Professional Documents
Culture Documents
Monitoring, Managing, and Recovering AD DS: Contents
Monitoring, Managing, and Recovering AD DS: Contents
Module 9
Monitoring, managing, and recovering AD DS
Contents:
Module Overview 13-1
Module Overview
As an IT professional responsible for supporting the Windows Server operating system and Active Directory
Domain Services (AD DS), maintaining the health of your domain is a critical aspect of your job. In this
module, you will learn about the technologies and tools that are available to help you ensure the health
and reliability of AD DS. You will explore tools that help you monitor performance in real time, and you will
learn to record performance over time to spot potential problems by observing performance trends. You
also will learn how to optimize and protect your directory service and related identity and access solutions,
so that if a service does fail, you can restart it as quickly as possible.
Objectives
After completing this module, you will be able to:
Monitor AD DS.
Describe the backup and recovery options for AD DS and other identity and access solutions.
MCT USE ONLY. STUDENT USE PROHIBITED
13-2 Monitoring, managing, and recovering AD DS
Lesson 1
Monitoring AD DS
Performance problems are common in real-world environments. Therefore, you must know how to analyze,
evaluate, and remediate those problems. In this lesson, you will learn how to use performance and event
monitoring tools in Windows Server to monitor the health of your domain controllers and AD DS.
Lesson Objectives
After completing this lesson, you will be able to:
Processor. Processor speed is one important factor in determining your server’s overall processor
capacity. The number of operations a CPU can perform in a measured period determines processor
speed. Servers with multiple processors or processors with multiple cores generally perform processor-
intensive tasks with greater efficiency and typically are faster than single processor or single-core
processor computers. Domain controllers do not typically require higher processor performance, but
processor performance can be important if your domain controller is performing other roles too.
Disk. Hard disks store programs and data. Consequently, the throughput (the total amount of data that
the disk subsystem processes for each time unit) of disks affects the speed of a workstation or server.
This is especially true when the server is performing disk-intensive tasks such as restoring the AD DS
database or replicating large amount of AD DS data to the database. Hard-disk drives have moving
parts, and it takes time to position the read/write heads over the appropriate disk sector to retrieve
information.
MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 13-3
Note: Workload is the amount of disk requests that the disk subsystem processes in a
measured time.
You can reduce potential disk subsystem bottlenecks by selecting faster disks and by using collections
of disks such as RAID arrays or Storage Spaces that optimize access times. Remember that information
on the disk moves into memory before the operating system uses it. If there is a surplus of memory, the
Windows Server operating system creates a file cache for items recently written to or read from the
disks. If you install additional memory in a server, you often can improve disk subsystem performance,
because accessing the cache is faster than moving information into memory.
Memory. Programs and data load from the disk into memory before the program manipulates data.
You can increase the amount of memory to help improve server performance in servers that run
multiple programs, or where datasets are extremely large.
Windows Server uses a memory model in which excessive memory requests are not rejected, but are
managed by a process known as paging. During paging, data and programs in memory that processes
are not currently utilizing are moved into an area on the hard disk known as the paging file. This frees
up physical memory to satisfy the excessive requests, but because a hard disk is comparatively slow, it
has a negative effect on workstation performance. By adding more memory, you can reduce the need
for paging.
Network. It is easy to underestimate the effect of a poorly performing network because it is more
difficult to see or measure than the other three components. However, the network is a critical
component for performance monitoring because AD DS is a network-based service, which requires
reliable network connectivity between servers and clients.
Task Manager
Task Manager provides information to help you
identify and resolve performance-related
problems in Windows Server. The Task Manager
user interface (UI) has the following tabs:
Processes. The Processes tab displays a list of running programs, subdivided into background and
internal Windows-based processes. For each running process, this tab displays a summary of processor
and memory usage.
Performance. The Performance tab displays a summary of CPU and memory usage, and network
statistics.
Users. The Users tab displays resource consumption on a per-user basis. You also can expand the user
view to see more detailed information about the specific processes that a user is running.
MCT USE ONLY. STUDENT USE PROHIBITED
13-4 Monitoring, managing, and recovering AD DS
Details. The Details tab lists all the running tasks on the server, providing statistics about the CPU,
memory, and other resource consumption. You can use this tab to manage the running tasks. For
example, you can stop a process, stop a process and all related processes, or change the processes’
priority values. By changing a process’s priority, you determine how much of the CPU resources the
process can consume. By increasing the priority, you allow the process to request more CPU resources.
Services. The Services tab provides a list of Windows services with related information, such as
whether a service is running, and the process identifier (PID) value of the corresponding service. You
can start and stop services by using the list on the Services tab.
