Securing Windows 2000 Active Directory
In this article I will focus on backing up Active Directory. As part of securing your Active Directory you
need a contingency plan that lets you restore the directory in the event of a disaster.
(Those who missed the first two articles in this series may click here to be taken to Part 1 and here to be
taken to Part 2.)
When backing up Active Directory, Microsoft supports only one type of backup: a full (normal) backup.
Incremental and differential backups do not work correctly against Active Directory, so those options should
not be used. AD uses an advanced Jet (ESE) database that exposes a backup interface similar to the one in
Exchange 5.5. Incremental and differential backups are not supported because backup applications bind to the
local client-side DLL whose entry points are defined in ntdsbcli.h, and that interface takes the directory
database and its log files as a whole.
On a Windows 2000 Server the System State data, which the Backup utility handles as a single unit, consists of:
1. Boot files, including the system files, and all files protected by Windows File Protection (WFP).
2. Active Directory (on a domain controller only).
3. Sysvol (on a domain controller only).
4. Certificate Services (on certification authority only).
5. Cluster database (on a cluster node only).
6. The registry.
7. Performance counters configuration information.
8. Component Services Class registration database.
The following restrictions apply to backing up and restoring the System State:
1. A System State backup or restore cannot be limited to individual components, because of the dependencies
among the System State components.
2. A System State restore can be redirected to an alternate location, but only the registry files, the Sysvol
directory files and the system boot files are restored there (a redirected restore is not a complete
restore).
3. The Active Directory database, the Certificate Services database and the Component Services Class
Registration database are not restored to the alternate location. This means that if you try to test a
restore by redirecting it into a lab environment, you will run into issues: the directory itself is not
restored.
It is recommended that you back up the system disk as well as the System State, because the system disk holds
the DNS zone data for standard (non-Active Directory-integrated) zones in %SystemRoot%\system32\dns; only
Active Directory-integrated zones are covered by the System State. The files that make up Active Directory tend
to be spread across several disks, as good practice dictates that the database file (ntds.dit) and the log
files be placed on separate disks. Note: you do not have to specify where these files are, even if they are on
separate disks, as backing up the System State automatically includes all of them in one backup set.
Warning!
If your most recent backup is older than the tombstone lifetime set in Active Directory, that backup is
considered unusable: restoring it would reintroduce objects that the other domain controllers have already
deleted and purged, leaving the directory inconsistent. It is recommended that you perform at least two
backups within the tombstone lifetime; with the default tombstone lifetime of 60 days this means a backup at
least every 29 days. I strongly recommend that a weekly backup be treated as the absolute minimum.
To back up the System State with the Backup utility:
1. Click Start, click Run, type ntbackup and click OK.
2. You should be presented with the Backup utility; click Tools, then Backup Wizard, then click Next.
3. Select Only back up the System State data.
4. Select the location you would like to back up your System State to. If you back up to a hard disk, ensure
that the disk is formatted with NTFS so that the backup file can be protected with NTFS permissions; it
contains the directory database, including password hashes.
5. Check your settings and then click Finish. If you would like to configure scheduling, hardware
compression, media labels, data verification, or appending to a different job, click the Advanced button on
this screen. The results of data verification can be viewed in the Event Viewer.
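The same backup can be taken from the command line with ntbackup, which is how you would meet the schedule discussed under the tombstone-lifetime warning above without clicking through the wizard every week. The following script is an added example, not part of the original article; the backup directory, file name and job name are assumptions, while the switches are ntbackup's own (backup systemstate, /J, /F, /M, /V, /L).

```batch
@echo off
rem adbackup.cmd - full (normal) backup of the System State to a .bkf file.
rem Added example: paths and the job name below are assumptions, not values
rem from the article. Run it as a member of Administrators or Backup Operators.

setlocal
set BKDIR=D:\ADBackup
set BKFILE=%BKDIR%\systemstate.bkf
set JOB=AD System State

rem The backup file holds ntds.dit, Sysvol and the registry, so keep the folder
rem on an NTFS volume and restrict its permissions to administrators.
if not exist "%BKDIR%" mkdir "%BKDIR%"

rem backup systemstate : back up the System State components as one unit
rem /J "name"          : job name recorded in the log and the Application event log
rem /F "file"          : write to a file instead of tape
rem /M normal          : full backup; incremental/differential are not supported for AD
rem /V:yes             : verify the data after it is written
rem /L:f               : write a full log so the result can be checked afterwards
ntbackup backup systemstate /J "%JOB%" /F "%BKFILE%" /M normal /V:yes /L:f

rem ntbackup does not reliably report failure through the exit code, so check
rem that the file was produced and then confirm the job in the ntbackup log
rem and the Application event log, as the article describes.
if not exist "%BKFILE%" (
    echo Backup file %BKFILE% was not created. Check the ntbackup log and Event Viewer.
    endlocal
    exit /b 1
)
echo System State written to %BKFILE%
endlocal
exit /b 0
```

On Windows 2000 the script can be scheduled with the at command, for example `at 02:00 /every:Su "D:\scripts\adbackup.cmd"` for a weekly run, which keeps you well inside the 60-day tombstone lifetime. Because the .bkf contains the directory database and therefore every account's password hash, treat the backup folder and any media it is copied to with the same care as the domain controller itself.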
Directory service
The directory service is the mechanism that AD uses to locate and organise the users and resources in a
distributed system, and it should be considered within your overall AD backup and restore strategy. Directory
service information is replicated to the other domain controllers in the same domain, so the replication
partners are usually the first line of recovery, but it is vital that a tested recovery plan is in place before
attempting a restore. Changes made to the directory while the backup is running are recorded in the
transaction logs and appended to the end of the backup set when the backup completes, so that the restored
database can be brought to a consistent state.
Summary
Windows 2000 stores all of its security information in Active Directory. This article has described the
process needed to back up Active Directory so that it can be restored after a disaster, which is an essential
part of keeping it secure.