1 Administering Active Directory: Locating Active Directory Objects, Controlling Access to Active Directory Objects, Publishing Resources in Active Directory, Moving Active Directory Objects, Delegating Administrative Control of Active Directory Objects, Backing Up Active Directory, Restoring Active Directory, Troubleshooting Active Directory

Date post: 30-Jan-2016
Upload: martina-bridges

Transcript
Page 1: 1 Administering Active Directory Locating Active Directory Objects Controlling Access to Active Directory Objects Publishing Resources in Active Directory.

Administering Active Directory

• Locating Active Directory Objects

• Controlling Access to Active Directory Objects

• Publishing Resources in Active Directory

• Moving Active Directory Objects

• Delegating Administrative Control of Active Directory Objects

• Backing Up Active Directory

• Restoring Active Directory

• Troubleshooting Active Directory

Page 2

Locating Active Directory Objects

• Understanding Common Active Directory Objects

• Using Find

• Practice: Searching Active Directory

Page 3

Locating Active Directory Objects Overview

• Active Directory stores information about objects on the network.

• Each object is a distinct, named set of attributes that represents a specific network entity.

• Active Directory is designed to provide information to queries about directory objects from both users and programs.

Page 4

Common Object Types

• User account

• Contact

• Group

• Shared folder

• Printer

• Computer

• Domain controller

• Organizational unit (OU)

Page 5

Using Find to Locate Objects

Page 6

Overview of Using Find

• The Find dialog box is opened from the Active Directory Users and Computers console (itself located in the Administrative Tools folder) by selecting a domain or OU and clicking Find on the Action menu.

• The Find dialog box provides options that allow the global catalog to be searched for Active Directory objects.

• The Find dialog box helps create an LDAP query that will be executed against the directory or a specific OU.

• The global catalog holds a partial replica of every domain in the forest: every object, but only a subset of each object's attributes (the partial attribute set).

• Because of this, users can find objects regardless of which domain in the tree or forest holds them; attributes outside the partial attribute set must be read from a domain controller of the owning domain.

• Active Directory automatically generates the contents of the global catalog from the domains that make up the directory.
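The search the Find dialog performs, as an added example that is not part of the original slides: a global catalog query over System.DirectoryServices, with the LDAP filter built from an escaped user-supplied value (RFC 4515) so that input such as `*)(objectClass=*` cannot rewrite the query. It assumes a domain-joined machine whose caller can read the global catalog; the names and the OU in the usage lines are placeholders.

```powershell
# Added example, not from the original slides. Assumed: domain-joined host, read access to the
# global catalog; 'Ali' and OU=Sales,DC=corp,DC=example are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # Escapes the characters that have meaning inside an LDAP filter assertion value, so a
    # caller-supplied string cannot change the structure of the query (LDAP filter injection).
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Find-DirectoryObject {
    # Prefix search on cn. Without -SearchBase the query goes to a global catalog (forest-wide,
    # partial attribute set); with one it runs against that container over LDAP, which is what the
    # Find dialog's "In:" box selects.
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('user', 'computer', 'group', 'printQueue', 'volume')][string]$Class = 'user',
        [string]$SearchBase                       # e.g. 'OU=Sales,DC=corp,DC=example'
    )
    $safe   = ConvertTo-LdapFilterValue $Name
    $filter = "(&(objectClass=$Class)(cn=$safe*))"
    if ($Class -eq 'user') { $filter = "(&(objectCategory=person)(objectClass=user)(cn=$safe*))" }

    if ($SearchBase) {
        $searcher = [System.DirectoryServices.DirectorySearcher]::new([ADSI]"LDAP://$SearchBase")
    } else {
        $gc = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().FindGlobalCatalog()
        $searcher = $gc.GetDirectorySearcher()
    }
    $searcher.Filter   = $filter
    $searcher.PageSize = 500                      # page through large result sets
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'distinguishedName'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Name = [string]$r.Properties['cn'][0]
            DN   = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

# Usage: a prefix search forest-wide, the same search limited to one OU, and an injection
# attempt; the last filter becomes (cn=\2a\29\28objectClass=\2a*) and matches nothing.
Find-DirectoryObject -Name 'Ali'
Find-DirectoryObject -Name 'Ali' -Class computer -SearchBase 'OU=Sales,DC=corp,DC=example'
Find-DirectoryObject -Name '*)(objectClass=*'
```

The escaping matters wherever a directory search is driven by text typed by a user (helpdesk tools, self-service portals): an unescaped `*` or `)` lets the caller widen or restructure the filter.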

Page 7

Controlling Access to Active Directory Objects

• Understanding Active Directory Permissions

• Assigning Active Directory Permissions

• Using Permissions Inheritance

• Preventing Permissions Inheritance

• Practice: Controlling Access to Active Directory Objects

Page 8

Access to Active Directory Objects Overview

• Windows 2000 uses an object-based security model to implement access control for all Active Directory objects.

• This security model is the same one Windows 2000 uses for NTFS file and folder permissions.

• Every Active Directory object has a security descriptor that records the object's owner, a discretionary ACL (DACL) defining who can gain access to the object and what type of access is allowed, and a system ACL (SACL) defining which accesses are audited.

• Windows 2000 uses these security descriptors to control access to objects.

Page 9

Active Directory Security

• Permissions provide security for resources by controlling who can gain access to individual objects or object attributes and the type of access allowed.

• An administrator or the object owner must assign permissions to the object before users can gain access to the object.

• Every Active Directory object stores an access control list (ACL): a list of access control entries, each naming a user or group and the permissions it is allowed or denied.

• The ACL for an object therefore lists who can access the object and the specific actions each of them can perform on it.

• Permissions assign administrative privileges to a specific user or group for an OU, a hierarchy of OUs, or a single object, without assigning administrative permissions for controlling other Active Directory objects.

Page 10

Object Permissions

• The object type determines which permissions can be selected.

• Permissions vary for different object types.

• A user can be a member of multiple groups, each with different permissions that provide different levels of access to objects.

• When assigning a permission to a user for access to an object, and that user is a member of a group that is assigned a different permission, the user’s effective permissions are the combination of the user and group permissions.

• Permissions can be allowed or denied.

• Denied permissions take precedence over permissions that are otherwise allowed to the user or the user's groups. One caveat: permissions set directly on an object are evaluated before inherited ones, so an explicit Allow on the object overrides a Deny inherited from its parent.

• Permissions should be denied only when it is absolutely necessary to deny permission to a specific user who is a member of a group with allowed permissions.

Page 11

Standard Permissions and Special Permissions

• Both standard permissions and special permissions can be set on objects.

• Standard permissions are the most frequently assigned permissions and are composed of special permissions.

• Special permissions provide a finer degree of control for assigning access to objects.

Page 12

Standard Object Permissions

• Full Control: Change permissions and take ownership, plus perform the tasks allowed by all other standard permissions

• Read: View objects and object attributes, the object owner, and Active Directory permissions

• Write: Change object attributes

• Create All Child Objects: Add any type of child object to an OU

• Delete All Child Objects: Remove any type of object from an OU

Page 13

Active Directory Permissions

Page 14

Assigning Active Directory Permissions

• The Active Directory Users and Computers console is used to set standard permissions for objects and attributes of objects.

• The Security tab of the object's Properties dialog box is used to assign permissions; the tab is shown only when Advanced Features is enabled on the console's View menu.

• The Properties dialog box is different for each object type.

• When the check boxes under Permissions are shaded, the object has inherited permissions from the parent object.

• To prevent an object from inheriting permissions from its parent object, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.

• Special permissions are accessible through the Advanced button.

Page 15

Access Control Settings For Users Dialog Box

Page 16

Permission Entry For Users Dialog Box

Page 17

Inheriting Permissions and Blocking Inheritance

Page 18

Using Permissions Inheritance

• Similar to file and folder permissions inheritance.

• Minimizes the number of times permissions need to be assigned for objects.

• When permissions are assigned, applying the permissions to child objects propagates the permissions to all the child objects for a parent object.

• Shaded check boxes indicate which permissions are inherited.

Page 19

Using Permissions Inheritance (con’t)

• Permissions for a given object can be propagated to all child objects.

• Permissions inheritance can be prevented.

• When previously inherited permissions are copied, the object's explicit permissions start out identical to those it inherited from its current parent object.

• Changes made to the parent object's permissions after inheritance is blocked no longer flow down to the object.

• When previously inherited permissions are removed, Windows 2000 deletes them and assigns no replacement permissions; permissions must then be assigned explicitly for the object.

Page 20

Preventing Permissions Inheritance

• Permissions inheritance can be prevented so that a child object does not inherit permissions from its parent object.

• Clearing the Allow Inheritable Permissions From Parent To Propagate To This Object check box, located on the Security tab in the Properties dialog box, prevents permissions inheritance.

• Only the permissions that are explicitly assigned to the object apply.

Page 21

Actions Allowed When Permissions Inheritance is Prevented

• Copy previously inherited permissions to the object

• The new explicit permissions for the object are a copy of the permissions that it previously inherited from its parent object.

• Any changes can be made to the permissions, as needed.

• Remove previously inherited permissions from the object

• Windows 2000 removes any previously inherited permissions.

• No permissions exist for the object until some are assigned; only the object's owner, or an administrator using the take-ownership privilege, can regain access in the meantime.

• Any permissions can be assigned for the object, as needed.
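The Security tab operations described on the preceding slides (reading an object's ACL, seeing which entries are inherited, and blocking inheritance with either the copy or the remove choice), as an added example that is not part of the original slides. It uses the ActiveDirectory module's AD: drive and assumes the caller holds Modify Permissions on the object; OU=Sales,DC=corp,DC=example is a placeholder.

```powershell
# Added example, not from the original slides. Assumed: RSAT ActiveDirectory module, caller has
# Modify Permissions (WriteDacl) on the object; the OU name is a placeholder.
Import-Module ActiveDirectory

function Get-AdDaclSummary {
    # Returns the DACL entries ordered the way the system evaluates them: explicit Deny, explicit
    # Allow, inherited Deny, inherited Allow. The first entry deciding a requested right wins,
    # which is why an explicit Allow on an object beats a Deny inherited from its parent.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Sort-Object -Property @{ Expression = 'IsInherited' },
                              @{ Expression = { $_.AccessControlType -eq 'Allow' } } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited,
                      InheritanceType,
                      @{ n = 'ObjectType'; e = { if ($_.ObjectType -eq [guid]::Empty) { 'all' } else { $_.ObjectType } } }
}

function Set-AdInheritanceBlocked {
    # Clears "Allow Inheritable Permissions From Parent To Propagate To This Object".
    #   -CopyInherited $true  = "Copy previously inherited permissions": explicit copies are kept.
    #   -CopyInherited $false = "Remove previously inherited permissions": only explicit ACEs remain.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [bool]$CopyInherited = $true
    )
    $path     = "AD:\$DistinguishedName"
    $acl      = Get-Acl -Path $path
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    if (-not $CopyInherited -and $explicit.Count -eq 0) {
        # An empty DACL grants nothing; only the owner or a holder of the take-ownership
        # privilege could get back in, so refuse rather than lock the object.
        throw "$DistinguishedName has no explicit ACEs; removing inherited ones would leave it inaccessible"
    }
    $acl.SetAccessRuleProtection($true, $CopyInherited)
    Set-Acl -Path $path -AclObject $acl
}

# Usage
$ou = 'OU=Sales,DC=corp,DC=example'
Get-AdDaclSummary -DistinguishedName $ou | Format-Table -AutoSize
Set-AdInheritanceBlocked -DistinguishedName $ou -CopyInherited $true
(Get-Acl -Path "AD:\$ou").AreAccessRulesProtected    # True: inheritance blocked, explicit copies kept
```

AreAccessRulesProtected is the programmatic view of the cleared check box. Blocking inheritance on an OU is also how a delegated administrator could shut out entries applied at the domain level, so when auditing a domain, list the containers where it is set and review their explicit entries.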

Page 22

Publishing Resources in Active Directory

• Publishing Resources in Active Directory

• Publishing Users and Computers

• Publishing Shared Resources

• Publishing Network Services

Page 23

Overview of Publishing Resources

• Administrators need to be able to provide secure and selective publication of network resources to network users and make it easy for users to find information.

• The directory stores this information for rapid retrieval and integrates Windows 2000 security mechanisms to control access.

Page 24

Publishable Resources

• Computers

• Printers

• Folders

• Files

• Network services

Page 25

Users and Computers

• User and computer accounts are added to the directory using the Active Directory Users and Computers console.

• Information about the accounts that is useful for other network users is published automatically.

• Information, such as account security information, is made available only to certain administrator groups.

Page 26

Shared Resources

• Publishing information about shared resources, such as printers, folders, and files, makes it easy for users to find these resources on the network.

• Printers shared on Windows 2000 print servers are published in the directory automatically when they are shared (the List In The Directory option on the printer's Sharing tab).

• Printers on Windows NT 4.0 and earlier print servers, and shared folders, are published manually from the Active Directory Users and Computers console (New > Printer or New > Shared Folder), supplying the resource's UNC path.
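Publishing a shared folder by hand, as an added example that is not part of the original slides: New > Shared Folder in the console creates a volume object whose uNCName attribute holds the share path, and the Find dialog's "Shared Folders" search is a query for that class. Publishing only advertises the path; who can open the folder is still decided by the share and NTFS permissions on the file server. The example assumes the ActiveDirectory module and Create Child rights on the container; \\fs01.corp.example\Finance and OU=Published,DC=corp,DC=example are placeholders.

```powershell
# Added example, not from the original slides. Assumed: ActiveDirectory module, Create Child
# rights on the container; the share path, OU and keywords are placeholders.
Import-Module ActiveDirectory

function Publish-SharedFolder {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$UncPath,       # \\server\share[\folder]
        [Parameter(Mandatory)][string]$ContainerDN,
        [string[]]$Keywords = @()
    )
    if ($UncPath -notmatch '^\\\\[^\\]+\\[^\\]+') { throw "Not a \\server\share path: $UncPath" }
    # The directory entry is only a pointer; check it points somewhere before advertising it.
    if (-not (Test-Path -LiteralPath $UncPath)) { Write-Warning "$UncPath is not reachable from this host" }
    $attrs = @{ uNCName = $UncPath }
    if ($Keywords.Count -gt 0) { $attrs['keywords'] = $Keywords }
    New-ADObject -Type volume -Name $Name -Path $ContainerDN -OtherAttributes $attrs -PassThru
}

function Find-PublishedFolder {
    # objectClass=volume is the class behind "Shared Folders" in the Find dialog. Keyword matching
    # is done client-side so the caller's string never becomes part of the LDAP filter.
    param([string]$Keyword)
    Get-ADObject -LDAPFilter '(objectClass=volume)' -Properties uNCName, keywords |
        Where-Object { -not $Keyword -or ($_.keywords -contains $Keyword) } |
        Select-Object Name, uNCName, @{ n = 'Keywords'; e = { $_.keywords -join ', ' } }
}

# Usage
Publish-SharedFolder -Name 'Finance' -UncPath '\\fs01.corp.example\Finance' `
    -ContainerDN 'OU=Published,DC=corp,DC=example' -Keywords 'finance', 'reports'
Find-PublishedFolder -Keyword 'finance'
```

Because every authenticated user can read volume objects, do not publish a share whose existence is itself sensitive; the object reveals the server and share name even to users who cannot open it.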

Page 27

Network Services

• Network-enabled services can be published in the directory so that administrators can find and administer them using the Active Directory Sites and Services console.

• A service, rather than computers or servers, should be published.

• Publishing a service allows administrators to focus on managing the service regardless of which computer is providing the service or where the computer is located.

• Additional services or applications can be published in the directory using Active Directory programming interfaces.

• The qualities that make a service appropriate for publishing follow from the two kinds of service information Active Directory stores: binding information and configuration information.

Page 28

Binding Information

• Binding information allows clients to connect to services that do not have well-known bindings and that follow a service-centric model: the client asks the directory for the service rather than for a particular computer.

• Publishing the bindings for these kinds of services enables Windows 2000 to automatically establish connections with services.

• Machine-centric services are typically handled on a service-by-service basis and should not be published to the directory.

Page 29

Configuration Information

• Can be common across client applications.

• Publishing configuration information allows the distribution of current configuration information for these applications to all clients in the domain.

• Accessed by client applications as needed, which eases application configuration for users and gives more control over application behaviors.

Page 30

Characteristics of Service Information

• Useful to many clients

• Relatively stable and unchanging

• Well-defined, reasonable properties
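The "Active Directory programming interfaces" route to publishing a service, as an added example that is not part of the original slides: a serviceConnectionPoint object carrying the binding information from the Binding Information slide, created under the computer that hosts the service, and a client-side lookup by service class rather than by host. The service name InventoryApi, the host APP01 and the binding string are placeholders; the example assumes the ActiveDirectory module and Create Child rights on the computer object.

```powershell
# Added example, not from the original slides. Assumed: ActiveDirectory module, rights to create
# child objects under the host's computer account; service name, host and URL are placeholders.
Import-Module ActiveDirectory

function Publish-ServiceConnectionPoint {
    param(
        [Parameter(Mandatory)][string]$HostComputerName,   # computer account name without the $
        [Parameter(Mandatory)][string]$ServiceClassName,   # stable name clients search for
        [Parameter(Mandatory)][string[]]$Bindings,         # e.g. 'https://app01.corp.example:8443/'
        [string[]]$Keywords = @()
    )
    $computer = Get-ADComputer -Identity $HostComputerName
    # Keywords and serviceClassName give clients a key that does not change when the service
    # moves to another machine, which is the point of publishing the service, not the computer.
    $attrs = @{
        serviceClassName          = $ServiceClassName
        serviceBindingInformation = $Bindings
        serviceDNSName            = $computer.DNSHostName
        keywords                  = @($ServiceClassName) + $Keywords
    }
    New-ADObject -Type serviceConnectionPoint -Name $ServiceClassName `
        -Path $computer.DistinguishedName -OtherAttributes $attrs -PassThru
}

function Find-ServiceBinding {
    # Client side: look the service up by class name (administrator-defined, not user input),
    # never by host, so a relocated service is found without reconfiguring clients.
    param([Parameter(Mandatory)][string]$ServiceClassName)
    Get-ADObject -LDAPFilter "(&(objectClass=serviceConnectionPoint)(serviceClassName=$ServiceClassName))" `
        -Properties serviceBindingInformation, serviceDNSName |
        ForEach-Object {
            foreach ($b in $_.serviceBindingInformation) {
                [pscustomobject]@{ Host = $_.serviceDNSName; Binding = $b }
            }
        }
}

# Usage
Publish-ServiceConnectionPoint -HostComputerName 'APP01' -ServiceClassName 'InventoryApi' `
    -Bindings 'https://app01.corp.example:8443/' -Keywords 'inventory'
Find-ServiceBinding -ServiceClassName 'InventoryApi'
```

Two cautions follow from the slide's own model. Whoever can write the SCP can redirect every client that trusts it, so clients must still authenticate the endpoint they are handed (TLS or Kerberos), and the binding strings must not carry credentials, since the object is readable by all authenticated users.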

Page 31

Moving Active Directory Objects

• Moving Objects

• Moving Objects Within a Domain

• Moving Objects Between Domains

• Moving Workstations or Member Servers Between Domains

• Moving Domain Controllers Between Sites

• Practice: Moving Objects Within a Domain

Page 32

Moving Objects

• In the logical environment, objects can be moved within and between domains in Active Directory.

• In the physical environment, domain controllers can be moved between sites.

Page 33

Moving Objects Within a Domain

• Objects with identical security requirements should be moved into an OU or container within a domain.

• Access permissions should be assigned to the OU or container and all objects in it.

Page 34

Move Dialog Box

Page 35

Moving Objects Between OUs or Containers

• Permissions assigned directly to objects remain the same.

• Objects inherit permissions from the new OU or container.

• Previously inherited permissions from the old OU or container no longer affect the objects.

• Multiple objects can be moved at the same time.

Page 36

Moving Objects Between Domains

• Supports domain consolidation or organizational restructuring operations.

• Moving an object involves taking an existing object and moving it below an existing parent.

• The distinguished name of the moved object reflects its new position in the hierarchy.

• An object’s GUID is unchanged by a move or rename.

• Because a SID embeds the identifier of the issuing domain, users and groups moved from one domain to another receive a new SID.

• Windows 2000 supports sIDHistory, a security attribute that retains a principal's previous SIDs so that ACLs referencing the old SID still grant access. Every SID in sIDHistory is added to the user's access token, so the attribute should be cleared once resources have been re-permissioned.

• Cross-domain moves within a forest are performed with the MOVETREE command-line support tool.

Page 37

Supported MOVETREE Operations

• Move an object or a nonempty container to a different domain; valid only within the same forest

• Move Domain Local and Global groups between domains without members and within domains with members; valid only within the same forest

• Move Universal groups with members within and between domains; valid only within the same forest

Page 38

Unsupported MOVETREE Operations

• Some objects and information are not moved.

• Objects that are not moved are classified as orphaned objects and are placed in an “orphan” container in the LostAndFound container in the source domain.

• The LostAndFound container is visible in the Active Directory Users and Computers console in Advanced View.

• The orphan container is named using the GUID of the parent container being moved and contains the objects that were selected for the MOVETREE operation.

Page 39

Unsupported MOVETREE Operations

• Domain Local and Global groups that contain members

• The domain join information for computer objects (the computer itself is moved with NETDOM)

• Associated object data, including:

• Group policies

• User profiles

• Logon scripts

• Users' personal data

• Encrypted files

• Smart cards

• Public key certificates

Page 40

Error Conditions That May Cause MOVETREE Failures

• The source domain controller is not the relative identifier (RID) master of its domain and the role cannot be transferred to it; cross-domain moves run on the RID master of the source domain.

• The source object is locked because another operation is in progress.

• The credentials supplied are not valid in the source or the destination domain.

• The destination knows the source object is deleted, but the source does not know.

• A failure at the destination domain controller.

• The source and destination have a schema mismatch.

Page 41

Restrictions That Cause Moving Users Between Domains to Fail

• The user object contains one or more objects; the user object must be a leaf object.

• A SAM constraint is violated; for example, the user's samAccountName already exists in the destination domain, or the user's password length does not meet the password restrictions of the target domain.

• The user object is a member of a Global group in the source domain; because a Global group can contain members only from its own domain, the move would void that membership, so it is refused.

• Exception: If the user object belongs to the Domain Users group, and that group is the user object’s Primary group, then the move operation succeeds.

Page 42

Restrictions That Cause Moving Groups Between Domains to Fail

• The group object contains one or more objects.

• The group object’s membership and reverse memberships do not fulfill the requirements of its type.

• The group’s samAccountName exists on the destination domain.

Page 43

Moving Objects Between Domains Using MOVETREE

• The account running MOVETREE must have sufficient rights in both the source and destination domains.

• MOVETREE is a command-line tool and can be called from a batch file to script the move of many users and groups.

Page 44

MOVETREE Syntax

movetree {/start | /startnocheck | /continue | /check} /s SrcDSA /d DstDSA /sdn SrcDN /ddn DstDN [/u [Domain\]Username /p Password] [/verbose] [{/? | /help}]

Page 45

MOVETREE Log Files Overview

• Created after the MOVETREE operation

• Written to the current working directory from which MOVETREE was run

Page 46

MOVETREE Log Files

• MOVETREE.ERR: Lists any errors encountered during the MOVETREE operation

• MOVETREE.LOG: Lists statistical results of the MOVETREE operation

• MOVETREE.CHK: Lists any potential errors or conflicts detected during the move operation’s precheck phase

Page 47

Moving Workstations or Member Servers Between Domains

• Moving a workstation or member server from one domain to another can be performed with NETDOM, the Windows 2000 Domain Manager support tool.

• NETDOM is available in the Windows 2000 Support Tools included on the Windows 2000 CD-ROM in the \SUPPORT\TOOLS folder.

Page 48

NETDOM Syntax

netdom move machine /D:domain [/OU:ou_path] [/Ud:User /Pd:{Password|*}] [/Uo:User /Po:{Password|*}] [/Reboot:[time_in_seconds]]

• machine is the name of the workstation or member server to move; /Ud and /Pd are credentials in the destination domain, /Uo and /Po credentials on the machine itself, and * prompts for the password instead of placing it on the command line.
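The cross-domain move of the preceding slides (MOVETREE with its pre-check and log files, then NETDOM for the workstation) wrapped in the checks a practitioner wants, as an added example that is not part of the original slides: it records objectGUID and objectSid before the move, runs /check first and stops if that fails, and after /start confirms that the GUID is unchanged, a new SID was issued and the old SID is in sIDHistory. It assumes the Support Tools are on the path and return a non-zero exit code on failure, and that the ActiveDirectory module is loaded; every server, domain and DN name is a placeholder.

```powershell
# Added example, not from the original slides. Assumed: movetree.exe and netdom.exe on the path
# and non-zero exit codes on failure; ActiveDirectory module; all names are placeholders.
Import-Module ActiveDirectory

function Move-UserBetweenDomains {
    param(
        [Parameter(Mandatory)][string]$SourceDC,   # RID master of the source domain
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)][string]$SourceDN,   # current DN of the user
        [Parameter(Mandatory)][string]$TargetDN,   # DN the user will have in the destination domain
        [pscredential]$Credential                  # omitted: movetree runs as the caller
    )
    $before = Get-ADObject -Identity $SourceDN -Server $SourceDC -Properties objectSid, objectGUID
    $auth = @()
    if ($Credential) {
        $auth = '/u', $Credential.UserName, '/p', $Credential.GetNetworkCredential().Password
    }
    $common = '/s', $SourceDC, '/d', $TargetDC, '/sdn', $SourceDN, '/ddn', $TargetDN

    # Pre-check only; MOVETREE.CHK in the current directory lists the conflicts it detected.
    & movetree /check @common @auth
    if ($LASTEXITCODE -ne 0) { throw 'Pre-check failed; review MOVETREE.CHK before retrying' }

    & movetree /start @common @auth
    if ($LASTEXITCODE -ne 0) { throw 'Move failed; review MOVETREE.ERR and MOVETREE.LOG' }

    $after   = Get-ADObject -Identity $TargetDN -Server $TargetDC -Properties objectSid, objectGUID, sIDHistory
    $history = @($after.sIDHistory | ForEach-Object { "$_" })
    [pscustomobject]@{
        GuidUnchanged      = ($before.objectGUID -eq $after.objectGUID)
        NewSidIssued       = ("$($before.objectSid)" -ne "$($after.objectSid)")
        OldSidInSidHistory = ($history -contains "$($before.objectSid)")
    }
}

function Move-WorkstationToDomain {
    # Passing * for both passwords makes netdom prompt for them; command lines are visible to
    # other users of the machine, so secrets should not be placed on them.
    param(
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][string]$TargetDomain,
        [Parameter(Mandatory)][string]$TargetDomainUser,   # account allowed to join computers
        [Parameter(Mandatory)][string]$WorkstationAdmin,   # local administrator on the workstation
        [string]$TargetOU,                                  # DN of the OU for the computer account
        [int]$RebootAfterSeconds = 30
    )
    $argList = @('move', $Computer, "/D:$TargetDomain")
    if ($TargetOU) { $argList += "/OU:$TargetOU" }
    $argList += "/Ud:$TargetDomainUser", '/Pd:*', "/Uo:$WorkstationAdmin", '/Po:*', "/Reboot:$RebootAfterSeconds"
    & netdom @argList
    if ($LASTEXITCODE -ne 0) { throw "netdom move failed for $Computer" }
}

# Usage
Move-UserBetweenDomains -SourceDC 'dc1.east.corp.example' -TargetDC 'dc1.west.corp.example' `
    -SourceDN 'CN=Alice,OU=Sales,DC=east,DC=corp,DC=example' `
    -TargetDN 'CN=Alice,OU=Sales,DC=west,DC=corp,DC=example'
Move-WorkstationToDomain -Computer 'WS042' -TargetDomain 'west.corp.example' `
    -TargetDomainUser 'WEST\joiner' -WorkstationAdmin 'WS042\Administrator' `
    -TargetOU 'OU=Workstations,DC=west,DC=corp,DC=example'
```

The three booleans returned after the move are the slide's own claims (GUID preserved, new SID, old SID retained) turned into a check; a result with OldSidInSidHistory false means ACLs on the old domain's resources will stop granting access to the moved user.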

Page 49

Moving Domain Controllers Between Sites

• The first domain controller installed in a forest automatically creates the Default-First-Site-Name site and is placed in it; later domain controllers can be installed into any site that already has a domain controller.

• The first domain controller cannot be created in any site but Default-First-Site-Name, but a domain controller created in a site that has an existing domain controller can afterwards be moved to another site.

• After the first domain controller has been installed and Default-First-Site-Name exists, other domain controllers can be created in this site and then moved to alternative sites with the Active Directory Sites and Services console.

• The same procedure may be used to move member servers between sites.

Page 50

Move Server Dialog Box

Page 51

Delegating Administrative Control of AD Objects

• Guidelines for Delegating Control

• Delegation Of Control Wizard

• Guidelines for Administering Active Directory

• Practice: Delegating Administrative Control in Active Directory

Page 52

Guidelines for Delegating Control

• Administrative control of objects is delegated by assigning permissions to the object, allowing users or groups of users to administer the objects.

• Tracking permissions at the OU or container level is easier than tracking permissions on individual objects or object attributes.

• The most common method of delegating administrative control is to assign permission at the OU or container level.

• Assigning permissions at the OU or container level allows delegation of administrative control for the objects contained in the OU or container.

• The Delegation Of Control Wizard is used to assign permissions at the OU or container level.

Page 53

Types of Control to Delegate

• Permissions to change properties on a particular container

• Permissions to create, modify, or delete objects of a specific type in a specific OU or container

• Permissions to modify specific properties on objects of a specific type in a specific OU or container

Page 54

Ways to Delegate Administrative Control

• Assign control at the OU or container level whenever possible.

• Use the Delegation Of Control Wizard.

• Track the delegation of permission assignments.

• Follow business requirements.

Page 55

Delegation of Control Wizard

• Steps through the process of assigning permissions at the OU or container level.

• Specialized permissions must be manually assigned.

• Started by clicking the OU or container for which to delegate control and then clicking Delegate Control on the Action menu.

Page 56

Delegation Of Control Wizard Options

• Users Or Groups: Select the user accounts or groups to which to delegate control

• Tasks To Delegate: Select common tasks from a list or create custom tasks to delegate

• Active Directory Object Type: Select the scope of the tasks to delegate

• Permissions: Select one of the following permissions to delegate:

• General: The most commonly assigned permissions available for the object

• Property-Specific: Permissions that can be assigned to the attributes of the object

• Creation/Deletion Of Specific Child Objects: Permissions to create and delete child objects
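What the wizard writes for its "Reset user passwords and force password change at next logon" task, as an added example that is not part of the original slides: the same two entries (the Reset Password control access right and read/write of pwdLastSet, both scoped to user objects below the OU) added as explicit ACEs so the delegation is visible and repeatable, plus the audit report the "Track the delegation of permission assignments" guideline calls for. The schema and extended-right GUIDs are looked up at run time rather than hard-coded. It assumes the ActiveDirectory module and Modify Permissions on the OU; the group Helpdesk-PwReset and OU=Sales,DC=corp,DC=example are placeholders.

```powershell
# Added example, not from the original slides. Assumed: ActiveDirectory module, Modify
# Permissions on the OU; group and OU names are placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function Get-SchemaGuid {
    # schemaIDGUID of a class or attribute, e.g. 'user' or 'pwdLastSet'.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "No schema object named $LdapDisplayName" }
    [guid]$obj.schemaIDGUID
}

function Get-ExtendedRightGuid {
    # rightsGuid of a control access right, e.g. 'Reset Password'.
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "No extended right named $DisplayName" }
    [guid]$obj.rightsGuid
}

function Grant-PasswordResetDelegation {
    param(
        [Parameter(Mandatory)][string]$OUDistinguishedName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $sid       = (Get-ADGroup -Identity $GroupName).SID
    $userClass = Get-SchemaGuid 'user'
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $descend   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $rules = @(
        # Control access right "Reset Password", on user objects below the OU only.
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
            (Get-ExtendedRightGuid 'Reset Password'), $descend, $userClass),
        # Read/write pwdLastSet, the attribute behind "User must change password at next logon".
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
            ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty), $allow,
            (Get-SchemaGuid 'pwdLastSet'), $descend, $userClass)
    )
    $path = "AD:\$OUDistinguishedName"
    $acl  = Get-Acl -Path $path
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $path -AclObject $acl
}

function Get-DelegatedRights {
    # Explicit Allow entries on the OU, flagging any that amount to full control of the subtree.
    param([Parameter(Mandatory)][string]$OUDistinguishedName)
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'
    (Get-Acl -Path "AD:\$OUDistinguishedName").Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType,
            @{ n = 'FullControlEquivalent'; e = { ($_.ActiveDirectoryRights -band $fullControl) -ne 0 } }
}

# Usage
Grant-PasswordResetDelegation -OUDistinguishedName 'OU=Sales,DC=corp,DC=example' -GroupName 'Helpdesk-PwReset'
Get-DelegatedRights -OUDistinguishedName 'OU=Sales,DC=corp,DC=example' | Format-Table -AutoSize
```

Password reset over an OU is control of every account in it, so the OU must not contain administrative accounts; keep those in a separate OU with no delegation, and treat any FullControlEquivalent entry in the report as a finding unless it belongs to a built-in administrative group.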

Page 57

Guidelines for Administering Active Directory

• Coordinate Active Directory structure with other administrators.

• Complete all attributes that are important to the organization.

• Use deny permissions sparingly.

• Ensure that at least one user has Full Control for each Active Directory object.

• Ensure delegated users take responsibility and can be held accountable.

• Train users who have control of objects.

Page 58

Backing Up Active Directory

• Performing Preliminary Tasks

• The Backup Wizard

• What to Back Up

• Where to Store the Backup

• Specifying Advanced Backup Settings

• Scheduling Active Directory Backup Jobs

Page 59

Performing Preliminary Tasks

• An important part of backing up Active Directory is performing the preliminary tasks.

• Active Directory itself is backed up online as part of the System State; the domain controller does not need to be taken out of service.

• Other files to be backed up must be closed, so users should be instructed to close files before the backup begins.

• Windows Backup does not back up files that are locked by applications; files held open by applications, or by users who could not be notified, are skipped.

• E-mail or the Send Console Message dialog box can be used to send administrative messages to users.

Page 60

Preliminary Tasks: Removable Media Device

• The backup device must be attached to a computer on the network and turned on; the tape device must be attached to the computer on which Windows Backup is to run.

• The media device must be listed on the Windows 2000 HCL.

• The media must be loaded in the media device.

Page 61

Backup Wizard What To Back Up Page

Page 62

Backing Up System State Data

• System State data comprises the registry, the COM+ Class Registration database, the system boot files and, on a certification authority, the Certificate Services database.

• If the server is a domain controller, the Active Directory database and the SYSVOL directory are also part of the System State data.

• All System State data relevant to the computer is backed up; individual components of the System State data cannot be chosen for backup.

• System State data can be backed up on a local computer only; it cannot be backed up on a remote computer.


Backup Wizard: Where To Store The Backup Page


Backup Media Options

• Backup Media Type

  • Tape or file.

  • A file can be located on any disk-based medium, including a hard disk, shared folder, or removable disk.

• Backup Media Or File Name

  • Location where Windows Backup will store the data.

  • For a tape, enter the tape name.

  • For a file, enter the path for the backup file.


Backup Wizard Options

• Start the backup: If Finish is clicked, the Backup Wizard displays status information about the backup job in the Backup Progress dialog box.

• Specify advanced backup options: If Advanced is clicked, the Backup Wizard offers advanced backup settings.


Advanced Backup Settings Pages

• Type Of Backup

• How To Back Up

• Media Options

• Backup Label

• When To Back Up


Backup Wizard Provides the Opportunity to do Either of the Following

• Finish the backup process

• The Backup Wizard displays the Completing The Backup Wizard settings and then presents the option to finish and immediately start the backup.

• During backup, the wizard displays status information about the backup job.

• Back up later

• Additional dialog boxes are shown to schedule the backup process to occur later.


Scheduling Active Directory Backup Jobs

• An unattended backup job can be scheduled to run later, when users are not at work and files are closed.

• Active Directory backup jobs should be scheduled to occur at regular intervals, so that a recent backup is always available when a restore is needed.

• Windows 2000 integrates Windows Backup with the Task Scheduler service, so a job scheduled from the Backup Wizard appears in Scheduled Tasks and can be edited there.
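The steps on the preceding slides (close open files, pick System State, choose a file destination, schedule the job) collapse into one short script. It is an added example, not part of the course material: it drives Windows Backup through its ntbackup.exe command line on a Windows 2000 domain controller and registers itself with the AT command, which hands the job to the Task Scheduler service. The share \\BACKUPSRV\ADBackups, the job name and the script path are placeholders, and the date parsing assumes the US-English layout of the %DATE% variable.

```batch
@echo off
rem backup-systemstate.cmd : added example, not from the course material.
rem Unattended System State backup of a Windows 2000 domain controller with
rem Windows Backup (ntbackup.exe). Placeholders: \\BACKUPSRV\ADBackups, the
rem job name "DC System State" and the path used when the job is registered.
setlocal

rem "backup-systemstate.cmd install" registers this script with the Task
rem Scheduler service: every weekday at 23:00, when files are closed.
rem AT jobs run as LocalSystem, so it is the domain controller's computer
rem account that needs write access to the destination share.
if /i "%~1"=="install" (
    at 23:00 /every:M,T,W,Th,F cmd /c "%~f0"
    goto :eof
)

rem Date stamp for the file name. Assumes the US-English %DATE% layout
rem "Mon 01/15/2001" (day of week, then MM/DD/YYYY); adjust the offsets
rem for other locales.
set STAMP=%DATE:~10,4%-%DATE:~4,2%-%DATE:~7,2%
set TARGET=\\BACKUPSRV\ADBackups\%COMPUTERNAME%-systemstate-%STAMP%.bkf

rem Preliminary task: files users still hold open on this server. Windows
rem Backup skips locked files, so anything listed here is missing from a job
rem that also includes data folders. (The directory database itself is backed
rem up online through the directory service and need not be closed.)
rem A warning to users can be sent with "net send" to every name in the
rem domain whose Messenger service is running; uncomment if wanted:
rem   net send * "System State backup of %COMPUTERNAME% starts now; please close open files."
net file

rem System State is always backed up as a whole and only on the local
rem computer; only the destination file may be remote.
rem   /M normal  full backup of the selection
rem   /J         job name shown in the log and in the Backup Progress dialog box
rem   /F         destination file (any disk-based medium: local disk, share, removable disk)
rem   /V:yes     verify the data after the backup
rem   /R:yes     restrict the backup set to its owner and the Administrators group
rem   /L:s       summary log only
rem   /D         description stored with the backup set
ntbackup backup systemstate /M normal /J "DC System State" /F "%TARGET%" /V:yes /R:yes /L:s /D "%COMPUTERNAME% System State %STAMP%"
endlocal
```

Because the .bkf holds NTDS.DIT, that is, every password hash in the domain, treat the destination share like a domain controller: limit the NTFS permissions to backup operators and administrators and keep the copies off general-purpose file servers. The /R:yes switch restricts the backup set itself, but for a file target the permissions of the destination folder are what actually protect it.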


Restoring Active Directory

• Preparing to Restore Active Directory

• Nonauthoritative Restore

• Authoritative Restore

• Performing a Nonauthoritative Restore

• Specifying Advanced Restore Settings

• Performing an Authoritative Restore


Preparing to Restore Active Directory

• As with the backup process, only the System State data that was backed up can be restored, and it is restored as a unit: the registry, the COM+ Class Registration database, the system boot files, the SYSVOL directory, Active Directory, and the Certificate Services database.

• Individual components of the System State data cannot be restored.

• The backup must be younger than the tombstone lifetime of the forest (60 days by default in Windows 2000); a domain controller restored from an older backup would reintroduce objects that the other domain controllers have already deleted and purged, so such a backup cannot be used to restore a domain controller.

• If the System State data is being restored to a domain controller, the choice of whether to perform a nonauthoritative restore or an authoritative restore must be made.

• The default method of restoring the System State data to a domain controller is nonauthoritative.


Nonauthoritative Restore

• Any component of the System State that is replicated with other domain controllers (the directory database and SYSVOL) is brought up to date by normal replication after the data is restored.

• The Active Directory replication system updates the restored data with newer data from the other domain controllers, so a nonauthoritative restore recovers a failed domain controller without changing what the rest of the domain holds.


Authoritative Restore

• An authoritative restore must be performed when the restored data is to win over the changes the other domain controllers made after the backup, instead of being overwritten by them.

• The typical case is users, groups, or OUs inadvertently deleted from Active Directory: a nonauthoritative restore alone would bring the objects back only until the deletions replicated in again, so the deleted objects must be restored and then replicated out to the other domain controllers.

• NTDSUTIL must be run after the nonauthoritative restore of the System State data and before the server is restarted, that is, while the server is still in Directory Services Restore Mode.

• NTDSUTIL allows the restored objects, a subtree, or the whole database to be marked as authoritative.


Authoritative Restore (con’t)

• Marking an object as authoritative increments the version numbers of its attributes by a large amount (100,000 by default) so that they are higher than the versions held by any other domain controller; because replication conflict resolution prefers the higher version, the restored copy overwrites the others instead of the other way round.

• Using NTDSUTIL ensures that replicated or distributed data that has been restored is properly replicated or distributed throughout the organization.

• NTDSUTIL can be found in the systemroot\system32 directory; accompanying documentation is located within the Windows 2000 Help files.


Performing a Nonauthoritative Restore

• To restore the System State data on a domain controller, the computer first must be started in Directory Services Restore Mode (press F8 during startup and choose it from the advanced startup options).

• Directory Services Restore Mode starts the server without the directory service, which is what allows the SYSVOL directory and the Active Directory database to be restored; logon uses the local Administrator account and the Directory Services Restore Mode password chosen when the domain controller was promoted.

• System State data can be restored only on a local computer, not on a remote computer.


Restore Wizard: What To Restore Page


Restore Wizard: Advanced Restore Options

• Where To Restore page: the Restore Files To option (original location, alternate location, or single folder). A System State backup restored to an alternate location yields only the registry files, SYSVOL, and the boot files; the directory database is not restored there.

• How To Restore page: the When Restoring Files That Already Exist option (do not replace, replace only if the existing file is older, or always replace).

• Advanced Restore Options page: the Select The Special Restore Options You Want To Use option, including Restore Security and, relevant to domain controllers, the option to mark the restored data as the primary data for all replicas when restoring replicated data sets, which makes the restored SYSVOL authoritative for the File Replication Service.


Windows Backup Functions After the Restore Wizard

• Prompts for verification of the selection of the source media to use to restore data; after verification, Windows Backup starts the restore process.

• Displays status information about the restore process.


Performing an Authoritative Restore: Authoritative Restore Operation

• An authoritative restore occurs after a nonauthoritative restore and designates the entire directory, a subtree, or individual objects to be recognized as authoritative with respect to replica domain controllers in the forest.

• The NTDSUTIL utility allows objects to be marked as authoritative so that they are propagated through replication, thereby updating existing copies of those objects throughout the forest.


Performing an Authoritative Restore: After the Authoritative Restore Operation

• Normal replication brings the restored domain controller up-to-date with any changes from the additional domain controllers that were not overridden by the authoritative restore.

• Replication also propagates the authoritatively restored object(s) to other domain controllers in the forest.

• The deleted objects that were marked as authoritative are replicated from the restored domain controller to the additional domain controllers.

• Because the restored objects have the same object GUID and object SID, security remains intact, and object dependencies are maintained.


Additional Tasks for Authoritatively Restoring the Entire Active Directory Database

• An additional procedure involving the SYSVOL directory must be performed to ensure the integrity of the computer's group policy: the Group Policy templates in SYSVOL are replicated by the File Replication Service, not by the directory, and must match the restored Group Policy container objects.

• Which additional procedure should be performed depends on whether the entire Active Directory database or only a portion is being authoritatively restored. For the entire database, SYSVOL is also made authoritative by restoring the System State with the advanced option that marks the restored data as the primary data for all replicas. For a portion, only the policy folders that belong to the restored Group Policy objects are copied from a copy of the backup's SYSVOL into the live SYSVOL once the domain controller is back in normal operation.
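The NTDSUTIL step described on the earlier authoritative-restore slides and the SYSVOL follow-up above, as an added example rather than anything from the course material. It assumes the nonauthoritative System State restore has just completed in Directory Services Restore Mode, that the same backup was also restored to the alternate location D:\SysStateRestore so that its SYSVOL copy is available, and that OU=Sales,DC=contoso,DC=com is the subtree that was deleted by mistake; all of these names are placeholders.

```batch
@echo off
rem authrestore-subtree.cmd : added example, not from the course material.
rem Authoritative restore of one OU on a Windows 2000 domain controller.
rem Run it in Directory Services Restore Mode after the nonauthoritative
rem System State restore has finished and before the server is restarted.
rem Placeholders: the subtree DN, the object DN in the comment below, and
rem D:\SysStateRestore, an alternate location the same backup was also
rem restored to so that its SYSVOL copy is available for step 3.
setlocal
set SUBTREE=OU=Sales,DC=contoso,DC=com
set ALTSYSVOL=D:\SysStateRestore\SYSVOL

rem 1. Mark the subtree authoritative. ntdsutil takes the lines one would
rem    type at its prompts as quoted arguments; each "quit" leaves a menu,
rem    and a dialog box asks for confirmation before anything is changed.
rem    Without "verinc" the attribute version numbers of every object in the
rem    subtree are raised by the default 100000, which is what lets the
rem    restored copies win the replication conflict on the other domain
rem    controllers. DNs that contain spaces must be quoted at the prompt,
rem    so enter those interactively rather than on the command line.
ntdsutil "authoritative restore" "restore subtree %SUBTREE%" "quit" "quit"

rem    A single object instead of a subtree:
rem      ntdsutil "authoritative restore" "restore object CN=JDoe,OU=Sales,DC=contoso,DC=com" "quit" "quit"
rem    The entire database ("restore database") additionally needs SYSVOL made
rem    authoritative: redo the System State restore with the Restore Wizard
rem    advanced option that marks the restored data as the primary data for
rem    all replicas selected.

rem 2. Restart normally. The restored OU replicates out to the other domain
rem    controllers; everything else on this server catches up from them.
echo Marked %SUBTREE% authoritative. Restart the domain controller normally.

rem 3. Partial-restore follow-up, after the restart and once SYSVOL is shared
rem    again: copy the Group Policy template folder of each restored GPO from
rem    the alternate-location SYSVOL over the live one, so the templates match
rem    the restored Group Policy container objects. Replace {GUID} with the
rem    GPO's GUID (the gPCFileSysPath attribute of the restored GPO names it).
rem      xcopy "%ALTSYSVOL%\domain\Policies\{GUID}" "%SystemRoot%\SYSVOL\domain\Policies\{GUID}" /E /I /H /K
endlocal
```

Two things to check afterwards: that the subtree has reappeared on another domain controller (repadmin /showreps from the Support Tools shows whether inbound replication from the restored server succeeded), and the group memberships of the restored users. In Windows 2000 a membership is stored on the group object, so a restored user that was removed from groups by the deletion only gets those memberships back if the groups are restored authoritatively as well.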


Troubleshooting Active Directory

• Cannot add/remove a domain

• Cannot create objects

• Cannot modify the schema

• Changes to group membership not taking effect

• Clients without Active Directory client software cannot log on

• Unable to access resources in another domain


Symptom: Cannot Add/Remove a Domain

• Cause: the domain naming master is not available.

  • Network connectivity problem.

  • Failure of the computer holding the domain naming master role.

• Solution:

  • Resolve the network connectivity problem.

  • Repair or replace the domain naming master computer; if it cannot be brought back, seize the role on another domain controller with NTDSUTIL and do not return the original holder to the network unless it is reinstalled.


Symptom: Cannot Create Objects in Active Directory

• Cause: the relative ID master is not available and the domain controller creating the object has used up its local pool of relative IDs (500 by default), so the symptom can appear some time after the failure and on one domain controller before another.

  • Network connectivity problem.

  • Failure of the computer holding the relative ID master role.

• Solution:

  • Resolve the network connectivity problem.

  • Repair or replace the relative ID master computer; if it cannot be brought back, seize the role on another domain controller with NTDSUTIL and do not return the original holder to the network unless it is reinstalled.


Symptom: Cannot Modify the Schema

• Cause: the schema master is not available.

  • Network connectivity problem.

  • Failure of the computer holding the schema master role.

• Solution:

  • Resolve the network connectivity problem.

  • Repair or replace the schema master computer; if it cannot be brought back, seize the role on another domain controller with NTDSUTIL and do not return the original holder to the network unless it is reinstalled.


Symptom: Changes to Group Memberships Not Taking Effect

• Cause: the infrastructure master is not available, so group memberships that reference accounts in other domains are not updated. The role matters only in a multiple-domain forest, and only when it is held by a domain controller that is not a global catalog server.

  • Network connectivity problem.

  • Failure of the computer holding the infrastructure master role.

• Solution:

  • Resolve the network connectivity problem.

  • Repair or replace the infrastructure master computer, or transfer (or seize) the role to another domain controller that is not a global catalog server; the original holder can take the role back once repaired.


Symptom: Clients Without Active Directory Client Software Installed Cannot Log On

• Cause: the primary domain controller emulator is not available. It acts as the primary domain controller for Windows NT backup domain controllers and for down-level clients (Windows 95/98 and Windows NT without the Active Directory client), and it handles their password changes.

  • Network connectivity problem.

  • Failure of the computer holding the primary domain controller emulator role.

• Solution:

  • Resolve the network connectivity problem.

  • Repair or replace the primary domain controller emulator computer, or transfer (or seize) the role to another domain controller; the original holder can take the role back once repaired.
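For the five symptoms above the first step is the same: find out which computer holds the role and whether it can be reached. This added example (not from the course material) does that with netdom and nltest from the Windows 2000 Support Tools, and shows, commented out, the NTDSUTIL seizure that the repair-or-replace step comes down to when the holder is gone for good. DC2 is a placeholder for the surviving domain controller, and the netdom output format in the comments is the assumption the parsing relies on.

```batch
@echo off
rem fsmo-check.cmd : added example, not from the course material.
rem Finds the operations master role holders of the current domain and forest
rem with netdom, then tests each one for the two causes on the slides: no
rem network path (ping) and a holder whose directory service is down (nltest).
rem Requires the Windows 2000 Support Tools. DC2 in the comments at the end is
rem a placeholder for the surviving domain controller that should take a role.
setlocal

rem "netdom query fsmo" prints one line per role, ending in the holder's name:
rem   Schema owner            dc1.contoso.com
rem   Domain role owner       dc1.contoso.com
rem   PDC role                dc1.contoso.com
rem   RID pool manager        dc1.contoso.com
rem   Infrastructure owner    dc1.contoso.com
for /f "delims=" %%L in ('netdom query fsmo ^| findstr /c:"owner" /c:"PDC role" /c:"RID pool"') do call :check %%L
goto :eof

:check
rem %* is one netdom line; its last word is the holder's name.
set HOLDER=
for %%W in (%*) do set HOLDER=%%W
echo.
echo %*
rem Cause 1: network connectivity problem (ping exits nonzero on failure).
ping -n 1 %HOLDER% >nul && (echo   network: reachable) || (echo   network: NOT reachable, resolve connectivity first)
rem Cause 2: the computer or its directory service has failed. Asking the
rem holder's own Netlogon to locate a domain controller only succeeds when
rem the holder is up and its directory service is answering.
nltest /server:%HOLDER% /dsgetdc:%USERDNSDOMAIN% >nul 2>&1 && (echo   directory service: answering) || (echo   directory service: not answering, repair, replace or seize)
goto :eof

rem Seizure, run on the domain controller that takes over once the holder is
rem known not to be coming back. ntdsutil attempts a graceful transfer first
rem and asks for confirmation in a dialog box:
rem   ntdsutil roles connections "connect to server DC2" quit "seize domain naming master" quit quit
rem The other roles: "seize schema master", "seize RID master",
rem "seize infrastructure master", "seize PDC".
```

Seize only when the holder will not return. A schema master, domain naming master or relative ID master whose role was seized must not come back on the network unless it is reinstalled, because two computers would then claim the same role; the PDC emulator and infrastructure master can simply be transferred back to the repaired computer.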


Symptom: Unable to Access Resources in Another Domain

• Cause: failure of the trust between the domains (for example, the two sides no longer agree on the trust password).

• Solution:

  • Reset and verify the trust between the domains.

  • The PDC emulator must be available to reset the trust.
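The verify-and-reset sequence above as an added example (not from the course material), using nltest and netdom from the Windows 2000 Support Tools. contoso.com is the trusting domain and fabrikam.com the trusted one, and the account name on the trusted side is a placeholder.

```batch
@echo off
rem trust-check.cmd : added example, not from the course material.
rem Verifies the trust between two Windows 2000 domains and resets it when
rem verification fails, with nltest and netdom from the Support Tools.
rem Placeholders: contoso.com trusts fabrikam.com (contoso is the trusting
rem domain), and FABRIKAM\Administrator is the account used on the trusted side.
setlocal
set TRUSTING=contoso.com
set TRUSTED=fabrikam.com

rem 1. Resetting a trust needs the PDC emulator, so locate it explicitly
rem    (/pdc asks the locator for that role holder, not just any domain
rem    controller) in both domains before touching anything. On success
rem    nltest prints a line starting with "DC: \\".
nltest /dsgetdc:%TRUSTING% /pdc | findstr /c:"DC: " >nul || goto pdcdown
nltest /dsgetdc:%TRUSTED% /pdc | findstr /c:"DC: " >nul || goto pdcdown

rem 2. Verify: checks the secure channel and that both sides agree on the
rem    trust password. netdom exits nonzero when the check fails.
netdom trust %TRUSTING% /domain:%TRUSTED% /verify && goto trustok

rem 3. Reset: sets a new trust password on both sides. Credentials for the
rem    trusted domain go in /UserD and /PasswordD (* prompts for the password
rem    instead of leaving it in the command history); the trusting side uses
rem    the credentials of the logged-on administrator.
netdom trust %TRUSTING% /domain:%TRUSTED% /reset /UserD:FABRIKAM\Administrator /PasswordD:*
netdom trust %TRUSTING% /domain:%TRUSTED% /verify || (echo Trust still failing after reset. & exit /b 1)

:trustok
echo Trust between %TRUSTING% and %TRUSTED% verified.
exit /b 0

:pdcdown
echo A PDC emulator is unreachable; repair or seize that role before resetting the trust.
exit /b 1
```

Run it from an account that is an administrator in the trusting domain; the check in step 1 is there because a reset attempted while a PDC emulator is down fails in a way that looks like a broken trust, which sends the troubleshooting in the wrong direction.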
