AD

AD Authoritative vs Non-Authoritative Restoration

Backup type

System state data:

The Windows System State backup is in effect a backup of the complete system. Everything present within the system is copied into the backup so that no data or information is lost when the system crashes, when driver files become corrupted, or when certain system files stop the system from functioning properly.

Components of System State data:

  1. Disk quotas (Live Vault Service treats this as part of System State; it is not part of the System State as defined by Microsoft)
  2. Active Directory service (if the computer has Active Directory installed)
  3. COM+ Class Registration database
  4. Boot files and system files (including the System File Protection database, all other system file protection files, the Internet Information Services (IIS) database, and Performance Counter Configuration)
  5. Certificate Services database (if the Certificate Service is running on the computer)
  6. SYSVOL directory (if the computer is running the SYSVOL service)
  7. Registry
  8. Cluster information
  9. IIS
  10. Services

Restore system state data

Three types of Active Directory restores exist for Windows 2000/2003 Server: Authoritative, Non-Authoritative, and Primary.

1. Primary restore (System State restore):

A primary restore is performed when restoring the first domain controller in a domain that is being entirely recreated, and when no other domain controllers are present on the network. This type of restore is also used when restoring the only functioning server in a replicated data set. The primary restore is completed in almost exactly the same manner as a non-authoritative System State restore. The one difference is that the “Primary Restore (Domain Controllers Only)” option must be checked in the “Restore Options” screen. Follow the instructions for restoring non-authoritatively, but ensure the primary restore option is checked, and reboot after the restore is complete.

2. Normal (non-authoritative) System State restore:

If there is a hardware or software problem, we perform a non-authoritative restore so that the full Active Directory can be restored from the backup (using the System State backup) or from the command line (using the NTDS utility).

3. Authoritative restore:

An authoritative restore pushes active directory out to other domain controllers, and a non-authoritative restore synchronizes changes to the domain controller being booted.

If we delete an AD object (user/OU) by mistake and later realise that the object is required, we perform an authoritative restore so that only that particular deleted object is restored. An authoritative restore can be done using the backup or from the command line (using the NTDS utility).

Running NTDSUTIL after the restore raises the USNs (update sequence numbers) of the restored objects above those on every other domain controller to which the machine formerly replicated. This causes the restored domain controller to replicate its Active Directory information to all other domain controllers.


Performing a Non-Authoritative restore

1. Boot the domain controller into DSRM mode.

2. Enter the DSRM password.

3. Type Ntbackup.

4. Choose restore wizard.

5. Follow the prompt, selecting to restore the system state data.

6. When the restore process completes, verify that it was completed without errors and restart the domain controller.

Performing an Authoritative restore:

1. Shut down and restart the server.

2. Boot into DSRM mode.

3. Enter the DSRM password.

4. Type Ntbackup.

5. Choose restore wizard.

6. Follow the prompt, selecting to restore the system state data.

7. After the restore operation completes, view the report to verify that the operation completed successfully.

8. Close the Backup utility for Windows.

9. Open the command prompt.

10. From the command prompt, type ntdsutil and press enter.

11. From the ntdsutil prompt, type authoritative restore and press enter.

12. From the authoritative restore prompt, type restore database and press enter.

(Notice that ntdsutil increments the version numbers of all restored objects by 100,000)

13. Close the command prompt and reboot the server.

System state backup taken from command prompt:

Windows 2003 System state backup in command prompt method syntax:

C:\>ntbackup backup systemstate /f "c:\test.bkf"

Windows 2008 System state backup in command prompt method syntax:

C:\>wbadmin start systemstatebackup -backuptarget:e:

Importance of Active Directory: Active Directory is a technology that provides a variety of network services, including:

  • Lightweight Directory Access Protocol LDAP is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.
  • Kerberos-based authentication
  • DNS-based naming and other network information (AD depends heavily on DNS; a stable DNS is needed for AD to work properly)
  • Central location for network administration and delegation of authority
  • Information security and single sign-on for user access to network-based resources
  • The ability to scale up or down easily
  • Central storage location for application data
  • Synchronization of directory updates amongst several servers
  • Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an organization.
  • Active Directory stores information and settings in a central database.

Backup and Restore Active Directory on Server 2008

Have you ever accidentally deleted a user account or an OU in Active Directory and wished you could restore it?

I recently had a client call me after they installed updates and rebooted their server. They noticed after the reboot that there was a message that said “Active Directory is rebuilding indices. Please wait”.

Their Active Directory database had become corrupted from the updates. So what do you do? How can you restore AD?

Let’s talk about how to backup AD in Windows Server 2008 and how to restore it. Today I’ll show you:

  • what you need to do to get your Server 2008 ready for backup
  • how to backup Active Directory on Server 2008
  • how to perform an Authoritative Restore of Active Directory
  • how to perform Active Directory Snapshots

Prerequisites: Getting Server 2008 Ready for Backup

Before you can backup Server 2008 you need to install the backup features from the Server Manager.

1. To install the backup features click Start → Server Manager.

2. Next click Features → Add Features

3. Scroll to the bottom and select both the Windows Server Backup and the Command Line Tools

4. Click Next, then click Install

Backing up Server 2008 Active Directory

Now that we have the backup features installed we need to backup Active Directory. You could do a complete server backup, but what if you need to do an authoritative restore of Active Directory?

As you’ll notice in Server 2008, there isn’t an option to backup the System State data through the normal backup utility.

So what do we do? We need to go “command line” to backup Active Directory.

1. Open up your command prompt by clicking Start and type “cmd” and hit enter.

2. In your command prompt type "wbadmin start systemstatebackup -backuptarget:e:" and press enter.

Note: You can use a different backup target of your choosing.

3. Type "y" and press enter to start the backup process.

When the backup is finished running you should get a message that the backup completed successfully. If it did not complete properly you will need to troubleshoot.

Now you have a system state backup of your 2008 Server!
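
As an added example (not code from the original post, and not from Microsoft), the following PowerShell script wraps the same wbadmin system state backup shown in the command-line syntax section and in the steps above. It refuses to use the system volume as a target (wbadmin rejects critical volumes as a system state target by default), runs the backup non-interactively, and then checks that a new version identifier really appeared, since a practitioner should never trust "completed successfully" without seeing the version that a later "wbadmin start systemstaterecovery -version:..." will need. It assumes an elevated prompt on Windows Server 2008 or later with the Windows Server Backup command-line tools installed; E: is a constructed sample target.

```powershell
# Added example, not code from the original post: run the page's
# "wbadmin start systemstatebackup" non-interactively, refuse an unsafe target,
# and confirm that a new backup version was actually recorded.
# Assumptions: elevated prompt, Windows Server Backup command-line tools
# installed; E: is a constructed sample target volume, not the system volume.
param(
    [string]$BackupTarget = 'E:'
)

# wbadmin does not accept a critical (system/boot) volume as a system state
# target by default, so fail early with a clear message instead.
$systemDrive = $env:SystemDrive.TrimEnd('\')
if ($BackupTarget.TrimEnd('\') -ieq $systemDrive) {
    throw "Backup target '$BackupTarget' is the system volume; choose another volume."
}

# Parse the "Version identifier: MM/dd/yyyy-HH:mm" lines printed by
# "wbadmin get versions" into a list of identifiers.
function Get-BackupVersionIds {
    param([string]$Target)
    & wbadmin get versions "-backuptarget:$Target" 2>$null |
        Select-String -Pattern '^Version identifier:' |
        ForEach-Object { ($_.Line -split ':\s*', 2)[1].Trim() }
}

$before = @(Get-BackupVersionIds -Target $BackupTarget)

# -quiet answers the "Do you want to start the backup operation?" prompt for us.
& wbadmin start systemstatebackup "-backuptarget:$BackupTarget" -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin exited with code $LASTEXITCODE; check the Backup event log before relying on this backup."
}

$after = @(Get-BackupVersionIds -Target $BackupTarget)
$new   = $after | Where-Object { $before -notcontains $_ }

if (-not $new) {
    throw 'wbadmin returned success but no new version identifier is listed; treat the backup as failed.'
}
Write-Host "System state backup recorded as version $new"
Write-Host "Restore later with: wbadmin start systemstaterecovery -version:$new"
```

Save it as a .ps1 and run it from a scheduled task if you want regular system state backups; the version identifier it prints is exactly the value you will pass to "wbadmin start systemstaterecovery" during a restore in DSRM.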

Authoritative Restore of Active Directory

So now what if you accidentally delete an OU, group, or a user account and it’s already replicated to your other servers? We will need to perform an authoritative restore of the Active Directory object you accidentally deleted.

1. To do this you will need to boot into DSRM (Directory Services Restore Mode) by restarting your server and pressing F8 during the restart.

2. Choose Directory Services Restore Mode from the Advanced Boot menu.

3. Log in to your server with the DSRM password you created during Active Directory installation.

4. Once you're logged into your server and in DSRM safe mode, open a command prompt by clicking Start, type "cmd", and press enter.

5. To make sure you restore the correct backup it's a good idea to use the "wbadmin get versions" command and write down the version you need to use.

6. Now we need to perform a non-authoritative restore of Active Directory by typing "wbadmin start systemstaterecovery -version:04/14/2009-02:39".

Note: The version of backup will vary depending on your situation. Type “y” and press enter to start the non authoritative restore.

7. Go grab some coffee and take a break while the restore completes.

8. You can mark the SYSVOL as authoritative by adding the -authsysvol switch to the end of the wbadmin command.

9. But if you want to restore a specific Active Directory object then you can use the ever-familiar ntdsutil.

For this example we are going to restore a user account with a distinguished name of CN=Test User,CN=Users,DC=home,DC=local. So the commands would be:

ntdsutil
activate instance ntds
authoritative restore
restore object "cn=Test User,cn=Users,dc=home,dc=local"

Note: The quotes are required

10. Reboot your server into normal mode and you’re finished. The object will be marked as authoritative and replicate to the rest of your domain.
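
An authoritative restore is only finished when the object is back on every domain controller, so as an added example (not code from the original post) here is a PowerShell check to run once the server is back in normal mode. It queries the restored DN on each DC in the domain, reports where it is still missing, and prints the per-attribute replication metadata, whose version numbers should be about 100,000 higher than before because of ntdsutil's increment. It assumes the ActiveDirectory PowerShell module (RSAT or Server 2008 R2 and later) and domain admin rights; the DN is the sample one from this post.

```powershell
# Added example, not code from the original post: after the ntdsutil
# authoritative restore and reboot, confirm the restored object is present on
# every domain controller and that its raised version numbers replicated.
# Assumptions: ActiveDirectory module installed, domain admin rights; the DN is
# the sample one used in the post.
Import-Module ActiveDirectory

$dn = 'CN=Test User,CN=Users,DC=home,DC=local'

# Ask every DC directly (not via the default DC) so we see the real replication state.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $dcName = "$($dc.HostName)"
    try {
        $obj = Get-ADObject -Identity $dn -Server $dcName `
                   -Properties whenChanged, uSNChanged -ErrorAction Stop
        [pscustomobject]@{ DC = $dcName; Present = $true
                           WhenChanged = $obj.whenChanged; USNChanged = $obj.uSNChanged }
    } catch {
        [pscustomobject]@{ DC = $dcName; Present = $false
                           WhenChanged = $null; USNChanged = $null }
    }
}
$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning "Object not yet present on: $($missing.DC -join ', '). Check replication with 'repadmin /replsummary' and wait for convergence."
}

# Per-attribute metadata from one DC: the "Ver" column should be roughly
# 100,000 higher than before the restore for the authoritatively restored
# attributes, which is what makes this copy win over the deleted one.
$anyDc = "$((Get-ADDomainController -Discover).HostName)"
& repadmin /showobjmeta $anyDc $dn
```

If the object shows up on the restored DC but stays missing elsewhere after a replication interval, the version numbers were not raised (for example the ntdsutil step was skipped before reboot) and the deletion will win again; re-run the authoritative restore rather than recreating the object by hand, so the original SID and group memberships come back.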

Using Active Directory Snapshots

There is a really cool new feature in Windows Server 2008 called Active Directory Snapshots. Volume Shadow Copy Service now allows us to take a snapshot of Active Directory as a type of backup. They are very quick to create and serve as another line of defense for your backup strategy.

With your server booted into normal mode open a command prompt by clicking Start, type "cmd", and press enter.

We are going to use the ntdsutil again for creating the Active Directory snapshots. The commands are:

ntdsutil
snapshot
activate instance ntds
create
quit
quit

So now that you have a snapshot of AD, how do you access the data? First we need to mount the snapshot using ntdsutil. The commands are:

ntdsutil
snapshot
list all
mount 1
(Note: Mount the snapshot you actually need; for this example there is only one.)
quit
quit

Your snapshot is mounted, but how do you access the data? We need to use the dsamain command to accomplish this. Then we need to select an LDAP port to use. The command is as follows:

dsamain -dbpath c:\$SNAP_200905141444_VOLUMEC$\WINDOWS\NTDS\ntds.dit -ldapport 10001

The result should look like this:

Now we need to go to Start → Administrative Tools, then Active Directory Users and Computers.

Right click Active Directory Users and Computers and select Change Domain Controller.

In the area that says < Type a Directory Server name [:port] here > enter the name of your server and the LDAP port you used when running the dsamain command.

For my example it would be: WIN-V22UWGW0LU8.HOME.LOCAL:10001

Now you can browse the snapshot of Active Directory without affecting anything else negatively.
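
The usual reason to open a snapshot is to answer "what did this object look like before the change?", so as an added example (not code from the original post) here is the same dsamain workflow in PowerShell: it starts dsamain on the alternate LDAP port, reads one user's group membership from both the snapshot and the live directory, lists what was added or removed since the snapshot, and stops dsamain again so the port is released. It assumes the snapshot has already been created and mounted with the ntdsutil steps above, that the ActiveDirectory module is present, and that port 10001 is free; $snapshotDit and the account name are placeholders, so take the real mount path from ntdsutil's "mount" output.

```powershell
# Added example, not code from the original post: expose a mounted AD snapshot
# through dsamain on an alternate LDAP port and compare one user's group
# membership in the snapshot with the live directory.
# Assumptions: run elevated on the DC, ActiveDirectory module present, snapshot
# already mounted with ntdsutil; $snapshotDit is a placeholder path and
# 'testuser' a constructed sample account; port 10001 is free.
Import-Module ActiveDirectory

$snapshotDit = 'C:\$SNAP_YYYYMMDDHHMM_VOLUMEC$\Windows\NTDS\ntds.dit'  # placeholder, use the real mount path
$ldapPort    = 10001
$sam         = 'testuser'                                             # constructed sample account

# dsamain keeps running until it is stopped, so start it as a separate process.
$dsamain = Start-Process -FilePath 'dsamain.exe' `
    -ArgumentList "-dbpath `"$snapshotDit`" -ldapport $ldapPort" -PassThru
try {
    Start-Sleep -Seconds 10   # give dsamain time to open the database and listen
    if ($dsamain.HasExited) {
        throw 'dsamain exited early; check the snapshot path and that the snapshot is mounted.'
    }
    $snapServer = "$($env:COMPUTERNAME):$ldapPort"   # host:port form understood by -Server

    $live = Get-ADUser -Identity $sam -Properties memberOf -ErrorAction Stop
    $snap = Get-ADUser -Identity $sam -Server $snapServer -Properties memberOf -ErrorAction Stop

    $snapGroups = @($snap.memberOf)
    $liveGroups = @($live.memberOf)

    # Groups present in the snapshot but not live were removed since the snapshot;
    # groups present live but not in the snapshot were added since.
    $removedSince = @($snapGroups | Where-Object { $liveGroups -notcontains $_ })
    $addedSince   = @($liveGroups | Where-Object { $snapGroups -notcontains $_ })

    if ($removedSince.Count -eq 0 -and $addedSince.Count -eq 0) {
        Write-Host "No membership differences for $sam between the snapshot and live AD."
    } else {
        $removedSince | ForEach-Object { Write-Host "REMOVED since snapshot: $_" }
        $addedSince   | ForEach-Object { Write-Host "ADDED   since snapshot: $_" }
    }
} finally {
    # Always stop dsamain so the alternate LDAP port does not stay open.
    Stop-Process -Id $dsamain.Id -ErrorAction SilentlyContinue
}
```

The snapshot is read-only, so nothing here touches the live directory; the same pattern (one Get-AD* call with -Server pointing at host:port, one without) works for any attribute you want to compare, and the finally block matters because a forgotten dsamain instance leaves a copy of the directory database listening on an extra port.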

Your AD Backup Strategy

It’s always good to have a solid backup plan for your Active Directory. You can use a combination of backup strategies or just one of these methods for backing up your Active Directory.

Make sure you tailor your Active Directory backup strategy to meet your company’s needs and make it easy to recover if disaster does strike.

******* ****** ******** *********

Group Scope:

1. Domain Local Group:
Members of a domain local group can come from any domain, but they can access resources only in the local domain.

Domain local groups assign access permissions to global domain groups for local domain resources.

2. Global Group: (Default in Server 2003 and 2008)

Members of Global Group can come only from local domain but members can access resources in any domain.
Global groups provide trusted access to resources in other domains.


3. Universal Group:

Members can come from any domain and can access resources in any domain.

Universal groups grant access to resources in all trusted domains.

Note: Universal groups require a Global Catalog server.

Group Type:

  1. Security Group:

Security groups can be used to assign security rights on resources inside your Windows 2003 Active Directory network. By using a security group, we can collect a group of user accounts in a department and assign them access to a shared folder. We cannot use distribution groups for this purpose and a security group has all the capabilities of a distribution group.

  2. Distribution Group:

A distribution group can be used for sending emails to a group of users. We cannot use distribution group for assigning security permissions. A user’s membership in many security groups could result in slow logon performance. Therefore distribution groups should be used wherever possible.

Group scope, what it can contain, and where it can be used:

Domain Local
  Can contain: user accounts from any domain in the forest; global or universal groups from any domain in the forest; user accounts, global or universal groups from a trusted forest domain; other domain local groups from the same domain
  Usage: resources in the local domain

Global
  Can contain: user accounts from the same domain; other global groups from the same domain
  Usage: any domain in the forest or a trusted forest

Universal
  Can contain: users, global groups, or universal groups from any domain in the forest
  Usage: any domain in the forest or a trusted forest

  • Nesting or combining groups can:
    • Greatly reduce administrative overhead
    • Reduce network traffic

AGDLP: Microsoft continues to recommend the same strategy for nesting groups that it has supported since Windows NT 4.0. The following list outlines the strategy:

1. Place accounts (A) into global groups (G).
2. Add the global groups to domain local groups (DL).
3. Finally, assign permissions (P) to the domain local groups.

AGUDLP:

  • Adding domain users to Global groups
  • Adding global groups to Universal groups
  • Adding universal groups to Domain Local groups
  • Assigning domain local groups Permissions on resources
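
As an added example (not code from the original post), the following PowerShell script audits an existing domain against the AGDLP model described above. It reports two common deviations: user accounts added directly to domain local groups (accounts belong in global groups first), and permissions on a folder granted to users or to groups that are not domain local (the P step should land on a DL group). It assumes the ActiveDirectory module and read access to group membership; the share path is a constructed sample.

```powershell
# Added example, not code from the original post: audit group nesting and a
# folder's ACL against the AGDLP model (accounts -> global -> domain local -> permissions).
# Assumptions: ActiveDirectory module available, read access to group membership;
# D:\Shares\Finance is a constructed sample path.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Where, [string]$Subject, [string]$Issue) {
    $findings.Add([pscustomobject]@{ Where = $Where; Subject = $Subject; Issue = $Issue })
}

# Check 1: users placed directly in domain local groups (skip the Builtin container,
# whose groups such as Administrators legitimately hold accounts directly).
$dlGroups = Get-ADGroup -Filter { GroupScope -eq 'DomainLocal' } |
            Where-Object { $_.DistinguishedName -notlike '*,CN=Builtin,*' }
foreach ($g in $dlGroups) {
    $directUsers = Get-ADGroupMember -Identity $g | Where-Object { $_.objectClass -eq 'user' }
    foreach ($u in $directUsers) {
        Add-Finding -Where "DL group $($g.Name)" -Subject $u.SamAccountName `
                    -Issue 'User is a direct member; add users to a global group and nest that instead'
    }
}

# Check 2: permissions on a resource should be granted to domain local groups only.
$folder = 'D:\Shares\Finance'   # constructed sample path
if (Test-Path $folder) {
    $netbios = $domain.NetBIOSName
    foreach ($ace in (Get-Acl -Path $folder).Access) {
        if ($ace.IsInherited) { continue }                     # only explicit grants
        $id = $ace.IdentityReference.Value
        if ($id -notlike "$netbios\*") { continue }            # skip BUILTIN, NT AUTHORITY, etc.
        $name = $id.Split('\')[1]
        $grp  = Get-ADGroup -Filter { SamAccountName -eq $name } -ErrorAction SilentlyContinue
        if ($null -eq $grp) {
            Add-Finding -Where $folder -Subject $id -Issue 'Permission granted to a non-group principal; use a domain local group'
        } elseif ($grp.GroupScope -ne 'DomainLocal') {
            Add-Finding -Where $folder -Subject $id -Issue "Permission granted to a $($grp.GroupScope) group; use a domain local group"
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No AGDLP deviations found.' }
else { $findings | Format-Table -AutoSize }
```

Run it periodically; a clean result means that changing who may reach a resource is always a membership change on a global group, never a permission change on the resource itself, which is the administrative saving the nesting strategy is meant to deliver.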