You might consider using Task Manager when a performance-related problem first manifests itself. For
example, you might examine tasks that are running to determine if a program is using excessive CPU
resources. Always remember that Task Manager displays a snapshot of current resource consumption. You
also might need to examine historical data to determine a true picture of a server’s performance and
response under load.
Resource Monitor
Resource Monitor provides an in-depth look at your server’s real-time performance. You can use Resource
Monitor to monitor the use and performance of CPU, disk, network, and memory resources in real time.
With Resource Monitor, you can identify and resolve resource conflicts and bottlenecks.
By expanding the monitored elements, system administrators can identify processes that use specific
resources. Furthermore, you can use Resource Monitor to track a process or processes by selecting their
check boxes. When you select a process, it remains selected at the top of the screen in every pane of the
Resource Monitor, which provides the information that you require regarding that process, no matter
where you are in the interface.
Event Viewer
Event Viewer provides access to Windows Server event logs. Event logs are logs that provide information
about system events that occur within the Windows operating system. These events include information,
warnings, and error messages about Windows components and applications.
Event Viewer provides categorized lists of essential Windows log events, including application, security,
setup, system events, and log groupings, for individual applications and specific Windows-based
component categories. Individual events provide detailed information regarding the type of event that
occurred, when the event occurred, the source of the event, and detailed information to assist in
troubleshooting the event.
Additionally, Event Viewer allows you to consolidate logs from multiple computers onto a centralized
computer by using subscriptions. Finally, you can configure Event Viewer to perform an action based on a
specific event or the occurrence of multiple events. This might include sending an email message, starting
an application, running a script, or another maintenance action (or actions) that could notify you or
attempt to resolve a potential issue.
The ability to view multiple logs. You can filter for specific events across multiple logs, thereby making
it simpler to investigate issues and troubleshoot problems that might appear in several logs.
The inclusion of customized views. You can use filtering to narrow searches only to events in which you
are interested, and you can save these filtered views.
The ability to configure tasks scheduled to run in response to events. You can automate responses to
events. Event Viewer integrates with Task Scheduler to perform these tasks.
The ability to create and manage event subscriptions. You can collect events from remote computers
and then store them locally.
MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 13-5
Note: To collect events from remote computers, you must create an inbound rule in
Windows Firewall to permit Windows Event Log Management.
Event Viewer tracks information in several different logs. These logs provide detailed information that
includes:
An event ID number.
Event Viewer has many built-in logs, including those in the following table.
Application log This log contains errors, warnings, and informational events that
pertain to the operation of applications such as Microsoft
Exchange Server.
Security log This log reports the results of auditing, if you enable it. It reports
audit events as successful or failed, depending on the event. For
instance, the log would report success or failure regarding
whether a user could access a file.
System log Windows components and services log general events, which
are classified as error, warning, or information. Windows
predetermines the events that system components log.
Forwarded Events By default, this log stores events that are collected from remote
computers. To collect events from remote computers, you must
create an event subscription.
Performance Monitor
With Performance Monitor, you can view report-based or graphical displays of system performance. It can
monitor both software and hardware components in real time and historically. The next topic will provide
more detail about this tool.
Windows PowerShell
You can use cmdlets in the Windows PowerShell command-line interface to monitor server performance.
For example, you can use the following command to retrieve the current % Processor Time combined
values for all processors on the local computer every two seconds until it has 100 values and displays the
captured data:
Additional Reading: For more information, refer to: “Using PowerShell To Gather
Performance Data” at: http://aka.ms/F8mxnr
A real-time snapshot.
An average of values.
A maximum value.
A minimum value.
Performance Monitor works by providing you with a collection of objects and counters that record data
about computer resource usage. There are many counters that you can research and consider to meet your
specific requirements.
Processor > % Processor Time. This counter measures the percentage of elapsed time the processor
spends executing a non-idle thread. In other words, this counter displays the percentage of elapsed
time that a given thread uses the processor to run instructions (an instruction is the basic unit of
execution in a processor, and a thread is the object that executes instructions). A percentage of greater
than 85 percent overwhelms the processor, and the server might require a faster processor. Included in
this count is code that handles some hardware interrupts and trap conditions.
Processor > Interrupts/sec. This counter displays the rate, in incidents per second, at which the
processor received and serviced hardware interrupts. This value is an indirect indicator of the activity of
devices that generate interrupts, such as the system clock, the mouse, disk drivers, data communication
lines, network interface cards, and other peripheral devices. These devices normally interrupt the
processor when they have completed a task or require attention, which suspends normal thread
execution.
