How to perform Active Directory disaster recovery

2025-01-19 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

Many administrators with little experience do not know how to carry out Active Directory disaster recovery. This article therefore summarizes the causes of the problem and the steps that solve it; I hope it helps you recover your own directory.

Perform a non-authoritative restore

Restoring deleted Active Directory objects from a backup is a two-step process: first, restart the DC into Directory Services Restore Mode (DSRM), and then restore the entire Active Directory DIT from the system state backup using the Windows NTBACKUP utility or an equivalent third-party product. This process overwrites the entire DIT.

There are two ways to start a DC in DSRM. If you have access to the DC's system console, shut down and restart the DC, and press F8 when prompted to bring up the Windows startup menu. Select Directory Services Restore Mode from the menu and enter the DSRM password.

If you manage the server remotely, you cannot reach the Windows startup menu. Instead, change the system startup options: open the Properties of My Computer, click the Advanced tab, and press the Settings button under Startup and Recovery. Press the Edit button in the System startup area to edit the boot.ini file, and add the switch /SAFEBOOT:DSREPAIR to the end of the operating system entry line, as shown in figure 3. (For more information about the boot.ini switches, see microsoft.com/technet/sysinternals/information/bootini.mspx.)

Figure 3: Setting the startup options for DSRM

When the server restarts, it comes up in DSRM. Keep in mind that when you want to restart the DC in normal mode, you must remove the /SAFEBOOT switch from boot.ini again.
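As an added illustration (not part of the original article), here is a small Python helper that appends /SAFEBOOT:DSREPAIR to the default operating system entry of a boot.ini file, and strips any /SAFEBOOT switch again for the return to normal mode. The boot.ini text is a constructed sample in the Windows Server 2003 layout.

```python
import re

SAFEBOOT_DSRM = "/SAFEBOOT:DSREPAIR"

# Constructed sample boot.ini (not taken from the article).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003" /fastdetect
"""


def set_dsrm_boot(boot_ini, enable):
    """Return boot_ini with /SAFEBOOT:DSREPAIR appended to the entry named by
    default= (enable=True), or with any /SAFEBOOT switch removed from it
    (enable=False). All other lines are passed through unchanged."""
    lines = boot_ini.splitlines()
    default = next((l.split("=", 1)[1].strip() for l in lines
                    if l.lower().startswith("default=")), None)
    if default is None:
        raise ValueError("boot.ini has no default= entry")
    out, found = [], False
    for line in lines:
        if line.startswith(default + "="):
            found = True
            # Drop any existing /SAFEBOOT:<mode> first, so enabling twice never
            # duplicates the switch and disabling clears whatever mode was set.
            line = re.sub(r"\s*/SAFEBOOT:\S+", "", line, flags=re.IGNORECASE).rstrip()
            if enable:
                line += " " + SAFEBOOT_DSRM
        out.append(line)
    if not found:
        raise ValueError("default entry not found under [operating systems]")
    return "\n".join(out) + "\n"
```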

Once logged in with the DSRM password, you can use NTBACKUP again to restore the system state backup; start it without specifying any parameters (you cannot restore using NTBACKUP from the command line). When the wizard appears, select Restore files and settings, and then click Next. Then select the backup file and check the System State box, as shown in figure 4.

Figure 4: Restoring the system state using the Backup or Restore Wizard

If you restart the DC in normal mode at this point, the Active Directory replication process will bring the restored domain controller back into synchronization with the other DCs in the domain, and all the restored data will be overwritten by the current data. Obviously, this is not your goal. Instead, you need a way to force the restored objects to be replicated to the other domain controllers in the domain.

Perform an authoritative restore

When the non-authoritative restore is complete, but before you restart into normal mode, use the NTDSUTIL program to perform an authoritative restore of the objects you want to recover. Despite the name, an authoritative restore of an object does not "restore" the object; it just ensures that Active Directory replicates the object to the other DCs. To do this, NTDSUTIL assigns the next available USN to the local USN of each of the object's attributes, which causes the object to be sent to the replication partners on the next synchronization.

NTDSUTIL also increases the version number of each attribute by 100000 for every day between the backup date and the restore date. Unless the attribute is updated more than 100000 times a day (which is highly unlikely), the version number of the restored attribute will be much larger than the one held by the other DCs, and the authoritatively restored object will be replicated to the other DCs. The other objects restored non-authoritatively from the backup will eventually be overwritten by the existing data from the other domain controllers.

To restore a single object, make sure that the DC is started in DSRM and follow these steps:

Open a command window and type:

ntdsutil

At the ntdsutil prompt, type:

authoritative restore

At the authoritative restore prompt, type:

Restore object "<distinguished name of the object>"

For example, to restore the Molly Clark account in the Eng OU of the DRNET domain, you would enter:

Restore object "CN=Molly Clark,OU=Eng,DC=DRNET,DC=com"

To authoritatively restore an entire directory subtree (such as an OU) instead, enter the following:

Restore subtree "OU=Eng,DC=DRNET,DC=com"

NTDSUTIL also provides a restore database command for authoritatively restoring the entire domain NC, the configuration NC and the schema NC. Restoring the entire domain is fraught with danger, and I do not recommend that you use this option. If you need to restore the entire domain, you should restore one domain controller and then re-promote the other DCs in the domain, as described in "Planning Active Directory Forest Recovery".

When prompted, confirm that the authoritative restore should increase the version numbers of each object and its attributes.

Exit ntdsutil (you need to type quit twice).

Restart the DC in normal Active Directory mode.

The next time the DC replicates with its partners, the user you restored will be replicated. But restoring the user object solves only half of the problem. The situation becomes more complicated when object links are involved, such as those between groups and their members. You may run into some basic problems during and after a restore, which I cover in the following sections.

First, let's review what happens when an object with a backward link is deleted. Suppose you delete a user object that is a member of one or more groups. Each domain controller that has a copy of the user object converts it to a tombstone and removes all references to it from the link table, thus removing the user object from all group memberships in the user's domain. (Keep in mind that removing a user from a group membership is not a replicated change, because each DC updates the group membership locally; the version number and local USN of the group's member attribute remain the same.) After a short period of time, the phantom object is deleted from the link tables of the other domains, and once again the replication metadata for the group member attributes is not updated.

When you non-authoritatively restore the DIT on a domain controller in the user's domain, the user object and all of its memberships in the groups of that domain are restored, so the restored DC is internally consistent. When you then authoritatively restore the user with the NTDSUTIL utility, the user object is replicated to all the other DCs in the domain.

However, because the replication metadata of the current groups in the domain has not changed, the member attributes of the groups on the restored DC are not consistent with those of the groups on the other DCs, and there is usually no way to reconcile them. Therefore, the user's group memberships will not be restored on the other DCs in the domain.
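To make the version-number argument of the authoritative restore and the group-membership problem concrete, here is an added toy model of two DCs exchanging attribute versions (my own illustration, not Microsoft's replication code). It assumes a constructed group DN, applies the article's rule of 100000 per day literally, and resolves conflicts by version number only; real Active Directory also compares timestamps and the originating DSA when versions tie, which the toy ignores.

```python
import copy

VERSION_BUMP_PER_DAY = 100000  # per-day version increment quoted in the article
USER = "CN=Molly Clark,OU=Eng,DC=DRNET,DC=com"   # the DN used in the article
GROUP = "CN=Engineers,OU=Eng,DC=DRNET,DC=com"    # constructed group DN


class Dc:
    def __init__(self):
        self.attrs = {}  # (dn, attribute) -> {"value": ..., "version": int}
    def set(self, dn, attr, value, version):
        self.attrs[(dn, attr)] = {"value": value, "version": version}
    def value(self, dn, attr):
        return self.attrs[(dn, attr)]["value"]
    def delete_object(self, dn):
        # Tombstoning is a replicated change, so the version number goes up.
        self.set(dn, "objectClass", None, self.attrs[(dn, "objectClass")]["version"] + 1)
        self._strip_links(dn)
    def _strip_links(self, dn):
        # Each DC drops the DN from its member lists locally; the member
        # attribute's version and USN are NOT changed, as the article says.
        for (_, attr), rec in self.attrs.items():
            if attr == "member" and dn in rec["value"]:
                rec["value"] = [m for m in rec["value"] if m != dn]
    def replicate_from(self, partner):
        # Pull every attribute whose version is higher on the partner.
        for key, rec in partner.attrs.items():
            mine = self.attrs.get(key)
            if mine is None or rec["version"] > mine["version"]:
                self.attrs[key] = copy.deepcopy(rec)
                if rec["value"] is None:  # an incoming tombstone
                    self._strip_links(key[0])


def restore_scenario(authoritative, days_since_backup):
    """Return (user on DC1, user on DC2, members on DC1, members on DC2)."""
    dc1, dc2 = Dc(), Dc()
    for dc in (dc1, dc2):  # both DCs consistent when the backup is taken
        dc.set(USER, "objectClass", "user", 1)
        dc.set(GROUP, "member", [USER], 1)
    backup = copy.deepcopy(dc1.attrs)  # system state backup of DC1
    dc1.delete_object(USER)            # accidental deletion on DC1
    dc2.replicate_from(dc1)            # tombstone replicates to DC2
    dc1.attrs = copy.deepcopy(backup)  # non-authoritative restore in DSRM
    if authoritative:                  # ntdsutil raises the user's versions
        dc1.attrs[(USER, "objectClass")]["version"] += VERSION_BUMP_PER_DAY * days_since_backup
    dc1.replicate_from(dc2)            # DC1 back in normal mode, syncs both ways
    dc2.replicate_from(dc1)
    return (dc1.value(USER, "objectClass"), dc2.value(USER, "objectClass"),
            dc1.value(GROUP, "member"), dc2.value(GROUP, "member"))
```

Without the authoritative step the restored user is overwritten by the tombstone on the next sync; with it the user survives on both DCs, but the group on DC2 still has no member entry because its member attribute never changed version.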

After reading the above, have you mastered the method of Active Directory disaster recovery? If you want to learn more skills or find out more about the topic, you are welcome to follow the industry information channel. Thank you for reading!
