The standard Backup utility (NTBackup.exe) allows you to back up and restore both critical data and Active Directory. Operations with Active Directory can only be done locally for each domain controller. A backup operation is performed while a DC is online. To restore Active Directory on a DC, you must boot this DC into Directory Service Restore Mode (press <F8> at the computer startup).
Backing up Active Directory is a part of the process of saving the System State data of a DC. You cannot back up (or restore) individual items of the System State. On a member server or a workstation, the System State includes the following:
COM+ Class Registration Database
On a domain controller, two other items are added (Fig. 8.9):
Fig. 8.9: Components of a domain controller's System State
Active Directory (the ntds.dit, edb.chk, edb*.log, and resl.log and res2.log files)
SYSVOL (System Volume) (by default, the %SystemRoot%\SYSVOL\sysvol folder)
If the Certificate Services are installed on a server or DC, there is one more item:
From the foregoing, it is possible to draw two very important conclusions:
Modifications of the schema are irreversible, so you cannot restore an older version of the schema. Created attributes and classes cannot be deleted, and it is only possible to deactivate them. When restoring Active Directory, you cannot mark the Schema partition as authoritative.
A recovery plan should take into account the lifetime of the Active Directory tombstones (60 days, by default; minimal value is 2 days). This parameter is stored (if it is defined) in the tombstoneLifetime attribute of a directory object named N=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<ForestRoot>. Tombstone is a deleted object that is maintained in Active Directory during its lifetime, before the system eventually destroys it. The age of the backup tape should not exceed this period of time, otherwise the outdated data will be rejected.
To reduce the amount of replicated data while promoting a Windows .NET-based server to additional domain controller, you can use a backup file that contains the System State of an existing DC. Therefore, you first need to save current Active Directory information. This operation will be the same the System State backup discussed below. Chapter 5, "Installing Active Directory," covers information on how to restore a backup file and use it for the promotion of a server.
To back up the System State:
Run the Backup utility: click Start | All Programs | Accessories | System Tools | Backup or enter ntbackup in the Run window.
Click the Backup tab and check the System State box in the tree pane. (You can include some files in the backup as well.)
Enter the name of the backup file in the Backup media or file name field (keep the file extension BKF) and click Start Backup.
In the Backup Job Information window (Fig. 8.10), enter the necessary data and click Advanced.
Fig. 8.10: Configuring a backup operation
The next window (Fig. 8.11) will allow you to set backup options. The System State should always be saved as a normal backup. You might want to clear the Automatically backup System Protected Files with the System State box set by default if you need a compact backup file without all system files. Usually, it is enough to have such a compact file (40–50 MB for small domains) for many operations related to saving/restoring Active Directory. A full backup of the System State will be about 300 MB in size.
Fig. 8.11: Defining additional backup parameters
Close the Advanced Backup Options window and click Start Backup — the backup process will begin.
Only the full backup will allow you to safely restore a crashed DC. It is possible to repair the system from scratch in about 30–40 minutes. Restore a domain controller image from a CD or network drive by using an image-duplicating tool like Norton Ghost. Boot the server, and restore the full backup file. You will get a fully operational DC retaining its SID, GUID, and other mandatory Active Directory parameters.
Restore is a more complicated process than back up. Generally, you have two options:
Reinstall the system on the damaged computer, promote it to a domain controller, and copy Active Directory information from other DCs through replication. You will get an entirely new DC, and, therefore, need to delete any references to the old DC from Active Directory.
Restore Active Directory from backup media, retaining the DC identity (SID, GUID, etc.).
There are three different methods of restoring the System State from the backup media:
Perform a primary restore when you have the only DC in the domain and want to rebuild this domain. A primary restore builds a new FRS database; therefore, the restored data will be replicated to other controllers in the domain.
If there is at least one operational DC in the domain, perform a non-authoritative (normal) restore. The repaired DC will receive current data from other DCs through normal replication. The restored data will never be replicated to other DCs. This is the most used type of restore.
If you want to restore inadvertently deleted Active Directory data and to replicate these data to the other DCs, perform an authoritative restore. You cannot perform a "true" rollback, since authoritative restore does not affect changes made in the directory after the backup was created. These new data will be replicated to the restored DC.
It is possible to authoritatively restore any directory partitions excluding the Schema partition.