System > Processor Queue Length. This counter displays an approximate number of threads that each
processor is servicing. If the value is more than two times the number of CPUs over a given time, then
the server does not have enough processor power. The processor queue length (sometimes referred to
as processor queue depth) that this counter reports is an instantaneous value that represents only a
current snapshot of the processor. Therefore, you must observe this counter over a period to notice
data trends. Additionally, the System > Processor Queue Length counter reports a total queue length
for all processors, not just a length for each processor.
MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 13-7
The Memory > Pages/sec counter measures the rate at which pages are read from or written to disk to
resolve hard page faults. An increase in this counter indicates that more paging is occurring, which in turn
suggests a lack of physical memory.
Physical Disk > % Disk Time. This counter indicates how busy a disk is, and it measures the percentage
of time that the disk was busy during the sample interval. A counter approaching 100 percent indicates
that the disk is busy nearly all the time, and a performance bottleneck is possibly imminent. You might
consider replacing the current disk system with a faster one.
Physical Disk > Avg. Disk Queue Length. This counter indicates how many disk requests are waiting to
be serviced by the input/output (I/O) manager in Windows Server at any given moment. If the value is
larger than two times the number of spindles, it means that the disk itself might be the bottleneck. The
longer the queue is, the less satisfactory the disk throughput is.
Workloads might require access to several different networks that must remain secure. Examples include
connections for:
By monitoring network-performance counters, you can evaluate your network’s performance. The primary
network counters include:
Network Interface > Current Bandwidth. This counter indicates the current bandwidth being consumed
on the network interface in bits per second (bps). Most network topologies have maximum potential
bandwidths quoted in megabits per second (Mbps). For example, Ethernet can operate at bandwidths
of 10 Mbps, 100 Mbps, 1 gigabit per second (Gbps), and higher. To interpret this counter, divide the
given value by 1,048,576 for Mbps. If the value approaches the network’s maximum potential
bandwidth, you should consider implementing a switched network or upgrading to a network that
supports higher bandwidths.
MCT USE ONLY. STUDENT USE PROHIBITED
13-8 Monitoring, managing, and recovering AD DS
Network Interface > Output Queue Length. This counter indicates the current length of the output
packet queue on the selected network interface. A growing value, or one that is consistently higher
than two, could indicate a network bottleneck, which you should investigate.
Network Interface > Bytes Total/sec. This measures the rate at which bytes are sent and received over
each network adapter, including framing characters. The network is saturated if you discover that more
than 70 percent of the interface is consumed.
NTDS\ DRA Inbound Object. This counter shows the number of Active Directory objects received from
neighbors through inbound replication.
NTDS\ DRA Outbound Bytes Total/sec. This counter shows the total number of bytes replicated out.
NTDS\ DRA Pending Replication Synchronizations. This is the number of directory synchronizations
that are in this server’s queue, waiting for processing.
Other counters
Security System-Wide Statistics\ Kerberos Authentications/sec. This counter tracks the number of times
that clients use a ticket to authenticate to this computer per second.
Security System-Wide Statistics\ NTLM Authentications. This counter tracks the number of NTLM
authentications processed per second.
Data collector sets can contain the following types of data collectors:
Event trace data. This data collector provides information about system activities and events, which
often is useful for troubleshooting.
System configuration information. This data collector allows you to record the current state of registry
keys and to record changes to those keys.
You can create a data collector set from a template, from an existing set of data collectors in a Performance
Monitor view, or by selecting individual data collectors and setting each individual option in the data
collector set properties.
Demonstration: Monitoring AD DS
In this demonstration, you will learn how to:
Demonstration Steps
Configure Performance Monitor to monitor AD DS
1. On LON-DC1, open Performance Monitor.
3. Watch the performance for a few moments. Then, in the counter list below the graph, select
DS Directory Searches/sec.
4. On the toolbar, click Highlight to highlight DS Directory Searches/sec in the graph. Then, click
Highlight on the toolbar again to turn off the highlight.
MCT USE ONLY. STUDENT USE PROHIBITED
13-10 Monitoring, managing, and recovering AD DS
3. Make a note of the default root directory in which the Data Collector Set will be saved.
Note: Notice that you can identify the individual data collectors in the data collector set.
In this case, the data collector set contains only one data collector—the System Monitor Log
performance counter. You also can identify where the output from the data collector is being
saved.
2. In the console tree, right-click the Custom ADDS Performance Counters data collector set, and then
click Stop.
