2025-01-16 Update From: SLTechnology News&Howtos (Servers)
Shulou(Shulou.com)06/01 Report--
This article mainly shows you how to perform Active Directory recovery. The content is easy to understand and clearly organized, and I hope it helps resolve your doubts. Now let the editor lead you through "how to perform Active Directory recovery".
Bare Metal recovery of Domain Controller
One of the most exciting improvements to backup and recovery is the way WinRE is incorporated into the installation process. When starting Windows Server 2008 from the installation media, you can select the "Repair your computer" option, as shown in figure 7. As this option is easy to miss, I would like to make a special reminder here.
Figure 7 The Repair your computer option is available on the installation screen
After selecting the repair option on the installation screen, Windows asks me to select a recovery option, as shown in figure 8. In this case I choose "Windows Complete PC Restore", which invokes the Windows recovery environment.
Figure 8 Specifying system recovery options
After selecting the operating system to repair (usually only one choice), WinRE allows you to select the backup from which you want to restore. By default, WinRE selects the most recent full system backup, but you can specify other backups that are stored on your local disk, or search the network for backups stored in file shares on other servers.
In my example, I chose the most recent full system backup. The next dialog box (shown in figure 9) lets me format all the disks and repartition them before restoring them. This is an appropriate option if you are recovering from a problem caused by a disk failure, or if you have replaced one or more disk drives in the server.
Figure 9 You can easily format and repartition disks before they're restored
After two confirmation dialogs, WinRE starts the restore process and the server restarts. This method is ideal for performing bare metal recovery on the server.
System State recovery of Domain Controller
If you need to recover from an Active Directory-related problem (such as restoring a deleted OU from a backup), you should restore the Active Directory Domain Services (ADDS) database to an earlier state rather than the entire system. Although you can stop ADDS like a service in Windows Server 2008, you still need to boot the server into Directory Services Restore Mode (DSRM) to perform a system state restore on a domain controller.
Changing the boot options to boot Windows Server 2008 into DSRM is not as easy as it used to be. The entire Windows boot environment has been redesigned to support the Extensible Firmware Interface (EFI), and the old boot.ini file no longer exists. Instead, Windows Server 2008 uses Boot Configuration Data (BCD) to manage the boot process.
The easiest way to manage BCD is the BCDEDIT command-line program. Explaining all of BCDEDIT's commands and options would take an entire article, so I'll show only a few useful examples here.
To reboot the Windows Server 2008 DC into DSRM, use the following command:
C:\> bcdedit /set safeboot dsrepair
This sets the safe boot option on the default boot loader entry. In a new Windows Server 2008 installation there is only one boot loader entry, WINLOAD.EXE. To remove the safe boot option and reboot into normal mode, use the following command:
C:\> bcdedit /deletevalue safeboot
It is more convenient to configure two boot loader entries on a DC: one for a normal boot and one for a DSRM boot. You can then change the boot options using the "Startup and Recovery" settings dialog box under "System Settings". To add a new boot loader entry, use the following command:
C:\> bcdedit /copy {default} /d "Directory Service Repair Mode"
This creates a new boot loader entry by copying the default one. BCDEDIT displays something like the following:
The entry was successfully copied to {c50d4710-a1f0-11dc-9580-0003ff402ae9}.
The GUID identifies the new entry. Next, set the safe boot option on the new boot loader entry in the BCD with the following command:
C:\> bcdedit /set {c50d4710-a1f0-11dc-9580-0003ff402ae9} safeboot dsrepair
You can now switch between normal boot mode and DSRM boot mode using the "Startup and Recovery" settings (shown in figure 10).
Figure 10 Disable incremental backups on busy volumes
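As an added example (not the article's own code), the following PowerShell performs the same BCDEDIT steps without the GUID having to be copied by hand: it creates the DSRM entry, captures the GUID from BCDEDIT's output, sets safeboot on that entry only, and then uses /bootsequence to boot into it once so the DC returns to normal mode on the following reboot (that last step goes beyond the article). The function names are assumptions.

```powershell
# Added example, not the article's code. Run from an elevated PowerShell prompt on the DC.

function New-DsrmBootEntry {
    param([string]$Description = 'Directory Service Repair Mode')
    # Braces must be quoted here, or PowerShell parses {default} as a script block
    $out = & bcdedit /copy '{default}' /d $Description 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $out" }
    # BCDEDIT answers: The entry was successfully copied to {GUID}.
    if ($out -match '\{[0-9a-f-]{36}\}') { $guid = $Matches[0] }
    else { throw "No GUID in BCDEDIT output: $out" }
    # Set safeboot on the copy only; the default entry keeps booting normally
    & bcdedit /set $guid safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set safeboot failed for $guid" }
    return $guid
}

function Invoke-DsrmBootOnce {
    param([Parameter(Mandatory)][string]$EntryId)
    # /bootsequence selects the entry for the next start only, so the DC comes back
    # in normal mode afterwards even if nobody clears the safeboot value
    & bcdedit /bootsequence $EntryId | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /bootsequence failed for $EntryId" }
}

function Get-BootEntrySafeboot {
    # One object per boot loader entry, so you can verify which entry boots into DSRM
    $text = & bcdedit /enum osloader | Out-String
    foreach ($block in ($text -split '\r?\n\s*\r?\n')) {
        if ($block -match '(?m)^identifier\s+(\S+)') { $id = $Matches[1] } else { continue }
        $desc = ''
        if ($block -match '(?m)^description\s+(.+?)\s*$') { $desc = $Matches[1] }
        $safe = 'not set'
        if ($block -match '(?m)^safeboot\s+(\S+)') { $safe = $Matches[1] }
        [pscustomobject]@{ Identifier = $id; Description = $desc; SafeBoot = $safe }
    }
}

$dsrm = New-DsrmBootEntry
Invoke-DsrmBootOnce -EntryId $dsrm
Get-BootEntrySafeboot | Format-Table -AutoSize
```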
Before you start a system state restore using WBADMIN, you must determine the backup from which you want to restore. WBADMIN can perform a system state restore from a full system backup, from a backup that contains only the critical system volumes, or from a system state backup. In each case, you must specify the backup version to use. The easiest way to find the available backup versions is the following WBADMIN command:
C:\> wbadmin get versions
WBADMIN then displays the backup versions in a form similar to figure 11. Note that each backup has a backup time, a backup target, a version identifier (which, incidentally, is the date and time the backup started, in Greenwich Mean Time) and a list of the recovery types the backup supports.
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.

Backup time: 11/<dd>/2007 3:47 PM
Backup target: Fixed Disk labeled E:
Version identifier: 11/<dd>/2007-22:47
Can Recover: Application(s), System State

Backup time: 12/<dd>/2007 10:46 PM
Backup target: Fixed Disk labeled Backup(E:)
Version identifier: 12/02/2007-05:46
Can Recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 12/<dd>/2007 5:58 PM
Backup target: Fixed Disk labeled Backup(E:)
Version identifier: 12/03/2007-00:58
Can Recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 12/<dd>/2007 11:25 AM
Version identifier: 12/03/2007-18:25
Can Recover: Application(s), System State
In this example, I select the most recent backup and start the system state restore using the following WBADMIN command:
C:\> wbadmin start systemstaterecovery -version:12/03/2007-18:25
This performs a non-authoritative restore. If you want an authoritative restore of SYSVOL, simply mark the restored copy of SYSVOL as authoritative by adding the -authsysvol option to the WBADMIN command. For more information about this process, see go.microsoft.com/fwlink/?LinkId=113152.
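As an added example (not the article's code), this PowerShell parses the output of wbadmin get versions, selects the newest version that can recover System State, and builds the restore command shown above rather than running it, so the version can be confirmed before committing to a restore. The function names and the sample catalog text are constructed; the sample follows the figure 11 layout and assumes the US date format WBADMIN uses in version identifiers.

```powershell
# Added example, not the article's code. Nothing is restored unless you run the
# command this script returns.

function Get-WbVersions([string]$Text) {
    if (-not $Text) { $Text = & wbadmin get versions | Out-String }   # live catalog
    foreach ($block in ($Text -split '\r?\n\s*\r?\n')) {
        if ($block -match 'Version identifier:\s*(\S+)') { $id = $Matches[1] } else { continue }  # banner
        $target = ''
        if ($block -match '(?m)^Backup target:\s*(.+?)\s*$') { $target = $Matches[1] }
        $can = @()
        if ($block -match '(?m)^Can Recover:\s*(.+?)\s*$') { $can = $Matches[1] -split ',\s*' }
        [pscustomobject]@{
            VersionId  = $id
            # the identifier is the backup start time in GMT, in MM/dd/yyyy-HH:mm form
            StartedUtc = [datetime]::ParseExact($id, 'MM/dd/yyyy-HH:mm', [cultureinfo]::InvariantCulture)
            Target     = $target
            CanRecover = $can
        }
    }
}

function Select-SystemStateVersion($Versions) {
    # Only versions that list System State are usable with systemstaterecovery
    $Versions | Where-Object { $_.CanRecover -contains 'System State' } |
        Sort-Object StartedUtc -Descending | Select-Object -First 1
}

function New-SystemStateRestoreCommand($Version, [switch]$AuthoritativeSysvol) {
    $cmd = "wbadmin start systemstaterecovery -version:$($Version.VersionId)"
    if ($AuthoritativeSysvol) { $cmd += ' -authsysvol' }   # marks the restored SYSVOL authoritative
    return $cmd
}

# Constructed sample in the figure 11 layout, so the parser can be tried without a backup catalog
$sample = @'
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.

Backup time: 12/01/2007 10:46 PM
Backup target: Fixed Disk labeled Backup(E:)
Version identifier: 12/02/2007-05:46
Can Recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 12/03/2007 11:25 AM
Backup target: Fixed Disk labeled Backup(E:)
Version identifier: 12/03/2007-18:25
Can Recover: Application(s), System State
'@
$latest = Select-SystemStateVersion (Get-WbVersions $sample)
New-SystemStateRestoreCommand $latest
```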
Take a snapshot of Active Directory
One of the most exciting changes in Active Directory backup is that it is no longer tied to Windows Server Backup at all. In Windows Server 2008, Active Directory can take full advantage of Volume Shadow Copy Service (VSS) snapshots. These snapshots are extremely lightweight point-in-time backups of a running Active Directory service. Even better, they can be created in just a few seconds! You can then mount these snapshots and access them with normal LDAP-based utilities such as the LDP tool.
Take a snapshot of ADDS or Active Directory Lightweight Directory Services (ADLDS) using the NTDSUTIL commands shown below:
C:\> ntdsutil
ntdsutil: snapshot
snapshot: activate instance ntds
Active instance set to "ntds".
snapshot: create
Creating snapshot...
Snapshot set {42c44414-c099-4f1e-8bd8-4453ef2534a4} generated successfully.
snapshot: quit
ntdsutil: quit
This NTDSUTIL command sequence creates a Volume Shadow Copy Service snapshot of the volumes containing the Active Directory DIT, the logs, and SYSVOL. Even if Active Directory is still being updated, VSS uses a copy-on-write scheme to ensure that a snapshot, once taken, is properly preserved. Note that a snapshot is not a complete copy of the DIT; it is really just the collection of disk blocks in the DIT that have been modified since the snapshot was taken. By combining these blocks with the current copy of the DIT, VSS presents the Active Directory DIT exactly as it was at the time of the snapshot. Figure 12 shows how to delete old or unneeded snapshots.
C:\> ntdsutil
ntdsutil: snapshot
snapshot: list all
 1: 2007/12/03:23:18 {42c44414-c099-4f1e-8bd8-4453ef2534a4}
 2: C: {c0dd71ba-5bcd-4daf-9fbb-5cfbdd168022}
 3: D: {2bbd739f-905a-431b-9449-11fba01f9931}
snapshot: delete 1
snapshot: quit
ntdsutil: quit
C:\>
Mount Active Directory Snapshot
In order to use one of these snapshots, you must first instruct the Volume Shadow Copy Service to make the snapshot available to the file system. To do this, use the ntdsutil command to list the available snapshots, and then mount the snapshot of interest (see figure 13).
C:\> ntdsutil
ntdsutil: snapshot
snapshot: list all
 1: 2007/12/03:23:18 {42c44414-c099-4f1e-8bd8-4453ef2534a4}
 2: C: {c0dd71ba-5bcd-4daf-9fbb-5cfbdd168022}
 3: D: {2bbd739f-905a-431b-9449-11fba01f9931}
snapshot: mount 1
Snapshot {c0dd71ba-5bcd-4daf-9fbb-5cfbdd168022} mounted as C:\$SNAP_200712032318_VOLUMEC$\
Snapshot {2bbd739f-905a-431b-9449-11fba01f9931} mounted as C:\$SNAP_200712032318_VOLUMED$\
snapshot: quit
ntdsutil: quit
C:\>
The list all command lists all available Active Directory snapshots currently maintained by the Volume Shadow Copy Service. The mount 1 command mounts the selected snapshot of the Active Directory DIT and log volumes and makes it available in the file system, at C:\$SNAP_200712032318_VOLUMEC$\ and C:\$SNAP_200712032318_VOLUMED$\.
If you look at these folders, you will see that the entire contents of these volumes are the same as when you took the snapshot. Note, however, that the mounted snapshot is read-only, that is, you cannot modify any files that have been mounted in the snapshot.
Restore data from an Active Directory snapshot
Mounting snapshots of the volumes containing Active Directory seems a bit mysterious: how do you get at the Active Directory data contained in these snapshots? The DSAMAIN command is the key. It is the executable that runs ADLDS, essentially a stand-alone LDAP server that shares almost all of its code with ADDS. You can use DSAMAIN to present a mounted snapshot as a read-only LDAP server containing the Active Directory data as it was when the snapshot was taken.
Consider the following command:
C:\> dsamain -dbpath c:\$snap_200712032318_volumed$\ntds\dit\ntds.dit -ldapport 10000
This loads the ntds.dit file in the c:\$snap_200712032318_volumed$\ntds\dit folder and makes it available for LDAP operations on TCP port 10000 (or whatever open port you specify). DSAMAIN also opens the LDAPS port (LDAP over SSL) on the specified port number plus one (10001 here), the GC port (global catalog connections) on the specified number plus two (10002), and the GC-SSL port (global catalog over SSL) on the specified number plus three (10003).
You can use any LDAP program, such as LDP, to access the DIT loaded on the specified port. In Windows Server 2008, however, Active Directory Users and Computers (ADUC), Sites and Services, Domains and Trusts, and ADSIEDIT have all been modified to let you connect to a DIT mounted with DSAMAIN. If you right-click the top-level node in the ADUC navigation pane and select "Change Domain Controller", you will see the dialog shown in figure 14. If you type the name or IP address and port of the server hosting the mounted snapshot (localhost:10000 in my example), ADUC attaches to the mounted snapshot and lets you browse the contents of the directory as they were when you took the snapshot. It's amazing, isn't it?
Figure 14 Connecting Active Directory Users and Computers to a mounted snapshot
Being able to access directory data in this way makes a variety of data recovery tasks much easier than before. For example, to restore deleted objects from a backup, you previously had to perform a non-authoritative restore of an existing DC backup and then an authoritative restore of the deleted objects. If the backup you restored did not contain the right data, you had to start all over again with a different backup. Now, using tombstone reanimation (restoring logically deleted objects) and snapshots, you can quickly find and recover deleted data without even taking the domain controller offline.
There are some restrictions, however. For example, each active snapshot increases the disk I/O associated with directory write operations, so a production DC should not have more than one or two active snapshots at any point in time. In addition, the longer a snapshot stays active, the larger the Volume Shadow Copy Service change store grows, which also affects performance. Of course, simply restoring deleted objects is only part of the recovery problem. You may also have to restore the object's linked attributes, such as group memberships. Even in this case, however, a snapshot can help you determine all the groups to which the deleted object belonged.
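As an added example (not the article's code), the following PowerShell ties the DSAMAIN steps above to the group-membership question: it mounts a snapshot with NTDSUTIL, serves its DIT with DSAMAIN on port 10000, looks an object up over LDAP and returns its memberOf values as they stood at snapshot time, then stops DSAMAIN and unmounts the snapshot. The function names, the sample account jdoe and the snapshot index are assumptions; the DIT path is the one from the listing above and must be replaced by the path NTDSUTIL reports on your own server.

```powershell
# Added example, not the article's code. Run elevated on the DC as a domain admin.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Mount-AdSnapshot([int]$Index) {
    # NTDSUTIL accepts its interactive commands as arguments; index numbers come from "list all"
    $out = & ntdsutil 'snapshot' "mount $Index" 'quit' 'quit' 2>&1 | Out-String
    if ($out -notmatch 'mounted as') { throw "Snapshot $Index was not mounted: $out" }
    [regex]::Matches($out, 'mounted as (\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Start-SnapshotLdap([string]$DitPath, [int]$Port = 10000) {
    # Without -allowNonAdminAccess only domain/enterprise admins can bind to the snapshot
    $p = Start-Process -FilePath 'dsamain.exe' -PassThru -WindowStyle Hidden `
        -ArgumentList @('-dbpath', "`"$DitPath`"", '-ldapport', "$Port")
    Start-Sleep -Seconds 10   # give the LDAP listener time to come up
    return $p
}

function Find-ObjectInSnapshot([string]$SamAccountName, [int]$Port = 10000) {
    if ($SamAccountName -match '[*()\\]') { throw 'LDAP filter metacharacters are not allowed here' }
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("localhost:$Port")
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # current Windows credentials
    # Read the naming context from the RootDSE instead of hard-coding the domain
    $rootReq = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', [string[]]@('defaultNamingContext'))
    $base = $conn.SendRequest($rootReq).Entries[0].Attributes['defaultNamingContext'][0]
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest($base, "(sAMAccountName=$SamAccountName)", 'Subtree', [string[]]@('memberOf'))
    foreach ($e in $conn.SendRequest($req).Entries) {
        $groups = @()
        if ($e.Attributes['memberOf']) { $groups = $e.Attributes['memberOf'].GetValues([string]) }
        [pscustomobject]@{ DN = $e.DistinguishedName; MemberOfAtSnapshot = $groups }
    }
    $conn.Dispose()
}

function Stop-SnapshotLdap($Process, [int]$Index) {
    Stop-Process -Id $Process.Id -Force
    & ntdsutil 'snapshot' "unmount $Index" 'quit' 'quit' | Out-Null
}

Mount-AdSnapshot -Index 1 | Write-Host                     # prints the mount points, e.g. C:\$SNAP_200712032318_VOLUMEC$\
$dit = 'C:\$SNAP_200712032318_VOLUMED$\ntds\dit\ntds.dit'  # path from the listing above; adjust to your mount
$dsamain = Start-SnapshotLdap -DitPath $dit
try     { Find-ObjectInSnapshot -SamAccountName 'jdoe' | Format-List }   # jdoe is a constructed sample account
finally { Stop-SnapshotLdap -Process $dsamain -Index 1 }
```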
Reliable Active Directory backup and recovery strategy
Windows Server 2008 brings a whole new backup and recovery system. Some of the changes may seem unwelcome at first. However, once an IT organization accepts these changes and integrates the new backup technologies into day-to-day operations, a more effective backup and recovery implementation will give it a boost.
Even though many changes have taken place in the method of backing up servers in Windows Server 2008, the basic strategy for backing up and restoring Active Directory has not changed much. Therefore, when planning your strategy, be sure to keep these practices in mind:
Plan regular full system backups so that you can restore a DC after a hardware failure. How often you schedule full DC backups depends on the frequency of data updates, your tolerance for downtime and/or data loss, and the amount of work that would be required to rebuild the DC from scratch.
Schedule regular system state backups to capture changes in Active Directory. How often you perform system state backups depends on your tolerance for lost Active Directory data, but you should perform them at least once a day. If you have the hardware, keep at least one or two system state backups on local disk and copy older system state versions to DVD or a network share.
Make sure system state backups are performed for at least two DCs in each domain. This provides some assurance if one of the backups is corrupt or unavailable.
Be sure to back up the DCs that hold copies of application partitions (if any are defined). Also consider creating a Windows Recovery Environment on the DC so that you can quickly boot into WinRE in the event of a critical system drive failure.
Gil is the CTO of NetPro and has been involved in developing Active Directory software since 1996. Together with Guido Grillenmeier of HP, he founded the popular Active Directory disaster recovery course. Gil is also the founder of the Directory Experts Conference (see www.dec2008.com).
© 2024 shulou.com SLNews company. All rights reserved.