Remember that, in any case, Active Directory can be restored only when a DC has been booted into the Directory Service Restore Mode.
To restore a standalone domain controller:
Run the Backup utility and open the Restore and Manage Media tab (Fig. 8.12).
Fig. 8.12: Restoring the System State from a backup media
Select the necessary media and check the System State box. Files should be restored to the Original location.
Click Start Restore and confirm overwriting current System State in the Warning pop-up window.
Click Advanced in the Confirm Restore window.
Set the checkbox shown in Fig. 8.13. Close the window, and begin restore.
Fig. 8.13: This checkbox is only set for a primary restore
When the Backup utility will finish and propose you to reboot the computer, answer positively — reboot the computer into normal mode.
A non-authoritative restore is performed as a primary restore; the difference is that you should keep default settings of all options, i.e., the checkbox shown in Fig. 8.13 must be cleared. The restored DC will receive all changes from its replication partners.
To perform authoritative restore of Active Directory including the SYSVOL volume, carry out the following operations:
Run the Backup utility and perform non-authoritative restore (see the previous section). When the Backup utility completes its work, it proposes that you restart the computer (Fig. 8.14). You must click No.
Fig. 8.14: Click No if you perform an authoritative restore
Restore the System State to an alternative location. See an example in Fig. 8.15.
Fig. 8.15: Selecting an alternative location for a restore operation
This second restore operation as well as Steps 5 and 6 below are only necessary if you need to authoritatively restore the entire System State or directory objects along with corresponding Group Policy Objects. If you restore a single object, skip this step and go directly to Step 3.
When the System State is restored to an alternative location, the current System State (e.g., Registry or Active Directory data) will stay intact. That is why you should carry out restore twice.
On Windows .NET-based servers, the following folders will appear in the specified folder or on the disk (Fig. 8.16):
Fig. 8.16: Structure of the SYSVOL folder in alternative location (for domain net.dom)
Active Directory (ntds.dit, edb*.log; these files can be used later to promote a server to additional DC)
COM+ Class Registration Database (ComReg.Db.bak)
Registry (default, SAM, SECURITY, software, system)
SYSVOL (this folder reflects the structure of the SYSVOL volume)
When you restore data to an alternative location, the program does not offer to reboot the computer. Close the Backup program.
Run NTDSutil.exe from the command prompt. A sample dialog for the authoritative restore command is placed below (a subtree is restored in this example):
C:\>ntdsutil ntdsutil: Authoritative restore authoritative restore: Restore subtree OU=Staff,DC=net,DC=dom [Confirm the restore operation — click Yes in the pop-up window.}
Opening DIT database... Done. The current time is 06-04-02 20:41.05. Most recent database update occured at 06-03-02 17:52.23. Increasing attribute version numbers by 200000. Counting records that need updating... Records found: 0000000038 Done. Found 38 records to update. Updating records... Records remaining: 0000000000 Done. Successfully updated 38 records. Authoritative Restore completed successfully. authoritative restore: Quit ntdsutil: Quit
Reboot the computer into normal mode and wait until the SYSVOL volume will be published (look for event ID 13516 in the File Replication Service log and use the net share command to monitor when the process will be completed).
Copy contents of the SYSVOL volume from the alternative location to an existing one. These changes of the SYSVOL volume will be the most recent and, therefore, will be replicated to other DCs as the authoritative data.
In the example shown, an OU object has been restored. You can mark an individual object (in the Windows .NET environment), subtree, or entire directory partition as authoritative. This, however, does not extend to the Schema partition.
Use authoritative restore with necessary directory objects only. Be very selective and do not restore excessive objects. Be especially careful with the Configuration partition. Do not use the restore database command unless you completely understand how restore operations work.
Notice the line in bold that indicates an increment of the attribute version numbers, and two previous lines. The version numbers increase by 100,000 for each day after the original backup has been performed. You can view changes of metadata by using ReplMon.exe. In our case, for example, the following command will be used:
repadmin /showmeta OU=Staff, DC=net, DC=dom netdc4.net.dom
By using this command on different DCs, you can verify whether the authoritative restore was successful, and trace the replication's propagation.
If objects in your Active Directory installation have very low volatility, you might wish to override the default value of the version increment. Use a command similar to the following:
restore subtree OU=Staff, DC=net,DC=dom verinc 1000