Lesson 2
Managing the Active Directory database
At the core of the Active Directory environment is the Active Directory database. The Active Directory
database contains all the critical information required to provide Active Directory functionality. Maintaining
this database properly is a critical aspect of Active Directory management, and you should be aware of
several tools and best practices so that you can manage your Active Directory database effectively. This
lesson will introduce you to Active Directory database management, and it will show you the tools and
methods for maintaining it.
Lesson Objectives
After completing this lesson, you will be able to:
Schema. The schema partition defines the object classes and their attributes for the entire directory.
Application. Domain controllers also can host application partitions. You can use application partitions
to limit replication of application-specific data to a subset of domain controllers. Active Directory–
integrated Domain Name System (DNS) is a common example of an application that utilizes
application partitions. Application partitions are not a mandatory component of the AD DS database.
Each domain controller maintains a copy (or replica), of several partitions. The configuration partition
replicates to every domain controller in the forest, as does the schema partition. The domain partition for a
domain replicates to all domain controllers within a domain, but not to domain controllers in other
domains. As an exception, the domain partition does replicate to global catalog servers in the same forest.
MCT USE ONLY. STUDENT USE PROHIBITED
13-12 Monitoring, managing, and recovering AD DS
Therefore, each domain controller has at least three replicas: the domain partitions for its domain,
configuration, and schema.
AD DS database files
The AD DS database is stored as a file named Ntds.dit. When you install and configure AD DS, you can
specify the location of the file. The default location is %SystemRoot%\NTDS. Within Ntds.dit are all the
partitions that the domain controller hosts: the forest schema and configuration; the domain-naming
context; and, depending on the server configuration, the partial attribute set and application partitions.
In the NTDS folder are other files that support the AD DS database. The Edb*.log files are the transaction
logs for AD DS. When a change occurs in the directory, it is first written to the log file. The change is
committed to the directory as a transaction. If the transaction fails, AD DS rolls back the changes.
The following table describes the different file-level components of the AD DS database.
File Description
Edbres00001.jrs Reserve transaction log file that allows the directory to process
Edbres00002.jrs transactions if the server runs out of disk space
The Edb.chk file acts like a bookmark in the log files, marking the location before which transactions have
been successfully committed to the database, and after which transactions remain to be committed.
If a disk drive runs out of space, it is highly problematic for the server. It is even more problematic if that
disk is hosting the AD DS database, because transactions that might be pending cannot write to the logs.
Therefore, AD DS maintains two additional log files, Edbres00001.jrs and Edbres00002.jrs. These are
empty files of 10 megabytes (MB) each. When a disk runs out of space for normal transaction logs, AD DS
recruits the space used by these two files to write the transactions that are in a queue currently. After that, it
safely shuts down Active Directory services, and dismounts the database. Of course, it will be important for
an administrator to remediate the issue of low disk space as quickly as possible. The files provide a
temporary solution to allow the directory service to continue processing new transactions.
MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 13-13
What is NtdsUtil?
NtdsUtil.exe is a command-line executable file that
you can use to perform database maintenance,
including creating snapshots, relocating database
files, and offline defragmentation. You also can use
NtdsUtil.exe to clean up domain-controller
metadata. If you remove a domain controller from
the domain while it is offline, the domain
controller is unable to remove important
information from the directory service. However,
you can use NtdsUtil.exe to clean out the remnants
of the domain controller. It is very important that
you do so to protect your data from being
compromised.
In addition, you can use NtdsUtil.exe to reset the password used to sign in to the Directory Services Restore
Mode (DSRM). You configure this password initially during the configuration of a domain controller. If you
forget the password, you can use the NtdsUtil.exe set dsrm command to reset it.
Note: You also can use graphical tools such as Active Directory Users and Computers and
Active Directory Sites and Services to manage Active Directory objects and to clean up metadata
automatically.
Understanding restartable AD DS
In most scenarios that require Active Directory
management, you should restart the domain
controller in DSRM. Windows Server enables
administrators to stop and start AD DS just like any
other service—without restarting a domain
controller—to perform some management tasks
quickly. This feature is called restartable AD DS.
You can use the Services console, the command
prompt, or Windows PowerShell to restart AD DS.
Restartable AD DS reduces the required time to
perform certain operations. For example, you can
stop AD DS so that you can apply updates to a
domain controller. In addition, administrators can stop AD DS to perform tasks, such as offline
defragmentation of the AD DS database, without restarting the domain controller. Other services running
on the server that do not depend on AD DS to function, such as Dynamic Host Configuration Protocol
(DHCP), remain available to respond to client requests while AD DS is stopped. Restartable AD DS is
available by default on all domain controllers that run Windows Server or later. There are no functional-
level requirements or any other prerequisites for using this feature.
