Windows 2000 includes an option called Safe Mode. This is a recovery tool that was carried over from the Windows 9x product line that allows you to start your system with a minimal set of device drivers and services loaded. Safe Mode is useful for those situations in which you load a new driver or software program or make a configuration change that results in an inability to start your system. You can use Safe Mode to start your system and remove the driver or software that is causing the problem. To get into Safe Mode, restart your server and press F8 on the boot menu screen when you see the prompt, "Please Select The Operating System To Start." The following options are available on the Windows 2000 Advanced Options menu (as shown in Figure 5.15):
Figure 5.15. Windows 2000 Advanced Options menu showing Safe Mode option selected.
If your startup problem does not appear when you start the system in Safe Mode, you can eliminate the default settings and minimum device drivers as problems. Using Safe Mode, you can diagnose the problem and remove the faulty driver, or restore the proper configuration.
Recover System State Data by Using Directory Services Restore Mode
On a domain controller, the Active Directory files are restored as part of the System State. The System State on a domain controller consists of
The individual components cannot be backed up or restored separately; they can only be handled as a unit. When a single domain controller fails, and the other domain controllers are still operational, it can be repaired and the data restored using a current backup tape. After Active Directory is restored, the domain controller will replicate with the other domain controllers to synchronize any changes that were made on the other domain controllers since the backup tape was created. This process is called a non-authoritative restore.
Windows 2000 assigns an Update Sequence Number (USN) to each object created in Active Directory. This allows Active Directory to track updates and prevents it from replicating objects that have not changed. When you perform a normal file restore of the Active Directory, all the data that is restored is considered "old" data and will not be replicated to the other domain controllers. This data is considered non-authoritative because its objects have lower USNs, so it is treated as old and out of date. All of the objects contained in the other copies of Active Directory on the other domain controllers that have higher USNs than the objects in the restored data will be replicated to the restored domain controller so that all copies of Active Directory will be consistent.
A non-authoritative restore is the default restore mode for Active Directory and is used most often. However, in specific circumstances, it will be necessary to perform an authoritative restore. When performing an authoritative restore, the USNs on the objects in the copy of the Active Directory database that is restored to the domain controller are reset to a number higher than the current USNs so that all of the data that is restored is no longer considered old data. This allows the objects in the restore job to overwrite newer objects on the other domain controllers.
When Active Directory is in a corrupted state on all of the domain controllers, it will be necessary to restore AD from tape and force the replication of the restored data to all of the other domain controllers. This type of operation is called an authoritative restore. An authoritative restore will cause the data that is restored from tape to overwrite the corrupted data that is stored on all of the domain controllers. This is accomplished by changing the USNs on all of the objects in the AD database to a higher number so that they are considered to be authoritative, and will overwrite the lower numbered objects. An authoritative restore cannot be performed while a domain controller is online; the domain controller must be restarted into Directory Services Restore Mode, which is an option available in Safe Mode. To perform an authoritative restore, perform the following steps:
An authoritative restore is used most often in situations where an Active Directory object such as a user, group, or organizational unit (OU) has been accidentally deleted and needs to be restored. If an Active Directory object is accidentally deleted, it is possible to restore the object from a backup tape by performing a partial authoritative restore. This is accomplished by restoring from the last backup before the object was deleted. The procedure to perform the restore is very similar to the full Active Directory authoritative restore that was shown in the previous section.
To restore a deleted Active Directory object:
To restore an object, you will need to know its common name (CN), the organizational unit (OU), and the domain (DC) that the object was located in. For example, to restore the ABC St. Louis User OU, in the abc.com domain, you would enter the following command:

    Restore Subtree "OU=ABC St. Louis User,DC=abc,DC=com"

This command restores all of the objects that have been deleted in the ABC St. Louis User OU since the backup tape was created. To restore a user, the command would be

    Restore Subtree "CN=JDoe,OU=ABC St. Louis User,DC=ABC,DC=com"

To restore a printer, the command would be

    Restore Subtree "CN=DeskJet 3rdfloor,OU=ABC St. Louis User,DC=abc,DC=com"

After the command has completed, enter quit and reboot the domain controller. The domain controller will now replicate the restored Active Directory object to the other domain controllers.
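
The following is an added example, not part of the original text: a simplified Python model of the USN rule described above, showing why a deleted user comes back only when the restore is authoritative. It assumes a single number per object with the highest value winning; the function names and USN values are constructed for illustration, and the DNs are the ones from the commands above.

```python
# Simplified model (an assumption for illustration): each object carries one
# USN-like number, and replication keeps whichever copy has the higher number.
import copy

AUTHORITATIVE_BUMP = 100_000  # constructed value; in this model any jump above current USNs works


def replicate(dcs):
    """Converge all DCs: for each DN, every DC ends up with the highest-USN copy."""
    for dn in {dn for dc in dcs.values() for dn in dc}:
        winner = max((dc[dn] for dc in dcs.values() if dn in dc), key=lambda o: o["usn"])
        for dc in dcs.values():
            dc[dn] = dict(winner)


def restore(dcs, target, backup, authoritative_subtree=None):
    """Restore `backup` onto DC `target`; optionally mark a subtree authoritative."""
    dcs[target] = copy.deepcopy(backup)
    if authoritative_subtree:
        highest = max(o["usn"] for dc in dcs.values() for o in dc.values())
        for dn, obj in dcs[target].items():
            # Same scope as: Restore Subtree "<authoritative_subtree>"
            if dn.lower().endswith(authoritative_subtree.lower()):
                obj["usn"] = highest + AUTHORITATIVE_BUMP
    replicate(dcs)


def scenario(authoritative):
    """Return {dc_name: is_user_deleted} after a restore on DC1 and replication."""
    user = "CN=JDoe,OU=ABC St. Louis User,DC=abc,DC=com"
    backup = {user: {"usn": 10, "deleted": False}}  # state on the backup tape
    # After the backup, the user is deleted by accident; the deletion has a higher USN.
    dcs = {name: {user: {"usn": 25, "deleted": True}} for name in ("DC1", "DC2")}
    subtree = "OU=ABC St. Louis User,DC=abc,DC=com" if authoritative else None
    restore(dcs, "DC1", backup, subtree)
    return {name: dc[user]["deleted"] for name, dc in dcs.items()}


if __name__ == "__main__":
    print("non-authoritative:", scenario(False))  # deletion replicates back to DC1
    print("authoritative:    ", scenario(True))   # restored user replicates out
```

In the non-authoritative run the restored copy loses to the higher-numbered deletion held by the other domain controller, which is why restoring the tape alone does not recover a deleted object.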