
Active Directory Disaster Recovery
Paul Simmons
Support Engineer
Directory Services
Microsoft Corporation

Definition

Resolving problems on Microsoft Windows domain controllers that affect client, domain, or forest operation:
- In the least amount of time
- With the least amount of pain
- With the best possible results

Preventive Maintenance

- Use good hardware and test it regularly
- Test deployments in a lab before deployment
- Practice recovery scenarios in a lab
- Remove single points of failure
- Never have only one domain controller in a domain
- Back up before and after every major state change

Recovery Options

Rebuild
- Winnt32, Dcpromo, and re-replicate
- Known recovery time and results

Restore
- Windows Backup (Ntbackup.exe) to restore to a known good state
- Re-replicate

Repair
- Esentutl repair of the database is a last resort
- Use an integrity check first to see whether the database is damaged

Recovery Tools

- Ntbackup: System State
- Ntdsutil: Metadata Cleanup
- Esentutl: Database Validation and Repair
- Winnt32: Rebuild
- Dcpromo: Re-promote
- Component level recovery
  - FAZAM
  - Dfsutil.exe

Ntbackup

Features:
- Backs up Active Directory in online mode
- Scheduled backups

What to back up:
- System state: Active Directory, boot files, registry, and more

Resources:
- Q240363: How to Back Up and Restore the System State
- Q233427: Files and Folders Not Backed Up Using the Ntbackup.exe Tool
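As an added example (not part of the WebCast slides), the batch file below takes the online System State backup the slide describes and is written so it can be scheduled with the Windows 2000 at command. The backup folder, script path, job name, and schedule are assumptions for illustration.

```batch
@echo off
rem Added example, not from the WebCast slides: online System State backup of a
rem Windows 2000 domain controller with Ntbackup. Paths, job name, and the
rem schedule in the comment at the end are assumptions for illustration.

set BKDIR=D:\Backups\SystemState
set BKFILE=%BKDIR%\%COMPUTERNAME%-systemstate.bkf

if not exist "%BKDIR%" mkdir "%BKDIR%"

rem Keep the previous set, so a failed run never leaves the DC without a
rem usable backup. Sets older than tombstonelifetime (60 days by default)
rem must not be restored: they can reintroduce tombstoned objects.
if exist "%BKFILE%" copy /Y "%BKFILE%" "%BKFILE%.prev" >nul

rem "systemstate" covers Active Directory (ntds.dit), SYSVOL, the registry,
rem boot files, and COM+ class registration; the DC stays online.
rem /M normal = full backup, /V:yes = verify after writing, /L:s = summary log,
rem /D stamps the set description with the run time for later identification.
ntbackup backup systemstate /J "%COMPUTERNAME% System State" /F "%BKFILE%" /M normal /V:yes /L:s /D "System State %DATE% %TIME%"

rem To run this unattended every weeknight at 23:00 (the Task Scheduler
rem service must be running), execute once from an administrative prompt:
rem   at 23:00 /every:M,T,W,Th,F "D:\Scripts\backup-systemstate.cmd"
```

Run the backup before and after every major state change (schema extension, domain controller promotion or demotion, large bulk imports) as the Preventive Maintenance slide advises, and rotate the dated sets so that no set older than the tombstone lifetime is ever chosen for a restore.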

Backup Limitations

- Backup life = tombstonelifetime value
  - Default = 60 days
- Password change interval = 30 days
- Password history = 2 (current and previous)
- Backup useful life = 60 days or two default password changes
- Old backups can reintroduce tombstoned objects
- Schema rollback is not supported

Ntdsutil

Metadata cleanup
- Remove orphaned domain controllers or domains

Integrity check and repair
- Wrapper around Esentutl
- Tells you if the database is damaged

Authoritative restore
- Mark selected objects on a domain controller as authoritative
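The Recovery Options slide makes Esentutl repair a last resort and tells you to check integrity first, and this slide notes that Ntdsutil wraps Esentutl for that check. As an added example (not from the slides), the batch file below runs both checks a practitioner would want before deciding between restore, rebuild and repair. It must be run from Directory Services Restore Mode (F8 at boot) because the database has to be offline; the log path and the success string matched are assumptions about esentutl's output on your build.

```batch
@echo off
rem Added example, not from the WebCast slides: validate the Active Directory
rem database on a Windows 2000 DC before any repair is considered. Run only in
rem Directory Services Restore Mode; the log path below is an assumption.

set LOG=%TEMP%\ntds-integrity.log

rem Step 1: physical (ESE page-level) integrity check. Ntdsutil runs
rem "esentutl /g" against ntds.dit for you and echoes its output.
ntdsutil files integrity quit quit > "%LOG%" 2>&1
type "%LOG%"

rem esentutl reports "Integrity check successful." on a clean database; the
rem exact string is an assumption - read the log if your build words it differently.
findstr /I /C:"Integrity check successful" "%LOG%" >nul
if errorlevel 1 goto :damaged

rem Step 2: logical (directory-level) consistency check: object counts,
rem reference and security-descriptor problems. "go" only reports;
rem "go fixup" would apply repairs and is deliberately not run here.
ntdsutil "semantic database analysis" "verbose on" go quit quit

echo Both checks passed. A damaged database is not the cause; look elsewhere
echo (replication, hardware, configuration) before restoring anything.
goto :eof

:damaged
echo Physical integrity check FAILED.
echo Preferred: restore System State from a known good backup, or re-promote
echo this DC with Winnt32/Dcpromo and let it re-replicate.
echo Last resort only: "esentutl /p" repair, which can discard data.
```

The same commands can be typed one at a time at the interactive ntdsutil prompt (files, integrity, quit, and so on); the one-line argument form simply makes the check repeatable. Keep the log: if you do end up rebuilding or repairing, it is the evidence of why.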

Nonauthoritative Restore

What is it?
- Restore to a known good point using Ntbackup
- Reboot into Active Directory mode to sync changes

When to use
- Recover from hardware failure
- Return to a known good state on a single domain controller

Options
- Rebuild the server from scratch and re-run Dcpromo
- Restore the machine to a known good point and sync the deltas

Authoritative Restore

What is it?
- Restore to a known good point using Ntbackup
- Make the objects on the reference domain controller the master copy for Active Directory

When to use
- Accidental deletion or modification of objects or containers in Active Directory
- Corruption of objects/attributes in the directory

Options
- Find a good domain controller that has the objects and make it authoritative
- Restore from a backup that contains the objects and make it authoritative

Authoritative Restore

Boot into offline restore mode
- Press F8 during the boot phase
- Log on with the offline administrator account

Mark objects in Ntdsutil as authoritative
- Find a machine with the objects, or restore them
- Restore a subtree, or the entire database (rare)

Best practice
- Use the most specific distinguished name path needed for recovery
- Restore Active Directory over Terminal Services: Q256588

Winnt32 and Dcpromo

What is it?
- Reinstall of the OS
- Run Dcpromo

When to use
- Known recovery time and end result
- No applications or services to protect

Options
- Maintain a standby server that can be shipped to a remote site

Scenarios

- Hardware failure
- Deleted objects in Active Directory
- Flexible Single Master Operation (FSMO) recovery
- Demo of authoritative restore

Hardware Failure

Scenario:
- Domain controller experiences catastrophic hardware failure

Goal:
- Replace the bad hardware or the entire server and resume operations

Given:
- Valid backup
- Identical hardware

Hardware Failure (2)

Process
- Replace the server or hardware
- Restore from tape backup
- Re-replicate

Alternatives
- Winnt32 and Dcpromo

Hardware Failure (3)

Restore to dissimilar hardware
- Q263532: Disaster Recovery of Active Directory on Dissimilar Hardware

Requirements
- Same number of drives and drive letters
- Complete backup of system state and system drive
- Same NICs, video cards, HAL, kernel, and number of processors
- Remove teaming network cards on the target
- Same disk drive controller and configuration

Deleted Objects in Active Directory

Scenario
- Critical objects have been deleted from Active Directory

Goal
- To recover the objects without re-creating them

Given
- A valid backup

Deleted Objects in Active Directory (2)

Resolution: restore from tape and authoritative restore in Ntdsutil
- Restore a recent backup containing the deleted objects
- Mark the deleted objects as authoritative using Ntdsutil (authoritative restore in Ntdsutil)

Alternative:
- Find a replica domain controller that hasn't received the deletions
- Mark the deleted distinguished name as authoritative (no restore required)
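The Authoritative Restore slides give the procedure (F8 into offline restore mode, restore with Ntbackup, mark the most specific distinguished name authoritative in Ntdsutil) and this slide applies it to deleted objects. As an added example (not from the slides), the batch file below is the Ntdsutil step of that procedure for both the restore-from-tape case and the alternative of a replica DC that has not yet received the deletions. The domain, OU and object names are assumptions for illustration.

```batch
@echo off
rem Added example, not from the WebCast slides: mark restored objects
rem authoritative on a Windows 2000 DC. Run in Directory Services Restore Mode,
rem AFTER the System State restore with Ntbackup and BEFORE rebooting into
rem normal mode. On a replica DC that never received the deletion, skip the
rem Ntbackup restore and run only this step. Names below are assumptions.

rem Best practice from the slides: use the most specific DN that covers what
rem was deleted - one object rather than its OU, an OU rather than the domain.
set TARGET=OU=Sales,DC=contoso,DC=com

rem "restore subtree" raises the version number of every attribute of every
rem object under the DN (by default 100,000 for each day since the backup),
rem so replication partners accept this copy instead of re-deleting it.
ntdsutil "authoritative restore" "restore subtree %TARGET%" quit quit

rem For a single object use "restore object" with that object's DN instead:
rem   ntdsutil "authoritative restore" "restore object CN=jdoe,OU=Sales,DC=contoso,DC=com" quit quit
rem A DN that contains spaces must be quoted inside ntdsutil; enter such a DN
rem at the interactive prompt rather than on the command line.

echo Now reboot into normal mode and let the DC replicate.
echo Confirm on a replication partner that the restored objects carry the
echo incremented version numbers (as in the Repadmin /Showmeta demo):
echo   repadmin /showmeta "%TARGET%"
```

Restoring the entire database authoritatively (the "rare" option on the slide) is the same command with restore database, and should be a conscious decision: it overrides every change made anywhere in the domain since the backup. Check group memberships of restored users afterwards, since links to groups that were not part of the restored subtree may need to be re-established by hand.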

Deleted Objects in Active Directory (3)

Protection
- Set the replication schedule to once every four days on a backup domain controller
- Mark objects as authoritative on it when a deletion is detected

FSMO Recovery

Flexible Single Master Operations (FSMO)
- Q223787: Flexible Single Master Operation Transfer and Seizure Process

Transfer roles
- Preferred
- Graceful

Seizure of roles
- Last resort
- That server cannot come back online. EVER.
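As an added example (not from the slides), the batch file below shows the three Ntdsutil operations behind this slide and the earlier Ntdsutil slide's metadata cleanup: the graceful transfer that is preferred, the seizure that is the last resort, and the metadata cleanup that removes the failed holder so it can never return. It takes one argument selecting the operation; the server names and the list indexes used in the cleanup are assumptions for illustration.

```batch
@echo off
rem Added example, not from the WebCast slides: FSMO transfer, seizure and
rem metadata cleanup with the Windows 2000 Ntdsutil. DC names are assumptions.
rem Usage: fsmo.cmd transfer | seize | cleanup

set NEWHOLDER=DC02
set DEADDC=DC01

if /I "%1"=="transfer" goto :transfer
if /I "%1"=="seize" goto :seize
if /I "%1"=="cleanup" goto :cleanup
echo Usage: %~n0 transfer ^| seize ^| cleanup
goto :eof

:transfer
rem Preferred, graceful: both DCs online. Ntdsutil binds to the DC that will
rem receive the role and the current holder hands it over, so every replica
rem agrees on the new owner. Repeat for the other roles as needed.
ntdsutil roles connections "connect to server %NEWHOLDER%" quit "transfer PDC" quit quit
netdom query fsmo
goto :eof

:seize
rem Last resort: the holder is gone for good. "seize" attempts a transfer
rem first and only then stamps the role on %NEWHOLDER% without the old
rem holder's consent. The old holder must NEVER be brought back online after
rem this - run "cleanup" next. Domain-wide roles are seized on a DC in the
rem same domain; schema and domain naming master on a DC in the forest root.
ntdsutil roles connections "connect to server %NEWHOLDER%" quit "seize PDC" "seize RID master" "seize infrastructure master" quit quit
netdom query fsmo
goto :eof

:cleanup
rem Remove the dead DC's metadata so it can neither replicate nor be counted
rem as a replication partner. The numbers in "select domain 0", "select site 0"
rem and "select server 0" are positions in the preceding "list" output; run
rem the list commands interactively first and confirm the selected server is
rem %DEADDC% before using this scripted form.
ntdsutil "metadata cleanup" connections "connect to server %NEWHOLDER%" quit "select operation target" "list domains" "select domain 0" "list sites" "select site 0" "list servers in site" "select server 0" quit "remove selected server" quit quit
goto :eof
```

Each seize and the final remove selected server display a confirmation dialog even when invoked this way, which is appropriate: these are one-way operations. If the failed DC is ever repaired, it must be reinstalled (Winnt32 and Dcpromo) rather than reconnected, exactly as the slide's "EVER" warns.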

Ntdsutil FSMO Transfer UI

Demo: User Objects Created

Demo: Repadmin /Showmeta

Demo: System State Backup

Demo: Deleted Objects

Demo: Restore System State

Demo: Advanced Options

Demo: Authoritative Restore

Demo: Authoritative Restore (2)

Demo: Repadmin /Showmeta with Incremented Version Numbers

Additional References:

- Server recovery: http://www.microsoft.com/windows2000/techinfo/administration/fileandprint/recovery.asp
- Q241594: HOW TO: Perform an Authoritative Restore to a Domain Controller in Windows 2000
- Microsoft Windows 2000 Server Distributed Systems Guide, Chapters 9 and 10

Thank you for joining us for today's Microsoft Support WebCast.

For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint slides, and transcripts), please visit: http://support.microsoft.com/webcasts/

We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to feedback@microsoft.com and include "Support WebCasts" in the subject line.