Microsoft® Windows® 2000:
Active Directory Disaster Recovery
Paige Verwolf
Support Professional

What Is the Active Directory?
Microsoft® Active Directory™ is Microsoft’s implementation of Directory Services

Database Files
Ntds.dit
Log files
Circular versus non-circular logging
Defaults to circular logging
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\CircularLogging=1
Two Res.log files – Res1.log, Res2.log
Edb.chk

Database Write Operation
1. Write to log
2. Write to memory
3. Confirm transaction
4. Write to Ntds.dit

Database and Log Files
Performance recommendation:
Put system, database, and log files on three different hard disk drives.
Keep database (DIT) and logs on different drives. This is important to ensure that recoverability is possible.
Always use mirrored drives.

System Failure and Recovery
After restarting, the system performs a soft recovery
Goes through the log files starting at the checkpoint and replays the transactions, ending with those in Edb.log.
If Edb.chk is not available, it starts at the first available log file and compares the transactions.
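Added illustration (not from the deck, and not ESE code) of the write sequence and soft recovery described above: a change is logged first, then held in memory, and only later written to Ntds.dit; Edb.chk records how much of the log is already in the database, and recovery replays from there, or from the first log with a dbtime comparison when Edb.chk is missing. Class and field names are my own.

```python
# Toy model of the write-ahead sequence: log, memory, confirm, then Ntds.dit.
# Edb.chk is modelled as a count of log records already applied to the DIT.
class ToyEse:
    def __init__(self):
        self.dit = {}         # Ntds.dit: key -> (dbtime, value)
        self.logs = []        # log records in order: (dbtime, key, value)
        self.memory = {}      # dirty pages not yet written to Ntds.dit
        self.checkpoint = 0   # Edb.chk: number of log records already in the DIT
        self.dbtime = 0       # change counter stamped on every record and page

    def write(self, key, value):
        self.dbtime += 1
        self.logs.append((self.dbtime, key, value))   # 1. write to log
        self.memory[key] = (self.dbtime, value)       # 2. write to memory
        return self.dbtime                            # 3. transaction confirmed

    def flush(self):
        self.dit.update(self.memory)                  # 4. write to Ntds.dit
        self.memory.clear()
        self.checkpoint = len(self.logs)              # Edb.chk advances

    def crash(self, lose_checkpoint=False):
        # Memory is lost; Ntds.dit and the log files survive on disk.
        self.memory.clear()
        if lose_checkpoint:
            self.checkpoint = None                    # Edb.chk missing

    def soft_recovery(self):
        # Replay from the checkpoint. Without Edb.chk start at the first log
        # and compare each record's dbtime with the page's, so records that
        # are already in the DIT are skipped. Returns the number applied.
        start = self.checkpoint if self.checkpoint is not None else 0
        applied = 0
        for dbtime, key, value in self.logs[start:]:
            if dbtime > self.dit.get(key, (0, None))[0]:
                self.dit[key] = (dbtime, value)
                applied += 1
        self.checkpoint = len(self.logs)
        return applied
```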

Deleting Objects
Deleting object creates a tombstone.
Object moved to a specific container
Used to replicate deletion process
Object still in the database
Physically deleted after tombstone lifetime expires
Enterprise-wide setting
CN=Directory Service, CN=Windows NT, CN=Services, and so on.
Remember: Tombstone lifetime = backup lifetime
How does the database release space again?

Garbage Collection
Housekeeping process that frees up space
Tombstones
Deletes unnecessary log files
Based on last checkpoint
Database defragmentation
Runs on each domain controller independently
Interval configurable (12 hours by default)

Database Fragmentation
Defragmentation moves data so that database pages are filled more efficiently
Two ways to defragment
Online defragmentation
Runs as part of garbage collection
Does not shrink database file
Offline defragmentation
Run Ntdsutil.exe
Shrinks database file
DC has to be taken offline
Only recommended after converting a global catalog (GC) server to a normal DC

Online Defragmentation
Performed automatically every 12 hours by default.
Pages are defragmented leaving room for new data.
Does not reduce the size of the DIT file.

Offline Defragmentation
Use NTDSUTIL Files Compact option to defragment and compress Active Directory database
A new DIT file results
Data from the old DIT is written to the new DIT
The parameter to this command is the directory (without a file name) in which to store the compacted DIT
Example: compact to c:\compacted
Afterwards, either copy the compacted DIT over the existing DIT or change the database path to point at the new file
A new database signature is created

Using NTDSUTIL
Boot into Directory Services Restore Mode. (Remember Administrator account from local SAM is now in use, not Active Directory.)
Backend is ESENTUTL
Use Files Info to get general directory information.

Using NTDSUTIL (2)
Use Files Header to view backup, restore, general data:
dbTime – USN concept (also associated with each change)
State – Consistent when last shut down?
Previous Full Backup – time/date of last backup
DB Signature – matched to log files
Repair Count – Clue as to history of DIT

Using NTDSUTIL (3)
Integrity
Checks the checksums of the pages/tables in the DIT file, rebuilds the indexes in a temporary file (Temp.edb), and compares it with the actual DIT

Backing Up the Active Directory Database
The Active Directory can be backed up and restored using Windows 2000 Backup system tool.

System State
Active Directory can be backed up and restored using the system state option in the Windows 2000 Backup tool.
State Data includes the following:
Registry
COM+ Class Registration Database
System Boot Files
Certificate Server (if installed)
Active Directory
System Volume folder
Note: All of the components of the system state are backed up and restored together. There is no option to choose individual components.

Online Backup
Windows NT® Backup provides only full online backup of the Active Directory
No partial backups (that is, backing up only the incremental log files to bring the database up to date)
Changes made while backup is occurring are recorded in a patch file (raw data)

Offline Backup
The Extensible Storage Engine (ESE/Jet) is shut down, so the database is in a consistent state
Only the DIT file needs to be copied
All data is already committed
Jet will automatically create log files when initialized next

Backup Process
Must be an administrator or backup operator
Use the wizard
Select Backup the Active Directory

Verifying Backup
Why verify?
How do I verify?
Events logged to the application logs after backup:
8009 – informational
8009 – error
Backup logs

Restoring the Active Directory
Restoring Active Directory must be done offline, after booting into Directory Services Restore Mode.
If any of the following conditions are not met, the system state is not restored. Backup attempts to restore the system state, but does not succeed.
The server name must be identical to the backed up server name.
The drive letter on which the %SystemRoot% folder is located must be the same as when it was backed up.
The %SystemRoot% folder must be the same folder as when it was backed up.
If Sysvol or other Active Directory databases are located on another volume, they must exist and have the same drive letters also. The size of the volume does not matter.

Restoring Active Directory from Backup
By default, circular logging is enabled
This means that only a full backup can be restored
Log files have probably wrapped and cannot be replayed out of sequence; this would require having the log files created since the time of the backup
This recovers changes up to the time of the backup; the remaining changes are replicated back in from the other domain controllers
So it does not matter if log files are lost

How Does Restoring a Backup Impact Replication?
The invocationID (database GUID) attribute on a server gets a new value after it is restored to identify that the computer does not have the same data as it did before.
This comes into play when other computers try to replicate from it. The restored database is treated as a different replica to other domain controllers.

Authoritative vs. Non-Authoritative Restores

Authoritative Restore with NTDSUTIL
After the data has been restored, use NTDSUTIL to perform the Authoritative Restore. The following options are available in the NTDSUTIL when you perform an Authoritative Restore on the database.
Restore Database – Authoritatively restore the entire database
Restore Database verinc %d – Authoritatively restore the entire database and override the version increase
Restore Subtree %s – Authoritatively restore a subtree
Restore Subtree %s verinc %d – Authoritatively restore a subtree and override the version increase
Note: The default version increase is 100,000 unless the override option is used.
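Added illustration (my own model, not the deck's or NTDSUTIL's code) of why the version increase matters: replication conflicts are resolved in favour of the higher version, so a plain restore is overwritten by the partners' newer values, while an authoritative restore of the database or of a subtree raises the restored versions by verinc (100,000 by default) so the backed-up values win. The DNs and values are constructed; the tie-breaking rule is simplified.

```python
DEFAULT_VERINC = 100_000   # the deck's default version increase

def authoritative_restore(backup, subtree=None, verinc=DEFAULT_VERINC):
    # Copy the backed-up replica, raising the version of every object in the
    # chosen subtree (or of the whole database) so those values win replication.
    restored = {}
    for dn, attr in backup.items():
        copy = dict(attr)
        if subtree is None or dn.lower().endswith(subtree.lower()):
            copy["version"] += verinc
        restored[dn] = copy
    return restored

def non_authoritative_restore(backup):
    # Plain restore: versions come back exactly as they were at backup time.
    return {dn: dict(attr) for dn, attr in backup.items()}

def converge(dc_a, dc_b):
    # Replication conflict rule in this model: the higher version wins and
    # both replicas end up holding it (ties keep whatever dc_a has).
    for dn in set(dc_a) | set(dc_b):
        a, b = dc_a.get(dn), dc_b.get(dn)
        winner = b if a is None or (b is not None and b["version"] > a["version"]) else a
        dc_a[dn] = dict(winner)
        dc_b[dn] = dict(winner)

def demo(mode, subtree=None):
    # Constructed data: the backup holds version 5 of alice; since the backup
    # the live replica has moved on to version 6 (the change to be undone).
    backup = {"cn=alice,ou=sales,dc=corp": {"value": "v1", "version": 5},
              "cn=svc,ou=it,dc=corp": {"value": "old", "version": 2}}
    partner = {"cn=alice,ou=sales,dc=corp": {"value": "v2", "version": 6},
               "cn=svc,ou=it,dc=corp": {"value": "new", "version": 3}}
    if mode == "authoritative":
        restored = authoritative_restore(backup, subtree)
    else:
        restored = non_authoritative_restore(backup)
    converge(restored, partner)
    # What the partner DC holds after replication with the restored DC
    return {dn: partner[dn]["value"] for dn in partner}
```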

Impact of Authoritative Restore on Trusts and Computer Accounts
Trust relationship and computer account passwords are renegotiated at a set interval (every seven days by default; for computer accounts the automatic change can be disabled by the administrator).
During an Authoritative Restore, a previously used password can be restored for the Active Directory objects that maintain trust relationships and computer accounts.
Trust Relationships – this may break communication with domain controllers in other domains.
Computer Account Password – this may break communication between the member workstation or server and a domain controller of its domain.

Backup of the Active Directory Has a 60-Day Useful Life
Windows 2000 prohibits the restoring of old backup images into a replicated enterprise. Specifically, the useful life of a backup is identical to the “tombstone lifetime” setting for the enterprise. The default value for the tombstone lifetime entry is 60 days. This value can be set on the Directory Service (NTDS) config object.
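Added illustration (my own toy model, not from the deck) tying together the tombstone and garbage-collection slides with the 60-day rule above: a deletion replicates as a tombstone, garbage collection removes the tombstone once its lifetime has passed, and a backup older than that lifetime would bring the deleted object back with nothing left to replicate its deletion. The scenario, object name and dates are constructed; the force flag exists only to show what the 60-day refusal prevents.

```python
from datetime import datetime, timedelta

TOMBSTONE_LIFETIME = timedelta(days=60)   # the deck's default

def backup_usable(backup_time, now):
    # Windows 2000 refuses a backup image older than the tombstone lifetime.
    return now - backup_time <= TOMBSTONE_LIFETIME

class ToyDc:
    def __init__(self):
        self.objects = set()    # live objects
        self.tombstones = {}    # deleted name -> deletion time

    def delete(self, name, now):
        self.objects.discard(name)
        self.tombstones[name] = now        # deletion becomes a tombstone

    def garbage_collect(self, now):
        # Tombstones past their lifetime are physically removed.
        expired = [n for n, t in self.tombstones.items() if now - t > TOMBSTONE_LIFETIME]
        for n in expired:
            del self.tombstones[n]
        return expired

    def replicate_from(self, partner):
        # Deletions travel as tombstones; an object replicates in only if the
        # receiving DC holds no tombstone for it.
        for n, t in partner.tombstones.items():
            self.objects.discard(n)
            self.tombstones.setdefault(n, t)
        self.objects |= {n for n in partner.objects if n not in self.tombstones}

def restore_scenario(backup_age_days, force=False):
    # Constructed: cn=alice exists when DC2 is backed up, is deleted a day later,
    # and DC2 is restored from that backup after backup_age_days.
    t0 = datetime(2000, 1, 1)
    dc1, dc2 = ToyDc(), ToyDc()
    dc1.objects.add("cn=alice")
    dc2.replicate_from(dc1)
    image = (set(dc2.objects), dict(dc2.tombstones))   # system state backup
    dc1.delete("cn=alice", t0 + timedelta(days=1))
    dc2.replicate_from(dc1)
    now = t0 + timedelta(days=backup_age_days)
    for dc in (dc1, dc2):
        dc.garbage_collect(now)
    if not force and not backup_usable(t0, now):
        return "refused"
    dc2.objects, dc2.tombstones = set(image[0]), dict(image[1])   # restore
    dc2.replicate_from(dc1)   # inbound replication after the restore
    dc1.replicate_from(dc2)
    return "lingering" if "cn=alice" in dc1.objects else "clean"
```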
