before you start any backup operation
Choose the type of backup media
You can use Zip or Jaz drives, tape, or the hard drive on a remote file server
A backup to a file on the file server can be backed up to a Zip, Jaz, or tape drive
Magnetic tape is the most widely used backup medium
Inexpensive
Stores large amounts of data
Using the Backup Wizard to Back Up Active Directory (6)
(Skill 1)
Tasks to perform before you start any backup operation
Choose the type of backup
There are five backup types from which you can choose
To choose one of these types, you must first understand the archive attribute or archive bit and how each backup type handles it
Using the Backup Wizard to Back Up Active Directory (7)
(Skill 1)
Tasks to perform before you start any backup operation
Choose the type of backup
Archive attribute
A property for files and folders that is used to identify them when they have changed
When a file has changed, the archive attribute, which is actually an attribute of the file header, is automatically selected
Using the Backup Wizard to Back Up Active Directory (8)
(Skill 1)
Tasks to perform before you start any backup operation
Choose the type of backup
Archive attribute
Some backup types
Remove the archive attribute to mark files as having been backed up, while others do not
Some backup types use the archive attribute to determine which files to back up
Others back up all files regardless of the status of the archive attribute
Using the Backup Wizard to Back Up Active Directory (9)
(Skill 1)
Tasks to perform before you start any backup operation
Choose the type of backup
Archive attribute
Organizations use a blend of the different backup types
This optimizes the time spent on both the backup and the restore processes
Using the Backup Wizard to Back Up Active Directory (10)
(Skill 1)
Tasks to perform before you start any backup operation
Notify users about the backup operation
Through e-mail or administrative messages
During the backup operation, users who are connected over the Internet will have their sessions terminated and may lose any unsaved data
Using the Backup Wizard to Back Up Active Directory (11)
(Skill 1)
Tasks to perform before you start any backup operation
Make sure that the media device you have selected for storing the backup is listed in the Windows Server Catalog
The catalog contains a list of devices tested by Windows Hardware Testing Labs
These devices are supported by Windows Server 2003
Using the Backup Wizard to Back Up Active Directory (12)
(Skill 1)
Tasks to perform before you start any backup operation
Make sure the backup media device is attached to the computer and the device is switched on
Make sure the backup media is loaded in the media device
Using the Backup Wizard to Back Up Active Directory (13)
(Skill 1)
Figure 8-2 The Backup or Restore Wizard
(Skill 1)
Figure 8-3 The Backup or Restore screen
(Skill 1)
Figure 8-4 The What to Back Up screen
(Skill 1)
The default settings in the Backup Wizard work well in most cases
Additional advanced settings
Specify a backup type other than Normal
Verify data after the backup operation to ensure its success
Using the Backup Wizard to Back Up Active Directory (14)
(Skill 1)
Additional advanced settings
Append the backup data to an existing archive or create a new archive
Set a job name to identify the backup job
Schedule the backup process to occur at specified intervals
Using the Backup Wizard to Back Up Active Directory (15)
(Skill 1)
Figure 8-5 The Items to Back Up screen
(Skill 1)
Figure 8-6 The Backup Type, Destination, and Name screen
(Skill 1)
Figure 8-7 The Completing the Backup or Restore Wizard screen
(Skill 1)
To be prepared to recover from a hardware failure, system or disk failure, or a virus attack, it is best to back up Active Directory daily, preferably after office hours
A typical schedule
Perform a Normal backup once a week
Perform an Incremental backup on each other day of the week
This method ensures the backup file occupies less disk space and that you have the most recent data in the event of a disaster
Scheduling Active Directory Backups
(Skill 2)
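The archive-attribute rules and the weekly Normal plus daily Incremental schedule described above, worked through as an added example (not code from the course or from Ntbackup). The file names and the week of writes are constructed, and the restore-chain logic covers the general case of mixed Incremental and Differential sets, which goes beyond the single schedule on the slide.

```python
from dataclasses import dataclass

# kind -> (selects only files whose archive attribute is set, clears it afterwards)
BACKUP_TYPES = {
    "Normal":       (False, True),
    "Copy":         (False, False),
    "Incremental":  (True,  True),
    "Differential": (True,  False),
    "Daily":        (False, False),   # selects by modification date instead
}

@dataclass
class FileState:
    version: int = 1          # bumped on every write, used to check restores
    archive: bool = True      # new files start with the attribute set
    modified_day: int = 0

@dataclass
class BackupSet:
    kind: str
    day: int
    versions: dict            # file name -> version captured in this set

class Volume:
    def __init__(self, names):
        self.files = {n: FileState() for n in names}

    def write(self, name, day):
        """Any write (or file creation) sets the archive attribute."""
        f = self.files.setdefault(name, FileState(version=0))
        f.version += 1
        f.archive = True
        f.modified_day = day

    def backup(self, kind, day):
        by_attribute, clears = BACKUP_TYPES[kind]
        if kind == "Daily":
            chosen = [n for n, f in self.files.items() if f.modified_day == day]
        elif by_attribute:
            chosen = [n for n, f in self.files.items() if f.archive]
        else:
            chosen = list(self.files)
        if clears:
            for n in chosen:
                self.files[n].archive = False
        return BackupSet(kind, day, {n: self.files[n].version for n in chosen})

def restore_chain(sets):
    """Sets needed to rebuild the volume as of the last backup, oldest first."""
    chain, tail_open = [], True
    for s in reversed(sets):
        if s.kind == "Normal":
            chain.append(s)
            break
        # Every Incremental is needed; a Differential only if nothing newer
        # already carries the same changes.
        if s.kind == "Incremental" or (s.kind == "Differential" and tail_open):
            chain.append(s)
        if s.kind in ("Incremental", "Differential"):
            tail_open = False
    else:
        raise ValueError("no Normal backup to start the restore from")
    return chain[::-1]

def replay(chain):
    """Apply the sets in order; later sets overwrite earlier versions."""
    restored = {}
    for s in chain:
        restored.update(s.versions)
    return restored

def stored(sets):
    """Total number of file copies written to media across all sets."""
    return sum(len(s.versions) for s in sets)

def run_week(daily_kind):
    """Normal backup on day 0, then `daily_kind` on days 1-6 (constructed workload)."""
    vol = Volume(["logon.bat", "policy.adm", "users.csv", "notes.txt"])
    writes = {1: ["users.csv"], 2: ["notes.txt"], 3: ["users.csv", "new.doc"],
              4: [], 5: ["policy.adm"], 6: ["notes.txt"]}
    sets = [vol.backup("Normal", 0)]
    for day in range(1, 7):
        for name in writes[day]:
            vol.write(name, day)
        sets.append(vol.backup(daily_kind, day))
    live = {n: f.version for n, f in vol.files.items()}
    return sets, live

if __name__ == "__main__":
    for kind in ("Incremental", "Differential"):
        sets, live = run_week(kind)
        chain = restore_chain(sets)
        print(kind, "copies stored:", stored(sets), "sets to restore:", len(chain),
              "restore correct:", replay(chain) == live)
```

With this workload the Incremental week writes fewer file copies but needs every set since the Normal backup to restore, while the Differential week writes more and needs only two sets.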
Most production networks have ample backup capacity to perform a full Normal backup daily
Backing up servers can become time-consuming
To ease the burden, use the Backup utility to schedule backups to run at specified dates and times
Ntbackup then uses the Task Scheduler to schedule the backup
Scheduling Active Directory Backups (2)
(Skill 2)
Task Scheduler
Runs the Backup Wizard to carry out the backup operation at the scheduled date and time
This is also known as an unattended backup
Two ways to schedule an unattended backup
Use the Advanced settings on the Completing the Backup Wizard screen
Use the Schedule Jobs tab in the Backup Utility to schedule unattended backups
Scheduling Active Directory Backups (3)
(Skill 2)
Figure 8-8 Running Ntbackup from the Run dialog box
(Skill 2)
Figure 8-9 Scheduling a System State Backup
(Skill 2)
Figure 8-10 The How to Back Up screen
(Skill 2)
Figure 8-11 The Backup Options screen
(Skill 2)
Task Scheduler
On the Schedule Jobs tab in the Backup window
Click the icon for a scheduled job to open the Scheduled Job Options dialog box
You can change the job name on the Schedule data tab
You can view the job details on the Backup details tab
Scheduling Active Directory Backups (4)
(Skill 2)
Task Scheduler
On the Schedule Jobs tab in the Backup window
View details about the backup in the Job summary section
Displays the backup type
Displays the properties set for the backup job
Whether Verify data has been set
Whether hardware compression is to be used
Whether access is restricted to the owner or administrator
The media name used for the job and the set description
Scheduling Active Directory Backups (5)
(Skill 2)
Using Ntbackup
You cannot back up individual components of the System State data because of the dependencies between components
Third-party utilities such as Veritas Backup Exec can back up individual components
You can use Ntbackup to restore System State data to an alternate location
Scheduling Active Directory Backups (6)
(Skill 2)
When you restore the System State to an alternate location, certain components are restored
SYSVOL directory
Cluster database data
System boot files
When you restore the System State to an alternate location, certain components are not restored
Active Directory database
Certificate Services database
COM+ Class Registration database
Schedule Active Directory Backups (7)
(Skill 2)
Figure 8-12 The Schedule Job dialog box
(Skill 2)
Figure 8-13 The Advanced Schedule Options dialog box
(Skill 2)
Figure 8-14 The Set Account Information dialog box
(Skill 2)
Figure 8-15 Scheduled jobs on the calendar on the Schedule Jobs tab
(Skill 2)
Active Directory stores information about all of the objects in a domain
If the files that make up Active Directory become corrupt, users and applications cannot access Active Directory objects
In disaster recovery situations, you must restore the latest System State backup data to restore Active Directory objects
Examining Active Directory Restores
(Skill 3)
Methods of restoring System State data
Nonauthoritative restore (Normal)
Authoritative restore
Primary restore
Examining Active Directory Restores (2)
(Skill 3)
Nonauthoritative restore (Normal)
When to use this method
You need to recover a domain controller from hardware failure or replacement
You are sure the data on the other domain controllers in the forest is correct
All you must do is restore the most recent System State backup of the domain controller
Restored data, including Active Directory objects, will have the USN they had when the System State backup was created
Examining Active Directory Restores (3)
(Skill 3)
Nonauthoritative restore (Normal)
Update sequence numbers (USNs)
Used to detect and propagate Active Directory changes among the servers on the network
Make multi-master replication possible
Used to track changes made to the database just like a version number in DNS
When you create an object, Active Directory assigns a unique USN to the object
When you make changes to the object, Active Directory increments the USN for the object by one
Examining Active Directory Restores (4)
(Skill 3)
Nonauthoritative restore (Normal)
Update sequence numbers (USNs)
The copy of the object that has the highest USN is considered to be the most up-to-date, and is replicated to the other domain controllers
Because the USNs in the System State backup will be lower than more recent versions of Active Directory objects, the Active Directory replication system views data that is restored non-authoritatively as old data
If more recent data is available on other servers, the Active Directory replication system uses it to update the restored data
Examining Active Directory Restores (5)
(Skill 3)
Nonauthoritative restore (Normal)
After the nonauthoritative restore
Active Directory replication begins
Changes that occurred on the other domain controllers are automatically propagated to the domain controller that has come back online
You must use an authoritative restore to replicate restored data to other servers
Examining Active Directory Restores (6)
(Skill 3)
Nonauthoritative restore (Normal)
Unless you only have one domain controller, or are at an isolated remote location, a nonauthoritative restore is not very useful
This is because in order to perform a nonauthoritative restore on a failed domain controller, you must first reinstall Windows Server 2003 and promote the server to a domain controller
As part of this process, the Active Directory database is copied from the other servers onto your failed server, fully restoring Active Directory
Examining Active Directory Restores (7)
(Skill 3)
Authoritative restore
Used when an Active Directory object, or group of objects, has been accidentally deleted
When an object is deleted in Active Directory, it is not truly deleted; it is tombstoned
Tombstoning essentially marks the object “dead,” which makes it unusable, and updates the USN for the object
This is done so that the “deletion” is properly replicated to all domain controllers
Examining Active Directory Restores (8)
(Skill 3)
Authoritative restore
Once every night, a process known as Garbage Collection runs on all domain controllers
Any object that has been tombstoned for more than 60 days (by default) is actually deleted during this process
Because of the tombstoning process, to effectively restore a deleted object
You must increment the USN of that object subsequent to the actual restore process
This makes the restored copy the more up-to-date version
Examining Active Directory Restores (9)
(Skill 3)
Authoritative restore
During an authoritative restore, the USN of the deleted object is increased by 100,000 for each day since the backup was performed so that it is higher than the USNs of the existing objects
You perform an authoritative restore by executing the Ntdsutil command on a domain controller
Examining Active Directory Restores (10)
(Skill 3)
Authoritative restore
Using Ntdsutil
Ntdsutil is a command-line utility, which is stored in %Systemroot%\System32
It supplies a number of other directory management features not found in any of the graphical tools
You mark Active Directory objects for authoritative restore
This modifies the USN making it higher than any other update sequence number in the Active Directory replication system
Objects restored using this command are considered to be the most current copy of those objects, and are properly replicated to the other servers on the network
Examining Active Directory Restores (11)
(Skill 3)
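Why a nonauthoritative restore cannot bring back a deleted object while an authoritative one can, shown as an added example (not code from the course or from Ntdsutil). It follows the lesson's simplified description of one USN per object with the highest USN winning, rather than Active Directory's actual replication metadata; the domain controllers, distinguished names and attribute values are constructed.

```python
from dataclasses import dataclass, replace

VERSION_BUMP_PER_DAY = 100_000   # increase per day since the backup, as stated in the lesson

@dataclass(frozen=True)
class Obj:
    dn: str
    usn: int
    tombstoned: bool = False
    phone: str = ""

class DomainController:
    def __init__(self, name):
        self.name, self.db = name, {}

    def create(self, dn, **attrs):
        self.db[dn] = Obj(dn, usn=1, **attrs)

    def modify(self, dn, **attrs):
        o = self.db[dn]
        self.db[dn] = replace(o, usn=o.usn + 1, **attrs)

    def delete(self, dn):
        # Deletion tombstones the object and raises its USN so it replicates.
        self.modify(dn, tombstoned=True)

    def backup(self):
        return dict(self.db)

    def restore(self, backup):
        # Nonauthoritative: objects come back with the USN they had at backup time.
        self.db = dict(backup)

    def mark_authoritative(self, dn, days_since_backup, verinc=None):
        # verinc overrides the default increase, like the parameter in the lesson.
        bump = verinc if verinc is not None else VERSION_BUMP_PER_DAY * days_since_backup
        o = self.db[dn]
        self.db[dn] = replace(o, usn=o.usn + bump)

    def mark_subtree_authoritative(self, base_dn, days_since_backup):
        suffix = "," + base_dn.lower()
        marked = [dn for dn in self.db
                  if dn.lower() == base_dn.lower() or dn.lower().endswith(suffix)]
        for dn in marked:
            self.mark_authoritative(dn, days_since_backup)
        return marked

def replicate(a, b):
    """Two-way sync: for each object, the copy with the higher USN wins."""
    for dn in set(a.db) | set(b.db):
        copies = [dc.db[dn] for dc in (a, b) if dn in dc.db]
        a.db[dn] = b.db[dn] = max(copies, key=lambda o: o.usn)

def scenario(authoritative):
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    ann = "CN=Ann Lee,OU=Sales,DC=example,DC=com"
    bob = "CN=Bob Ray,OU=IT,DC=example,DC=com"
    dc1.create(ann, phone="100")
    dc1.create(bob, phone="200")
    replicate(dc1, dc2)
    backup = dc1.backup()              # day 0: System State backup of DC1
    dc2.modify(bob, phone="201")       # legitimate change made after the backup
    dc2.delete(ann)                    # accidental deletion
    replicate(dc1, dc2)                # the tombstone reaches DC1
    dc1.restore(backup)                # day 2: restore on DC1
    if authoritative:
        dc1.mark_subtree_authoritative("OU=Sales,DC=example,DC=com", days_since_backup=2)
    replicate(dc1, dc2)                # DC1 restarts normally and replicates
    return dc1.db[ann], dc2.db[ann], dc1.db[bob]

if __name__ == "__main__":
    for mode in (False, True):
        ann1, ann2, bob1 = scenario(mode)
        print("authoritative" if mode else "nonauthoritative",
              "| Ann deleted:", ann1.tombstoned, "| Ann USN:", ann1.usn,
              "| Bob phone:", bob1.phone)
```

In both runs the later change to the second object still replicates in from the partner, because only the marked subtree has its USN raised.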
Figure 8-16 Authoritative Restore
(Skill 3)
Figure 8-17 First level of commands for ntdsutil
(Skill 3)
Primary restore
You do a primary restore when you must rebuild the domain from backup because all domain controllers in the domain have been lost
You perform a primary restore on the first domain controller and nonauthoritative restores on all of the other domain controllers
You only perform a primary restore when the server you are trying to restore is the only running server in a replicated data set
Examining Active Directory Restores (12)
(Skill 3)
Active Directory actually performs attribute level replication in most cases
If you change a field in a user account, only the field is replicated, not the entire object
To provide full replication functionality, Active Directory actually assigns a USN
To the database
To each object in the database
To each attribute of each object
Examining Active Directory Restores (13)
(Skill 3)
Nonauthoritative restore
Used to restore Active Directory in cases where no objects have been accidentally deleted and no other options are available
You use the backup of the System State data to restore Active Directory on a domain controller
To begin, start the computer in a special safe mode called Directory Services Restore Mode
Then use the Restore Wizard to restore Active Directory
Executing a Nonauthoritative Restore
(Skill 4)
Directory Services Restore Mode
This mode ensures the domain controller remains offline while you restore the Active Directory database and the SYSVOL folder
In this offline mode, Active Directory services on the domain controller are stopped so that a successful restoration can occur
The computer is not disconnected from the network, but all Active Directory services are halted
Executing a Nonauthoritative Restore (2)
(Skill 4)
Directory Services Restore Mode
After the Active Directory restoration process is complete and the server is restarted, the normal replication process updates the restored Active Directory database with the help of the replication partner domain controllers on the domain
Executing a Nonauthoritative Restore (3)
(Skill 4)
Figure 8-18 The Desktop message box
(Skill 4)
Figure 8-19 Restoring the System State
(Skill 4)
Figure 8-20 The Warning dialog box
(Skill 4)
Directory Services Restore Mode
You can also use Ntdsutil to reset the Directory Services Restore Mode password
At the ntdsutil prompt, type Set DSRM and press [Enter]
At the Reset DSRM Administrator Password prompt, type Reset Password on server %s where %s is the name of the server
After you press [Enter], you are prompted to type the password and re-enter the password
Executing a Nonauthoritative Restore (4)
(Skill 4)
Figure 8-21 The Restore Progress dialog box
(Skill 4)
Figure 8-22 The Backup Utility warning dialog box
(Skill 4)
You use an authoritative restore to recover selected Active Directory objects
Preliminary tasks
Copy the Policies folder in the SYSVOL folder to an alternate location
Copy the Policies folder from the alternate location back to its original location
After you perform an authoritative restore
After the SYSVOL share has been published
Executing an Authoritative Restore
(Skill 5)
Preliminary tasks
Perform a nonauthoritative restore of the System State data
You can then use Ntdsutil to perform an authoritative restore to recover the deleted object
Executing an Authoritative Restore (2)
(Skill 5)
Run the Ntdsutil command-line utility to perform an authoritative restore
Ntdsutil marks an object for authoritative restore by increasing the USN by 100,000 for each day since the backup was performed so that it is higher than the USNs of the existing object
To restore a deleted object, you must specify the distinguished name of the object
Executing an Authoritative Restore (3)
(Skill 5)
Distinguished name (DN)
Uniquely identifies an object on a network
It is an LDAP component that includes the name of the domain that holds the object and the complete path to the object through the container hierarchy
It identifies an object throughout the LDAP hierarchy because it refers to the relative distinguished name, domain name, and the container where the object is stored
Executing an Authoritative Restore (4)
(Skill 5)
Distinguished name (DN)
Can consist of the common name (cn), the organizational unit name (ou), and the domain component name (dc)
The common name for a user object is the full user name, not the logon name
For user names and OUs that contain spaces, the DN must be enclosed in quotation marks
Executing an Authoritative Restore (5)
(Skill 5)
8.68 © 2004 Pearson Education, Inc.
To restore an OU and all objects in it, use the command Restore subtree %s, where %s represents the server name
To restore an object, use Restore object %s
To override the version (USN) increase
Add the parameter verinc %d, where %d represents the variable by which you want to increment the version number
Use this parameter only to authoritatively restore over an incorrect authoritative restore
Executing an Authoritative Restore (6)
(Skill 5)
8.69 © 2004 Pearson Education, Inc.
Just like a nonauthoritative restore, an authoritative restore requires that the domain controller be running in Directory Services Restore Mode
Run the Ntdsutil command
After you have restored the System State data
Before you have restarted the server from Active Directory Restore mode
You cannot restart normally between the nonauthoritative restore and the authoritative restore
Executing an Authoritative Restore (7)
(Skill 5)
8.70 © 2004 Pearson Education, Inc.
After the restoration is complete, the domain controller is brought back online by restarting the computer normally
If the Active Directory database has changed on the replication partner domain controllers, the replication process updates their databases using the restored Active Directory database
The replication process also distributes information about the restored object to other domain controllers
Executing an Authoritative Restore (8)
(Skill 5)
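Added example (not part of the original slides): a small Python model of why the version increase described on slides 8.65 and 8.68 decides what replication keeps after the restart on slide 8.70. The Replica class, the sample versions and states, and the reading of verinc as the total increase are assumptions made for illustration.

```python
from dataclasses import dataclass

STEP_PER_DAY = 100_000  # default increase per day since the backup (from the slide)

@dataclass
class Replica:
    """One domain controller's copy of a single object (constructed model)."""
    dc: str
    state: str
    version: int

def mark_authoritative(replica, days_since_backup, verinc=None):
    """Raise the version the way the slides describe for Ntdsutil.

    Assumption: verinc, when given, replaces the default increase outright.
    """
    increase = verinc if verinc is not None else STEP_PER_DAY * days_since_backup
    return Replica(replica.dc, replica.state, replica.version + increase)

def replicate(a, b):
    """Simplified conflict resolution: the strictly higher version wins.

    Returns the state both domain controllers hold afterwards. Ties are
    outside this model (real replication has further tie-breakers).
    """
    if a.version == b.version:
        raise ValueError("tie: not covered by this model")
    return max(a, b, key=lambda r: r.version).state

def scenario():
    # Constructed sample: version 4 at backup time 3 days ago; the object was
    # then deleted on DC2, which raised its version there to 5.
    partner = Replica("DC2", "deleted", 5)
    restored = Replica("DC1", "present", 4)      # after the nonauthoritative restore
    plain = replicate(restored, partner)         # the deletion replicates back in
    marked = mark_authoritative(restored, days_since_backup=3)
    auth = replicate(marked, partner)            # the restored object wins
    # An earlier, incorrect authoritative restore from a 5-day-old backup already
    # replicated to DC2; the default increase for 3 days cannot beat it.
    wrong = Replica("DC2", "wrong", 4 + 5 * STEP_PER_DAY)
    retry = replicate(marked, wrong)
    forced = replicate(mark_authoritative(restored, 3, verinc=600_000), wrong)
    return plain, marked.version, auth, retry, forced

if __name__ == "__main__":
    print(scenario())
```

The last two results show the case the verinc slide reserves the parameter for: the default increase loses to the earlier authoritative restore, and only the larger explicit increase replaces it.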
8.71 © 2004 Pearson Education, Inc.
Figure 8-23 Copying the Policies folder to an alternate location
(Skill 5)
8.72 © 2004 Pearson Education, Inc.
If you accidentally delete a large number of objects, manually recovering each object would be a cumbersome task
Instead you can authoritatively restore the entire database
To do this, type the restore database command at the authoritative restore prompt
Executing an Authoritative Restore (9)
(Skill 5)
8.73 © 2004 Pearson Education, Inc.
Do not perform an authoritative restore of the entire database on servers holding the RID master or schema master FSMO roles
The schema cannot be authoritatively restored, and authoritatively restoring the RID master can lead to SID conflicts
Executing an Authoritative Restore (10)
(Skill 5)
8.74 © 2004 Pearson Education, Inc.
Figure 8-24 Confirming an authoritative restore
(Skill 5)
8.75 © 2004 Pearson Education, Inc.
Figure 8-25 Using Ntdsutil to recover a deleted object
(Skill 5)