Restoring Active Directory

Active Directory in Windows Server 2008. Multiple domain controllers: this is the golden rule that must be followed in all medium and large organizations. With several controllers the recovery principle changes significantly. Let's try to understand why. Imagine that you have two domain controllers named DC1 and DC2 (controllers of the same domain). Both hold an identical Active Directory database, and if you change it on one, the change automatically appears on the other: this is the replication process.

Now let's settle on a backup schedule:

Sunday: full backup of the system partition (described in the first part of the article)

Monday through Saturday: system state backup (described in the first part of the article)

Everything was fine, but on Thursday, due to problems, the DC1 domain controller stopped working. You have several ways to restore the controller; let's consider them.

  • Way one: restore the system state that was made on Wednesday. To do this, you will need to start the controller in DSRM (Directory Services Restore Mode) and use Windows Server Backup to restore the state. But for this the controller must boot into DSRM, which may not be possible.
  • Way two: if the controller cannot be booted into DSRM, the recovery procedure begins by restoring the system partition that was backed up on Sunday. After you restore DC1 from this archive, the computer will boot normally.

With either option, two controllers appear whose Active Directory databases are not synchronized: DC1 has the version of the database from the day of the backup, and DC2 has the current, newest version.

Which version will take precedence?

If you carry out the restore in the manner described in the first part of the article, the controller that remained working has priority; in our situation it is DC2. Everything that is in Active Directory on DC1 after the restore will be updated to the state of DC2. This method is called a non-authoritative restore.

Or maybe we can do without Windows Server Backup?

Recently I came across the position of a Microsoft employee who, when asked how to restore a domain controller, answered "Why?". At first I wondered whether he was joking, but then his arguments became clear to me. The idea is as follows. Medium-sized organizations usually have 3, 4, 5 or more domain controllers, and the chance of losing them all at once is close to 0. To cover that chance, we back up only two of them: the controller or controllers that own FSMO roles and are therefore of particular value. All the rest just live their lives, and if one of them fails, we simply install a new OS and promote a new domain controller; it should be noted that in terms of time these are equivalent procedures.

You may be tempted to stop making backups altogether: we will hardly lose all the controllers, and the FSMO roles can be seized if needed. That temptation is harmful, and here's why. Losing Active Directory objects does not only mean accidentally deleting a user. You can accidentally delete an organizational unit with all its contents with a script, and simply returning it from the Deleted Objects container will not bring everything back in its original form. And the change has already replicated: every controller knows about the deletion. In this situation you need a backup.

Follow the rule: "There are no extra backups".

Replication Priority

Since a standard restore of the "repaired" controller replicates Active Directory from the working controllers, this method will not work for us. We need to force a change in replication priority and replicate information from the restored controller to the rest. This is called a forced, or authoritative, restore.

In Windows Server 2003, we could perform an authoritative restore in three ways:

  • Forced restore of the entire database.

This procedure was done using the ntdsutil utility. In Windows Server 2008, the ntdsutil utility remains, but it can no longer forcibly restore the entire database.

Only the following remain:

  • Forced restore of an organizational unit with its contents.

  • Forced restore of a single object.

Therefore, we always need to know which objects have been deleted. Naturally, you will not be able to keep such information in your head. For this, the Active Directory database mounting tool was created in Windows Server 2008.

The Active Directory database mounting tool is designed to improve, and specifically simplify, the process of restoring the directory service. In Windows Server 2003, if we had many archives and did not know which one contained the information needed for recovery, we had to play roulette, restoring one archive after another and checking its contents.

In Windows Server 2008 the situation is different. Using the database mounting tool, we can view the contents of the database at a particular point in time.

Unfortunately, we cannot view the contents of AD for any arbitrary moment, but only for the moments when a snapshot was created. I will say right away that a snapshot here is not the kind of snapshot we are used to in VMware. It records which objects were present in the database, but it does not itself participate in restoring those objects.

From the above, we can conclude:

In order to have an up-to-date picture of the contents of each backup, a snapshot should be created just before it. The batch file run before the backup should contain the following:

ntdsutil.exe "activate instance NTDS" snapshot create quit quit

Be sure the snapshot has time to finish before the backup starts.
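As an added example (not the article's downloadable batch file), the following PowerShell script ties the two steps together: it creates the snapshot, checks that ntdsutil actually reported success before continuing, and only then starts the System State backup. The target volume E:, the C:\Backup working directory and the file names are assumptions.

```powershell
# Added example, not the article's batch file. Creates an AD snapshot, verifies that
# ntdsutil reported success, then runs the System State backup.
# Assumptions: run elevated on the domain controller; backup target volume E:;
# C:\Backup already exists (log and ntdsutil output paths are hypothetical).
$BackupTarget = 'E:'
$WorkDir      = 'C:\Backup'
$LogFile      = Join-Path $WorkDir 'ad-backup.log'
$NtdsOut      = Join-Path $WorkDir 'ntdsutil-snapshot.txt'

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss}  {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Step 1: create the snapshot. Start-Process -Wait blocks until ntdsutil exits,
# so the snapshot is complete before the backup is started.
Write-Log 'Creating Active Directory snapshot'
$ntds = Start-Process -FilePath 'ntdsutil.exe' `
    -ArgumentList '"activate instance ntds" snapshot create quit quit' `
    -Wait -PassThru -NoNewWindow -RedirectStandardOutput $NtdsOut

# ntdsutil does not reliably signal failure through its exit code, so look for the
# "Snapshot set {GUID} generated successfully." line it prints on success.
$snapshotLine = Select-String -Path $NtdsOut `
    -Pattern 'Snapshot set \{[0-9a-fA-F-]{36}\} generated successfully' |
    Select-Object -First 1
if (-not $snapshotLine) {
    Write-Log "Snapshot failed (ntdsutil exit code $($ntds.ExitCode)); backup aborted"
    Get-Content $NtdsOut | ForEach-Object { Write-Log "  ntdsutil: $_" }
    exit 1
}
Write-Log "Snapshot created: $($snapshotLine.Matches[0].Value)"

# Step 2: System State backup to the target volume (-quiet suppresses the prompt).
Write-Log "Starting System State backup to $BackupTarget"
$wb = Start-Process -FilePath 'wbadmin.exe' `
    -ArgumentList "start systemstatebackup -backupTarget:$BackupTarget -quiet" `
    -Wait -PassThru -NoNewWindow
if ($wb.ExitCode -ne 0) {
    Write-Log "wbadmin failed with exit code $($wb.ExitCode)"
    exit $wb.ExitCode
}
Write-Log 'System State backup completed'
```

Schedule the script with Task Scheduler in place of the batch file; the log shows whether a backup was skipped because its snapshot did not complete.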

Fig. 1. Creating an Active Directory snapshot

Authoritative restore of a domain controller using System State

The background is as follows: one of the administrators deleted the BetaTesters organizational unit, which contained one or more accounts; we don't know exactly. Information about the deletion managed to replicate to all domain controllers. We have several system state archives from previous days. We do not know exactly when the organizational unit was deleted.

    First, we need to choose which system state to restore. We do not know the date of the deletion. To find it, we use the snapshots that are created shortly before each backup. Running the ntdsutil utility, we look at the list of snapshots of our AD.

    Fig. 2. Viewing available Active Directory snapshots

    To do this, at the command line we type ntdsutil, then snapshot, then activate instance ntds, then list all. As a result, we get a list of the created Active Directory snapshots. The first snapshot was taken on April 13; I'll start with it.

    In the same context I run the mount command, substituting the ID of the first Active Directory snapshot. An example is in Figure 3. After this operation, drive C: will contain a reference object named $SNAP_date. Entering it, you will see the structure of your system disk at the moment the snapshot was taken.

    Fig. 3. Mounting an Active Directory snapshot

    The snapshot is mounted. I open a second command prompt window and run the dsamain utility. We execute a tricky command that exposes the snapshot as an LDAP server. In the command, specify the path to the ntds.dit file in the mounted snapshot and the port of the LDAP server (I recommend 50001).

    Fig. 4. Using dsamain.

    Without closing the window, launch the Active Directory Users and Computers snap-in. Select a connection to another domain controller.

    Fig. 5. Changing the domain controller.

    In the dialog that appears, specify the connection as "server_name:port specified in dsamain"; in my case it is "DC:50001".

    Fig. 6. Selecting an LDAP server

    Clicking "OK" takes us to the "Active Directory Users and Computers" snap-in, which now shows read-only data as of the moment the Active Directory snapshot was created. I find the OU "BetaTesters", and in it the user "Rud Ilya". The conclusion is as follows: since the snapshot created on April 13 contains the deleted OU, we need to restore the system state from April 13.

    Fig. 7. Viewing AD snapshot information.

    Don't forget to unmount the snapshot before you reboot into Directory Services Restore Mode. This is done with the unmount command and the snapshot ID.

    Fig. 8. Unmounting a snapshot

    We are now ready to reboot one of the domain controllers into Directory Services Restore Mode. I described how to do this in the first part of the article. Please note that when logging on in DSRM, you must use the DSRM administrator account, not the domain one.

    Fig. 9. Logging on in DSRM. Specify Computer_Name\Administrator

    Fig. 10. List of system states (SystemStates)

    We need to restore the system state from April 13, so the command is: wbadmin start systemstaterecovery -version:archive_time

    Fig. 12. Restoring the system state.

    Each Active Directory object has a version number, and if the same object has different version numbers on two controllers, the correct (newer) object is the one with the higher version. After the recovery process completes, you must run ntdsutil and raise the version number of the deleted Active Directory branch, that is, of our container.

    This is done as follows: ntdsutil, then activate instance ntds, then authoritative restore, then restore subtree "DN of the object to be restored forcibly". An example is in Figure 13.

    Fig. 13. Choosing what will be restored forcibly.

Outcome: We authoritatively restored the OU with all contents using system state and Active Directory snapshots. In Windows Server 2008, we can force restore either organizational units with all content, or specific objects. The "restore database" command from ntdsutil has been removed, so we won't be able to forcibly restore the entire Active Directory database.

If you are restoring an archive of the system disk of a domain controller and want to force-restore some part of AD, then immediately after the restore, without letting the controller boot in normal mode, enter Directory Services Restore Mode and use ntdsutil to specify which part of AD should be restored authoritatively.


One important aspect of using Active Directory is recovery from failure. To protect against failure, it is always worth having a reliable System State backup. Backing up the system state ensures that the files critical to the functioning of the system are preserved.

These files include Active Directory, the system registry, and the contents of the SYSVOL folder, which holds logon scripts and Group Policy templates. When a domain controller fails, the best recovery method is generally not to restore it at all.

Whenever network bandwidth permits and there is a second domain controller in the domain, try to reinstall the Windows operating system (or restore it from an ASR backup) and rerun DCPromo to promote the server to a domain controller again. This results in a clean system.

Because Active Directory can only be backed up as part of System State, when you restore Active Directory, you must also restore System State. If the server has completely failed, then restoring the system to different hardware can lead to problems.

If problems occur after recovery, perform an operating system repair to resolve any configuration errors.

Thus, if all other attempts to fix the problem have failed and you have a valid system state backup and you need to restore the Active Directory database, you can use one of three types of restore.

  • Primary: select this option if you are restoring the first domain controller and no other domain controllers are running in the domain. If you choose this option, the remaining domain controllers must be restored non-authoritatively.
  • Authoritative: used only when the Active Directory database needs to be returned to the state it was in at the time of the backup. Such a restore should only be performed after serious errors, such as deleting an organizational unit, or if you need to roll back all previous actions. This restore option requires that you run ntdsutil after the restore to select the objects that are authoritative for replication.
  • Non-authoritative: this option is used in 99% of cases of restoring the Active Directory database. The data is restored, after which the domain controller receives updates from the other domain controllers in the forest (which brings it back into synchronization).

When starting an Active Directory restore, the restore option is selected in the Advanced Restore Options dialog box of the Backup application. Once again, I emphasize that restoration should be considered only as a last resort.

If the domain controller is the only DNS server and DNS uses AD-integrated zones, the DNS zone data will be inaccessible while the domain controller is booted into Directory Services Restore Mode.

If the system state is being restored over the network using a third-party backup utility, it may be necessary to add the appropriate entries to the hosts file (this provides name resolution for all computers participating in the recovery process).

Sergey Yaremchuk

Backing up and restoring Active Directory objects in Windows Server 2008/2008 R2

Active Directory is the standard in corporate networks running Windows. While it gives the administrator effective tools that are outwardly easy to use, it is nevertheless quite complex in its structure and composition. In addition, no one is immune from failures of the operating system or programs, hardware failure or human error. Therefore, one must always be prepared to take measures to restore operation as a whole or of individual elements.

About the need for backup

Each new version of Windows Server brings new tools that simplify and automate management, so that even a novice administrator can handle it. One common opinion among such "specialists" is a general refusal to back up domain controllers. The argument is simple. Medium and large organizations use multiple domain controllers; this is an axiom. The probability that everything fails in one day is practically zero, unless the servers are carted off by order of the prosecutor or through an error in the organization of security, but that case, you will agree, is out of the ordinary. Therefore, if one domain controller fails, all the others keep working normally, and a new server is prepared to replace it. They are partly right, but backing up at least two controllers (in case of an error) holding the FSMO roles (Flexible Single-Master Operations) is still mandatory. That is what Microsoft and common sense recommend. And there is another main argument in favor of backups. Ease of management leads to a higher percentage of errors. Accidentally deleting an Active Directory object is pretty easy, and it need not be an intentional action; it may happen, for example, as a result of an error in a script. And restoring all the settings will take some effort.

If the error is not discovered immediately and the change has already replicated to the other controllers, you will need a backup. I'm not talking about small organizations with a single domain controller.

A document showing the backup and restore capabilities of Windows Server 2008 is Gil Kirkpatrick's article "Backing Up and Restoring Active Directory in Windows Server 2008", which I recommend reading. But while the backup questions are fully covered, the restoration, in my opinion, is shown somewhat superficially and does not give a complete picture. This article, in fact, grew out of notes compiled for that extreme case.

Windows Server Backup

In Windows Server 2008, NT Backup was replaced by a completely new component, Windows Server Backup (WBS), based on VSS (Volume Shadow Copy Service). WBS is a fairly powerful application that allows you to restore the system, including to another computer, and supports a number of services, among them AD.

Installing WBS is simple: you just need to activate the "Windows Server Backup Features" component plus the "Windows Server Backup" sub-item. The latter includes the MMC management console and the new wbadmin command-line tool. Additionally, the "Command Line Tools" item is available, which includes PowerShell scripts that allow you to create and manage backups.

On the command line, installation is even easier:

> servermanagercmd -install Backup-Features

Or in Server Core:

> ocsetup WindowsServerBackup

Backups can be managed from the MMC console or from the command line. So, to back up the critical volumes, you would type:

> wbadmin Start Backup -backupTarget:E: -allCritical

With a full copy, I think everything is clear. In the context of the article, we are more interested in backing up the system state using the SystemStateBackup parameter. By the way, this feature was not available in the first builds of Windows Server 2008, and it is not available via MMC:

> wbadmin Start SystemStateBackup -backupTarget:E:

In this case, a file-by-file copy of the system state and some services, including AD, is made. The most inconvenient part is that each time a full copy has to be created (for a freshly installed system approximately 7 GB), and the process is somewhat slower than a normal backup. On the other hand, such a copy can be restored to another computer with an identical configuration.

The command can only copy to another volume, but KB944530 describes how to enable backing up to any volume. To do this, add a DWORD value named AllowSSBToAnyVolume with a value of 1 under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup registry key.

With backup there are usually no problems; everything is simple and clear. Difficulties begin when it is necessary to restore the health of AD or accidentally deleted objects. Using SystemState copies allows you to do without restoring the entire system and simply restore the previous state of the AD services. The graphical console designed for data recovery does not see SystemState copies (they are located on the disk in a separate SystemStateBackup directory). If you try to start the recovery process on a working system, you get a message stating that, since the archive contains the Active Directory Domain Services, the operation must be performed in Directory Services Restore Mode (DSRM). This is one of the disadvantages, since the domain controller will be unavailable during this time.

The new BCD boot mechanism introduced in Windows since Vista, which removed the good old boot.ini, forces us to take a few more steps to get into DSRM. The OS has a special utility for editing the bootloader parameters (you can find graphical utilities on the Internet, but I think they have no place on a server). We create a copy of the default boot entry:

> bcdedit /copy {default} /d "Directory Service Repair Mode"

When finished, check:

> bcdedit /enum

The new item should appear in the list.

We reboot, select the Directory Service Repair Mode entry and, after pressing the key for the boot options menu, choose "Directory Service Restore Mode". Please note that in this mode you log on with the local administrator credentials, not a domain account. Then list the available backups:

> wbadmin get versions

And restore using the received version identifier as a parameter:

> wbadmin start systemstaterecovery -version:05/21/2009-21:02

If you are restoring from a local drive, the backupTarget parameter, which tells wbadmin where to get the backup, is optional. If the copy is located on a network share, it is written like this:

-backupTarget:\\computer\backup -machine:server-ad

Despite the warning that appears, restoring the directory service usually goes without problems. After the reboot, we see a message stating that the initiated recovery operation has completed successfully.

Going to the Active Directory management console, we find that everything is in its place ... except for new objects created after the backup was made. In principle, such a result is expected. And to restore individual objects, there is a completely different way (even several).

Force Restore of Objects with NTDSUTIL

Windows Server includes the NTDSUTIL command-line utility for maintaining, managing and controlling Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). The utility becomes available on the system after the AD DS role is installed. In Windows Server 2008, its functionality has changed somewhat. In Windows Server 2003 it could restore the entire database, but in 2008 wbadmin does an excellent job of that, which is probably why its recovery capabilities were slightly reduced. Now, using NTDSUTIL, you can restore an organizational unit with all its contents or a single object.

Its work is based on Active Directory snapshots taken using the VSS service. A snapshot is a compact backup of a running Active Directory with all its directories and files. Creating such a copy, unlike SystemState, is very fast and takes a few seconds. We launch ntdsutil:

> ntdsutil

Go to the snapshot context:

ntdsutil:snapshot

Activate the instance (short form "ac i ntds") and create the snapshot:

snapshot: activate instance ntds

snapshot: create

After a while, we get information about the created snapshot, exit:

snapshot: quit

ntdsutil: quit

Now, to restore the Active Directory database, it is enough to enter "ntdsutil files repair" at the DSRM command line, but we are interested in a single object.

You can view the list of deleted objects using LDP.exe or the Get-ADObject and Restore-ADObject PowerShell cmdlets (there are other options).

In LDP, for example, connect to the server, select "Options -> Controls" and in the "Load Predefined" drop-down list set the Return deleted objects control. Then go to "View -> Tree" and select the domain context. As a result, the CN=Deleted Objects container will appear in the tree on the right, where we find all the deleted objects.

Now the important thing: when an object is deleted, it loses a large and important part of its attributes (in particular the password, managedBy and memberOf), so after restoring it, it will not be exactly the way we want it to be. All this is clearly visible in LDP. But there are several options here:

  • increase the number of attributes that are preserved when an object is placed in the deleted objects store;
  • restore the object and then return its attributes;
  • and best of all, protect the object from accidental deletion.

There are several ways to restore a deleted object. The most convenient is Mark Russinovich's AdRestore utility. Download it and enter:

> adrestore -r user

We get an object with only some of its attributes.

The remaining methods are described in KB840001, they are not so simple, so I will not dwell on them.

Restoring object attributes

A snapshot taken with ntdsutil contains the object and its attributes. The snapshot can be mounted and exposed as a virtual LDAP server from which objects can be exported. We launch ntdsutil:

> ntdsutil

ntdsutil:snapshot

View the list of available snapshots:

snapshot: list all

Mount the required snapshot with the mount command, giving its index or GUID from the list. Once it is mounted, you can navigate in Explorer to the indicated directory and see what is inside. Exit ntdsutil by typing quit twice; the snapshot stays mounted. Now, using the dsamain utility, we create a virtual LDAP server, passing the path to the ntds.dit file located in the mounted snapshot. I chose 10000 as the LDAP server port:

> dsamain -dbpath C:\$SNAP_200904230019_VOLUMEC$\Windows\NTDS\ntds.dit -ldapPort 10000

Startup of Microsoft Active Directory Domain Services version 6.0.6001.18000 completed

You can connect to the virtual LDAP server using the Active Directory Users and Computers console, specifying port number 10000 as a parameter, and view the objects inside.

We export the attributes of the desired object to an ldf file; more about ldifde can be found in KB237677.

> ldifde -r "(name=user)" -f export.ldf -t 10000

In the resulting ldf file, change changetype: add to changetype: modify, save it as import.ldf and import it into the directory:

> ldifde -i -z -f import.ldf

There are other import/export options using DSGET/DSMOD, PowerShell and so on. For example, to read the user's group memberships from the snapshot and add the user back to those groups in the live directory:

> dsget user cn=user,ou=ou1,dc=domain,dc=ru -s localhost:10000 -memberof | dsmod group -c -addmbr cn=user,ou=ou1,dc=domain,dc=ru

Another method is based on the fact that each Active Directory object has a version number. If the version numbers on two domain controllers differ, the object with the higher version number is considered the newer, valid one. This is what the "authoritative restore" mechanism uses: the object restored with ntdsutil is assigned a higher number and is accepted by AD as the new one. For the authoritative restore mechanism to work, the server is again rebooted into DSRM.

> ntdsutil "activate instance ntds" "authoritative restore" "restore object cn=user,ou=group,dc=domain,dc=ru" q q

An organizational unit is restored in the same way:

> ntdsutil "activate instance ntds" "authoritative restore" "restore subtree ou=group,dc=domain,dc=ru" q q

Protecting objects from deletion

To begin with, Windows Server 2008 R2 gave administrators another domain functional level, so such a server can be configured at one of four levels: Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2. It can be specified during installation using dcpromo or, if a lower level was selected, raised using the "Raise the domain (forest) functional level" menu in Active Directory Administrative Center, discussed a little further on. Moreover, the reverse operation is also possible: lowering the functional level of the domain and forest, if they are at the Windows Server 2008 R2 level, back to Windows Server 2008; lower, to 2003 or 2000, is impossible. Most of the new features are only available if the domain is at the R2 level. So, starting with Windows Server 2008, an additional item appeared in an object's properties, allowing it to be protected from accidental deletion. More precisely, it existed before, but now it no longer has to be searched for.

In Windows Server 2008, it is available when creating an organizational unit (OU) and is called "Protect object (container) from accidental deletion". This flag appears only when a new OU is created. For existing OUs, as well as newly created groups, computers and accounts, it can be activated on the "Object" tab of the properties window (visible when "View -> Advanced Features" is active).

In R2, the required "Protect from accidental deletion" item is available in the properties of an individual account, computer, group and OU, in the most prominent place. It is enough to check the box, and when trying to delete the object, the administrator receives a warning that the operation cannot be performed. Remember that the checkbox protects from deletion only the object on which it is set. That is, if it is activated for a group, the setting does not apply to the individual members of the group, and it will still be possible to delete any object inside if it is not protected by its own flag. The situation is slightly different when deleting an unprotected OU. If it contains no protected objects, the OU is deleted completely. But if there are such objects, then in the window that appears check the box "Use delete subtree server control". Otherwise, instead of deleting the OU itself with all its elements, an attempt will actually be made to clean the OU of the objects that have no protection. Moreover, as experiments show, this cleaning will be incomplete: on meeting the first protected object the program stops and issues a warning. This is true for both Windows Server 2008 and R2 RC.
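As an added example (not from the article), this PowerShell script sets the protection flag on every OU and then reports the objects inside protected OUs that are still unprotected, which is exactly the gap described above: the flag does not propagate to children. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and rights to modify the OUs.

```powershell
# Added example, not the article's code. Protects all OUs from accidental deletion and
# reports unprotected children, because the flag covers only the object it is set on.
# Assumes the ActiveDirectory PowerShell module and rights to modify the OUs.
Import-Module ActiveDirectory

function Protect-AllOrganizationalUnits {
    $ous = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion
    foreach ($ou in $ous | Where-Object { -not $_.ProtectedFromAccidentalDeletion }) {
        # Equivalent to ticking the checkbox: adds Deny Delete / Delete Subtree ACEs.
        Set-ADObject -Identity $ou.DistinguishedName -ProtectedFromAccidentalDeletion $true
        Write-Host "Protected OU: $($ou.DistinguishedName)"
    }
}

function Get-UnprotectedChildren {
    param([Parameter(Mandatory)][string]$SearchBase)
    # Users, computers and groups directly inside the OU that carry no protection flag.
    Get-ADObject -SearchBase $SearchBase -SearchScope OneLevel `
        -LDAPFilter '(|(objectCategory=person)(objectCategory=computer)(objectCategory=group))' `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

Protect-AllOrganizationalUnits

# Per-OU report: the OU itself is now protected, but these objects can still be deleted.
$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $children = @(Get-UnprotectedChildren -SearchBase $ou.DistinguishedName)
    if ($children.Count -gt 0) {
        [pscustomobject]@{
            OU                 = $ou.DistinguishedName
            UnprotectedObjects = $children.Count
            Examples           = ($children | Select-Object -First 3 -ExpandProperty Name) -join ', '
        }
    }
}
$report | Format-Table -AutoSize
```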

The object is protected from accidental deletion

Active Directory Recycle Bin

Windows Server 2008 R2 introduced a new feature, the Active Directory Recycle Bin (AD RB), automatically activated when the domain is at the Windows Server 2008 R2 level. In essence it is similar to the Recycle Bin in Windows, where deleted files go, and an accidentally deleted object can be restored from it quickly and without problems. Moreover, an object restored from AD RB immediately gets back all its attributes. By default, the lifetime of a deleted object in AD RB is 180 days, after which it passes out of the Recycle Bin lifetime, loses its attributes, and after a while is deleted completely. You can change these values using the msDS-deletedObjectLifetime attribute. If during the installation of AD a level below R2 was selected and then raised with the command:

PS C:\> Set-ADForestMode -Identity domain.ru -ForestMode Windows2008R2Forest

then AD RB must be enabled separately, using the Enable-ADOptionalFeature PowerShell cmdlet:

PS C:\> Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=ru' -Scope ForestOrConfigurationSet -Target 'domain.ru'

Restoring a deleted object is now very simple:

PS C:\> Get-ADObject -Filter {displayName -eq "user"} -IncludeDeletedObjects | Restore-ADObject

The Get-ADObject and Restore-ADObject cmdlets have many options, allowing you, for example, to find the OU that the deleted account belonged to and then restore the entire OU. The document "Restore a Deleted Active Directory Object" describes all of this in detail.
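As an added example (not from the article), the following PowerShell script restores a deleted OU and everything that was inside it from the Recycle Bin, handling the order problem the cmdlets leave to you: a child cannot be restored while its lastKnownParent is still deleted, so the OU comes back first and the children follow. It assumes a forest at the Windows Server 2008 R2 level with the Recycle Bin enabled, the ActiveDirectory module, and that the OU was deleted as a subtree; the OU name "BetaTesters" is borrowed from the first article.

```powershell
# Added example, not the article's code. Restores a deleted OU and its former contents
# from the AD Recycle Bin, parents before children.
# Assumes: Windows Server 2008 R2 forest level, Recycle Bin enabled, ActiveDirectory
# module, and that the OU was deleted as a subtree (children deleted before the OU).
Import-Module ActiveDirectory

function Restore-ChildrenOf {
    param([Parameter(Mandatory)][string]$ParentDn,
          [Parameter(Mandatory)][string]$DeletedBase)
    # Deleted objects keep the DN of their former parent in lastKnownParent.
    $children = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
                    -SearchBase $DeletedBase -Properties lastKnownParent |
                Where-Object { $_.lastKnownParent -eq $ParentDn }
    $count = 0
    foreach ($child in $children) {
        Restore-ADObject -Identity $child.ObjectGUID
        $count++
        $restored = Get-ADObject -Identity $child.ObjectGUID
        Write-Host "Restored: $($restored.DistinguishedName)"
        # Recurse so nested OUs and their contents come back as well.
        $count += Restore-ChildrenOf -ParentDn $restored.DistinguishedName -DeletedBase $DeletedBase
    }
    return $count
}

function Restore-DeletedSubtree {
    param([Parameter(Mandatory)][string]$OuName)
    $deletedBase = "CN=Deleted Objects,$((Get-ADDomain).DistinguishedName)"

    # A deleted object is renamed to "<name>\nDEL:<guid>"; compare the part before the newline.
    $ou = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "organizationalUnit"' `
              -IncludeDeletedObjects -SearchBase $deletedBase |
          Where-Object { $_.Name.Split("`n")[0] -eq $OuName } |
          Select-Object -First 1
    if (-not $ou) { throw "No deleted OU named '$OuName' in the Recycle Bin" }

    # Parent first: afterwards the children's lastKnownParent DN exists again.
    Restore-ADObject -Identity $ou.ObjectGUID
    $restoredOu = Get-ADObject -Identity $ou.ObjectGUID
    Write-Host "Restored OU: $($restoredOu.DistinguishedName)"

    $n = Restore-ChildrenOf -ParentDn $restoredOu.DistinguishedName -DeletedBase $deletedBase
    Write-Host "Restored $n object(s) inside $OuName"
}

Restore-DeletedSubtree -OuName 'BetaTesters'
```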

Conclusion

Despite the capabilities of the new server operating systems from Microsoft, backups of Active Directory controllers must be carried out systematically and constantly, without which it is impossible to restore individual objects or OUs. Moreover, in addition to Windows Server Backup, you should create snapshots using ntdsutil. The backup process is simplified and data volumes are reduced if the domain controller does not perform other functions.

  1. Gil Kirkpatrick. Backing Up and Restoring Active Directory in Windows Server 2008 - http://technet.microsoft.com/en-us/magazine/cc462796.aspx
  2. KB944530. Error message when you try to perform a system state backup in Windows Server 2008 - http://support.microsoft.com/kb/944530
  3. AdRestore utility - http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx
  4. KB840001. How to restore deleted user accounts and their group memberships in Active Directory - http://support.microsoft.com/kb/840001
  5. KB237677. Using the LDIFDE Tool to Import and Export Directory Objects in Active Directory - http://support.microsoft.com/kb/237677/en
  6. Windows Server 2008 R2 page - http://www.microsoft.com/windowsserver2008/ru/ru/default.aspx
  7. Step 2: Restore a Deleted Active Directory Object - http://technet.microsoft.com/en-us/library/dd379509.aspx

The System State of a domain controller includes the following components:

  • Active Directory database and transaction logs;
  • system files and startup files protected by Windows;
  • the domain controller's system registry;
  • all DNS zone information integrated with Active Directory;
  • the SYSVOL folder;
  • COM+ class registration database;
  • Certificate Services database (if the domain controller is also a Certificate Services server);
  • Cluster service information;
  • Microsoft Internet Information Services (IIS) metabase (if IIS is installed on the computer).

All of these components must be backed up and restored together, because they are tightly integrated. For example, if a certificate issued by Certificate Services was assigned to an Active Directory object, both the Certificate Services database (which records that the certificate was issued) and the Active Directory object (which records that the certificate was assigned to it) must be preserved consistently.

Backup programs can make various types of backups: normal, incremental, differential and so on. A system state backup of a domain controller is always a normal (full) backup: all files that belong to the system state are copied and marked as backed up.

The general practice is that every domain controller should take part in the regular backup cycle. One exception can be made when several domain controllers are located in the same office: a failed domain controller can then be recovered by installing a new domain controller and letting replication populate its directory. Even in that scenario, at least some of the domain controllers should be backed up in case a disaster takes out every domain controller in the office. In either case, the domain controllers that hold operations master (FSMO) roles must be backed up.

Another issue to consider is how often a domain controller must be backed up. Active Directory requires that a backup be no older than the tombstone lifetime, which is 60 days by default (forests created with Windows Server 2003 SP1 or later set it to 180 days). The reason lies in how Active Directory handles deletions. When an object is deleted, it is not removed from the directory immediately: it is converted into a tombstone, most of its attributes are stripped, and the tombstone is replicated to every other domain controller. Only after the tombstone lifetime expires is it physically removed from each domain controller's database. If a domain controller is restored from a backup older than the tombstone lifetime, the directory can end up inconsistent between domain controllers. Suppose a user is deleted one day after the backup is taken, and the tombstone stays in the directory for 60 days. If that backup is restored more than 60 days after the deletion, the restored domain controller contains the user object again, but since the tombstone no longer exists anywhere, no replication partner will ever tell it to delete the object. The restored domain controller now holds a copy of an object that exists in no other replica, a so-called lingering object. For this reason the backup and restore tools refuse to restore the directory from a backup that is older than the tombstone lifetime.

Although the tombstone lifetime sets a hard upper bound on the backup interval, domain controllers should be backed up far more often than every 60 days. Restoring a domain controller from a backup that is more than a couple of days old causes plenty of problems of its own. Because an Active Directory restore brings back the entire system state, everything in it is rolled back: if the server is also a Certificate Services server, any certificates issued after the backup was created are missing from the Certificate Services database; drivers updated or applications installed since the backup will not work, because the registry has been rolled back to its earlier state. Almost every company runs a backup schedule in which at least some servers are backed up every night; domain controllers belong in that schedule.
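The tombstone lifetime is not a fixed number you can assume: it is stored on the Directory Service object in the configuration partition and, when the attribute is absent, defaults to 60 days. The script below is an added example (not from the original text) that reads the forest's effective value and compares it with the newest Windows Server Backup set on the local domain controller, so that the "backup older than the tombstone lifetime" failure described above is caught before anyone tries a restore. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and the Windows Server Backup cmdlets; all other names are standard.

```powershell
# Added example, not from the original text: is the newest backup of this DC still usable,
# i.e. younger than the forest's tombstone lifetime?
# Assumes: ActiveDirectory module (WS2008 R2+) and Windows Server Backup cmdlets.
Import-Module ActiveDirectory
# WS2012+ ships the cmdlets as a module, WS2008 R2 as a snap-in; try both.
Import-Module WindowsServerBackup -ErrorAction SilentlyContinue
if (-not (Get-Command Get-WBBackupSet -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Windows.ServerBackup -ErrorAction SilentlyContinue
}

function Get-TombstoneLifetimeDays {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties tombstoneLifetime
    # An unset attribute means the 60-day default; forests created with WS2003 SP1
    # or later carry an explicit 180.
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-BackupWithinTombstoneLifetime {
    $tsl          = Get-TombstoneLifetimeDays
    $oldestUsable = (Get-Date).AddDays(-$tsl)
    $latest       = Get-WBBackupSet | Sort-Object BackupTime -Descending | Select-Object -First 1

    if (-not $latest) {
        Write-Warning 'No Windows Server Backup sets found on this server.'
        return $false
    }

    "Tombstone lifetime   : $tsl days"
    "Newest backup        : $($latest.BackupTime)"
    "Oldest usable backup : $oldestUsable"

    if ($latest.BackupTime -lt $oldestUsable) {
        Write-Warning ('Newest backup is older than the tombstone lifetime; restoring it would ' +
                       'reintroduce lingering objects and the restore will be refused.')
        return $false
    }
    $daysLeft = [int](($latest.BackupTime - $oldestUsable).TotalDays)
    "Backup stays usable for another $daysLeft day(s); keep backing up nightly regardless."
    return $true
}

Test-BackupWithinTombstoneLifetime
```

Run it in an elevated PowerShell on the domain controller. As a cross-check that does not depend on the backup catalog, `repadmin /showbackup` reports the date of the last system state backup that each directory partition knows about, because a successful backup stamps the partition with a backup signature.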

Recovery process

There are two reasons why you might need to restore Active Directory [13].

  • The first is when the database becomes unusable, because the hard drive of one of the domain controllers has failed or the database is corrupted to the point where it can no longer be loaded.
  • The second is when, by mistake, someone has deleted an organizational unit containing several hundred user and group accounts. Restoring the information is then far preferable to re-entering it.

If you are planning to restore Active Directory because the database on one of the domain controllers is no longer usable, there are two ways to proceed [13].

  • The first option is not to restore Active Directory on the failed server at all, but to build a replacement by promoting another server running Windows Server 2003 to a domain controller. This restores the function of the domain controller rather than Active Directory on that particular machine. If you take this route, remove the failed domain controller's metadata from the directory (ntdsutil metadata cleanup) and seize any operations master roles it held; otherwise the remaining domain controllers keep trying to replicate with a partner that no longer exists.
  • The second option is to repair the failed server and then restore the Active Directory database onto it. This is a non-authoritative restore: the database is restored from the backup, and all changes made to Active Directory since the backup was taken are then replicated to the restored domain controller from its partners.

If you plan to restore Active Directory because someone deleted a large number of objects, restore the Active Directory database on one of the domain controllers from a backup that still contains the deleted objects, and then perform an authoritative restore of those objects. An authoritative restore marks the restored objects (ntdsutil raises their version numbers) so that, when replication resumes, they replicate to all other domain controllers and overwrite the deletion there. Everything else on that domain controller remains non-authoritative and is brought up to date by normal replication.

Restoring Active Directory requires a system state backup [4], [6]: the registry, the COM+ class registration database, the system boot files and, if the server is also a Certificate Services server, the Certificate Services database. When the computer is restarted in Directory Services Restore Mode, you must log on as the local administrator with the DSRM (Security Accounts Manager) account name and password that were set when the server was promoted to a domain controller. A domain administrator account cannot be used, because Active Directory is offline and cannot authenticate it; DSRM authenticates against the local SAM account database instead. If the DSRM password has been lost, reset it with ntdsutil ("set dsrm password") while the domain controller is running normally, before you need it.
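The non-authoritative restore, the authoritative marking of a subtree, and the DSRM logon described above are stages of one procedure, so here is the whole sequence as the commands would be typed on the domain controller. This is an added example, not text from the original article: it assumes Windows Server 2008 (wbadmin and ntdsutil), a backup on drive E:, a deleted OU named OU=Sales,DC=example,DC=com, a scratch directory C:\ARestore, and a version identifier copied from the output of `wbadmin get versions`; all of those are illustrative assumptions.

```powershell
# Added example, not part of the original text: authoritative restore of one OU on a
# Windows Server 2008 domain controller. Assumed: backup on E:, OU=Sales,DC=example,DC=com,
# scratch folder C:\ARestore, version identifier copied from "wbadmin get versions".

# --- 0. Before any disaster, while the DC runs normally: know the DSRM password.
ntdsutil "set dsrm password" "reset password on server null" quit quit

# --- 1. Boot into Directory Services Restore Mode and log on as .\Administrator
#        with the DSRM password (domain accounts do not work; AD is offline).
bcdedit /set safeboot dsrepair
Restart-Computer

# --- 2. In DSRM: restore the system state. On its own this is NON-authoritative;
#        everything restored would be overwritten by the other DCs after reboot.
wbadmin get versions -backupTarget:E:
$version = '10/15/2008-22:00'   # assumed; copy the "Version identifier" you want from the list above
wbadmin start systemstaterecovery -version:$version -backupTarget:E: -quiet

# --- 3. Still in DSRM, before rebooting: mark the deleted subtree authoritative.
#        ntdsutil raises the version numbers of those objects so that, after reboot, these
#        copies win replication against the deletion recorded on the other DCs. The
#        ar_*_objects.txt and ar_*_links_*.ldf files it writes land in the current directory.
New-Item -ItemType Directory -Force C:\ARestore | Out-Null
Set-Location C:\ARestore
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Sales,DC=example,DC=com" quit quit

# --- 4. Leave DSRM and boot normally; the restored OU now replicates outward.
bcdedit /deletevalue safeboot
Restart-Computer

# --- 5. After replication has converged: re-import the group-membership back-links that
#        ntdsutil exported for groups in other domains (see KB840001 and KB237677 in the
#        references). -k makes ldifde ignore "already exists" errors.
Get-ChildItem 'C:\ARestore\ar_*_links_*.ldf' | ForEach-Object { ldifde -i -k -f $_.FullName }

# --- 6. Verify from another DC (Get-ADOrganizationalUnit needs WS2008 R2's AD module).
repadmin /showrepl
Get-ADOrganizationalUnit 'OU=Sales,DC=example,DC=com'
```

Two points are easy to get wrong: the authoritative restore must run after the system state restore and before the reboot, because once the domain controller replicates normally the restored-but-unmarked objects are deleted again; and `bcdedit /deletevalue safeboot` must be run, or the server keeps booting into DSRM.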

The program supports the most popular file systems (FAT12, FAT16, FAT32, NTFS, NTFS5, NTFS + EFS) and works with IDE, ATA and SCSI hard drives, flash drives, memory cards and floppy disks, as well as RAID arrays, which matters to system administrators in particular. An ordinary user, however, will also have no trouble recovering deleted or damaged files with it.

The program recognizes 28 file types by their signatures: documents, photographs and other images, music, video, archives and so on. Professional and amateur photographers can search specifically for the RAW photo formats of their camera's manufacturer (Leica, Canon, Nikon, Sony and others), which narrows the search and shortens image recovery.

Two scan modes, QuickScan (fast) and SuperScan (slow), together with a search filter that accepts part of a file name, help cut the time needed to find and recover the files you want. Either way, the program's algorithms recover data quickly even from large hard drives, which many competing utilities struggle with.

The program's interface will be clear even to an inexperienced user, but even experienced users who are dealing with data recovery for the first time may run into questions. We have therefore written a guide to Active File Recovery that takes you through the process from launching the application to the moment you get your lost data back.

Instructions for using Active File Recovery

For the walkthrough we took four files: a video (mp4), an audio file (mp3), a Word document (doc) and a picture (jpg), copied them to a microSD memory card and formatted the card. Now let's try to recover these files after the format and make sure the program works.

Image #1: Files to be recovered

Image #2: Formatting a memory card

After unpacking the program archive, run "file recovery.exe". The start window opens (see Image #4), listing all connected storage devices, including the memory card we formatted (ChipBnk Flash Disk). Select it and click "SuperScan" for the slower but more thorough scan of the card.

Image #4: Choosing a device to scan

A small window with scan settings opens. Here you can enable a search for deleted partitions, if there were any, and below that choose which file types the program should look for by signature. If you want to find and restore everything that was on the drive before the format or deletion, leave "All (Slow)" selected, but bear in mind that the scan will then take much longer.

Image #5: Scan Settings

If you know exactly which file types you need to recover, choose "Some" and click "Select...". Ticking only the extensions we are interested in shortens the search. In our case four file types were selected (see Image #6).

Image #6: Selecting the file type

Now click "OK" and then "Start". The scan begins, and its progress is shown as a percentage in the lower left corner.

Image #7: Scanning process

When the scan completes, a "SuperScan" folder stamped with the date and time appears on the left, beneath the list of devices. Open it, and on the right you see the file types the program found. Select them and click the "Recover" button at the top. You are then asked where to save the recovered files; choose a location on a different drive than the one you are recovering from, so that writing the results cannot overwrite data that has not been recovered yet, and click "Recover" again to start the recovery.

Image #8: Data Recovery

When recovery finishes, open the folder you chose: the files are saved there, one subfolder per file type. Check that they open, and rejoice. The one drawback is that the program could not restore the original file names after the format, though this is not always the case.
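The lost file names and the "recognizes files by their signatures" claim earlier on the page are two sides of the same mechanism: a quick format wipes the directory entries, where the names live, but leaves the data clusters intact, so a carver finds files by scanning the raw device for known magic bytes and can only label them by type. The script below is an added example, not code from the article or from Active File Recovery, showing that scan in miniature; the byte array is a constructed stand-in for a raw image of the card, and the five signatures are the public magic numbers of the formats used in the walkthrough.

```powershell
# Added example, not from the article: signature-based file carving on a raw image.
# The $image below is a constructed stand-in for a raw dump of the memory card. In practice
# you would read the device itself, e.g. a [System.IO.FileStream] on \\.\PhysicalDrive<n>
# opened as administrator (reads must be sector-aligned).

# Public magic numbers; Offset is where the magic sits inside the file's first bytes.
$signatures = @(
    @{ Type = 'jpg'; Magic = [byte[]](0xFF,0xD8,0xFF);                              Offset = 0 },
    @{ Type = 'png'; Magic = [byte[]](0x89,0x50,0x4E,0x47);                         Offset = 0 },
    @{ Type = 'mp3'; Magic = [byte[]](0x49,0x44,0x33);                              Offset = 0 }, # "ID3" tag
    @{ Type = 'mp4'; Magic = [byte[]](0x66,0x74,0x79,0x70);                         Offset = 4 }, # "ftyp" box
    @{ Type = 'doc'; Magic = [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1);     Offset = 0 }  # OLE2
)

function Find-FileSignatures {
    param([byte[]] $Image, [int] $ClusterSize = 512)
    # Files start on cluster boundaries, so only aligned offsets are tested. Testing every
    # byte offset instead finds fragments too, at a large cost in time.
    $hits = @()
    for ($pos = 0; $pos + 16 -le $Image.Length; $pos += $ClusterSize) {
        foreach ($sig in $signatures) {
            $start = $pos + $sig.Offset
            $match = $true
            for ($i = 0; $i -lt $sig.Magic.Length; $i++) {
                if ($Image[$start + $i] -ne $sig.Magic[$i]) { $match = $false; break }
            }
            if ($match) { $hits += [pscustomobject]@{ Offset = $pos; Type = $sig.Type } }
        }
    }
    return $hits
}

# Constructed image: three 512-byte clusters holding a JPEG header, an MP4 'ftyp' box
# ("....ftypmp42") and an empty cluster. No directory entry exists, hence no names.
$image = New-Object byte[] (3 * 512)
[Array]::Copy([byte[]](0xFF,0xD8,0xFF,0xE0), 0, $image, 0, 4)
[Array]::Copy([byte[]](0x00,0x00,0x00,0x18,0x66,0x74,0x79,0x70,0x6D,0x70,0x34,0x32), 0, $image, 512, 12)

Find-FileSignatures -Image $image | Format-Table -AutoSize
```

On the constructed image the scan reports a jpg at offset 0 and an mp4 at offset 512 and nothing for the empty cluster; a real tool would go on to follow each format's length fields to find where the file ends. Nothing in the data clusters carries the original name, which is why the walkthrough ended with correctly recovered but anonymously named files.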