Directory Service Continuity • Monitor Active Directory • Manage the Active Directory Database • Back Up and Restore AD DS and Domain Controllers
Understand Performance and Bottlenecks • Key system resources • CPU • Disk • Memory • Network • Bottleneck: Resource that is currently at peak utilization • Tools • Task Manager • Event Viewer • Resource Monitor • Reliability Monitor • Performance Monitor • System Center Operations Manager
Task Manager • Starting taskmgr.exe • CTRL+SHIFT+ESC • CTRL+ALT+DEL • Right-click taskbar • Start taskmgr.exe • Real-time performance • Applications • Processes • Services • Performance • High-level CPU, network, memory • No disk counters • Logged-on users • Entry point to Resource Monitor
Resource Monitor • Full view of key system components • Click each graph to expand/collapse the component • Launching Resource Monitor • Task Manager → Performance → Resource Monitor • Start perfmon /res • Home view of Windows Reliability and Performance Monitor (WRPM) snap-in
Event Viewer • What you see • Many more logs • Summary and custom views based on cross-log queries • Role-based views in Server Manager • More detailed events • What you can do • Integrate with Task Scheduler: E-mails or actions based on event • Subscribe to events from other computers
Demonstration: Event Viewer In this demonstration, we will • Explore Event Viewer • Identify the Active Directory logs • Directory Service • Domain Name System (DNS) • Distributed File System Replication (DFSR) • Group Policy Operational log • Discover the new features in the Windows Server 2008 Event Viewer
Custom Views • Aggregate events from multiple logs • Filter • Reuse • Export for import to other computers • [Diagram: Event 1 (Security log), Event 2 (System log), and Event 3 (DFS log) aggregated in Event Viewer]
Subscriptions • Collect events from one or more computers • Store the events locally • Use Windows Remote Management (WinRM) • Require WinRM exceptions in firewall
Windows Reliability and Performance Monitor (WRPM) • Track system changes (Reliability Monitor) • Display real-time or logged performance data (Performance Monitor) • Generate reports or graphical views of performance • Generate alerts • Take action when thresholds are reached • Collect data (Data Collector Sets and Reports) • Generate reports • Generate graphical views of logged performance
Reliability Monitor • Tracks system changes • Software install/uninstall • Application failures • Windows failures • Hardware failures
Performance Monitor • Useful counters in any server baseline • Memory \ Pages/sec • PhysicalDisk \ Avg. Disk Queue Length • Processor \ % Processor Time • Useful counters for monitoring Active Directory • NTDS \ DRA Inbound Bytes Total/sec • NTDS \ DRA Inbound Object • NTDS \ DRA Outbound Bytes Total/sec • NTDS \ DRA Pending Replication Synchronizations • NTDS \ Kerberos Authentications/sec • NTDS \ NTLM Authentications
Data Collector Sets • Collections of data points • Performance counters • Event trace data • System configuration information (registry keys) • Use to • View real-time performance with Performance Monitor • Create a log (manually invoked or scheduled) and then view Reports • Generate alerts based on thresholds • Use by other applications • Create • Start from a template; role templates added by Windows • Save an existing set of counters in a Performance Monitor view • Manually specify and configure data collectors in a set • Export/import data collector set as XML
Monitoring Best Practices • Monitor early to establish baselines! • Document performance when things are working well • Include server and role-related counters during idle and busy times • Monitor often to identify potential problems • Compare to baseline and watch for troublesome deviation • Know how to monitor and interpret performance before a meltdown • Establish Data Collector Sets • Build the skills to interpret performance counters • Capture appropriately • Don’t overcapture • Degrades performance • Creates “noise,” making it difficult to identify real problems
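The baseline-then-compare practice above, applied to the counters from the Performance Monitor slide, as an added example that is not part of the original slides. The baseline file name and the 2x deviation threshold are assumptions; it must run on a domain controller, where the NTDS counter set exists.

```powershell
# Added example (not from the original slides). Run on a domain controller.
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Compare',
    [string]$BaselinePath = '.\dc-baseline.xml',  # hypothetical file name
    [double]$DeviationFactor = 2.0                # assumed threshold: 2x baseline
)
$ErrorActionPreference = 'Stop'

$counters = @(
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\DRA Pending Replication Synchronizations',
    '\NTDS\NTLM Authentications'
)

# One minute of data: 12 samples, 5 seconds apart.
$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 12

# Average each counter over the capture window.
$current = $samples | ForEach-Object { $_.CounterSamples } |
    Group-Object Path | ForEach-Object {
        New-Object psobject -Property @{
            Path    = $_.Name
            Average = ($_.Group | Measure-Object CookedValue -Average).Average
        }
    }

if ($Mode -eq 'Baseline') {
    # Capture this while the server is healthy, at both idle and busy times.
    $current | Export-Clixml -Path $BaselinePath
    return
}

$baseline = @{}
Import-Clixml -Path $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_.Average }

$current | ForEach-Object {
    $status = 'ok'
    if (-not $baseline.ContainsKey($_.Path)) { $status = 'no baseline' }
    elseif ($baseline[$_.Path] -eq 0) { if ($_.Average -gt 0) { $status = 'DEVIATION' } }
    elseif ($_.Average -gt $baseline[$_.Path] * $DeviationFactor) { $status = 'DEVIATION' }
    New-Object psobject -Property @{
        Path = $_.Path; Baseline = $baseline[$_.Path]; Average = $_.Average; Status = $status
    }
} | Select-Object Path, Baseline, Average, Status | Format-Table -AutoSize
```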
Active Directory Database Files (File • Description)
NTDS.dit • The AD DS database file • All AD DS partitions and objects on the domain controller • Default location: systemroot\NTDS
EDB*.log • Transaction log • Default transaction log: EDB.log • Overflow logs: Edb000x.log
EDB.chk • Checkpoint file • Pointer into transaction log: which transactions have or have not been committed
edbres00001.jrs, edbres00002.jrs • Reserved transaction log files • Used if disk runs out of space, so that transaction logs do not crash
How the Database Is Modified • [Diagram; labels: EDB.chk; Update the checkpoint; Write Request; Commit the transaction; Write to the database on disk; Write to the transaction buffer; Transaction is initiated; Write to the transaction log file; NTDS.dit on Disk; EDB.log]
NTDSUtil • Manage and control single master operations (Module 11) • Perform AD DS database maintenance (Module 13) • Perform offline defragmentation • Create and mount snapshots • Move database files • Clean domain controller metadata • Domain controller removal or demotion while not connected to domain • Reset Directory Services Restore Mode password • set dsrm
Perform Database Maintenance • Garbage collection • Scavenging: Removing deleted items that have reached their tombstone lifetime • Defragmentation • Online defrag (part of garbage collection): reclaims unused space • Offline defrag (manual): releases unused space, reduces file size • Use NTDSUtil • Restartable AD DS • You can stop AD DS in Services just like any other service • For applying updates that affect AD DS files • Before performing offline defragmentation
Active Directory Snapshots • Create a snapshot of Active Directory • NTDSUtil • Mount the snapshot to a unique port • NTDSUtil • Expose the snapshot • Right-click the root node of Active Directory Users and Computers and choose Connect to Domain Controller • Enter serverFQDN:port • View (read-only) snapshot • Cannot directly restore data from the snapshot • Recover data • Manually re-enter data or • Restore a backup from the same date as the snapshot
Restore Deleted Objects • When an object is deleted • Stripped of almost every attribute except • SID, objectGUID, lastKnownParent, sAMAccountName • Moved to Deleted Objects container, marked as isDeleted • You can restore (“reanimate”) deleted (“tombstoned”) objects when • Domain functional level is Windows Server 2003 or greater • Deleted object has not yet been scavenged • Steps • LDP.exe • Modify isDeleted • Provide distinguished name (DN) • Repopulate all other attributes
Backup and Recovery Tools • Windows Server Backup snap-in (use locally or remotely) • Back up a full server (all volumes) • Back up selected volume(s) • Back up system state (includes all critical volumes) • Recover volumes, folders, files, or system state • wbadmin.exe • Perform manual or automated backup • Back up to CD/DVD/HDD • No tape! • Use a dedicated HDD for backup: recommended or required
Overview of AD DS and Domain Controller Backup • You must back up all critical volumes • System volume: The volume that contains boot files • Boot volume: The volume that contains the Windows operating system and the registry • Volume(s) hosting SYSVOL, AD DS database (NTDS.dit), logs • Do not store other data on these volumes as it will increase backup and restore times • Windows Server Backup (wbadmin.exe)
Other Backup and Recovery Tools • Active Directory Snapshots • PowerShell cmdlets • Windows Recovery Environment • Boot to Windows Server 2008 DVD and choose System Recovery Options • Install locally as a boot option • Useful for full system recovery • Microsoft System Center Data Protection Manager 2007
Active Directory Restore Options • Nonauthoritative (normal) restore • Restore domain controller to previously known good state of Active Directory • Domain controller will be updated using standard replication from up-to-date partners • Authoritative restore • Restore domain controller to previously known good state of Active Directory • “Mark” objects that you want to be authoritative • Windows sets the version numbers very high • Domain controller is updated from its up-to-date partners • Domain controller sends authoritative updates to its partners • Full Server Restore • Typically performed in Windows Recovery Environment • Alternate Location Restore
Nonauthoritative Restore • Restart the domain controller in DSRM • Locally: Press F8 on restart • Remotely using remote desktop: • Configure restart in DSRM: bcdedit /set safeboot dsarepair • Restart: shutdown -t 0 -r • Log on with the Administrator account and the DSRM password • Perform the nonauthoritative restore • Use Windows Server Backup (wbadmin.exe) to restore AD DS • Restart • Set normal restart: bcdedit /deletevalue safeboot • Restart: shutdown -t 0 -r • Domain controller replicates all changes since date of backup from its partners
Authoritative Restore • Restart the domain controller in DSRM • Log on with the Administrator account and the DSRM password • Perform the nonauthoritative restore • Use Windows Server Backup (wbadmin.exe) to restore AD DS • Mark selected objects as authoritative • restore [object|subtree] "objectDN" • Authoritative changes have a higher version number than on partners • Restart • Restored domain controller replicates changes since date of backup • Partners see authoritative changes with high version numbers • Partners pull the authoritative changes from the restored domain controller
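The nonauthoritative and authoritative restore steps above, collected into one phased script as an added example that is not part of the original slides. The parameter names and the phase split are assumptions of this example; the backup version identifier comes from `wbadmin get versions`, and the DN passed to `-AuthoritativeDN` is assumed to contain no spaces.

```powershell
# Added example (not from the original slides). Run elevated on the domain
# controller, once per phase, because each phase is separated by a restart.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('EnterDsrm', 'Restore', 'ExitDsrm')]
    [string]$Phase,
    [string]$BackupVersion,    # identifier listed by 'wbadmin get versions'
    [string]$AuthoritativeDN   # subtree to mark authoritative; omit for a nonauthoritative restore
)
$ErrorActionPreference = 'Stop'

# Run a native tool and stop the procedure if it reports failure.
function Invoke-Native([string]$Exe, [string[]]$Arguments) {
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

switch ($Phase) {
    'EnterDsrm' {
        Invoke-Native bcdedit @('/set', 'safeboot', 'dsarepair')
        Invoke-Native shutdown @('-t', '0', '-r')
    }
    'Restore' {
        # SAFEBOOT_OPTION is set by Windows in safe-mode boots; DSREPAIR means DSRM.
        if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
            throw 'Not running in DSRM; run -Phase EnterDsrm first.'
        }
        if (-not $BackupVersion) {
            Invoke-Native wbadmin @('get', 'versions')
            throw 'Re-run with -BackupVersion set to one of the identifiers listed above.'
        }
        # Nonauthoritative restore of system state (includes AD DS).
        Invoke-Native wbadmin @('start', 'systemstaterecovery', "-version:$BackupVersion", '-quiet')
        if ($AuthoritativeDN) {
            # Mark the subtree authoritative BEFORE the normal restart.
            Invoke-Native ntdsutil @('activate instance ntds', 'authoritative restore',
                                     "restore subtree $AuthoritativeDN", 'quit', 'quit')
        }
    }
    'ExitDsrm' {
        Invoke-Native bcdedit @('/deletevalue', 'safeboot')
        Invoke-Native shutdown @('-t', '0', '-r')
    }
}
```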