Sunday, 27 April 2014

How to do an authoritative restore in Windows Server 2008 - Restore before deletions have replicated

Understanding the concept

An authoritative restore is most commonly used when you want to revert changes that were made within the directory. Consider the scenario where you have deleted an organizational unit, or any other object, by mistake and want it back. The process restores the DC from backup and then, through replication, overwrites all other domain controllers in the network to match the restored DC. Even if the authoritatively restored replica set is older than the current replicas, the older data is replicated to all of its replication partners. The especially valuable thing about this is that you can choose to make only certain objects within the directory authoritative. For example, if you delete an OU by mistake you can mark just that OU as authoritative. This replicates the deleted OU back to all other DCs in the network, and everything else on the restored server is then brought up to date from the other DCs.

There are two ways to perform an authoritative restore, depending on whether the deletion has already replicated:
A) Restore Before Deletions Have Replicated
B) Restore After Deletions Have Replicated

If the deleted object (and its deleted status) has already replicated to other DCs, you need a slightly different method: restore the DC non-authoritatively from a recent backup and then mark the deleted object authoritative. For more information please follow the link below,
http://serverlabs.blogspot.in/2014/04/how-to-do-authoritative-restore-in.html  

In this article I will describe restoring the object before the deletion has replicated across the domain. In this case you do not need to restore from backup (a non-authoritative restore); instead, on a DC that has not yet received the deletion, you turn off inbound replication and mark the still-present object as authoritative.
Let us consider the scenario where I have accidentally deleted one user, named 'Livin', which is under the default container 'Users', and I want to restore this object to the domain. Note that my domain name is 'serverlabs.com'.

1. Make sure that the deletion has not yet replicated to the DC you will work on. Use the command repadmin /showrepl in cmd to determine the date and time of the latest inbound replication of the domain directory partition on that DC and compare it with the time of the deletion (by default, intersite replication across each site link occurs every 180 minutes (3 hours); you can adjust this frequency to match your needs). After confirming that the deletion has not arrived, stop inbound replication on that DC with the command repadmin /options <ServerName> +DISABLE_INBOUND_REPL, where <ServerName> is the NetBIOS name of the domain controller. Do this first: if the deletion replicates in while you are preparing the restore, there is nothing left on this DC to mark authoritative.


2. Reboot the server in Directory Services Restore Mode

You can reboot the server in Directory Services Restore Mode using any of three methods.

  i. If you can manually reboot the server, press F8 at boot time to get the advanced boot options, select Directory Services Restore Mode and press ENTER.

  ii. Edit the Boot Configuration Data (BCD). Open a command prompt, type bcdedit /set safeboot dsrepair and press ENTER. Now restart the server and wait for it to come up.

  iii. Edit the boot option from System Configuration. Type msconfig in Run and press ENTER -> under the Boot tab tick the Safe boot check box and select Active Directory repair -> Apply -> OK, and when prompted to restart select Restart.


You can use any one of the above options to reboot the server in Directory Services Restore Mode (if the server is in a remote location, options ii or iii are preferable). Remember that you will need to supply the DSRM password that you set when promoting the server to a DC. The username for DSRM is Administrator (the local account, not a domain account), and each DC may have a different DSRM password.
3. Once you are logged on, you need to mark the deleted object as authoritative. The command line tool ntdsutil will take you the rest of the way: open a command prompt, type ntdsutil and press ENTER.
4. At the ntdsutil prompt, type activate instance ntds and press ENTER.
5. At the ntdsutil prompt, type authoritative restore and press ENTER.

Generally we use two commands here, restore object and restore subtree. restore object is used when you want to restore a single deleted object (user, computer, etc.), and restore subtree when you want to restore an entire OU or container together with everything in it.
The syntax is restore object <distinguished name of the object> (e.g. restore object CN=deleted object name,OU=its parent OU,DC=your domain name,DC=your domain suffix).
The syntax is restore subtree <distinguished name of the OU> (e.g. restore subtree OU=deleted OU,DC=your domain name,DC=your domain suffix). If the distinguished name contains spaces, enclose it in double quotes.

6. As discussed earlier, I want to recover my deleted user 'Livin' from the 'Users' container.
So type restore object CN=Livin,CN=Users,DC=serverlabs,DC=com and press ENTER.
7. Click Yes in the authoritative restore confirmation dialogue to start the process.


8. Once the process is completed you will see a success message reporting the number of records found and updated. ntdsutil also writes two files to the current working directory of the command prompt: a text file listing the restored objects and an LDIF (.ldf) file holding the back-links (such as group memberships) of those objects; you will need the .ldf file in step 11.


This operation increments the version numbers of the object's attributes so that all other DCs treat the restored values as the most recent change.
9. If you set the server to boot into Directory Services Restore Mode (DSRM) using step 2 option ii or iii, the server will boot into DSRM again. In order to boot the server normally, after the initial reboot log in with the DSRM user name and password. You will see the prompt below; press ENTER to close the window.


Now change the boot option of your server to normal.
If your option was step 2 ii:
Open a command prompt, type bcdedit /deletevalue safeboot and press ENTER. You will see a success message, and you can reboot the server once again; it will now boot in normal mode.


If your option was step 2 iii:
Type msconfig in Run and press ENTER -> under the Boot tab clear the Safe boot check box -> Apply -> OK, and when prompted to restart select Restart.


10. Once the server has rebooted in normal mode you can synchronize this DC with its replication partners. Open a command prompt, type repadmin /syncall <DCName> /e /d /A /P /q and press ENTER, where <DCName> is the name of the domain controller you just restored; /P pushes its changes out to all partners across the enterprise (/e) for all partitions (/A). Make sure that the synchronization completes successfully (more help: http://technet.microsoft.com/en-us/library/cc778969(v=ws.10).aspx).


11. Now we need to import the LDIF file to recover the back-links in this domain (this file was generated automatically when the object was marked authoritative, in step 8, in the current working directory of that command prompt). To restore group membership, at a command prompt type ldifde -i -k -f <file name> and press ENTER, where <file name> is the LDIF file ntdsutil generated (-i imports, -k continues past errors such as an object that is already a member). If the restored object was a member of groups in other domains, ntdsutil writes one .ldf file per domain; import each of those on a DC of the corresponding domain after the restored object has replicated there (more help: http://technet.microsoft.com/en-us/library/cc786564(v=ws.10).aspx)


Note: Run ldifde from the directory where your LDIF file is (or give the full path), and specify the file with its extension (.ldf).
12. As we initially disabled inbound replication, we need to enable it again.
     At the command prompt type repadmin /options <ServerName> -DISABLE_INBOUND_REPL and press ENTER, where <ServerName> is your current domain controller name.


That completes the authoritative restore before deletions have replicated.
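The decision in step 1 (which DCs still hold the object, and therefore which one can be used for this procedure) is the part most worth scripting. The PowerShell below is an added example, not code from the original post: it asks every DC in the domain directly whether the object still exists on its own replica, reports the split, and then disables inbound replication on the first surviving DC with the same repadmin switch used above. Assumed: PowerShell 2.0 or later, run as a Domain Admin, the post's own DN and domain name; all function names are hypothetical.

```powershell
# Added example (not from the original post): pre-flight for the
# "restore before deletions have replicated" case. A DC that no longer has
# the object cannot be used; one that still has it must stop inbound
# replication before the deletion reaches it.
# Assumed: PowerShell 2.0+, Domain Admin rights; the DN and domain are the
# post's own; function names are hypothetical.

param(
    [string]$ObjectDN  = 'CN=Livin,CN=Users,DC=serverlabs,DC=com',
    [string]$DomainDns = 'serverlabs.com'
)

Add-Type -AssemblyName System.DirectoryServices

function Get-DomainControllerNames {
    param([string]$Domain)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    foreach ($dc in $dom.FindAllDomainControllers()) { $dc.Name }
}

function Test-ObjectOnDC {
    param([string]$DC, [string]$DN)
    # Bind to this DC explicitly so the answer reflects its own replica, not a referral.
    # An unreachable DC is reported and treated as unusable for the restore.
    try   { [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$DC/$DN") }
    catch { Write-Warning "$DC unreachable: $($_.Exception.Message)"; $false }
}

function Get-RestoreCandidates {
    param([string]$DN, [string]$Domain)
    $present = @(); $gone = @()
    foreach ($dc in Get-DomainControllerNames -Domain $Domain) {
        if (Test-ObjectOnDC -DC $dc -DN $DN) { $present += $dc } else { $gone += $dc }
    }
    @{ Present = $present; Gone = $gone }
}

$state = Get-RestoreCandidates -DN $ObjectDN -Domain $DomainDns
"Object still present on : $($state.Present -join ', ')"
"Deletion already applied: $($state.Gone -join ', ')"

if ($state.Present.Count -eq 0) {
    Write-Warning 'The deletion has reached every DC. Use the "after deletions have replicated" procedure (non-authoritative restore from backup first).'
    return
}

# Keep the deletion from arriving on the candidate before it is marked authoritative,
# then show the DSA options and last inbound replication times for the record.
$target = $state.Present[0]
repadmin /options $target +DISABLE_INBOUND_REPL
repadmin /options $target
repadmin /showrepl $target
```

Run it as soon as the deletion is noticed; the later steps (DSRM, ntdsutil) are then performed on the DC it reports as $target, and the second repadmin /options line should list DISABLE_INBOUND_REPL among the current DSA options.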

Saturday, 26 April 2014

How to do a non-authoritative restore in Windows Server 2008

Understanding the concept

A non-authoritative restore is used most commonly when a DC has failed for hardware or software reasons, and it is the default mode for a Directory Services restore. By default the backup tool operates in non-authoritative restore mode: when you restore data using any of the backup tools (Windows Server Backup, NTBackup, Symantec Backup Exec, Veritas, etc.) you are restoring it non-authoritatively. When the domain controller is brought online after a non-authoritative restore, it detects that the restored data has not been updated since the backup was taken, and it begins receiving and applying updates through normal replication with its partners. Therefore any directory updates that occurred after the backup was created are applied after the restore as part of normal replication. Replication also reconstructs the replication metadata for updates that originated on the restored domain controller between the time of the backup and the time of the restore.

Important: Make sure that you have the latest System state and full server backup is available before performing this operation.

Performing a non-authoritative restore

1.Reboot the server in Directory Services Restore Mode

You can reboot the server in Directory Services Restore Mode using any of three methods.

  i. If you can manually reboot the server, press F8 at boot time to get the advanced boot options, select Directory Services Restore Mode and press ENTER.

  ii. Edit the Boot Configuration Data (BCD). Open a command prompt, type bcdedit /set safeboot dsrepair and press ENTER. Now restart the server and wait for it to come up.

  iii. Edit the boot option from System Configuration. Type msconfig in Run and press ENTER -> under the Boot tab tick the Safe boot check box and select Active Directory repair -> Apply -> OK, and when prompted to restart select Restart.


You can use any one of the above options to reboot the server in Directory Services Restore Mode (if the server is in a remote location, options ii or iii are preferable).

2. Wait a few minutes for the DC to reboot. You can log on locally or remotely, but remember that you will need to supply the DSRM password that you set when promoting the server to a DC. The username for DSRM is Administrator, and each DC may have a different DSRM password.
3. Once you have logged on, use the Wbadmin utility to manage backup and restore operations. It lets you back up and restore the operating system, volumes, files, folders and applications from a command prompt. Each backup created with Windows Server Backup has its own unique version identifier, named after the date and time the backup completed; you restore data by choosing one of these versions.
Consider that I have to recover my secondary DC (second server) and I already have its latest backup on my first server (shared location: \\server-1\backuP of second server), or you may have the backup on the same server itself. If your backup is on a remote share, make sure there is no chance of a network failure, or copy the backup to a local drive and recover from there, because a connection failure during this process can leave the server unusable.

At the command prompt type wbadmin get versions and press ENTER. If the backup is on a network share rather than a locally catalogued drive, add -backupTarget:\\server\share to this command and to the recovery command below.


I have only one backup of the server. From the list, note the version identifier of the backup you want to restore; for me it is 04/22/2014-15:40.
4. Now start the system state recovery with the command below,
wbadmin start systemstaterecovery -version:<backup version that you would like to restore> and press ENTER.
So in my case the command will be wbadmin start systemstaterecovery -version:04/22/2014-15:40 and press ENTER.
This will prompt you to confirm that you want to start the restore; type Y and press ENTER.


Important: Never try to interrupt the system state recovery until it completes.
5. Wait for the process to complete. You will see the status in the same command prompt window. Type Y and press ENTER to reboot the server when prompted.


6. If you set the server to boot into Directory Services Restore Mode (DSRM) using step 1 option ii or iii, the server will boot into DSRM again. In order to boot the server normally, after the initial reboot log in with the DSRM user name and password. You will see the prompt below; press ENTER to close the window.


Now change the boot option of your server to normal.
If your option was step 1 ii:
Open a command prompt, type bcdedit /deletevalue safeboot and press ENTER. You will see a success message, and you can reboot the server once again; it will now boot in normal mode.


If your option was step 1 iii:
Type msconfig in Run and press ENTER -> under the Boot tab clear the Safe boot check box -> Apply -> OK, and when prompted to restart select Restart.



That's it, the non-authoritative restore is complete.
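Steps 3 to 6 above are a short sequence of wbadmin and bcdedit commands, which makes them easy to script and, more importantly, easy to get wrong by picking the wrong version string. The PowerShell below is an added example, not code from the original post: it parses wbadmin get versions, chooses the newest version by timestamp rather than by string order, starts the recovery only when -Execute is given, and wraps the bcdedit safeboot handling in three small helpers. Assumed: PowerShell 2.0 or later in an elevated DSRM session, wbadmin printing version identifiers as MM/dd/yyyy-HH:mm as in the post, and the post's own share path; function names are hypothetical.

```powershell
# Added example (not from the original post): scripted non-authoritative
# restore with Windows Server Backup. Assumed: PowerShell 2.0+ elevated,
# in DSRM; version identifiers formatted as in the post; function names
# are hypothetical.

param(
    # Leave empty when the backup is on a local drive catalogued by Windows Server Backup.
    [string]$BackupTarget = '\\server-1\backuP of second server',
    [switch]$Execute
)

function Set-DsrmBoot   { bcdedit /set safeboot dsrepair }
function Clear-DsrmBoot { bcdedit /deletevalue safeboot }
function Test-DsrmBoot  { (bcdedit /enum '{current}' | Out-String) -match 'safeboot\s+DsRepair' }

function Get-WbadminVersions {
    param([string]$Target)
    $cmd = @('get', 'versions')
    if ($Target) { $cmd += "-backupTarget:$Target" }
    # wbadmin prints one "Version identifier: MM/dd/yyyy-HH:mm" line per backup.
    $out = & wbadmin $cmd 2>&1 | Out-String
    foreach ($m in [regex]::Matches($out, 'Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})')) {
        $m.Groups[1].Value
    }
}

function Select-LatestVersion {
    param([string[]]$Versions)
    # Sort on the parsed timestamp, not the string, so 12/31 does not outrank 01/01 of the next year.
    $Versions |
        Sort-Object { [datetime]::ParseExact($_, 'MM/dd/yyyy-HH:mm', [Globalization.CultureInfo]::InvariantCulture) } |
        Select-Object -Last 1
}

function Start-SystemStateRecovery {
    param([string]$Version, [string]$Target)
    $cmd = @('start', 'systemstaterecovery', "-version:$Version", '-quiet')   # -quiet: no Y/N prompt
    if ($Target) { $cmd += "-backupTarget:$Target" }
    "Running: wbadmin $($cmd -join ' ')"
    & wbadmin $cmd
    $LASTEXITCODE
}

if (-not (Test-DsrmBoot)) {
    Write-Warning 'BCD has no safeboot=DsRepair entry. Unless you reached DSRM via F8, run Set-DsrmBoot and reboot first.'
}

$versions = @(Get-WbadminVersions -Target $BackupTarget)
if ($versions.Count -eq 0) { throw 'wbadmin reported no backup versions; check the target path and that the share is reachable.' }
$latest = Select-LatestVersion -Versions $versions
"Available versions: $($versions -join ', ')"
"Newest version    : $latest"

if (-not $Execute) { 'Report only; re-run with -Execute to start the recovery.'; return }

# Once started, the recovery must not be interrupted; only clear the DSRM flag after it succeeds.
$rc = Start-SystemStateRecovery -Version $latest -Target $BackupTarget
if ($rc -ne 0) { throw "wbadmin exited with $rc; do not restart until a recovery has completed successfully." }
'Recovery finished. Run Clear-DsrmBoot before the normal restart (or leave it set if an authoritative restore follows).'
```

Because -quiet suppresses the confirmation prompt, the dry run (no -Execute) is there to let you read the chosen version before anything irreversible happens; copying the backup to a local drive first, as the post advises, removes the share from the picture entirely.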

How to do an authoritative restore in Windows Server 2008 - Restore after deletions have replicated

Understanding the concept

An authoritative restore is most commonly used when you want to revert changes that were made within the directory. Consider the scenario where you have deleted an organizational unit, or any other object, by mistake and want it back. The process restores the DC from backup and then, through replication, overwrites all other domain controllers in the network to match the restored DC. Even if the authoritatively restored replica set is older than the current replicas, the older data is replicated to all of its replication partners. The especially valuable thing about this is that you can choose to make only certain objects within the directory authoritative. For example, if you delete an OU by mistake you can mark just that OU as authoritative. This replicates the deleted OU back to all other DCs in the network, and everything else on the restored server is then brought up to date from the other DCs.

There are two ways to perform an authoritative restore, depending on whether the deletion has already replicated:
A) Restore before deletions have Replicated.
B) Restore after deletions have Replicated.

If the deleted object (and its deleted status) has not yet replicated to another DC, you can use a shorter method instead. For more information please follow the link below,
http://serverlabs.blogspot.in/2014/04/how-to-do-authoritative-restore-in_27.html

In this article I will describe restoring the object after the deletion has replicated. In this case you must first perform a non-authoritative restore from backup and, once it has completed successfully, perform the authoritative restore before the DC is rebooted.
Let us consider the scenario where I have accidentally deleted one user, named 'Livin', which is under the default container 'Users', and I want to restore this object to the domain. Note that my domain name is 'serverlabs.com'.

1.Reboot the server in Directory Services Restore Mode

You can reboot the server in Directory Services Restore Mode using any of three methods.

  i. If you can manually reboot the server, press F8 at boot time to get the advanced boot options, select Directory Services Restore Mode and press ENTER.

  ii. Edit the Boot Configuration Data (BCD). Open a command prompt, type bcdedit /set safeboot dsrepair and press ENTER. Now restart the server and wait for it to come up.

  iii. Edit the boot option from System Configuration. Type msconfig in Run and press ENTER -> under the Boot tab tick the Safe boot check box and select Active Directory repair -> Apply -> OK, and when prompted to restart select Restart.


You can use any one of the above options to reboot the server in Directory Services Restore Mode (if the server is in a remote location, options ii or iii are preferable).

2. Wait a few minutes for the DC to reboot. You can log on locally or remotely, but remember that you will need to supply the DSRM password that you set when promoting the server to a DC. The username for DSRM is Administrator, and each DC may have a different DSRM password.
3. Once you have logged on, use the Wbadmin utility to manage backup and restore operations. It lets you back up and restore the operating system, volumes, files, folders and applications from a command prompt. Each backup created with Windows Server Backup has its own unique version identifier, named after the date and time the backup completed; you restore data by choosing one of these versions.
Consider that I have to recover my secondary DC (second server) and I already have its latest backup on my first server (shared location: \\server-1\backuP of second server), or you may have the backup on the same server itself. If your backup is on a remote share, make sure there is no chance of a network failure, or copy the backup to a local drive and recover from there, because a connection failure during this process can leave the server unusable.

At the command prompt type wbadmin get versions and press ENTER. If the backup is on a network share rather than a locally catalogued drive, add -backupTarget:\\server\share to this command and to the recovery command below.


I have only one backup of the server. From the list, note the version identifier of the backup you want to restore; for me it is 04/22/2014-15:40.
4. Now start the system state recovery with the command below,
wbadmin start systemstaterecovery -version:<backup version that you would like to restore> and press ENTER.
So in my case the command will be wbadmin start systemstaterecovery -version:04/22/2014-15:40 and press ENTER.
This will prompt you to confirm that you want to start the restore; type Y and press ENTER.


Important: Never try to interrupt the system state recovery until it completes.
5. Wait for the process to complete; the status appears in the same command prompt. Do not reboot the server when wbadmin offers to: the authoritative restore has to be done in this DSRM session before the DC restarts, otherwise it will simply replicate the deletion back in.



6. Open a command prompt; the command line tool ntdsutil will take you the rest of the way. Type ntdsutil and press ENTER.
7. At the ntdsutil prompt, type activate instance ntds and press ENTER.
8. At the ntdsutil prompt, type authoritative restore and press ENTER.

Generally we use two commands here, restore object and restore subtree. restore object is used when you want to restore a single deleted object (user, computer, etc.), and restore subtree when you want to restore an entire OU or container together with everything in it.
The syntax is restore object <distinguished name of the object> (e.g. restore object CN=deleted object name,OU=its parent OU,DC=your domain name,DC=your domain suffix).
The syntax is restore subtree <distinguished name of the OU> (e.g. restore subtree OU=deleted OU,DC=your domain name,DC=your domain suffix). If the distinguished name contains spaces, enclose it in double quotes.

9. As discussed earlier, I want to recover my deleted user 'Livin' from the 'Users' container.
So type restore object CN=Livin,CN=Users,DC=serverlabs,DC=com and press ENTER.
10. Click Yes in the authoritative restore confirmation dialogue to start the process.


11. Once the process is completed you will see a success message reporting the number of records found and updated. ntdsutil also writes two files to the current working directory of the command prompt: a text file listing the restored objects and an LDIF (.ldf) file holding the back-links (such as group memberships) of those objects; you will need the .ldf file in step 13.


This operation increments the version numbers of the object's attributes so that all other DCs treat the restored values as the most recent change.
12. If you set the server to boot into Directory Services Restore Mode (DSRM) using step 1 option ii or iii, the server will boot into DSRM again. In order to boot the server normally, after the initial reboot log in with the DSRM user name and password. You will see the prompt below; press ENTER to close the window.


Now change the boot option of your server to normal.
If your option was step 1 ii:
Open a command prompt, type bcdedit /deletevalue safeboot and press ENTER. You will see a success message, and you can reboot the server once again; it will now boot in normal mode.


If your option was step 1 iii:
Type msconfig in Run and press ENTER -> under the Boot tab clear the Safe boot check box -> Apply -> OK, and when prompted to restart select Restart.



13. Now we need to import the LDIF file to recover the back-links in this domain (this file was generated automatically when the object was marked authoritative, in step 11, in the current working directory of that command prompt). To restore group membership, at a command prompt type ldifde -i -k -f <file name> and press ENTER, where <file name> is the LDIF file ntdsutil generated (-i imports, -k continues past errors such as an object that is already a member). If the restored object was a member of groups in other domains, ntdsutil writes one .ldf file per domain; import each of those on a DC of the corresponding domain after the restored object has replicated there (more help: http://technet.microsoft.com/en-us/library/cc786564(v=ws.10).aspx)


Note: Run ldifde from the directory where your LDIF file is (or give the full path), and specify the file with its extension (.ldf).

Now you can check, on this DC and on its replication partners, that the object and its group memberships are back.
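The authoritative part of this procedure (steps 6 to 11, then step 13 after the reboot) is awkward to repeat by hand because it spans two logon sessions and depends on files ntdsutil drops in whatever directory the prompt happened to be in. The PowerShell below is an added example, not code from the original post. It has two phases: Restore, run in DSRM right after the system state recovery, passes the ntdsutil commands as arguments in one call (ntdsutil accepts them that way) from a known working directory so the generated .txt and .ldf files are easy to find; Links, run after the normal reboot, imports every .ldf in that directory with the same ldifde switches as the post and reads the object and its memberOf back from the directory. Assumed: PowerShell 2.0 or later in an elevated prompt, the post's own DN, a DN without spaces (ntdsutil needs the DN quoted otherwise, which is simpler to do interactively), and the working directory C:\ARrestore; function names are hypothetical.

```powershell
# Added example (not from the original post): two-phase authoritative
# restore after the deletion has replicated. Phase Restore runs in DSRM
# before any reboot; Phase Links runs after the DC is back in normal mode.
# Assumed: PowerShell 2.0+ elevated; the post's DN (no spaces); the work
# directory is this example's choice; function names are hypothetical.

param(
    [ValidateSet('Restore', 'Links')] [string]$Phase = 'Restore',
    [string]$ObjectDN = 'CN=Livin,CN=Users,DC=serverlabs,DC=com',
    [string]$WorkDir  = 'C:\ARrestore',
    [switch]$Subtree
)

function Invoke-AuthoritativeRestore {
    param([string]$DN, [bool]$WholeSubtree)
    $verb = if ($WholeSubtree) { 'restore subtree' } else { 'restore object' }
    # ntdsutil still shows its Yes/No confirmation dialogue; click Yes.
    ntdsutil 'activate instance ntds' 'authoritative restore' "$verb $DN" quit quit
    $LASTEXITCODE
}

function Import-BackLinks {
    param([string]$Dir)
    # ntdsutil writes one ar_<timestamp>_links_<domain>.ldf per domain that held group
    # memberships for the restored object(s). A file for another domain must be imported
    # on a DC of that domain, after the restored object has replicated there.
    foreach ($file in Get-ChildItem -Path $Dir -Filter '*.ldf') {
        "Importing $($file.Name)"
        ldifde -i -k -f $file.FullName      # -i import, -k keep going past errors such as 'already a member'
        if ($LASTEXITCODE -ne 0) { Write-Warning "ldifde exit code $LASTEXITCODE for $($file.Name)" }
    }
}

function Get-RestoredObject {
    param([string]$DN)
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$DN")) { return $null }
    $entry = [ADSI]"LDAP://$DN"
    @{ DN = $DN; MemberOf = @($entry.memberOf) }
}

switch ($Phase) {
    'Restore' {
        New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
        Push-Location $WorkDir          # ntdsutil writes its .txt and .ldf output to the current directory
        try {
            $rc = Invoke-AuthoritativeRestore -DN $ObjectDN -WholeSubtree ([bool]$Subtree)
            "ntdsutil exit code $rc. Files written to ${WorkDir}:"
            Get-ChildItem $WorkDir | ForEach-Object { "  $($_.Name)" }
        } finally { Pop-Location }
        'Next: clear the DSRM boot flag, reboot normally, let the DC replicate, then run with -Phase Links.'
    }
    'Links' {
        Import-BackLinks -Dir $WorkDir
        $obj = Get-RestoredObject -DN $ObjectDN
        if ($obj) { "Restored: $($obj.DN)"; 'memberOf:'; $obj.MemberOf | ForEach-Object { "  $_" } }
        else      { Write-Warning "$ObjectDN is not present on this DC" }
    }
}
```

Use -Subtree when an OU rather than a single object was deleted; the Links phase is the same in both cases. If the memberOf list comes back empty although the user had group memberships, look for .ldf files named for other domains in the work directory, since those have to be imported in their own domain.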



Wednesday, 23 April 2014

How to do an AD offline defragmentation

Understanding the concept

As in previous versions of Windows Server, there are two types of defragmentation, online and offline. By default, online defragmentation happens automatically every 12 hours as part of AD's garbage collection process, and it runs independently on each DC (read more: http://support.microsoft.com/?kbid=198793). However, online defragmentation does not reduce the size of the database file (Ntds.dit); to reclaim that space you need to perform an offline defragmentation. Offline defragmentation creates a new, compacted copy of the database file, and depending on how fragmented the database is, the new file may be considerably smaller than the original. Remember that because DCs only replicate changes, an offline defragmentation of ntds.dit on one DC does not affect ntds.dit on other DCs; you must perform it on each DC separately. The steps below help you decide whether an offline defragmentation will reduce the database size.

When to perform an offline defragmentation

If you are already sure that offline defragmentation will reduce the database size, or if events are reporting that you should perform one, skip this section and start from 'How to perform offline defragmentation'.

1. The size of ntds.dit on disk can be read in Windows Explorer. The AD database lives under %SystemRoot%\NTDS, i.e. 'C:\Windows\NTDS' on Windows Server 2003 and 2008 (it was 'C:\WINNT\NTDS' on Windows 2000). Record this size; comparing it with what ntdsutil reports later helps detect corruption before the offline defragmentation.
Note: Active Directory does not use file-level replication, so the file can have a different size on each domain controller in your domain.
2. We need to edit one registry value to increase logging from garbage collection. Open Registry Editor (regedit) and go to 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics'. Double-click the value 6 Garbage Collection and change it from 0 to 1.


3. As noted, garbage collection runs twice a day. Wait for the next online defragmentation (it runs as part of garbage collection), then check the Directory Service log in Event Viewer: Event Viewer -> Applications and Services Logs -> Directory Service.
When online defragmentation starts you will see event ID 700 (source Directory Service), and when it finishes event ID 701. Between these, locate event ID 1646 (source ActiveDirectory_DomainService). Read its description carefully: the value under 'Free hard disk space (megabytes)' is the amount an offline defragmentation would recover. If it is negligible, offline defragmentation is not worthwhile.
Note: By default a newly created DC will have a database size of 12MB.

How to perform offline defragmentation

Important: It is highly recommended to have latest backup of your server before performing this operation. If anything goes wrong during this operation we can restore it back from our system state backup.

In my case I am compacting the database into 'c:\windows\ntds\temp'. You can do the same or compact to another location (any local drive with enough free space for a second copy of the database).

Note: Make a copy of the folder NTDS and its content to another directory before starting offline defragmentation.
If the compaction of the database does not work properly, you can then easily restore the database by copying it back to the original location. Do not delete the copy of the Ntds.dit file until you have at least verified that the domain controller starts properly.

1. First, stop the AD DS service.
From Windows Server 2008 onwards AD DS is a restartable service: it can be stopped during normal operation with a single command, or from the Services console.
Open a command prompt, type net stop ntds and press ENTER. Type Y to agree to stop the dependent services as well, then press ENTER (see: http://technet.microsoft.com/en-us/library/cc732714(v=ws.10).aspx).


On Server 2003 AD DS cannot be stopped while the server is running, so you must boot into Directory Services Restore Mode instead: reboot the domain controller, select the appropriate installation from the boot menu, press F8 to display the advanced boot options, choose Directory Services Restore Mode and press ENTER. Log on with the DSRM administrator account and password defined during AD DS installation (in this mode the directory service and its dependent services are not running).
2. At the command prompt, type ntdsutil, and then press ENTER.
3. At the ntdsutil prompt, type activate instance ntds, and then press ENTER. This sets NTDS (or a specific AD LDS instance) as the active instance; here it is NTDS.
4. At the ntdsutil prompt, type files, and then press ENTER. This switches ntdsutil to the file maintenance prompt, from which the AD DS/LDS database files are managed.
5. At the file maintenance prompt type info and press ENTER. This displays the size and location of the Active Directory database.


Make sure that the size displayed matches the size you recorded earlier in Windows Explorer. If they differ significantly, the database may be corrupt; do not proceed until that is resolved.
6. To start the defragmentation, at the file maintenance prompt type compact to c:\Windows\NTDS\temp (this writes the compacted database to 'c:\Windows\NTDS\temp').
Note: When you compact to a local drive you must provide a path. If the path contains spaces, enclose it in quotation marks (for example, compact to "c:\server labs"). If the directory does not exist, Ntdsutil.exe creates it and writes a file named Ntds.dit there.


7. A new database named Ntds.dit is created in the path you specified, here 'C:\Windows\NTDS\Temp'.
8. Type q twice to exit ntdsutil. Verify that the compacted copy exists in 'C:\Windows\NTDS\Temp'. To put it into use, rename (preferred) or delete the original database, then copy the compacted Ntds.dit from 'C:\Windows\NTDS\Temp' to 'C:\Windows\NTDS'.
9. You must also rename (if space allows) or delete the transaction log files in the C:\Windows\NTDS folder; they belong to the old database and are not consistent with the compacted copy.
At the command prompt type del <drive>:\<pathToLogFiles>\*.log. With the database and its logs under 'C:\Windows\NTDS', the command is del C:\Windows\NTDS\*.log; press ENTER. Before starting the service again it is worth checking the copied database: in ntdsutil run activate instance ntds, files, integrity (as in the move procedure below) and confirm it reports success.


10. The above steps complete the offline defragmentation. Now restart the service stopped in step 1: type net start ntds and press ENTER.


11. If you performed these steps on Windows Server 2003, reboot the server normally; on Server 2008 you can continue normal operation once the AD services are started.
If offline defragmentation does not reduce the NTDS database enough for the drive it is on, you can move the database to another disk. Read the article below to learn more.

How to move the Directory database and Log files to another drive

Understanding the concept

There are times when the AD database and log files cannot stay on the system drive: the drive is too small (a permanent move), or the drive has to be reformatted because of a problem (a temporary move). If you reformat the original drive, use the same procedure to move the files back after the reformat is complete. Ntdsutil.exe updates the registry when you move files locally, so use Ntdsutil.exe even for a temporary move, to keep the registry current. The values Ntdsutil.exe updates live under 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters': for the database file they are Database backup path, DSA Database file and DSA Working Directory, and for the log files Database log files path.

Important: Make sure that you have a full, current backup and that there is enough free space on the destination drive.

Moving the Active Directory Database Files

Note: Check the size of the NTDS folder under C:\Windows\NTDS and make sure the drive you are moving the database and log files to has enough free space for them.

1. Open a Command Prompt as an administrator (Start menu -> Command Prompt -> Run as administrator).
2. First, stop the AD DS service.
From Windows Server 2008 onwards AD DS is a restartable service: it can be stopped during normal operation with a single command, or from the Services console.
Open a command prompt, type net stop ntds and press ENTER. Type Y to agree to stop the dependent services as well, then press ENTER (see: http://technet.microsoft.com/en-us/library/cc732714(v=ws.10).aspx)


On Server 2003 AD DS cannot be stopped while the server is running, so you must boot into Directory Services Restore Mode instead: reboot the domain controller, select the appropriate installation from the boot menu, press F8 to display the advanced boot options, choose Directory Services Restore Mode and press ENTER. Log on as Administrator with the DSRM password defined during AD DS installation (in this mode the directory service and its dependent services are not running).
3. At the command prompt, type ntdsutil, and then press ENTER.
4. At the ntdsutil prompt, type activate instance ntds, and then press ENTER. This sets NTDS (or a specific AD LDS instance) as the active instance; here it is NTDS.
5. At the ntdsutil prompt, type files, and then press ENTER. This switches ntdsutil to the file maintenance prompt, from which the AD DS/LDS database files are managed.
6. To move the database file, at the file maintenance: prompt, type the following command and press ENTER.
move db to <drive>:\<directory>
7. To move the log files, type the following command and press ENTER:
move logs to <drive>:\<directory>
where <drive>:\<directory> is the new location. If the directory does not exist, Ntdsutil.exe creates it, and if the path contains spaces the whole path must be in quotation marks, for example move db to "E:\new folder".

In my case the NTDS database and log files are in the default location 'C:\Windows\NTDS' and I want to move them to 'E:\NTDS'. The command to move the database NTDS.dit is therefore,
move db to E:\NTDS


Once the database has been moved you will see the message 'Move database is successful' and the updated directories in the DS path information (shown in the box in the picture above). The command for the log files is,
move logs to E:\NTDS


Verify in the same way that the log files were moved and the success message appeared.
8. If you are moving the database or log files only temporarily, do the required work on the original drive now. Afterwards repeat steps 3 to 7 to move the files back to the original location, then continue from step 10.
9. If you are moving the NTDS files permanently to the new location, you must also set the required permissions on the folder.
  i. In Windows Explorer, right-click the folder to which you moved the database or log files (for me, E:\NTDS) and click Properties.
  ii. Click the Security tab, then Advanced. Verify that the permissions are set as follows: the Administrators group and SYSTEM have Full Control over the folder. If Administrators, SYSTEM or both are missing from the Name list, click Edit, then Add. In From this location, make sure the name of your domain is selected, otherwise you will not be able to find and add these accounts. Type the object name SYSTEM and click OK; repeat for Administrators and make sure both have Full Control.
  iii. In the Group or user names box, click any name that is not SYSTEM or Administrators and click Remove. Repeat until only Administrators and SYSTEM remain, then click OK.
  iv. The 'Include inheritable permissions from this object's parent' check box is cleared (if it is selected, click Edit, clear it, and click OK), and no Deny permissions are selected.
10. Now at the file maintenance prompt type integrity and press ENTER (if you are no longer at the file maintenance prompt, repeat steps 3 to 5 to get there).
If the database and log files were relocated successfully, the integrity check reports success at the command prompt.


11.Type q twice to exit the file maintenance prompt and ntdsutil.
12. Assuming everything worked, restart AD DS: on Server 2008 type net start ntds at the command prompt; on Server 2003 restart the server in normal mode.
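Step 9 is the part of this procedure most often done incompletely, because removing every inherited entry by hand in the Explorer dialog is tedious, and a leftover Users or Authenticated Users entry on the folder that holds ntds.dit is exactly what you do not want. The PowerShell below is an added example, not code from the original post, for the permanent move on Server 2008: it records the registry paths before the move, stops AD DS, runs the ntdsutil move db / move logs commands from steps 6 and 7, applies the step 9 ACL (Administrators and SYSTEM with Full Control, inheritance off, every other entry removed), runs the step 10 integrity check, restarts AD DS, and shows the paths and the resulting permissions. Assumed: PowerShell 2.0 or later in an elevated prompt, a current backup, the post's E:\NTDS target (no spaces; ntdsutil needs quotes otherwise); function names are hypothetical.

```powershell
# Added example (not from the original post): scripted permanent move of
# the AD database and logs on Server 2008, with the folder ACL of step 9.
# Assumed: elevated PowerShell 2.0+, current backup, the post's E:\NTDS
# target; function names are hypothetical.

param(
    [string]$NewDir = 'E:\NTDS',
    [switch]$Execute
)

function Get-NtdsPaths {
    # These are the values ntdsutil rewrites when it moves the files.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    New-Object PSObject -Property @{
        Database = $p.'DSA Database file'
        Logs     = $p.'Database log files path'
        Working  = $p.'DSA Working Directory'
    }
}

function Set-NtdsFolderAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)            # stop inheriting; discard inherited entries
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)                  # drop every explicit entry, Deny included
    }
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', $flags, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Move-NtdsFiles {
    param([string]$Dest)
    net stop ntds /y                                        # /y also stops dependent services
    if ($LASTEXITCODE -ne 0) { throw 'AD DS did not stop; nothing has been moved' }
    try {
        # ntdsutil moves the files and updates the NTDS\Parameters values itself; never move them by hand.
        ntdsutil 'activate instance ntds' files "move db to $Dest" "move logs to $Dest" quit quit
        if ($LASTEXITCODE -ne 0) { throw "ntdsutil move failed with exit code $LASTEXITCODE" }
        Set-NtdsFolderAcl -Path $Dest
        ntdsutil 'activate instance ntds' files integrity quit quit
        if ($LASTEXITCODE -ne 0) { throw 'integrity check failed after the move' }
    } finally {
        net start ntds
    }
}

'Paths before:'; Get-NtdsPaths | Format-List
if (-not $Execute) { "Report only; re-run with -Execute to move database and logs to $NewDir."; return }

Move-NtdsFiles -Dest $NewDir
'Paths after:'; Get-NtdsPaths | Format-List
'Permissions on the new folder:'
(Get-Acl -Path $NewDir).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

The final table should show exactly two Allow entries, both with IsInherited False; anything else means step 9 is not complete. For a temporary move, run the script again with -NewDir pointing at the original folder once the drive work is done, which is the step 8 round trip.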