
Module 14 Directory Service Continuity


Presentation Transcript


  1. Module 14 Directory Service Continuity

  2. Module Overview • Monitor Active Directory • Manage the Active Directory Database • Active Directory Recycle Bin • Back Up and Restore AD DS and Domain Controllers

  3. Lesson 1: Monitor Active Directory • Understand Performance and Bottlenecks • Monitoring Tools Overview • Performance Monitor • Data Collector Sets • Demonstration: Monitor AD DS • Monitoring Best Practices • Active Directory Best Practices Analyzer • Demonstration: Using Active Directory Best Practices Analyzer

  4. Understand Performance and Bottlenecks • Key system resources • CPU • Disk • Memory • Network • Bottleneck: A resource that is currently at peak utilization

  5. Monitoring Tools Overview • Task Manager • Real-time monitoring of key system components • Event Viewer • Logged monitoring for various system services • Resource Monitor • Detailed real-time monitoring of resource usage • Reliability Monitor • Tracks system reliability over time • Performance Monitor • Real-time and historical monitoring of system performance

  6. Performance Monitor • Useful counters in any server baseline • Memory\Pages/sec • PhysicalDisk\Avg. Disk Queue Length • Processor\% Processor Time • Useful counters for monitoring Active Directory • NTDS\DRA Inbound Bytes Total/sec • NTDS\DRA Inbound Object • NTDS\DRA Outbound Bytes Total/sec • NTDS\DRA Pending Replication Synchronizations • NTDS\Kerberos Authentications/sec • NTDS\NTLM Authentications

  7. Data Collector Sets • Collections of data points: • Performance counters • Event trace data • System configuration information (registry keys) • Usage scenarios: • View real-time performance with Performance Monitor • Create a log (manually invoked or scheduled) and then view Reports • Generate alerts based on thresholds • Used by other applications • To create a Data Collector Set: • Start from a template; role templates added by Windows • Save an existing set of counters in a Performance Monitor view • Manually specify and configure data collectors in a set • Export/import data collector set as XML

  8. Demonstration: Monitor AD DS In this demonstration, you will see how to: • Configure AD DS monitoring by using Data Collector Sets

  9. Monitoring Best Practices • Monitor early to establish baselines • Document performance when things are working well • Include server and role-related counters during idle and busy times • Monitor often to identify potential problems • Compare to baseline and watch for troublesome deviation • Know how to monitor and interpret performance before a meltdown • Establish Data Collector Sets • Build the skills to interpret performance counters • Capture appropriately • Do not overcapture • Degrades performance • Creates “noise,” making it difficult to identify real problems
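The baseline-and-deviation approach from slides 6, 7 and 9, worked as an added PowerShell example that is not part of the course material: it samples the counters listed under Performance Monitor with Get-Counter, averages them, compares each against a baseline recorded while the domain controller was healthy, and creates a scheduled Data Collector Set with logman for ongoing capture. The baseline numbers, the tolerance factor and the C:\PerfLogs path are constructed assumptions; the script is assumed to run in an elevated session on the domain controller.

```powershell
# Added example, not from the course. Runs elevated on the DC itself; baseline values,
# tolerance and the log path are constructed assumptions.

# Counter paths as they appear in Performance Monitor on Windows Server 2008 R2
$counters = @(
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\DRA Pending Replication Synchronizations',
    '\NTDS\Kerberos Authentications',
    '\NTDS\NTLM Authentications'
)

# Baseline recorded while the DC was healthy and moderately busy (constructed values;
# record your own with this script during a known-good period). Hashtable keys are
# case-insensitive, which matters because Get-Counter returns lower-cased paths.
$baseline = @{
    '\Memory\Pages/sec'                              = 20
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'   = 1.0
    '\Processor(_Total)\% Processor Time'            = 35
    '\NTDS\DRA Inbound Bytes Total/sec'              = 50000
    '\NTDS\DRA Outbound Bytes Total/sec'             = 50000
    '\NTDS\DRA Pending Replication Synchronizations' = 0
    '\NTDS\Kerberos Authentications'                 = 40
    '\NTDS\NTLM Authentications'                     = 5
}

function Test-AdDsBaseline {
    param(
        [string[]]$CounterPath = $counters,
        [hashtable]$Baseline   = $baseline,
        [double]$Tolerance     = 2.0,   # flag anything above 2x the baseline
        [int]$Samples          = 6,     # 6 samples 5 s apart: 30 s of observation
        [int]$IntervalSeconds  = 5
    )
    $sets = Get-Counter -Counter $CounterPath -SampleInterval $IntervalSeconds -MaxSamples $Samples

    # Average each counter over the run so a single spike does not trip the check
    $sets | ForEach-Object { $_.CounterSamples } |
        Group-Object -Property { $_.Path -replace '^\\\\[^\\]+', '' } |   # drop \\MACHINE
        ForEach-Object {
            $path = $_.Name
            $avg  = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            $base = $Baseline[$path]
            # A baseline of zero (pending synchronizations) means any activity deviates
            $deviates = if ($base -eq 0) { $avg -gt 0 } else { $avg -gt ($base * $Tolerance) }
            [pscustomobject]@{
                Counter  = $path
                Average  = [math]::Round($avg, 2)
                Baseline = $base
                Deviates = $deviates
            }
        }
}

# Interactive check: rows with Deviates = True deserve a look at Event Viewer and the
# replication partners before the deviation becomes a meltdown
Test-AdDsBaseline | Format-Table -AutoSize

# Ongoing capture: a Data Collector Set that logs the same counters every 15 seconds
# to a binary log under C:\PerfLogs (started manually here; add -b/-e to schedule it)
logman create counter AD_DS_Baseline -c $counters -si 00:00:15 -o C:\PerfLogs\AD_DS_Baseline -f bin
logman start AD_DS_Baseline
```

Averaging over thirty seconds is a deliberate choice: the slide's warning about "noise" applies to alerting as much as to capture, and a single five-second sample of DRA Inbound Bytes during a replication cycle will always look like a deviation.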

  10. Active Directory Best Practices Analyzer • New tool in Windows Server 2008 R2 that helps administrators detect best-practice violations and implement best practices for: • AD DS • AD CS • DNS Server • Terminal Services

  11. Demonstration: Using Active Directory Best Practices Analyzer • In this demonstration, you will see how to use Active Directory Best Practices Analyzer

  12. Lab A: Monitor Active Directory Events and Performance • Exercise 1: Monitor AD DS with Performance Monitor • Exercise 2: Work with Data Collector Sets • Logon information • Estimated time: 30 minutes

  13. Lab Scenario • Last month, the only domain controller in the branch office failed, causing the call center of Contoso to be offline for an entire day. Because redundant authentication or monitoring had not been configured, this failure cost the company a significant amount of money in lost revenue. You were asked to configure monitoring to ensure that performance and reliability can be watched regularly for any signs of trouble.

  14. Lab Review • In which situations do you currently use, or plan to use event subscriptions as a monitoring tool? • To which events or performance counters would you consider attaching email notifications or actions? Do you use notifications or actions currently in your enterprise monitoring?

  15. Lesson 2: Manage the Active Directory Database • Active Directory Database Files • NTDSUtil • Restartable Active Directory Domain Services • Perform Database Maintenance • Demonstration: AD DS Database Maintenance • Active Directory Snapshots • Restore Deleted Objects

  16. Active Directory Database Files • NTDS.dit • The AD DS database file • All AD DS partitions and objects on the domain controller • Default location: systemroot\NTDS • EDB*.log • Transaction log • Default transaction log: EDB.log • Overflow logs: Edb000x.log • EDB.chk • Checkpoint file • Pointer into transaction log: which transactions have or have not been committed • edbres00001.jrs, edbres00002.jrs • Reserved transaction log files • Used if disk runs out of space so that transaction logs do not crash

  17. How the Database Is Modified • Write request • Transaction is initiated • Write to the transaction buffer • Write to the transaction log file (EDB.log) • Commit the transaction • Write to the database on disk (NTDS.dit) • Update the checkpoint (EDB.chk)

  18. NTDSUtil • Manage and control single master operations • Perform AD DS database maintenance • Perform offline defragmentation • Create and mount snapshots • Move database files • Clean domain controller metadata • Domain controller removal or demotion while not connected to domain • Reset Directory Services Restore Mode password • set dsrm

  19. Restartable Active Directory Domain Services • New feature in Windows Server 2008 • AD DS can be started or stopped by using the Services console • AD DS can be in three states: • AD DS Started • AD DS Stopped • Directory Services Restore Mode (DSRM) • It is not possible to perform a system state restore while AD DS is in the Stopped state

  20. Perform Database Maintenance • Garbage collection • Scavenging: Removing deleted items that have reached their tombstone lifetime • Defragmentation • Online defragmentation (part of garbage collection): Reclaims unused space • Offline defragmentation (manual): Releases unused space and reduces file size • Use NTDSUtil • Must be done in DSRM or by stopping AD DS

  21. Demonstration: AD DS Database Maintenance In this demonstration, you will see how to: • Stop the AD DS service • Simulate compacting the database • Simulate moving the database to a new volume • Restart the AD DS service
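The stop / compact / move / restart sequence from slides 20 and 21, as an added PowerShell example that is not part of the course. It assumes the database sits at the default systemroot\NTDS path, that the D: volume has room for a full copy, and that it runs in an elevated session on the domain controller. The part a practitioner most often skips is included: the original file is kept and put back if the ntdsutil integrity check fails, so AD DS never starts against a suspect database.

```powershell
# Added example, not from the course. Assumed paths; run elevated on the DC itself.
$ntdsPath   = 'C:\Windows\NTDS'    # default: systemroot\NTDS
$compactDir = 'D:\NTDS_Compact'    # ntdsutil writes the compacted copy here
$keepDir    = 'D:\NTDS_Before'     # original database and logs, kept until verified

function Invoke-NtdsUtil {
    # Runs ntdsutil non-interactively with the given command chain and fails loudly
    param([string[]]$Commands)
    & ntdsutil @Commands 'quit' 'quit'
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed: $($Commands -join ' ')" }
}

# 1. Stop AD DS (Restartable AD DS); -Force also stops dependents such as the KDC
Stop-Service -Name NTDS -Force

try {
    # 2. Keep the current database and transaction logs so a failure is recoverable
    New-Item -ItemType Directory -Path $keepDir, $compactDir -Force | Out-Null
    Copy-Item "$ntdsPath\ntds.dit" $keepDir -Force
    Copy-Item "$ntdsPath\*.log"    $keepDir -Force

    # 3. Offline defragmentation: write a compacted copy to the second volume
    Invoke-NtdsUtil 'activate instance ntds', 'files', "compact to $compactDir"

    # 4. Put the compacted file in place and delete the old logs, which belong to the
    #    previous copy of the database (ntdsutil prints this instruction itself)
    Copy-Item "$compactDir\ntds.dit" "$ntdsPath\ntds.dit" -Force
    Remove-Item "$ntdsPath\*.log"

    # 5. Verify the database that AD DS is about to start against
    Invoke-NtdsUtil 'activate instance ntds', 'files', 'integrity'
}
catch {
    # Roll back to the saved copy rather than start AD DS on a suspect file
    Write-Warning "Maintenance failed ($_); restoring the original database"
    Copy-Item "$keepDir\ntds.dit" "$ntdsPath\ntds.dit" -Force
    Copy-Item "$keepDir\*.log"    $ntdsPath -Force
}
finally {
    # 6. Restart AD DS either way: ntds.dit is now the verified compacted copy
    #    or the untouched original
    Start-Service -Name NTDS
}

# Moving the database to another volume (the second part of the demonstration) is a
# separate ntdsutil verb that also updates the registry path; with AD DS stopped:
#   Invoke-NtdsUtil 'activate instance ntds', 'files', 'move db to E:\NTDS'
```

Note that the compacted copy is written to a different volume on purpose: ntdsutil needs free space equal to the database size, and keeping the copy off the NTDS volume also keeps the "disk runs out of space" case from slide 16 out of reach while the logs are being replaced.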

  22. Active Directory Snapshots • Create a snapshot of Active Directory • NTDSUtil • Mount the snapshot to a unique port • NTDSUtil • Expose the snapshot • Right-click the root node of Active Directory Users and Computers and choose Connect to Domain Controller • Enter serverFQDN:port • View (read-only) snapshot • Cannot directly restore data from the snapshot • Recover data • Manually reenter data or • Restore a backup from the same date as the snapshot
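The snapshot workflow on this slide, worked as an added PowerShell example that is not part of the course: create a snapshot with ntdsutil, mount it, expose it with dsamain on a private LDAP port, read a deleted account's attributes from it with the Active Directory module, then tear everything down. The domain controller name DC01, port 51389, the default database path inside the snapshot and the account name agiorgi (the Adriana Giorgi case from the lab scenario) are assumptions.

```powershell
# Added example, not from the course. Assumptions: AD module available, DC is DC01,
# port 51389 free, database at the default path, account 'agiorgi' to look up.
$dc       = 'DC01'
$ldapPort = 51389

# 1. Create a snapshot (a VSS shadow copy of the volumes holding database and logs)
ntdsutil snapshot 'activate instance ntds' create quit quit
if ($LASTEXITCODE -ne 0) { throw 'snapshot creation failed' }

# 2. 'list all' prints one line per snapshot set and, beneath it, one per captured
#    volume ("  2: C: {guid}"); the volume entry is what gets mounted
$listing = ntdsutil snapshot 'list all' quit quit
$volLine = $listing | Where-Object { $_ -match '^\s*\d+:\s+[A-Z]:\s+\{' } | Select-Object -Last 1
if (-not $volLine) { throw 'no snapshot volume found' }
$volGuid = [regex]::Match($volLine, '\{[0-9A-Fa-f-]+\}').Value

$mountOut  = ntdsutil snapshot "mount $volGuid" quit quit
# Output reads "Snapshot {guid} mounted as C:\$SNAP_201104180100_VOLUMEC$\"
$mountPath = [regex]::Match(($mountOut -join ' '), '[A-Z]:\\\$SNAP_[^\s\\]+').Value
if (-not $mountPath) { throw "mount failed: $mountOut" }

# 3. Expose the mounted copy as a read-only LDAP server on its own port. dsamain
#    runs until stopped, so it is started as a separate process.
$dbInSnapshot = Join-Path $mountPath 'Windows\NTDS\ntds.dit'
$dsamain = Start-Process -FilePath dsamain.exe -PassThru `
    -ArgumentList "-dbpath `"$dbInSnapshot`" -ldapport $ldapPort"
Start-Sleep -Seconds 15   # give the LDAP listener time to come up

try {
    # 4. Read the account as it was when the snapshot ran; -Server takes host:port
    Import-Module ActiveDirectory
    $asOfSnapshot = Get-ADUser -Identity 'agiorgi' -Server "${dc}:$ldapPort" -Properties *
    # The snapshot cannot be restored from directly. These are the values to re-enter
    # after reanimating the object, or to check against a backup of the same date.
    $asOfSnapshot | Select-Object DistinguishedName, GivenName, Surname, Department, Mail,
        @{ n = 'Groups'; e = { $_.MemberOf -join '; ' } } | Format-List
}
finally {
    # 5. Tear down: stop dsamain first, then unmount the snapshot
    Stop-Process -Id $dsamain.Id -Force
    ntdsutil snapshot "unmount $volGuid" quit quit | Out-Null
}
```

Mounting by the GUID parsed from "list all" rather than by list index avoids the usual mistake of passing the snapshot-set index where ntdsutil expects the volume entry. A mounted snapshot is a full, readable copy of the directory, so the mount path and the dsamain port deserve the same access control as the live database.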

  23. Restore Deleted Objects • When an object is deleted • Stripped of almost every attribute except • SID, objectGUID, lastKnownParent, sAMAccountName • Moved to Deleted Objects container, marked as isDeleted • You can restore (“reanimate”) deleted (“tombstoned”) objects when • Domain functional level is Windows Server 2003 or newer • Deleted object has not yet been scavenged • To restore deleted objects: • LDP.exe • Modify isDeleted • Provide distinguished name (DN) • Repopulate all other attributes

  24. Lab B: Manage the Active Directory Database • Exercise 1: Perform Database Maintenance • Exercise 2: Work with Snapshots and Recover a Deleted User • Logon information • Estimated time: 15 minutes

  25. Lab Scenario • You are an administrator at Contoso, Ltd, which is an online university. At the end of the semester, 65 days ago, you deleted 835 user accounts for students who graduated or will no longer return to the program. You now want to compact your Active Directory database to reclaim the space released by that many deleted objects. In addition, you were notified that yesterday, one user account, Adriana Giorgi, was deleted by accident. You want to recover that account with a snapshot you have scheduled to run each night at 1:00 A.M.

  26. Lab Review • In which other situations should you mount a snapshot of Active Directory? • What are the disadvantages of restoring a deleted object with a tool such as LDP?

  27. Lesson 3: Active Directory Recycle Bin • Delete and Restore Objects from Active Directory • What Is Active Directory Recycle Bin? • Active Directory Recycle Bin Requirements • Demonstration: Restore Deleted Objects with Active Directory Recycle Bin

  28. Delete and Restore Objects from Active Directory • Deleted objects are recovered through tombstone reanimation • When an object is deleted, most of its attributes are cleared • Authoritative restore requires AD DS downtime

  29. What Is Active Directory Recycle Bin? • New feature of Windows Server 2008 R2 Active Directory • Provides a way to restore deleted objects without AD DS downtime • Uses the LDP.exe utility or Windows PowerShell with the Active Directory module

  30. Active Directory Recycle Bin Requirements • Feature is disabled by default; it must be manually enabled • Forest functional level must be Windows Server 2008 R2 • Adprep /forestprep and /domainprep might be necessary • Enabled by executing: • Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'

  31. Demonstration: Restore Deleted Objects with Active Directory Recycle Bin • In this demonstration, you will see how to restore deleted objects from Active Directory by using Active Directory Recycle Bin and ldp.exe utility
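The PowerShell route mentioned on slides 29 through 31, as an added example that is not part of the course: check the forest functional level, enable the Recycle Bin only if it is not already enabled, then locate and restore the two accounts from Lab C by name. It assumes the ActiveDirectory module, Enterprise Admins rights, and that the OU the accounts were deleted from still exists; the names come from the lab scenario and everything else is constructed.

```powershell
# Added example, not from the course. Assumes the ActiveDirectory module, Enterprise
# Admins rights, and that the accounts' original OU still exists.
Import-Module ActiveDirectory
$forest = Get-ADForest

# 1. Prerequisite: forest functional level Windows Server 2008 R2 (enum value 4) or higher
if ([int]$forest.ForestMode -lt 4) {
    throw "Forest mode is $($forest.ForestMode); raise it to Windows2008R2Forest first"
}

# 2. Enable the feature only if it is not already enabled (enabling is irreversible)
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

function Restore-DeletedUserByName {
    # Finds deleted user objects by name and restores each to the container it was
    # deleted from (lastKnownParent), returning the restored accounts
    param([string[]]$Name)
    foreach ($n in $Name) {
        # Deleted objects are renamed "<name>\0ADEL:<guid>" and carry isDeleted=TRUE.
        # Objects deleted before the feature was enabled are plain tombstones: this
        # still reanimates them, but their stripped attributes do not come back.
        $gone = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, whenChanged `
            -Filter "isDeleted -eq `$true -and Name -like '$n*' -and objectClass -eq 'user'"
        foreach ($obj in $gone) {
            # The parent OU may itself have been deleted; it has to be restored first
            try { $null = Get-ADObject -Identity $obj.lastKnownParent }
            catch {
                Write-Warning "$n : parent $($obj.lastKnownParent) is missing; restore it first"
                continue
            }
            Restore-ADObject -Identity $obj.ObjectGUID
            Get-ADUser -Identity $obj.ObjectGUID -Properties MemberOf, Department
        }
    }
}

Restore-DeletedUserByName -Name 'Aaron Lee', 'Terri Chudzik' |
    Select-Object Name, DistinguishedName, Enabled, @{ n = 'Groups'; e = { $_.MemberOf.Count } }
```

The parent check answers the second Lab C review question in practice: Restore-ADObject refuses to restore a child whose parent is still deleted, so an OU deletion is restored top down, which is easier to script than to do object by object in LDP.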

  32. Lab C: Using Active Directory Recycle Bin • Exercise 1: Enable the Active Directory Recycle Bin Feature • Exercise 2: Restore Deleted Objects with Active Directory Recycle Bin • Logon information • Estimated time: 20 minutes

  33. Lab Scenario • You are an administrator at Contoso, Ltd, which is an online university. At the end of the semester, a few days ago, you deleted 835 user accounts for students who graduated or will no longer return to the program. However, two user accounts, Aaron Lee and Terri Chudzik, were deleted by mistake and must be restored as soon as possible with minimum downtime.

  34. Lab Review • Will it be possible to restore these deleted objects if they were deleted before Active Directory Recycle Bin has been enabled? • In which scenarios is Windows PowerShell a more appropriate method for object restoration?

  35. Lesson 4: Back Up and Restore AD DS and Domain Controllers • Backup and Recovery Tools • Overview of AD DS and Domain Controller Backup • Demonstration: Backing Up AD DS • Additional Backup and Recovery Tools • Active Directory Restore Options • Nonauthoritative Restore • Authoritative Restore

  36. Backup and Recovery Tools • Windows Server Backup snap-in (use locally or remotely) • Back up a full server (all volumes) • Back up selected volumes • Back up individual files (Windows Server 2008 R2 only) • Back up system state (includes all critical volumes) • Recover volumes, folders, files, or system state • wbadmin.exe • Perform manual or automated backup • Back up to CD/DVD/HDD • No tape • Use a dedicated HDD for backup: recommended or required

  37. Overview of AD DS and Domain Controller Backup • You must back up all critical volumes • System volume: The volume that contains boot files • Boot volume: The volume that contains the Windows operating system and the registry • Volumes hosting SYSVOL, AD DS database (NTDS.dit), logs • Do not store other data on these volumes as it will increase backup and restore times • Windows Server Backup (wbadmin.exe)

  38. Demonstration: Backing Up AD DS In this demonstration, you will see how to: • Back up a domain controller

  39. Additional Backup and Recovery Tools • Active Directory Snapshots • Windows PowerShell cmdlets • Windows Recovery Environment • Boot to Windows Server 2008 DVD and choose System Recovery Options • Install locally as a boot option • Useful for full system recovery

  40. Active Directory Restore Options • Nonauthoritative (normal) restore • Restore domain controller to previously known good state of Active Directory • Domain controller will be updated by using standard replication from up-to-date partners • Authoritative restore • Restore domain controller to previously known good state of Active Directory • “Mark” objects that you want to be authoritative • Windows sets the version numbers very high • Domain controller is updated from its up-to-date partners • Domain controller sends authoritative updates to its partners • Full Server Restore • Typically performed in Windows Recovery Environment • Alternate Location Restore

  41. Nonauthoritative Restore • Restart the domain controller in DSRM • Locally: Press F8 on restart • Remotely using Remote Desktop: • Configure restart in DSRM: bcdedit /set safeboot dsrepair • Restart: shutdown -t 0 -r • Log on with the Administrator account and the DSRM password • Perform the nonauthoritative restore • Use Windows Server Backup (wbadmin.exe) to restore AD DS • Restart • Set normal restart: bcdedit /deletevalue safeboot • Restart: shutdown -t 0 -r • Domain controller replicates all changes since date of backup from its partners

  42. Authoritative Restore • Restart the domain controller in DSRM • Log on with the Administrator account and the DSRM password • Perform the nonauthoritative restore • Use Windows Server Backup (wbadmin.exe) to restore AD DS • Mark selected objects as authoritative • restore [object|subtree] “objectDN” • Authoritative changes have a higher version number than on partners • Restart • Restored domain controller replicates changes since date of backup • Partners see authoritative changes with high version numbers • Partners pull the authoritative changes from the restored domain controller
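Slides 36 through 42 as one added PowerShell example that is not part of the course: the system state backup, the reboot into DSRM, the wbadmin restore, the optional ntdsutil authoritative mark, and the return to a normal boot. Two reboots separate the stages, so each stage is a function meant to be run in the right boot mode rather than one script run top to bottom. The backup target E:, the version identifier and the Contractors OU distinguished name are assumed or constructed.

```powershell
# Added example, not from the course. Run elevated on the DC; the stages are separated
# by reboots, so call them one at a time. E: is an assumed dedicated backup disk.
$backupTarget = 'E:'

function Backup-DcSystemState {
    # Normal mode: system state covers the critical volumes (boot, system, SYSVOL, NTDS)
    wbadmin start systemstatebackup "-backupTarget:$backupTarget" -quiet
    if ($LASTEXITCODE -ne 0) { throw 'system state backup failed; check the Backup log' }
    # Version identifiers look like 04/18/2011-22:00 and are what the restore refers to
    wbadmin get versions "-backupTarget:$backupTarget"
}

function Enter-Dsrm {
    # Remote path from slide 41: set the safeboot BCD value, then restart
    bcdedit /set safeboot dsrepair
    shutdown -t 0 -r
}

function Restore-DcSystemState {
    # Must run in DSRM, logged on as .\Administrator with the DSRM password.
    # Without -AuthoritativeSubtree this is the nonauthoritative (normal) restore:
    # after the reboot the DC simply replicates everything newer from its partners.
    param(
        [Parameter(Mandatory = $true)][string]$Version,   # e.g. 04/18/2011-22:00 (constructed)
        [string]$AuthoritativeSubtree                     # e.g. OU=Contractors,DC=contoso,DC=com
    )
    wbadmin start systemstaterecovery "-version:$Version" "-backupTarget:$backupTarget" -quiet
    if ($LASTEXITCODE -ne 0) { throw 'system state recovery failed' }

    if ($AuthoritativeSubtree) {
        # Mark the subtree before rebooting: ntdsutil raises the version number of every
        # object in it (100000 per day since the backup, by default) so that partners
        # pull these copies instead of overwriting them with their own newer deletions
        ntdsutil 'activate instance ntds' 'authoritative restore' `
            "restore subtree `"$AuthoritativeSubtree`"" quit quit
        if ($LASTEXITCODE -ne 0) { throw 'authoritative restore marking failed' }
    }
}

function Exit-Dsrm {
    # Clear the safeboot value so the next boot is normal, then restart
    bcdedit /deletevalue safeboot
    shutdown -t 0 -r
}

# Stage 1 (normal mode): Backup-DcSystemState
# Stage 2 (normal mode): Enter-Dsrm
# Stage 3 (DSRM):        Restore-DcSystemState -Version '04/18/2011-22:00' `
#                            -AuthoritativeSubtree 'OU=Contractors,DC=contoso,DC=com'
# Stage 4 (DSRM):        Exit-Dsrm
```

The order inside stage 3 is the point of slide 42: the authoritative mark has to happen after the restore and before the reboot, because once AD DS starts, normal replication would bring the deletion back from the partners before anyone could mark the subtree.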

  43. Lab D: Back Up and Restore Active Directory • Exercise 1: Back Up Active Directory • Exercise 2: Restore Active Directory and a Deleted OU • Logon information • Estimated time: 15 minutes

  44. Lab Scenario • As an administrator in Contoso, Ltd, it is your responsibility to ensure that the directory service is backed up. Today, you noticed that last night's backup did not run as scheduled. You therefore decided to perform an interactive backup. Shortly after the backup, a domain administrator accidentally deletes the Contractors OU. Luckily, you are able to restore the OU with the backup you just made.

  45. Lab Review • What type of domain controller and directory service backup plan do you have in place? What do you expect to put in place after having completed this lesson and this lab? • When you restore a deleted user (or an OU with user objects) using authoritative restore, will the objects be exactly the same as before? What attributes might not be the same?

  46. Module Review and Takeaways • Review Questions • Common Issues Related to Directory Service Continuity • Best Practices Related to Directory Service Continuity • Tools • Windows Server 2008 R2 Features Introduced in This Module