Note: To restore a domain controller’s System state, you must start in DSRM.
Restartable AD DS requires minor changes to the existing Microsoft Management Console (MMC) snap-ins.
By using the snap-in, an administrator can stop and restart AD DS more easily, as they would any other
service that is running locally on the server.
MCT USE ONLY. STUDENT USE PROHIBITED
13-14 Monitoring, managing, and recovering AD DS
AD DS Started. In this state, AD DS is started. The domain controller can perform AD DS–related tasks
normally.
AD DS Stopped. In this state, AD DS is stopped. Although this mode is unique to Windows Server 2012
or later, the server has some characteristics of both a domain controller in DSRM and a domain-joined
member server.
DSRM. In this state, the AD DS database (Ntds.dit) on the local domain controller is offline. Another
domain controller can be contacted for sign-in, if one is available. If no other domain controller can be
contacted, you can do one of the following, by default:
o Sign in to the domain controller locally in DSRM by using the DSRM password.
Stop AD DS.
Start AD DS.
Demonstration Steps
Stop AD DS
1. On LON-DC1, open the Services console.
NtdsUtil.exe
activate instance NTDS
files
compact to C:\
MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 13-15
Integrity
quit
quit
Start AD DS
1. Open the Services console.
3. Confirm that the Status column for Active Directory Domain Services lists a status of Running.
NtdsUtil.exe
activate instance ntds
snapshot
Create
list all
Note: The list all command returns a message that indicates that the snapshot set
generated successfully.
The GUID that displays is important for commands in later tasks, so make note of the GUID or
copy it to the clipboard.
Mounting an AD DS snapshot
To view the contents of a snapshot, you must mount the snapshot as a new instance of AD DS. You can
accomplish this by using NtdsUtil.exe.
NtdsUtil.exe
activate instance ntds
snapshot
list all
mount <GUID>
quit
quit
dsamain -dbpath c:\$snap_datetime_volumec$\windows\ntds\ntds.dit -ldapport 50000
Note: You will see the dbpath property when you execute the mount <GUID>
command. Port number 50000 can be any unused Transmission Control Protocol (TCP) port
number.
5. Do not close the Command Prompt window. Leave the command that you just ran, Dsamain.exe,
running while you continue to the next step.
Viewing an AD DS snapshot
After mounting the snapshot, you can use tools to connect to and explore the snapshot. Active Directory
Users and Computers is one of the tools that you can use to connect to the instance.
To connect to a snapshot with Active Directory Users and Computers, perform the following procedure:
3. In the Change Directory Server dialog box, click <Type a Directory Server name[:port] here>.
MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 13-17
Note: LON-DC1 is the name of the domain controller on which you mounted the
snapshot, and 50000 is the TCP port number that you configured for the instance.
5. After you verify that you are now connected to the snapshot, click OK.
Note: Note that snapshots are read-only. You cannot modify the contents of a snapshot.
Moreover, there are no direct methods with which to move, copy, or restore objects or attributes
from the snapshot to the production instance of AD DS.
Unmounting an AD DS snapshot
To unmount the Active Directory snapshot, perform the following procedure:
NtdsUtil.exe
activate instance ntds
snapshot
unmount <GUID>,
quit
quit
Lesson 3
Active Directory backup and recovery options for AD DS
and other identity and access solutions
It is important to maintain the reliability of the Active Directory data. Performing regular backups can play a
part in this process, but knowing how to restore or recover data after a failure is vital. Because restoring
deleted objects from AD DS often can cause AD DS downtime, Windows Server includes the Active
Directory Recycle Bin feature, which provides a much easier way to restore deleted objects with no AD DS
downtime. This lesson explores these Active Directory backup and recovery features.
Lesson Objectives
After completing this lesson, you will be able to:
To reanimate a deleted object, you can use the Ldp tool to perform the following procedure:
1. Click Start, and then in the Start Search text box, type Ldp.exe. Press Ctrl+Shift+Enter, which executes
the command as an administrator.
2. In the User Account Control dialog box, click Use another account.
3. In the User name text box, type the user name of an administrator.
4. In the Password text box, type the password for the administrative account, and then press Enter. Ldp
opens.
