Friday, August 9, 2013

Active directory 2003 - Backup and restore

Backing up Active Directory

The most important thing to accomplish when backing up Active Directory is to create a backup of 
the System State, which contains most of the AD configuration.


System State data

   · Registry
   · COM+ Class Registration Database
   · System boot files (boot.ini, NTLDR)
   · Files protected by Windows File Protection (OS files)
   · Certificate Services database
   · IIS metabase
   · AD components and the SYSVOL folder (on a DC backup only)

Restoring Active Directory

  1.      Restart the Domain Controller.

  2.      Launch the system in “Directory Services Restore Mode”. We choose this option because 
  Active Directory is a database, and you cannot restore the backup you created in the regular 
  mode: a database cannot be restored while its database file is already open!

  3.      Now we need to choose the type of restore:

     Non-authoritative Restore - Used most commonly when a DC fails because of hardware or software problems. The default method of restoring Active Directory is non-authoritative. This method restores Active Directory to the server in question, which then receives all of the recent updates from its replication partners in the domain. For example, a server that has a System State backup from two days ago goes down. A restore of the two-day-old Active Directory would be performed, and it would then be updated from the other domain controllers when the next replication takes place. No other steps would be required.

Note!
In that case all changes made on the other DCs will apply: if the backup contained a user object and we deleted that object on another DC, then after the restore we will not see it, because the server receives the current replica, which is more up to date than the backup, and for that reason the object we just recovered disappears again!

     Authoritative Restore - This method restores the DC directory to the state it was in when the backup was made, then overwrites all the other DCs to match the restored DC, thereby removing any changes made since the backup. Authoritative restores do not have to cover the entire directory; you can restore only parts of it. When only part of Active Directory is restored, say an organizational unit, that information is pushed out to the remaining DCs and they are overwritten. The rest of the directory's information is then replicated to the restored DC's directory, which is updated normally.

To perform this kind of restore we do exactly the same thing as in the non-authoritative case, but the main difference is that we do not restart the server until we have finished the following commands:

Note!
Each DC keeps an update sequence number (USN) on its objects; every change made to an AD object raises the object's number (so the other DCs can tell which copy is more up to date), and the servers then replicate the most updated objects. This command raises the numbers of the users in the backup to the highest level so they will win when replication happens.

Open CMD
ntdsutil
ntdsutil: authoritative restore
authoritative restore: restore subtree "CN=David Tzhmach,OU=Sales,OU=Chicago,DC=idi,DC=com"    (here only the single object named in that DN is raised)
authoritative restore: quit
ntdsutil: quit

Restart...! 
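The whole procedure described above (the System State backup from the first section, then the authoritative restore of one subtree and the checks that show it took effect), as an added PowerShell example that is not from the original post. It assumes a backup path of D:\Backup, a replication partner named DC2 and the DN from the post; those names are assumptions, and Part 2 must be run in Directory Services Restore Mode after the non-authoritative restore from the .bkf file and before the reboot.

```powershell
# Added example (not from the original post). Assumed: D:\Backup, partner DC "DC2",
# and the DN used in the post.
$BackupFile = 'D:\Backup\SystemState.bkf'
$RestoredDn = 'CN=David Tzhmach,OU=Sales,OU=Chicago,DC=idi,DC=com'
$PartnerDc  = 'DC2'

# --- Part 1: run on a healthy DC, on a schedule. ntbackup writes the System State
# (registry, SYSVOL, NTDS database, boot files, ...) into a single .bkf file.
function Backup-SystemState {
    param([string]$Path)
    & ntbackup.exe backup systemstate /J 'AD System State' /F $Path /M normal /V:yes /L:s
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Path)) {
        throw "System State backup failed (ntbackup exit code $LASTEXITCODE)"
    }
    # Size and timestamp are the quick sanity check that the job actually wrote data.
    Get-Item $Path | Select-Object FullName, Length, LastWriteTime
}

# --- Part 2: run in Directory Services Restore Mode, after the non-authoritative
# restore of the .bkf and BEFORE rebooting. ntdsutil accepts its commands as
# arguments, so the interactive session from the post becomes one call.
function Invoke-AuthoritativeRestore {
    param([string]$Dn)
    # Same command as the post: raise the version numbers of every object under $Dn
    # so they win against the copy the other DCs hold when replication resumes.
    & ntdsutil.exe 'authoritative restore' "restore subtree `"$Dn`"" quit quit
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed (exit code $LASTEXITCODE)" }
}

# --- Part 3: after the reboot into normal mode. Confirm the object exists locally,
# look at its raised attribute versions, force replication, then confirm the
# partner DC sees it too (the thing that silently fails after a non-authoritative restore).
function Test-RestoredObject {
    param([string]$Dn, [string]$Partner)
    & dsquery.exe * $Dn -scope base -attr distinguishedName whenChanged
    # The "Ver" column should be far higher here than on $Partner: ntdsutil raises it
    # by 100,000 for every day that has passed since the backup.
    & repadmin.exe /showobjmeta $env:COMPUTERNAME $Dn
    & repadmin.exe /syncall $env:COMPUTERNAME /e /A /P
    # Once replication has run, the same query against the partner must return the object.
    & dsquery.exe * $Dn -s $Partner -scope base -attr distinguishedName
}
```

Run `Backup-SystemState $BackupFile` as the scheduled job, `Invoke-AuthoritativeRestore $RestoredDn` only in DSRM after the System State restore, and `Test-RestoredObject $RestoredDn $PartnerDc` after the reboot; if the last dsquery against the partner returns nothing, the authoritative restore step was skipped or run after the reboot, and the restored object has been overwritten by the newer replica exactly as the note above describes.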
