Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.


Transcript of Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Page 1: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Active Directory Maintenance, Troubleshooting, and Disaster Recovery

Lesson 11

Page 2: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Skills Matrix

Technology Skill | Objective Domain | Objective #
Backing Up Active Directory | Configure backup and recovery | 5.1
Maintaining Active Directory | Perform offline maintenance | 5.2
Using the Reliability and Performance Monitor | Monitor Active Directory | 5.3

Page 3: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Maintaining Active Directory

• After successfully implementing a Microsoft Windows Server 2008 environment, it is important to develop maintenance procedures to keep it running smoothly.

• A solid monitoring and maintenance plan can prevent potential problems.

Page 4: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Maintaining Active Directory

• Active Directory is a database based on the Extensible Storage Engine (ESE) format.

– ESE is responsible for managing changes to the Active Directory database.

– Changes are referred to as transactions.

– Active Directory writes the transaction to the transaction log file (edb.log).

– Active Directory updates the edb.chk checkpoint file (a reference for database information written to disk).

Page 5: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Fragmentation

• Like any database, modifications and changes to the Active Directory database can affect database performance and data integrity.

• As modifications are made to the database, fragmentation can occur.

• Fragmentation refers to the condition of a disk when data from the database is divided into pieces scattered across the disk.

• As the database becomes more fragmented, searches for database information slow down and performance deteriorates.

– The potential exists for database corruption.

Page 6: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Defragmentation

• Defragmentation is the process of taking fragmented database pieces and rearranging them contiguously to make the entire database more efficient.

• Depending on the method used, the size of the database can be reduced, making room for additional objects.

• Active Directory has two defragmentation methods:

– Online defragmentation.

– Offline defragmentation.

Page 7: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Online Defragmentation

• Online defragmentation is an automatic process that occurs during the garbage collection process.

– The garbage collection process runs by default every 12 hours on all domain controllers in the forest.

– When the garbage collection process begins, it removes all tombstones from the database.

Page 8: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Online Defragmentation

• A tombstone is what is left of an object that has been deleted.

– Deleted objects are not completely removed from the Active Directory database; rather, they are marked for deletion.

– Tombstone objects have a lifetime of 180 days, by default.

– When the lifetime expires, the objects are permanently deleted during the garbage collection process.

– Additional free space is reclaimed during the garbage collection process through the deletion of tombstone objects and unnecessary log files.

Page 9: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Online Defragmentation

• The advantage of an online defragmentation is that it occurs automatically and does not require the server to be offline to run.

• An online defragmentation does not reduce the actual size of the Active Directory database.

Page 10: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Offline Defragmentation

• Offline defragmentation is a manual process that defragments the Active Directory database in addition to reducing its size.

• Performing an offline defragmentation is not considered to be a regular maintenance task.

• You should only perform an offline defragmentation if you need to recover a significant amount of disk space.

• As its name suggests, offline defragmentation requires that the server be taken offline so that the Active Directory database is closed and not in use.

• An offline defragmentation cannot run while the AD DS service is running.

Page 11: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Offline Defragmentation

• Offline defragmentation is performed while the server is booted to Directory Services Restore Mode, using the ntdsutil command.
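The offline defragmentation described above, as an added example script (not part of the original lesson). The scratch folder `D:\NtdsCompact` is an assumption; the registry values `DSA Database file` and `Database log files path` and the ntdsutil `compact to` command are not named in the lesson.

```powershell
# Added example: pre-flight checks, then compaction, for an offline defragmentation.
# Run from an elevated prompt on the domain controller, booted to DSRM.
param(
    # Assumed scratch folder (no spaces in the path) on a local, administrators-only volume.
    [string]$CompactTo = 'D:\NtdsCompact'
)

# Where AD DS keeps its database and logs on this domain controller.
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath     = $ntdsParams.'DSA Database file'
$logDir     = $ntdsParams.'Database log files path'

# 1. The database must be closed, so AD DS must not be running.
if ((Get-Service -Name NTDS).Status -ne 'Stopped') {
    throw 'AD DS is running; restart in Directory Services Restore Mode first.'
}

# 2. Compaction writes a second copy of the database, so the target needs
#    at least as much free space as the current ntds.dit occupies.
$dbSize = (Get-Item -LiteralPath $dbPath).Length
$drive  = Split-Path -Path $CompactTo -Qualifier
$disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
if ($disk.FreeSpace -lt $dbSize) {
    throw "Not enough free space on $drive for a copy of $dbPath"
}
New-Item -ItemType Directory -Path $CompactTo -Force | Out-Null

# 3. Compact into the scratch folder; the live database is not modified.
& ntdsutil.exe 'activate instance ntds' 'files' "compact to $CompactTo" 'quit' 'quit'

$newDb = Join-Path $CompactTo 'ntds.dit'
if (-not (Test-Path -LiteralPath $newDb)) {
    throw "Compaction did not produce $newDb; see the ntdsutil output above."
}

# 4. Report what was gained and what is left to do by hand.
New-Object PSObject -Property @{
    OriginalMB  = [math]::Round($dbSize / 1MB, 1)
    CompactedMB = [math]::Round((Get-Item -LiteralPath $newDb).Length / 1MB, 1)
    ReplaceFile = $dbPath      # copy the compacted ntds.dit here, keeping the original aside
    ClearLogsIn = $logDir      # old *.log files no longer match the compacted database
}
# After replacing the file, verify it before rebooting normally:
#   ntdsutil "activate instance ntds" files integrity quit quit
# The scratch copy holds every account's credentials; delete it once the swap is verified.
```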

Page 12: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Backing Up Active Directory

• One of the most essential duties of an administrator is ensuring that data and operating system information is backed up in case of a failure.

• Procedures that include the frequency of backups in addition to the type of information that needs to be backed up should be planned and implemented in every organization.

Page 13: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Backing Up Active Directory

• To back up Active Directory, you must install the Windows Server Backup feature from the Server Manager console.

• If you wish to perform backups from the command line, you will also need to install Windows PowerShell, which is a new command-line and task-based scripting technology that is included with Windows Server 2008.

– In the present release of Windows Server 2008, PowerShell cannot be installed on Server Core.

• Windows Server Backup supports the use of CD and DVD drives as backup destinations, but does not support magnetic tapes as backup media.

• Additionally, you cannot perform backups to dynamic volumes.

Page 14: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Backing Up Active Directory

• Windows Server 2008 supports two types of backup:

– Manual backup.

– Scheduled backup.

• A manual backup is started from Server Backup or the Wbadmin.exe command-line tool when a backup is needed.

• You must be a member of the Administrators group or the Backup Operators group to launch a manual backup.

Page 15: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Backing Up Active Directory

• Windows Server 2008 does not back up or recover System State data in the same way as servers that run Windows Server 2003.

• In Windows Server 2008, you must back up critical volumes rather than only backing up the System State data.

Page 16: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Backing Up Active Directory

• Backing up critical volumes involves backing up the following data:

– The system volume, which hosts the boot files. These consist of bootmgr.exe (the Windows boot loader) and the Boot Configuration Data (BCD) store, which describes boot applications and boot application settings and replaces the boot.ini file in previous versions of Windows.

– The boot volume, which hosts the Windows operating system and the Registry.

– The volume that hosts the SYSVOL share.

– The volume that hosts the Active Directory database (Ntds.dit).

– The volume that hosts the Active Directory database log files.

Page 17: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Backing Up Active Directory

• In Windows Server 2008, the system components that make up System State data depend on the roles installed on a particular computer and which volumes host the critical files used by the operating system and its installed roles.

• At a minimum, the System State consists of the following data, plus any additional data, depending on the server roles that are installed:

– Registry.

– COM Class Registration database.

– Boot files described earlier in this topic.

– Active Directory Certificate Services database.

– Active Directory Domain Services database.

– SYSVOL directory.

– Cluster service information.

– Microsoft Internet Information Services (IIS) metadirectory.

– System files that are under Windows Resource Protection.

Page 18: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Backing Up Active Directory

Page 19: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Backing Up Active Directory

Page 20: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Restoring Active Directory

• Windows Server 2008 offers the ability to restore the Active Directory database.

– Restoring Active Directory using normal replication.

– Restoring Active Directory using wbadmin and ntdsutil.

Page 21: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Restoring Active Directory using Wbadmin and Ntdsutil

• Windows Server 2008 allows several different restoration methods, depending on the goals for your restore.

• You can use wbadmin, which is the command-line component of the Windows Server Backup snap-in, to perform a nonauthoritative restore of Active Directory, which restores a single Active Directory domain controller to its state before the backup.

– This method can be used to restore a single domain controller to a point in time when it was considered to be good. If the domain has other domain controllers, the replication process will update the domain controller with the most recent information after the restore is complete.

Page 22: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Monitoring Active Directory

• Monitoring the Active Directory service is an important part of network administration.

• Monitoring enables you to take a proactive approach to network management.

• By raising the awareness of possible network problems before they occur, you have better control over their impact.

Page 23: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Monitoring Active Directory

• Monitoring Active Directory can provide the following benefits:

– Early alerts to potential problems.

– Improved system reliability.

– Fewer support calls to the helpdesk.

– Improved system performance.

Page 24: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Event Logs

• Windows Server 2008 uses the Windows Event Viewer to record system events, such as security, application, and directory service events.

• Directory Services logs:

– Events related to Active Directory are recorded in the Directory Service log.

– The Directory Service log is created when Active Directory is installed.

– It logs informational events such as service start and stop messages, errors, and warnings.

– This log should be the first place you look when you suspect a problem with Active Directory.

Page 25: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Event Logs

Page 26: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Reliability and Performance Monitor

• The Reliability and Performance Monitor is a tool located within the Administrative Tools folder that will collect real-time information on your local computer or from a specific computer to which you have permissions.

– This information can be viewed in a number of different formats that include charts, graphs, and histograms.

– The reports can be saved or printed for documentation purposes.

Page 27: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Reliability and Performance Monitor

Page 28: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Diagnosing and Troubleshooting Active Directory

• To assist you with obtaining more detailed information in the event logs, you can set the event logs to record diagnostic information specific to processes related to Active Directory.

– To enable, modify the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
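One way to work with that key from PowerShell, as an added example (not part of the original lesson): list which diagnostic categories are above the default, raise one while troubleshooting, and put it back afterwards. The category name `6 Garbage Collection` and the 0 to 5 level range are not stated in the lesson; the function names are hypothetical.

```powershell
# Added example: audit and adjust NTDS diagnostic logging levels.
$DiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-NtdsDiagnosticLevel {
    # One REG_DWORD value per logging category; 0 is the default (critical events only).
    $key = Get-Item -Path $DiagKey
    foreach ($name in $key.GetValueNames()) {
        New-Object PSObject -Property @{
            Category = $name
            Level    = [int]$key.GetValue($name)
        }
    }
}

function Set-NtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory = $true)][string]$Category,
        [Parameter(Mandatory = $true)][ValidateRange(0, 5)][int]$Level
    )
    $key = Get-Item -Path $DiagKey
    # Refuse to create new values: a typo would otherwise add a value that does nothing.
    if ($key.GetValueNames() -notcontains $Category) {
        throw "No diagnostic category named '$Category' under $DiagKey"
    }
    $previous = [int]$key.GetValue($Category)
    Set-ItemProperty -Path $DiagKey -Name $Category -Value $Level -Type DWord
    # Return the old level so the caller can restore it.
    New-Object PSObject -Property @{
        Category = $Category
        Previous = $previous
        Current  = $Level
    }
}

# Audit: anything above 0 was raised by someone and may be flooding the Directory Service log.
Get-NtdsDiagnosticLevel | Where-Object { $_.Level -gt 0 } | Sort-Object Category

# Troubleshooting session: raise one category, then restore the earlier level.
$change = Set-NtdsDiagnosticLevel -Category '6 Garbage Collection' -Level 1
# ... reproduce the problem and read the Directory Service log here ...
Set-NtdsDiagnosticLevel -Category $change.Category -Level $change.Previous | Out-Null
```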

Page 29: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Active Directory Diagnostic Tools

Page 30: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Active Directory Diagnostic Tools

Page 31: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Summary

• Active Directory has two defragmentation methods: online defragmentation and offline defragmentation.

– Online defragmentation is an automatic process triggered by the garbage collection process.

– Offline defragmentation is a manual process that requires the server to be restarted in Directory Services Restore Mode.

• The Ntdsutil command-line utility is used to perform the offline defragmentation.

Page 32: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Summary

• The Active Directory database can be moved to a new location if you decide that there is a need to relocate it due to space limitations.

– This is accomplished with the Ntdsutil command-line utility.

• When you back up Active Directory, you must include the System State data.

– The System State data includes operating system-specific information needed for installed services and operating system components to function.

Page 33: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Summary

• In the event of a domain controller failure, two restore options are available in Windows Server 2008: authoritative and nonauthoritative.

• An authoritative restore uses the Ntdsutil command-line utility and allows you to mark records that supersede any existing records during replication.

Page 34: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Summary

• The nonauthoritative restore method restores the Active Directory database to its state before the backup.

– After a normal restore, replication of more recent object information from other domain controllers is used to update the database to match all other domain controllers.

Page 35: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Summary

• Active Directory cannot be restored from a backup that is older than the default tombstone lifetime of 180 days.

• Domain controllers keep track of deleted objects only for the duration of the tombstone lifetime.
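A check for the backup-age limit described above, as an added example (not part of the original lesson). It reads the forest's `tombstoneLifetime` attribute from the configuration partition and compares it with a backup's age; the function names, the 30-day warning margin and the sample dates are constructed for illustration, and PowerShell 2.0 or later is assumed.

```powershell
# Added example: is a backup still young enough to restore from?
function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the configuration partition.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.Properties['tombstoneLifetime'].Value
    if ($null -eq $value) {
        # Attribute not set: the forest is using its built-in default, so the
        # operator has to supply the effective value instead of this script guessing it.
        throw 'tombstoneLifetime is not set; pass -TombstoneLifetimeDays explicitly.'
    }
    return [int]$value
}

function Test-BackupRestorable {
    param(
        [Parameter(Mandatory = $true)][datetime]$BackupTime,
        [Parameter(Mandatory = $true)][int]$TombstoneLifetimeDays,
        [int]$WarnBelowDays = 30,          # assumed safety margin
        [datetime]$Now = (Get-Date)
    )
    $ageDays   = [int][math]::Floor(($Now - $BackupTime).TotalDays)
    $remaining = $TombstoneLifetimeDays - $ageDays

    if     ($remaining -le 0)             { $status = 'Expired' }       # must not be restored
    elseif ($remaining -lt $WarnBelowDays) { $status = 'ExpiringSoon' }  # take a fresh backup now
    else                                   { $status = 'OK' }

    New-Object PSObject -Property @{
        BackupTime    = $BackupTime
        AgeDays       = $ageDays
        DaysRemaining = $remaining
        Status        = $status
    }
}

# Constructed sample: three backups judged against the 180-day default the lesson states.
# On a domain controller, replace 180 with (Get-TombstoneLifetimeDays).
$now = [datetime]'2024-08-01'
'2024-07-20', '2024-02-20', '2024-01-10' | ForEach-Object {
    Test-BackupRestorable -BackupTime ([datetime]$_) -TombstoneLifetimeDays 180 -Now $now
}
```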

Page 36: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Summary

• When monitoring the health of Active Directory, you can examine the Directory Service log to obtain information.

– The Directory Service log is created when Active Directory is installed.

– By default, it logs informational events, such as service start and stop messages, errors, and warnings.

– Additional diagnostic logging can be achieved by modifying the registry.

Page 37: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Summary

• The Reliability and Performance Monitor in Windows Server 2008 allows you to collect real-time information on your local computer or from a specific computer to which you have permissions.

– This information can be viewed in a number of different formats that include charts, graphs, and histograms.

Page 38: Active Directory Maintenance, Troubleshooting, and Disaster Recovery Lesson 11.

Summary

• The Reliability and Performance Monitor uses performance objects, or categories, and performance counters to organize performance information.

– Performance counters are the specific processes to monitor.

– Many counters are available.