5. Click the Connection menu, click Connect, and then click OK.
6. Click the Connection menu, click Bind, and then click OK.
8. In the Load Predefined list, click Return Deleted Objects, and then click OK.
9. Click the View menu, click Tree, and then click OK.
13. In the Operation section, click Delete, and then press Enter.
16. In the Operation section, click Replace, and then press Enter.
17. Select the Extended check box, click Run, and then click Close.
19. Use Active Directory Users and Computers to repopulate the object’s attributes, reset the password for
a user object, and enable the object, if necessary.
Note: Ldp.exe is a command-line tool that you use to perform Lightweight Directory Access
Protocol (LDAP) searches against AD DS. You also can use it to perform maintenance on AD DS or
Active Directory Lightweight Directory Services (AD LDS).
MCT USE ONLY. STUDENT USE PROHIBITED
13-20 Monitoring, managing, and recovering AD DS
After you enable Active Directory Recycle Bin, when an Active Directory object is deleted, the system
preserves all the object's link-valued and non–link-valued attributes, and the object becomes logically
deleted. A deleted object moves to the Deleted Objects container, and its distinguished name is obscured.
A deleted object remains in the Deleted Objects container in a logically deleted state throughout the
duration of the deleted object lifetime. Within the deleted object lifetime, you can recover a deleted object
with Active Directory Recycle Bin and make it a live AD DS object again.
The value of the msDS-deletedObjectLifetime attribute determines the deleted object lifetime. For an
item deleted after you enable Active Directory Recycle Bin (or a recycled object), the value of the legacy
tombstoneLifetime attribute determines the recycled object lifetime. By default, this value is null, which
means that the deleted object lifetime is set to the value of the recycled object lifetime.
By default, the recycled object lifetime, which is stored in the tombstoneLifetime attribute, also is null. This
means that the recycled object lifetime defaults to 180 days. You can modify these two values at any time.
When you set msDS-deletedObjectLife to some value other than null, it no longer assumes the value of
tombstoneLifetime.
To modify these values, you can use Windows PowerShell. For example, to set tombstoneLifetime to 365
days, run the following command, pressing Enter at the end of each line:
To set the deleted object lifetime to 365 days, run the following command, pressing Enter at the end of
each line:
You also can use the Ldp.exe command-line tool to configure these values.
MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 13-21
To enable Active Directory Recycle Bin, you can perform one of the following:
From the Active Directory module for Windows PowerShell command prompt, use the
Enable-ADOptionalFeature cmdlet.
From Active Directory Administrative Center, select the domain, and then click Enable Active
Directory Recycle Bin in the Tasks pane.
You can use Active Directory Recycle Bin to restore only items deleted after you turn on Active
Directory Recycle Bin.
Note: Once you have enabled Active Directory Recycle Bin, you cannot disable it.
Demonstration Steps
o Test1
o Test2
4. Confirm that Test1 is now located in the Research OU and that Test2 is in the IT OU.
Selected volumes.
Perform a bare-metal recovery. A bare-metal backup contains all critical volumes, and it allows you to
restore without first installing an operating system. You do this by using the product media on a DVD
or USB key, and the Windows Recovery Environment (Windows RE). You can use this backup type
together with the Windows RE to recover from a hard-disk failure, or to recover the whole computer
image to new hardware.
Use System state. The backup contains important information for rolling back a server to a specific
time. However, you must have an operating system installed prior to recovering the System state.
Recover individual files and folders or volumes. The Individual files and folders option enables you to
select to back up and restore specific files, folders, or volumes. Alternatively, you can add specific files,
folders, or volumes to the backup when you use an option such as Critical volume or System state.
Exclude selected files or file types. For example, you can exclude temporary files from the backup.
Select from more storage locations. You can store backups on remote shares or nondedicated volumes.
Use Microsoft Azure Backup. Azure Backup is an offsite, cloud-based backup solution for Windows
Server that enables files and folders to back up to and recover from the public or private cloud.
If there are disasters such as hard-disk failures, you can perform system recovery by using a full server
backup and Windows RE—this will restore your complete system onto the new hard disk.
MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 13-23
Azure Backup
Azure Backup is a subscription service that you can use to provide offsite protection against critical data
loss due to disasters. You back up files and folders and recover them from the public or private cloud as
required.
Azure Backup is built on the Microsoft Azure platform and uses Azure Blob Storage for storing customer
data. You can use the downloadable Azure Backup Agent to transfer file and folder data securely to Azure
Backup from Windows Server. After you install the Azure Backup Agent, the agent integrates its
functionality through the Windows Server Backup interface. You can download Azure Backup Agent from
the Microsoft website.
The key features that Azure Backup provides in Windows Server include:
Simplified configuration and management. Integration with the Windows Server Backup tool provides
a seamless way to back up and recover data to a local disk or cloud platform. Other features include:
o Integrated recovery experience to recover files and folders from a local disk or from a cloud
platform.
o Easy data recoverability for data that was backed up to any server.
