09-Implementing an Active DirectoryM Domain Services Maintenance Plan
Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (462.08 KB, 26 trang )
<span class='text_page_counter'>(1)</span><div class='page_container' data-page=1>
Module 9:
Implementing an
Active Directory
M</div>
<span class='text_page_counter'>(2)</span><div class='page_container' data-page=2>
Module Overview
•
Maintaining the AD DS Domain Controllers
•
Backing Up Active Directory Domain Services
</div>
<span class='text_page_counter'>(3)</span><div class='page_container' data-page=3>
Lesson 1: Maintaining the AD DS
Domain Controllers
•
The Active Directory Domain Services Database and
Log Files
•
How the AD DS Database Is Modified
•
Managing the Active Directory Database Using
NTDSUtil Tool
•
What Is an AD DS Database Defragmentation?
•
What Are Restartable Active Directory Domain Services?
•
Demonstration: Performing AD DS Database
Maintenance Tasks
</div>
<span class='text_page_counter'>(4)</span><div class='page_container' data-page=4>
The Active Directory Domain Services Database
and Log Files
<b> Description</b>
Ntds.dit
Edb*.log
Edb.chk
<b>File </b>
• <b>Is the Active Directory database file</b>
• <b>Stores all Active Directory objects on the </b>
<b>domain controller </b>
• <b>Uses the default location </b>
<i><b>systemroot\NTDS folder</b></i>
• <b>Is a transaction log file</b>
• <b>Uses the default transaction log file </b>
<b>Edb.log</b>
• <b>Is a checkpoint file</b>
• <b>Tracks data not yet written to Active </b>
<b>Directory database file</b>
ebdres00001.jrs
ebdres00002.jrs
</div>
<span class='text_page_counter'>(5)</span><div class='page_container' data-page=5>
How the AD DS Database Is Modified
<b>Write Request</b>
<b>Write Request</b>
<b>Transaction </b>
<b>is initiated</b> <b>Write to the transaction </b>
<b>buffer</b>
<b>Write to the </b>
<b>database on </b>
<b>disk</b>
<b>Ntds.dit on Disk</b>
<b>Ntds.dit on Disk</b>
<b>EDB.log</b>
<b>EDB.log</b>
<b>Write to the </b>
</div>
<span class='text_page_counter'>(6)</span><div class='page_container' data-page=6>
Managing the Active Directory Database Using
NTDSUtil Tool
<b>Ntdsutil.exe is a command-line tool used to manage some </b>
<b>Active Directory components</b>
<b>Use Ntdsutil.exe to:</b>
<b> </b>
<b>Perform Active Directory database maintenance </b>
<b> </b>
<b>Manage and control single master operations</b>
<b> </b>
<b>Move the Active Directory database files </b>
<b> </b>
<b>Remove metadata left behind by domain controllers that </b><b> were removed from the network without being properly uninstalled </b>
</div>
<span class='text_page_counter'>(7)</span><div class='page_container' data-page=7>
What Is an AD DS Database Defragmentation?
<b> </b>
<b>The new file may be considerably smaller, depending on how </b><b> fragmented the original database file was </b>
<b> </b>
<b>Active Directory performs online database defragmentation </b><b> automatically every 12 hours</b>
<b> </b>
<b>Use the NTDSUtil command-line tool to perform offline </b><b> defragmentation on a dismounted database </b>
<b> </b>
<b>Online defragmentation optimizes data storage in the database </b><b> and reclaims space in the directory for new objects, but does not </b>
<b> reduce the size of the database file </b>
</div>
<span class='text_page_counter'>(8)</span><div class='page_container' data-page=8>
What Are Restartable Active Directory
Domain Services?
