Table of contents
1. Introduction
2. Overview of Active Directory 2003
3. System Components of Active Directory
3.1 Domain Controllers (DCs)
3.2 Global Catalogs (GCs)
3.3 Operations Masters (OMs)
4. Active Directory Backup
4.1 Contents
4.2 Age
4.3 Type of Backup
4.4 To backup a domain controller using the W2K3 backup utility
5. Active Directory Restore
5.1 Restore through re-installation Procedure
5.2 Restore from Backup
6. Steps to Recover Active Directory Forest
7. Post Recovery Steps – Active Directory Forest Restore
Appendix A: To clean up server metadata
Appendix B: To disable a Global Catalog
Appendix C: To seize an Operation Master role
Appendix D: Useful Links
1. Introduction
This document details best practices and procedures for recovering Active Directory
2003 after a forest-wide failure has left all the Domain Controllers in the forest unable to
function normally.
The DC that holds the schema master role is the only DC that can perform write
operations to the directory schema. Those schema updates are replicated from the schema
master to all other domain controllers in the forest.
3.3.2 Domain Naming Master
The DC that houses the domain naming master role is the only DC that:
• Adds new domains to the forest
• Removes existing domains from the forest
• Adds or removes cross-reference objects in external directories
• Contents
• Age
4.1 Contents
The first important aspect of a backup is its contents. A good backup will include at least
the System State, the contents of the system disk, and the SYSVOL folder (if not located
on the system disk).
On a Windows 2003 system acting only as a DC (running no services other than those
required for DC operation), system state data encompasses the:
• System Start-up Files (boot files): These are the files required for Windows
Server 2003 to start.
• System registry
• Class registration database of Component Services: The Component Object
Model (COM) is a binary standard for writing component software in a
distributed systems environment.
• SYSVOL: The system volume provides a default Active Directory location for
files that must be shared for common access throughout a domain. The SYSVOL
folder on a domain controller contains:
o NETLOGON shared folders: These usually host user logon scripts and
Group Policy Objects (GPOs).
o User logon scripts: for Windows 2000/XP based clients and clients that
are running Windows 95, Windows 98, or Windows NT 4.0.
o File system junctions
o File Replication Service (FRS): staging directories and files that are
required to be available and synchronized between domain controllers.
• Active Directory: Active Directory includes:
o Ntds.dit: The Active Directory database.
o Edb.chk: The checkpoint file.
o Edb*.log: The transaction logs, each 10 megabytes (MB) in size.
o Res1.log and Res2.log: Reserved transaction logs.
Note: Since Active Directory-integrated DNS is used, the DNS zone data is backed up as
part of the Active Directory database. If Windows Clustering or Certificate Services
are installed on the domain controller, they are also backed up as part of the system state.
4.2 Age
If the backup is older than the tombstone age set in Active Directory, then it is not
considered to be a good backup. When an object is deleted in Windows Server 2003, the
DC from which the object was deleted informs the other DCs in the environment about
the deletion by replicating what is known as a tombstone.
A tombstone is a representation of an object that has been deleted but not fully removed
from the directory. The tombstone will eventually be removed based on the tombstone
lifetime setting, which by default is set to 60 days.
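An added check, not part of the original document, that applies the rule above: it reads the forest's tombstoneLifetime attribute from the Configuration partition via ADSI, falls back to the 60-day default when the attribute is unset, and reports whether a given system state backup file is still within that window. The backup path is an assumed example; the script needs only ADSI, so it runs with PowerShell 2.0 on Windows Server 2003.

```powershell
# Added example, not from the original document: is this system state backup
# still younger than the forest's tombstone lifetime?
param(
    [string]$BackupFile = 'D:\Backups\SystemState.bkf'   # assumed path
)

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on the Directory Service object of the
    # Configuration partition. When the attribute is not set, the forest uses
    # the default described above (60 days).
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.psbase.Properties['tombstoneLifetime'].Value
    if ($value -eq $null) { return 60 }
    return [int]$value
}

function Test-BackupAge([string]$Path, [int]$TombstoneDays) {
    $file    = Get-Item -Path $Path
    $ageDays = ((Get-Date) - $file.LastWriteTime).TotalDays
    # A backup is only usable while it is younger than the tombstone lifetime;
    # restoring an older one reintroduces objects the forest has already
    # garbage-collected (lingering objects).
    New-Object PSObject -Property @{
        BackupFile        = $file.FullName
        BackupDate        = $file.LastWriteTime
        AgeDays           = [math]::Round($ageDays, 1)
        TombstoneLifetime = $TombstoneDays
        Usable            = ($ageDays -lt $TombstoneDays)
    }
}

$tombstoneDays = Get-TombstoneLifetimeDays
$result = Test-BackupAge -Path $BackupFile -TombstoneDays $tombstoneDays
$result | Format-List
if (-not $result.Usable) {
    Write-Warning ("Backup is {0} days old, older than the tombstone lifetime of {1} days; do not restore from it." -f $result.AgeDays, $tombstoneDays)
}
```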
The only type of backup supported by Active Directory is normal. A normal backup
creates a backup of the entire system while the domain controller is online. When
backing up Active Directory using normal backup, the backup utility will automatically
back up all of the system components and all of the distributed services upon which
Active Directory is dependent. This dependent data, which includes Active Directory, is
known collectively as the system state.
1. Click Start, point to All Programs, point to Accessories, point to System Tools, and
then click Backup to start the Backup Utility Wizard.
2. Click Advanced Mode in the Backup Utility Wizard.
3. On the Backup tab, select the check box for any drive, folder, or file that you want to
back up.
4. Select the System State check box.
This will back up the System State data along with any other data you have selected
for the current backup operation.
1. Clean up server metadata to remove the NTDS Settings object of the failed
domain controller. Metadata cleanup procedure is explained in Appendix A.
2. Install Windows 2003 Operating System
3. Promote the server to a domain controller in its domain by using
DCPROMO.
4. Verify the Active Directory installation.
When you restore Active Directory from backup, you have three further options:
• Non-Authoritative Restore
• Authoritative Restore
• Primary Restore
Non-Authoritative Restore
What is it?
• Restore to known good point using Ntbackup
• Reboot into Active Directory mode to sync changes
When to use
• Recover from hardware failure
• Return to known good state on single domain controller
Options
• Rebuild server from scratch. Re-run Dcpromo.
• Restore machine to a known good point and sync deltas.
Authoritative Restore
What is it?
• Restore to known good point using Ntbackup
• Make objects on reference domain controller as “master copy” for Active
Directory
When to use
• Accidental deletion or modification of objects or containers in the Active
Directory
• Corruption of objects/attributes in the directory
Options
• Find a good domain controller that has the objects and make it
authoritative
• Restore from a backup that contains the objects and make it authoritative
Primary Restore
What is it?
• Restore to known good point using Ntbackup
• Make objects on reference domain controller as “master copy” for Active
Directory
When to use
• Restoring the first of several domain controllers
• The DC being restored is the only DC in the domain
Options
• Mark the restored data as the primary data for all replicas
1. Determine the roles of the domain controllers in the domain and select the single
domain controller that has the latest backup.
2. Switch off all other domain controllers, or disconnect them from the network, to
prevent replication.
3. Install the Windows 2003 operating system.
4. Reboot the server into Directory Services Restore Mode by pressing the F8 key during
system startup.
5. Log in as Administrator.
6. Run the Windows 2003 backup utility and click the Restore Wizard button.
7. Select the appropriate backup location and ensure that at least the system disk and
system state are checked.
8. Click the Advanced button, make sure junctions are being restored, and mark the
restored data as the primary data for all replicas, because this is the first DC in the
domain.
9. Click finish and once complete click NO to restart and close the backup
application.
10. Open a command prompt and type ntdsutil, and press enter
11. At the next prompt, type authoritative restore and press enter
12. At the next prompt, type restore database
13. At the “Authoritative Restore Confirmation Dialog” box, click OK
14. Type “Quit” and restart the server.
1. If Active Directory-integrated DNS is used, the DNS service must be installed and
running locally on the restored DC, and the server must be configured with its own
IP address as its preferred DNS server. This is the first DNS server in the forest.
2. If the restored DC was enabled as a global catalog, disable the global catalog
flag, as explained in Appendix B.
3. Seize the domain-level operations master roles (FSMO) to the restored DC.
4. Starting with the forest root DC, introduce the restored DCs to the network.
5. Install Active Directory on the remaining DCs in the forest using the Active
Directory Installation Wizard.
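An added post-recovery check, not part of the original document, for steps 2 and 3 above: run on the restored DC, it reads the five FSMO role holders from the fSMORoleOwner attributes and the global catalog flag from the DC's own NTDS Settings object, so you can confirm that the seized roles landed on the intended DC and that the GC flag is in the state you expect. It uses ADSI only, so it runs with PowerShell 2.0 on Windows Server 2003.

```powershell
# Added example, not from the original document: report FSMO role holders and
# the global catalog flag as seen by the DC this script is run on.

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = [string]$rootDse.defaultNamingContext
$configNc = [string]$rootDse.configurationNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext
$thisDc   = [string]$rootDse.dnsHostName

function Get-RoleOwnerHost([string]$HolderPath) {
    # fSMORoleOwner holds the DN of the owner's NTDS Settings object; its parent
    # is the server object, whose dNSHostName identifies the DC.
    $holder = [ADSI]$HolderPath
    $ntdsDn = [string]$holder.psbase.Properties['fSMORoleOwner'].Value
    $server = [ADSI]("LDAP://" + ($ntdsDn -replace '^CN=NTDS Settings,', ''))
    return [string]$server.psbase.Properties['dNSHostName'].Value
}

function Test-IsGlobalCatalog {
    # Bit 0x1 of the 'options' attribute on this DC's NTDS Settings object is
    # the NTDSDSA_OPT_IS_GC flag; dsServiceName on RootDSE names that object.
    $ntds    = [ADSI]("LDAP://" + [string]$rootDse.dsServiceName)
    $options = [int]$ntds.psbase.Properties['options'].Value
    return (($options -band 1) -eq 1)
}

# Object on which each role's fSMORoleOwner attribute lives.
$roles = @{
    'Schema master'         = "LDAP://$schemaNc"
    'Domain naming master'  = "LDAP://CN=Partitions,$configNc"
    'PDC emulator'          = "LDAP://$domainNc"
    'RID master'            = "LDAP://CN=RID Manager`$,CN=System,$domainNc"
    'Infrastructure master' = "LDAP://CN=Infrastructure,$domainNc"
}

foreach ($role in $roles.Keys) {
    $owner = Get-RoleOwnerHost -HolderPath $roles[$role]
    $mark  = if ($owner -eq $thisDc) { 'held by this DC' } else { 'held elsewhere' }
    "{0,-22} {1}  ({2})" -f $role, $owner, $mark
}
"Global catalog flag on $thisDc : " + (Test-IsGlobalCatalog)
```

After a forest recovery every role should report "held by this DC" until the remaining DCs have been reinstalled and roles are deliberately moved again.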
At this point, Active Directory confirms that the domain controller was removed
successfully. If you receive an error message that indicates that the object cannot be
found, Active Directory might have already removed the domain controller.
Where OperationsMaster is the type of operations master you want to seize, for
example: seize schema master
2. http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips
/ActiveDirectory/ActiveDirectoryDisasterRecovery.html
3. http://support.microsoft.com/?id=263532