Block-level incremental backups. The Azure Backup Agent performs incremental backups by tracking
file and block-level changes, and only transfers the changed blocks. This reduces storage and
bandwidth usage. Different point-in-time versions of backups use storage efficiently by storing only
the changed blocks between these versions.
Data compression, encryption, and throttling. The Azure Backup Agent compresses and encrypts data
on the server before sending it to Azure Backup on the network. Therefore, Azure Backup only stores
encrypted data in cloud storage. The encryption passphrase is not available to Azure Backup, and
therefore, data is never decrypted in the cloud. In addition, users can set up throttling and configure
how Azure Backup uses network bandwidth when backing up or restoring information.
Data integrity verified in the cloud. In addition to the secure backups, Azure Backup checks backed-up
data automatically for integrity after the backup completes. Therefore, you can quickly identify any
corruptions that might arise because of the data transfer. Azure Backup fixes these corruptions
automatically in the next backup.
Configurable retention policies for storing data in the cloud. Azure Backup accepts and implements
retention policies to recycle backups that exceed the desired retention range. This helps with meeting
business policies and managing backup costs.
Backup centralization. DPM uses a client/server architecture where the client software is installed on all
the computers that require backing up. Those clients stream backup data to the DPM server. This
allows each DPM server to support entire small to medium-sized organizations. You also can manage
multiple DPM servers from one centralized Microsoft System Center Operations Manager console.
15-minute recovery point objective (RPO). DPM allows 15-minute snapshots of supported products.
This includes most of the Microsoft enterprise suite of products, including Windows Server with its roles
and services, Exchange Server, Microsoft Hyper-V, and Microsoft SQL Server.
MCT USE ONLY. STUDENT USE PROHIBITED
13-24 Monitoring, managing, and recovering AD DS
Support for Microsoft workloads. Microsoft designed DPM specifically to support Microsoft
applications such as Exchange Server, SQL Server, and Hyper-V. However, DPM does not support other,
non-Microsoft server applications that do not have consistent states on disk, or that do not support
Volume Shadow Copy Service (VSS).
Disk-based backup. DPM can perform scheduled backups to disk arrays and storage area networks
(SANs). You also can configure DPM to export specific backup data to tape for retention and
compliance-related tasks.
Remote site backup. DPM uses an architecture that allows it to back up clients that are located in
remote sites. This means that a DPM server in a head office site can perform backups of servers and
clients that are located across wide area network (WAN) links.
Support for backup-to-cloud strategies. DPM supports backup of DPM servers to a cloud platform. This
means that you can use a DPM server at a cloud-based hosting facility to back up the contents of a
head office DPM server. For disaster redundancy, you also can configure DPM servers to back up each
other.
When you start a domain controller in DSRM, you will sign in as Administrator with the DSRM password.
You then can use Windows Server Backup to restore the directory database. After completing the
restoration, you must restart the server. The domain controller will ensure that its database is consistent
with the rest of the domain by pulling from its replication partners the changes to the directory that have
occurred since the date of the backup.
Nonauthoritative restore
In a normal restoration, you restore a backup of AD DS as of a known good date. Essentially, you roll the
domain controller back in time. When AD DS restarts on the domain controller, the domain controller
contacts its replication partners and requests all subsequent updates. In other words, the domain controller
catches up with the rest of the domain by using standard replication mechanisms.
MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 13-25
Normal restoration is useful when the directory on a domain controller has been damaged or corrupted,
but the problem has not spread to other domain controllers. However, for certain situations a normal
restoration is not sufficient. For example, normal restoration will not work where damage has replicated,
such as when you delete one or more objects, and that deletion has replicated. If you restore a known good
version of AD DS and restart the domain controller, the deletion—which happened after the backup—will
simply replicate back to the domain controller.
Authoritative restore
An authoritative restore is necessary when you have restored a known good copy of AD DS and it contains
objects that must override existing objects in the AD DS database. In an authoritative restore, you restore
the known good version of AD DS just as you do in a normal restore. However, before you restart the
domain controller, you mark the accidentally deleted or previously corrupted objects that you wish to
retain as authoritative, so that they will replicate from the restored domain controller to its replication
partners. When you mark objects as authoritative, Windows increments the version number of all object
attributes to be so high that the version is virtually guaranteed to be higher than the version number on all
other domain controllers.