Restartable AD DS services allows administrators to stop the
Active Directory Domain Services without stopping any
other services
Use restartable AD DS services when:
•
<b>Applying updates that modify Active Directory service </b>
<b>files on a domain controller</b>
•
<b>Performing tasks such as offline defragmentation of the </b>
<b>Active Directory database</b>
</div>
<span class='text_page_counter'>(9)</span><div class='page_container' data-page=9>
Demonstration: Performing AD DS Database
Maintenance Tasks
In this demonstration, you will see how to:
•
Start and stop AD DS Services
•
Move AD Database to a different drive using NTDSUtil
</div>
<span class='text_page_counter'>(10)</span><div class='page_container' data-page=10>
Locking Down Services on AD DS
Domain Controllers
<b>Services required for AD DS to function correctly:</b>
•
<b>Distributed File System</b>
•
<b>DNS Server</b>
•
<b>File Replication Service</b>
•
<b>Kerberos Key Distribution Center </b>
•
<b>Intersite Messaging</b>
•
<b>Remote Procedure Call (RPC) Locator</b>
<b> Minimize the number of server roles and applications </b>
<b> installed on domain controllers</b>
<b> Use the Security Configuration Wizard to lock down the </b>
<b> services on a domain controller</b>
</div>
<span class='text_page_counter'>(11)</span><div class='page_container' data-page=11>
Lesson 2: Backing Up Active Directory
Domain Services
•
Introduction to Backing Up AD DS
•
Windows Backup Features
</div>
<span class='text_page_counter'>(12)</span><div class='page_container' data-page=12>
Introduction to Backing Up AD DS
<b>To back up Active Directory, you must back up all critical volumes </b>
<b>Critical volumes include:</b>
•
<b>The system volume: the volume that hosts the boot files </b>
•
<b>The boot volume: the volume that hosts the Windows </b>
<b>operating system and the Registry </b>
•
<b>The volume that hosts the SYSVOL tree</b>
•
<b>The volume that hosts the Active Directory database </b>
<b>(Ntds.dit)</b>
•
<b>The volume that hosts the Active Directory database log files </b>
<b>All of these files may be stored in a single</b>
<b>volume or distributed </b>
</div>
<span class='text_page_counter'>(13)</span><div class='page_container' data-page=13>
Windows Backup Features
<b>Windows Server Backup is a Windows Server 2008 feature used to </b>
<b>back up and recover the operating system and data </b>
<b>With Windows Server Backup, you can:</b>
<b> Recover the server without using third-party backup</b>
<b> and recovery tools </b>
<b> Perform manual or automatic backups</b>
<b> Backup an entire server or selected volumes</b>
<b> Recover items or entire volumes</b>
<b> Use DVDs or CDs as backup media</b>
</div>
<span class='text_page_counter'>(14)</span><div class='page_container' data-page=14>
Demonstration: Backing Up AD DS
</div>
<span class='text_page_counter'>(15)</span><div class='page_container' data-page=15>
Lesson 3: Restoring Active Directory
Domain Services
•
Overview of Restoring AD DS
•
What Is a Nonauthoritative AD DS Restore?
•
What Is an Authoritative AD DS Restore?
•
What Is the Database Mounting Tool?
•
Demonstration: Using the Database Mounting Tool
</div>
<span class='text_page_counter'>(16)</span><div class='page_container' data-page=16>
Overview of Restoring AD DS
Options for restoring Active Directory Domain Services include:
•
<b>Normal Restore</b>
•
<b>Authoritative Restore </b>
•
<b>Full Server Restore </b>
</div>
<span class='text_page_counter'>(17)</span><div class='page_container' data-page=17>
What Is a Nonauthoritative AD DS Restore?
<b>A nonauthoritative or normal AD DS restore returns the directory </b>
<b>service to its state at the time that the backup was created</b>
<b> AD DS replication updates the domain controller with changes that </b>
<b> have occurred since the backup was created </b>
<b> Restart the domain controller in Directory Services Restore Mode </b>
<b> to perform a nonauthoritative restore </b>
<b> </b>
<b>Press F8 when restarting the server and choose Directory Services </b><b> Restore Mode or type the command bcdedit /set safeboot dsrepair </b>
and restart the server
<b>1</b>
<b>1</b>
<b> </b>
<b> </b>
Provide the Directory Services Restore Mode password<b>2</b>
</div>
<span class='text_page_counter'>(18)</span><div class='page_container' data-page=18>
What Is an Authoritative AD DS Restore?