When the restored domain controller restarts, it replicates from its replication partners all the changes
made to the directory. It also notifies its partners that it has changes, and the version numbers of the
changes ensure that partners take the changes and replicate them throughout the directory service.
In forests with Active Directory Recycle Bin enabled, you can use Active Directory Recycle Bin as a
simpler alternative to an authoritative restore.
Note: You cannot use Active Directory Recycle Bin to recover corrupted objects.
3. Restore the directory with Windows Server Backup, as the previous topic described. Before restarting
the domain controller, you must first mark as authoritative the objects that you wish to persist after
restart—that is, the deleted objects that you are trying to restore. To mark an object as authoritative, at
the command prompt, type the following commands, pressing Enter at the end of each line:
NtdsUtil.exe
authoritative restore
restore object <object DN>
Object DN is the distinguished name of the object that you are restoring. For example, if you want to
restore user object Candy Spoon, which was in the IT OU, you would type:
To mark an OU or container and all its subobjects as authoritative, at the command prompt, type the
following commands:
NtdsUtil.exe
authoritative restore
restore subtree <object DN>
MCT USE ONLY. STUDENT USE PROHIBITED
13-26 Monitoring, managing, and recovering AD DS
4. Restart the domain controller. The domain controller will replicate from its partners all the changes that
have occurred to the directory since the date of the backup. However, for the objects that were marked
authoritative, every attribute of those objects has a very high version number. Therefore, these objects
will replicate from the restored domain controller to the rest of the directory service.
Finally, you can restore a backup of the System state to an alternate location. This allows you to examine
files, and to mount the Ntds.dit file, potentially. You should not copy the files from an alternate restoration
location over the production versions of those files. In addition, do not perform a piecemeal restore of
AD DS. However, you can use these copied files to support the Install From Media option for creating a
new domain controller. Most of the procedures involved in performing an authoritative restore are
identical to those of a nonauthoritative restore.
MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 13-27
It is your responsibility to ensure that the directory service is backed up. Today, you notice that last night's
backup did not run as scheduled. You therefore decide to perform an interactive backup. Shortly after the
backup, a domain administrator accidentally deletes the IT OU. You must recover this OU.
Objectives
After you complete this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Virtual machine: 20742B-LON-DC1
Password: Pa55w.rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
2. In Hyper-V Manager, click 20742B-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa55w.rd
o Domain: Adatum
MCT USE ONLY. STUDENT USE PROHIBITED
13-28 Monitoring, managing, and recovering AD DS
4. Delete an OU.
5. Restart in Directory Services Restore Mode (DSRM).
2. Open a command prompt, type the following, and then press Enter:
Note: This command is only required for the lab environment, and is not part of typical
backup procedures.
3. When the Windows Server Backup dialog box appears, informing you that all data on the disk will be
deleted, click Yes.
Note: You will cancel the process in the next step to avoid formatting drive E.
Note: The backup will take about 10–15 minutes to complete. After the backup
completes, close Windows Server Backup.
Task 4: Delete an OU
1. On LON-DC1, from Server Manager, open Active Directory Users and Computers.
2. At the command prompt, type the following command to configure the server to start in DSRM:
3. Restart LON-DC1.
4. Restore the System state information by typing the following command in the following format:
For example:
3. At the Windows PowerShell command prompt, use NtdsUtil.exe to perform an authoritative restore of
“OU=Research,DC=adatum,DC=com”
4. To restart the server normally after you perform the restoration operation, type the following
command, and then press Enter:
3. Verify the presence of the Research OU. Note that you might have to force a site replication in Active
Directory Sites and Services to see the change immediately.
Results: After completing this exercise, you should have successfully performed an interactive backup and
an authoritative restore of Active Directory Domain System (AD DS).
4. Perform object restoration with the Active Directory Module for Windows PowerShell.
2. Enable the Active Directory Recycle Bin feature by typing the following command, and then pressing
Enter:
Task 4: Perform object restoration with the Active Directory Module for Windows
PowerShell
1. Start the Active Directory Module for Windows PowerShell.
2. At the Windows PowerShell command prompt, type the following command, and then press Enter:
2. Make sure that Abbie Parsons exists within the Sales OU.
Results: After completing the exercise, you should have enabled and tested the Active Directory Recycle
Bin feature successfully.
2. In the Virtual Machines list, right-click 20742B-LON-DC1, and then click Revert.
Question: When you restore a deleted user or an OU with user objects by using authoritative
restore, will the objects be exactly the same as before? Which attributes might not be the
same?
Question: In the lab, would it be possible to restore the deleted objects if they were deleted
before you enabled Active Directory Recycle Bin?