<b>Authoritative restore is a four-step process: </b>
<b> </b>
<b>Start the domain controller in DSRM </b><b>1</b>
<b>1</b>
<b> </b>
<b>Use Ntdsutil.exe to mark desired objects, containers, or </b><b> partitions as authoritative </b>
<b>3</b>
<b>3</b>
<b> </b>
<b>Restart the domain in normal mode to replicate the changes </b><b>4</b>
<b>4</b>
<b> </b>
<b>Restore the desired backup, which is typically the most </b><b> recent backup </b>
<b>2</b>
<b>2</b>
<b>Authoritative restore provides a method to recover objects and containers </b>
<b>that have been deleted from AD DS</b>
<b>To mark an object as authoritative, use a command like</b>
<b>:</b>
</div>
<span class='text_page_counter'>(19)</span><div class='page_container' data-page=19>
What Is the Database Mounting Tool?
<b>The Database Mounting Tool can be used to: </b>
<b> </b>
<b>Create and view snapshots of data that is stored in AD DS</b>
<b> </b>
<b>Improve recovery processes for your organizations by </b>
<b> providing a means to compare data as it exists in snapshots </b>
<b> that are taken at different times</b>
<b> </b>
<b>Eliminate the need to restore multiple backups to compare </b>
<b> the Active Directory data that they contain </b>
<b> </b>
<b>View, but not restore, deleted objects and containers</b>
</div>
<span class='text_page_counter'>(20)</span><div class='page_container' data-page=20>
Demonstration: Using the Database Mounting
Tool
</div>
<span class='text_page_counter'>(21)</span><div class='page_container' data-page=21>
Reanimating Tombstoned AD DS Objects
<b>You can reanimate deleted objects manually in AD DS when:</b>
•
You do not have current AD DS backups in a domain where user
accounts or security groups were deleted
•
The deleted object has not yet been scavenged from the
Active Directory database
•
The deletion occurred in domains that contain only
<b>Windows Server 2003 or later domain controllers </b>
To reanimate tombstoned AD DS objects
<b>:</b>
•
Use LDP.exe to locate the deleted object
•
Modify the object’s isDeleted attribute and provide a
distinguished name
</div>
<span class='text_page_counter'>(22)</span><div class='page_container' data-page=22>
Lab: Implementing an Active Directory Domain
Services Maintenance Plan
•
Exercise 1: Maintaining AD DS Domain Controllers
•
Exercise 2: Backing Up AD DS
•
Exercise 3: Performing a Nonauthoritative Restore of the
AD DS Database
•
Exercise 4: Performing an Authoritative Restore of the AD
DS Database
•
Exercise 5: Restoring Data Using the AD DS Data
Mining Tool
Logon information
Virtual machine
<b>6425A-NYC-DC1, 6425A-NYC-DC2 </b>
User name
<b>Administrator</b>
Password
<b>Pa$$w0rd</b>
</div>
<span class='text_page_counter'>(23)</span><div class='page_container' data-page=23>
Lab Review
•
How could you apply the security policy you created in
Exercise 1 to multiple domain controllers? What concerns
would you have with doing this?
•
Why is a Nonauthoritative AD DS restore overwritten by
replication? How does an authoritative restore prevent this
from happening?
</div>
<span class='text_page_counter'>(24)</span><div class='page_container' data-page=24>
Module Review and Takeaways
•
Review questions
•
Considerations
</div>
<span class='text_page_counter'>(25)</span><div class='page_container' data-page=25>
Beta Feedback Tool
•
Beta feedback tool helps:
Collect student roster information, module feedback, and
course evaluations.
Identify and sort the changes that students request, thereby
facilitating a quick team triage.
Save data to a database in SQL Server that you can later
query.
</div>
<span class='text_page_counter'>(26)</span><div class='page_container' data-page=26>
Beta Feedback
•
<b>Overall flow of module:</b>
Which topics did you think flowed smoothly, from topic to
topic?
Was something taught out of order?
•
<b>Pacing:</b>
Were you able to keep up? Are there any places where the
pace felt too slow?
Were you able to process what the instructor said before
moving on to next topic?
Did you have ample time to reflect on what you learned? Did
you have time to formulate and ask questions?
•
<b>Learner activities:</b>
Which demos helped you learn the most? Why do you think
that is?
Did the lab help you synthesize the content in the module?
Did it help you to understand how you can use this
knowledge in your work environment?
Were there any discussion questions or reflection questions
</div>
<!--links-->
