7/28/2019 Ad Backuup Restore and Maintaince q n as Printed

Active Directory Backup, Restore and Maintenance Q and As

What is the NTDS.DIT file?

Ntds.dit is the primary Active Directory database file (sometimes referred to as the data store) that resides on each domain controller (DC). It stores all of the objects, attributes, and properties for the local domain, as well as the configuration and schema portions of the database. By default, this file is installed into the %SYSTEMROOT%\NTDS folder. Although not required, it is recommended that you store this file on an NTFS partition for security purposes: the file holds the password hashes of every account in the domain, and anyone who can read it together with the SYSTEM registry hive can recover them, so any copy of ntds.dit (including the one inside a system state backup) needs the same protection as the DC itself.

What do I need to do to prepare my Windows 2000 forest for the installation of the first Windows Server 2003 DC?

Before you can introduce Windows Server 2003 domain controllers, you must prepare the forest and domains with the ADPrep utility:

ADPrep /forestprep on the schema master in your Windows 2000 forest.

ADPrep /domainprep on the infrastructure master in each AD domain.

ADPrep is located in the i386 directory of the Windows Server 2003 install media. The schema extensions that /forestprep makes replicate to every DC in the forest and cannot be rolled back, so take a system state backup of the schema master before running it. For more info: http://www.petri.co.il/windows_2003_adprep.htm

Which files are the Active Directory transaction logs?

Edb*.log. This name pattern identifies transaction logs. Transaction log names can take one of several forms, including edb.log, edb00001.log, edb00002.log, and so forth. Each log file is a fixed 10 MB in size, regardless of the amount of actual data stored in it. The current log file that is receiving updates to Active Directory is named edb.log. When this file is full, it is renamed to edb00001.log (or whatever the next number is in the sequence, if 00001 is taken), and a new empty edb.log is created. However, these logs don't keep piling up forever; they are regularly purged through a process called garbage collection.

What are the reserved log files (Res1.log and Res2.log)?

Res1.log and Res2.log are known as the reserved (Res) log files. Their primary purpose is to ensure that Active Directory does not run out of disk space to use when logging transactions. If there is not enough free space to create a new transaction log, a reserved log is used. Because of this role, these log files are often referred to as placeholders. Like the edb.log files mentioned previously, these files are 10 MB each.

What is the EDB.CHK file?

Edb.chk, the checkpoint file, is used to track the updates that have been written to the Active Directory database. You can think of this file as a list that is checked off as updates are flushed to disk from the Active Directory log files. If you shut down the system before all transactions have been written to the database, the checkpoint file is consulted when you reboot the system so that any remaining transactions can be written to Active Directory.
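The file descriptions above (ntds.dit, edb.log and the numbered logs, the reserved logs, edb.chk) can be checked on a live DC. The following is an added example, not code from the original Q and A: it reads where the database and log files live from the NTDS service registry key, classifies each file by the naming scheme described, confirms the 10 MB log size and the NTFS recommendation, and reports any account other than SYSTEM and local Administrators that has access to the folders. It assumes Windows PowerShell 3.0 or later run elevated on the DC; the identity allow-list is this script's choice, not a Microsoft default.

```powershell
# Added example, not part of the original Q and A. Inventories the NTDS files
# described above and checks where they live and who can read them.
# Assumptions: Windows PowerShell 3.0 or later, run elevated on a DC; the two
# registry value names are the standard ones under the NTDS service key; the
# allow-list of identities is this script's choice, not a Microsoft default.

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-NtdsPaths {
    # 'DSA Database file' is the full path of ntds.dit; 'Database log files path'
    # is the folder holding edb*.log, the reserved logs and edb.chk.
    $p = Get-ItemProperty -Path $ntdsKey
    [pscustomobject]@{
        DatabaseFile = $p.'DSA Database file'
        LogFolder    = $p.'Database log files path'
    }
}

function Get-NtdsFileRole {
    param([Parameter(Mandatory)][string]$Name)
    # Naming scheme from the text. ESE numbers archived logs in hex (edb0000A.log
    # is valid); Windows Server 2008 and later name the reserved logs
    # edbres0000x.jrs instead of res1.log/res2.log, with the same purpose.
    switch -Regex ($Name.ToLower()) {
        '^ntds\.dit$'                        { 'database' }
        '^edb\.log$'                         { 'current transaction log' }
        '^edb[0-9a-f]{5}\.log$'              { 'archived transaction log' }
        '^(res[12]\.log|edbres\d{5}\.jrs)$'  { 'reserved log (placeholder)' }
        '^edb\.chk$'                         { 'checkpoint' }
        '^temp\.edb$'                        { 'ESE temporary database' }
        default                              { 'other (review)' }
    }
}

function Get-NtdsFolders {
    $paths = Get-NtdsPaths
    @((Split-Path -Path $paths.DatabaseFile -Parent), $paths.LogFolder) | Select-Object -Unique
}

function Get-NtdsFileInventory {
    foreach ($dir in Get-NtdsFolders) {
        $drive  = New-Object System.IO.DriveInfo (Split-Path -Path $dir -Qualifier)
        $onNtfs = ($drive.DriveFormat -eq 'NTFS')
        foreach ($f in Get-ChildItem -Path $dir -File) {
            $role = Get-NtdsFileRole -Name $f.Name
            # Every transaction log, archived or reserved, is preallocated at 10 MB.
            $sizeOk = if ($role -like '*log*') { $f.Length -eq 10MB } else { $true }
            [pscustomobject]@{
                Path   = $f.FullName
                Role   = $role
                Bytes  = $f.Length
                SizeOk = $sizeOk
                OnNtfs = $onNtfs
            }
        }
    }
}

function Test-NtdsFolderAcl {
    # Report every Allow ACE on the NTDS folders that is not SYSTEM or local
    # Administrators; whoever can read these files can dump every password hash.
    param([string[]]$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'))
    foreach ($dir in Get-NtdsFolders) {
        foreach ($ace in (Get-Acl -Path $dir).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $AllowedIdentities -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Folder    = $dir
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-NtdsFileInventory | Format-Table -AutoSize
$unexpected = @(Test-NtdsFolderAcl)
if ($unexpected.Count -gt 0) { $unexpected | Format-Table -AutoSize }
else { 'NTDS folders grant access only to the allowed identities.' }
```

A log that is not exactly 10 MB, a file classified as "other", or an extra identity on the folder is worth a look: the first two point at a damaged or tampered log set, the last at a path for copying the database off the box.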

Explain the process of Active Directory database modification.

The Extensible Storage Engine (ESE) lies at the heart of the Active Directory database system. Changes to the Active Directory database on a DC occur through two primary means:

An administrator creates, deletes, or updates objects in the database.

Replication information, which contains new objects, deletion requests, or changes to existing objects, is received from other DCs.

When changes to the database occur, ESE captures each change as a single unit known as a transaction. A transaction contains the changed data and a set of metadata. This metadata can include the Globally Unique Identifier (GUID) assigned to the object, a timestamp, a version, and other information. It is important to note that this update procedure applies to all changes in Active Directory, including objects, properties, and attributes.

A write request occurs when a change is made to Active Directory. This initiates a transaction that consists of the changes, as well as the metadata described previously. ESE writes the transaction to the transaction buffer in memory, and then writes the transaction to the Edb.log file. After it has been successfully written to the log file, it is written to the Active Directory database file.

If a failure occurs, when Active Directory recovers it examines the Edb.chk file to determine which transactions have not been written to the database. Transactions are not marked as written in this file until they have been fully committed to the database. This ensures that a failure that occurs partway through writing data will not be marked as completed and leave inconsistent data in the Active Directory database. When a transaction has been committed, Active Directory compares the information written to the database with the information contained in the log file(s). When the two have been verified as identical, the Edb.chk file is updated and the transaction is marked as committed to the database.

Windows Server 2003 uses circular transaction logging. This means that, with the exception of the Edb.log, Res1.log, and Res2.log files, the log files are deleted after all of the transactions they contain have been committed to the database. Another important note about logging is that when you back up Active Directory by backing up the system state data (a process discussed in a later section), all events currently waiting in your transaction logs are committed. The logs are fully committed when you shut down or reboot your server.

What are the two primary ways through which AD database changes occur?

An administrator creates, deletes, or updates objects in the database.

Replication information, which contains new objects, deletion requests, or changes to existing objects, is received from other DCs.

What is ESE (Extensible Storage Engine)?

ESE is the heart of Active Directory. It coordinates transactions between the log files, the checkpoint file, and the database.

What is circular logging in Windows 2003?

Windows Server 2003 uses circular transaction logging: with the exception of the Edb.log, Res1.log, and Res2.log files, the log files are deleted after all of the transactions they contain have been committed to the database. When you back up Active Directory by backing up the system state data, all events currently waiting in your transaction logs are committed. The logs are fully committed when you shut down or reboot your server. (The original document includes an image of this process here.)


What is the tombstone process in Active Directory?

The tombstone process exists to support the multimaster replication strategy of Windows Server 2003's Active Directory service. To understand this better, suppose that instead of using tombstoning, an object is immediately purged from Active Directory on the original DC when you delete it. At the same time, the DC's replication partners are notified to delete the object. Most receive the replication request, but one does not. In later replication, this DC might reintroduce the object into the databases of the other DCs. Because the other DCs have fully deleted the object, it might appear as a new object to them.

The tombstone process prevents this from occurring. Each DC holds the object in its Deleted Objects container for the length of the tombstone interval. The default of 60 days allows plenty of time to pass and ensures that all DCs on the network have sufficient time to receive the delete request. When this interval is reached, the object is marked as expired. (Forests first created with Windows Server 2003 SP1 or later set the interval to 180 days; forests created with the original release keep the 60-day default.)

You should ensure that backups are performed within the tombstone interval. Restores of directory service data older than the tombstone interval should not be performed, to prevent the reintroduction of objects that were deleted during this period but have since been purged from the database. The same rule applies to a DC that has been offline longer than the interval: its partners refuse to replicate with it, because any objects it still holds that were deleted elsewhere would come back as lingering objects.

What is the garbage collection process?

The garbage collection process works in conjunction with the tombstone process. It runs every 12 hours on DCs by default, and one of its primary functions is to purge expired objects from the database. After the expired objects are purged, any remaining unnecessary log files are deleted and an online defragmentation of the database occurs. This consolidates the free space that was generated by the deletions and increases the performance of the database.

What is the interval difference between the tombstone and garbage collection processes?

The tombstone interval is configured in days (60 days by default), whereas the garbage collection interval is configured in hours (every 12 hours by default). Both are attributes (tombstoneLifetime and garbageCollPeriod) of the CN=Directory Service,CN=Windows NT,CN=Services object in the configuration partition and can be changed using ADSI Edit, LDP, or an ADSI script. However, Microsoft recommends that it is generally best not to change the intervals. The tombstone interval should always be at least as long as the longest replication interval in the forest.
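The two rules above (back up within the tombstone interval, keep the interval longer than the slowest replication path) are easy to check. The following is an added example, not code from the original Q and A: it reads tombstoneLifetime and garbageCollPeriod from the configuration partition with the defaults the text gives when the attributes are unset, then tests a backup's age and the replication topology against them. It assumes Windows PowerShell 3.0 or later on a domain-joined machine; the last backup time and the longest replication interval are supplied by the operator (for example from repadmin /showbackup and the site link schedules) rather than discovered here, and the backup date in the usage line is a constructed value.

```powershell
# Added example, not part of the original Q and A. Reads the tombstone lifetime
# and garbage collection interval from the configuration partition and checks a
# backup's age and the replication topology against them. Assumptions: Windows
# PowerShell 3.0 or later on a domain-joined machine; the last backup time and
# the longest replication interval are supplied by the operator, not discovered.

function Get-NtdsLifetimeSettings {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $cfgNc   = $rootDse.configurationNamingContext.Value
    $dsObj   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
    $tsl = $dsObj.psbase.Properties['tombstoneLifetime'].Value
    $gc  = $dsObj.psbase.Properties['garbageCollPeriod'].Value
    # An absent attribute means the built-in default applies: 60 days and 12 hours
    # as in the text (forests first created with Windows Server 2003 SP1 or later
    # have tombstoneLifetime explicitly set to 180).
    $tslDays = if ($null -ne $tsl) { [int]$tsl } else { 60 }
    $gcHours = if ($null -ne $gc)  { [int]$gc }  else { 12 }
    [pscustomobject]@{
        TombstoneLifetimeDays  = $tslDays
        TombstoneLifetimeIsSet = ($null -ne $tsl)
        GarbageCollectionHours = $gcHours
    }
}

function Test-NtdsLifetimePolicy {
    param(
        [Parameter(Mandatory)][int]$TombstoneLifetimeDays,
        [Parameter(Mandatory)][int]$GarbageCollectionHours,
        [Parameter(Mandatory)][datetime]$LastBackup,
        [int]$LongestReplicationIntervalDays = 1,
        [datetime]$Now = (Get-Date)
    )
    $findings = @()
    $ageDays  = [math]::Round(($Now - $LastBackup).TotalDays, 1)
    if ($ageDays -ge $TombstoneLifetimeDays) {
        # A restore from this backup would bring back objects whose tombstones
        # have already been garbage collected on the other DCs.
        $findings += "Backup is $ageDays days old, at or past the $TombstoneLifetimeDays-day tombstone lifetime: do not restore it."
    }
    if ($TombstoneLifetimeDays -lt $LongestReplicationIntervalDays) {
        $findings += "Tombstone lifetime ($TombstoneLifetimeDays days) is shorter than the longest replication interval ($LongestReplicationIntervalDays days); a deletion can expire before every DC sees it."
    }
    # Garbage collection can run at most hourly and at least once per third of the tombstone lifetime.
    $maxGcHours = [int]($TombstoneLifetimeDays * 24 / 3)
    if ($GarbageCollectionHours -lt 1 -or $GarbageCollectionHours -gt $maxGcHours) {
        $findings += "Garbage collection interval ($GarbageCollectionHours h) is outside the supported 1 to $maxGcHours hour range."
    }
    [pscustomobject]@{
        BackupAgeDays          = $ageDays
        DaysUntilBackupExpires = [math]::Round($TombstoneLifetimeDays - $ageDays, 1)
        Passed                 = ($findings.Count -eq 0)
        Findings               = $findings
    }
}

# Usage (the backup time is a constructed value for the example):
$s = Get-NtdsLifetimeSettings
Test-NtdsLifetimePolicy -TombstoneLifetimeDays $s.TombstoneLifetimeDays `
    -GarbageCollectionHours $s.GarbageCollectionHours `
    -LastBackup (Get-Date '2019-07-01') -LongestReplicationIntervalDays 7
```

DaysUntilBackupExpires is the number to watch in monitoring: once it reaches zero the backup is useless for a restore and should be treated as expired media.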

What AD database defragmentation methods are available?

There are two methods to defragment the Active Directory database in Windows 2000 and Windows Server 2003. One method is an online defragmentation operation that runs as part of the garbage collection process. The advantage of this method is that the server does not have to be taken offline for the operation to run. However, this method does not reduce the size of the Active Directory database file (Ntds.dit). The other method takes the server offline and defragments the database using the Ntdsutil.exe utility. This approach requires that the database be started in repair mode. The advantage of this method is that the database is resized and unused space is removed, so the size of the Ntds.dit file is reduced. To use this method, the domain controller must be taken offline.

How do I perform an offline defrag of the AD database (ntds.dit)?

1. Back up the system state data for fault tolerance purposes. See the Backing Up Active Directory section later in this chapter for more information.
2. Boot or reboot the computer.
3. When prompted, press F8 during Windows Server 2003 startup, select Directory Services Restore Mode (Windows DCs only) on the Windows Advanced Options menu that appears, and press the Enter key.
4. Log on by providing the password for the local administrator account and clicking the OK button.
5. Click the OK button in the dialog box that notifies you that Windows is running in safe mode.
6. Open a command prompt. Type ntdsutil to enter the Ntdsutil utility. Note that this is a command-line utility, so the command prompt will change to ntdsutil:.
7. Type files. The command prompt should change to display file maintenance:.
8. Type compact to followed by the drive and folder path to create a defragmented and compacted copy of the Active Directory database in the specified new location. For example, compact to C:\ADTemp creates a defragmented, re-indexed, and re-sized database file in the C:\ADTemp directory, as shown in Figure 11.5. The location specified can be on a local disk or on a mapped network drive; prefer a local disk, since the copy contains every password hash in the domain and should not cross the network. If there are spaces in the path where the file needs to be placed, it must be surrounded by quotes; for example, compact to "c:\ad\july defrag".
9. Type quit to return to the ntdsutil: prompt.
10. Type quit again to exit the utility.
11. Open Windows Explorer and rename the previously used ntds.dit file to ntds.old.dit.
12. In Windows Explorer, copy the new ntds.dit file from the location you specified with the compact to command to the location of the primary ntds.dit file.
13. In Windows Explorer, delete all files that end with the .LOG extension in your Active Directory log files folder.
14. Close the command prompt window and reboot the server normally.

Step 11 is not specified in Microsoft's instructions, but we recommend it for fault tolerance purposes. As mentioned, an offline defragmentation is very invasive. It is possible that the compacted file will be corrupt and that Active Directory will not start after the procedure. If you don't take this step, you will be forced to do a system state restore to recover the previous database file. By simply renaming the file, you can boot back into Directory Services Restore Mode, delete the corrupt file, and rename ntds.old.dit back to ntds.dit to recover the system. Two further precautions: run the ntdsutil files integrity command (described in the maintenance section) against the new file before rebooting, so a bad compaction is caught while the old file is still at hand; and delete ntds.old.dit and the copy in the temporary folder once Active Directory has started cleanly, since each is a complete copy of the domain's password hashes.

How do I move the AD database file to another location?

1. Reboot your server and go to Directory Services Restore Mode by pressing F8.
2. Open a command prompt.
3. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt will change to ntdsutil:.
4. Type files. The command prompt should change to display file maintenance:.
5. Type move DB to followed by the drive and folder path to move the ntds.dit database file to the new location specified. For example, move DB to C:\AD moves the database file to the C:\AD directory and updates the Registry to point to this new location.

How do I move the transaction log files to another location?

1. Reboot your server.
2. Go to Directory Services Restore Mode.
3. Open a command prompt. Type ntdsutil to enter the ntdsutil: prompt.
4. Type files to go to the file maintenance: prompt.
5. Type move logs to followed by the drive and folder path to move the Active Directory log files to the new location specified. For example, move logs to C:\AD moves the log files to the C:\AD directory and updates the Registry to point to this new location.

How do you point the OS to an AD database that was restored from backup to another location?

It is important to move the Active Directory database and log files properly, using the Ntdsutil command-line utility. This updates the Registry entries that point to the correct locations in the file system (the DSA Database file and Database log files path values under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters), thus allowing the system to find and initialize them when booting. If you are forced to restore these files to another location, or simply copy them to a new location using Windows Explorer, Active Directory will not initialize when the system is rebooted. Fortunately, Microsoft provides a way to fix this, using the Ntdsutil utility. To do so, follow these steps:

1. Boot or reboot the computer and go to Directory Services Restore Mode by pressing F8.
2. Log on by providing the password for the local administrator account and clicking the OK button.
3. Click the OK button in the dialog box that notifies you that Windows is running in safe mode.
4. Open a command prompt. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt will change to ntdsutil:.
5. Type files. The command prompt should change to display file maintenance:.
6. Use one of the following commands to update the paths of the Active Directory database or log files.
7. Type set path DB followed by the full path of the ntds.dit file to update the Registry to point to its new location.
8. Type set path logs followed by the folder path to update the Registry to point to the new location of the Active Directory log files.
9. Type quit to return to the ntdsutil: prompt.
10. Type quit again to exit the utility.
11. Close the command prompt window and reboot the server normally.

The new folder must carry the same restrictive permissions as the original %SYSTEMROOT%\NTDS folder (SYSTEM and Administrators only); check them before rebooting.
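The offline defragmentation steps and the set path repair above both go through the ntdsutil file maintenance prompt, which also accepts its commands as command-line arguments. The following is an added example, not code from the original Q and A, that scripts both procedures with the rollback the text recommends: compact to a local temporary folder, keep the old file as ntds.old.dit, swap in the new one, delete the logs, run the integrity check in place and put the old file back if it fails; and a set path wrapper that reads the registry values back so a typo shows up before the reboot rather than as a failed AD start. It assumes Windows PowerShell 3.0 or later on a DC booted into Directory Services Restore Mode (or, on Windows Server 2008 and later, with the AD DS service stopped) and ntdsutil.exe on the path. The activate instance ntds command exists only on Windows Server 2008 and later, so it is omitted when -LegacyNtdsutil is given for a Windows Server 2003 DC; the success phrases matched in the output are those ntdsutil prints and should be confirmed on your build.

```powershell
# Added example, not part of the original Q and A. Scripts the offline
# defragmentation (steps 6 to 13 above) and the 'set path' repair, with the
# rollback the text recommends. Assumptions: Windows PowerShell 3.0 or later
# on a DC in Directory Services Restore Mode (or AD DS stopped on 2008 and
# later); ntdsutil.exe on the path; -LegacyNtdsutil for Windows Server 2003,
# which has no 'activate instance ntds' command.

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Invoke-NtdsFileMaintenance {
    # Run one 'file maintenance:' command non-interactively. Each argument is one
    # ntdsutil command; PowerShell quotes arguments containing spaces for us.
    param([Parameter(Mandatory)][string]$Command, [switch]$LegacyNtdsutil)
    $cmdArgs = @()
    if (-not $LegacyNtdsutil) { $cmdArgs += 'activate instance ntds' }
    $cmdArgs += 'files', $Command, 'quit', 'quit'
    @(& ntdsutil.exe @cmdArgs 2>&1 | ForEach-Object { "$_" })
}

function Get-NtdsPaths {
    $p = Get-ItemProperty -Path $ntdsKey
    [pscustomobject]@{ DatabaseFile = $p.'DSA Database file'; LogFolder = $p.'Database log files path' }
}

function Invoke-NtdsOfflineDefrag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$TempFolder, [switch]$LegacyNtdsutil)
    if ($TempFolder -match '\s') { throw 'Use a temp path without spaces; quoting inside an ntdsutil argument is fragile.' }
    $paths = Get-NtdsPaths
    $oldDb = Join-Path (Split-Path -Path $paths.DatabaseFile -Parent) 'ntds.old.dit'
    $newDb = Join-Path $TempFolder 'ntds.dit'
    New-Item -ItemType Directory -Path $TempFolder -Force | Out-Null

    # Step 8: compact to a local folder (not a mapped drive: the copy holds every
    # password hash and should never cross the network).
    $out = Invoke-NtdsFileMaintenance -Command "compact to $TempFolder" -LegacyNtdsutil:$LegacyNtdsutil
    if (-not (Test-Path -Path $newDb) -or -not ($out -match 'Compaction is successful')) {
        throw "compact did not succeed:`n$($out -join "`n")"
    }
    if (-not $PSCmdlet.ShouldProcess($paths.DatabaseFile, 'replace with compacted copy')) { return }

    # Steps 11 to 13: keep the old database, swap in the new one, drop the logs
    # (they belong to the old file and must not be replayed into the new one).
    Rename-Item -Path $paths.DatabaseFile -NewName (Split-Path -Path $oldDb -Leaf)
    Copy-Item -Path $newDb -Destination $paths.DatabaseFile
    Get-ChildItem -Path $paths.LogFolder -Filter '*.log' | Remove-Item -Force

    # Check the new file in place before rebooting; on failure put the old one back.
    $check = Invoke-NtdsFileMaintenance -Command 'integrity' -LegacyNtdsutil:$LegacyNtdsutil
    if (-not ($check -match 'Integrity check successful')) {
        Remove-Item -Path $paths.DatabaseFile -Force
        Rename-Item -Path $oldDb -NewName 'ntds.dit'
        throw "integrity check failed on the compacted database; original restored:`n$($check -join "`n")"
    }
    "Compacted database in place. Delete $oldDb and $newDb once AD DS has started cleanly."
}

function Set-NtdsPath {
    # Steps 7 and 8 of the 'point the OS at a restored database' procedure: the
    # ntdsutil commands rewrite the two registry values, which are read back here.
    param([string]$DatabaseFile, [string]$LogFolder, [switch]$LegacyNtdsutil)
    if ($DatabaseFile) { Invoke-NtdsFileMaintenance -Command "set path DB $DatabaseFile" -LegacyNtdsutil:$LegacyNtdsutil | Out-Null }
    if ($LogFolder)    { Invoke-NtdsFileMaintenance -Command "set path logs $LogFolder" -LegacyNtdsutil:$LegacyNtdsutil | Out-Null }
    $now = Get-NtdsPaths
    [pscustomobject]@{
        DatabaseFile    = $now.DatabaseFile
        DatabaseExists  = Test-Path -Path $now.DatabaseFile -PathType Leaf
        LogFolder       = $now.LogFolder
        LogFolderExists = Test-Path -Path $now.LogFolder -PathType Container
    }
}

# Usage: Invoke-NtdsOfflineDefrag -TempFolder 'C:\ADTemp' -WhatIf
#        Set-NtdsPath -DatabaseFile 'D:\AD\ntds.dit' -LogFolder 'D:\AD'
```

Run the defrag first with -WhatIf: it still performs the compaction into the temporary folder (which is harmless) but stops before touching the live database, which lets you inspect the compacted file and the ntdsutil output before committing.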


What is system state? What data does system state include?

System state data is a term Microsoft uses to refer to a set of core configuration information in Windows 2000, XP, and 2003. The actual information included in the system state depends on the underlying configuration of the operating system and which components are installed. System state data always includes the following:

The Windows Registry

The COM+ Class Registration database

Boot and system files needed to start the operating system, including Ntldr and Ntdetect.com

Several additional components are included, depending on the configuration of the operating system:

The Active Directory database and supporting files, if the computer is a DC

The SYSVOL directory, if the computer is a DC

The Certificate Services database, if the computer is functioning as a certificate authority (CA)

The Internet Information Server (IIS) metabase, if IIS is installed on the computer

Core cluster service configuration information, if the computer is part of a cluster

Note that a DC's system state backup therefore contains both ntds.dit and the SYSTEM registry hive, which together yield every password hash in the domain; the backup media needs the same access controls as the DC.

What is the Volume Shadow Copy Service?

The Volume Shadow Copy Service provides the backup infrastructure for the Microsoft Windows XP and Microsoft Windows Server 2003 operating systems, as well as a mechanism for creating consistent point-in-time copies of data known as shadow copies.

Before the Volume Shadow Copy Service and its standard set of extensible application programming interfaces (APIs), there was no standard way to produce clean (uncorrupted) snapshots of a volume. Snapshots often contained corruption due to torn writes that required the use of utilities such as Chkdsk.exe to repair. Torn writes occur when an unplanned event (such as a power failure) prevents the system from completely writing a block of data to disk. The Volume Shadow Copy Service APIs prevent torn writes by enabling applications to flush partially committed data from memory.

The Volume Shadow Copy Service has native support for creating consistent shadow copies across multiple volumes, regardless of the snapshot technology or application. The Volume Shadow Copy Service can produce consistent shadow copies by coordinating with business applications, file-system services, backup applications, fast recovery solutions, and storage hardware. Several features in the Windows Server 2003 operating systems use the Volume Shadow Copy Service, including Shadow Copies for Shared Folders and Backup.

The same mechanism is what lets anyone with administrative rights on a DC copy ntds.dit while Active Directory holds it open (a shadow copy created with vssadmin or diskshadow, then a file copy from the snapshot), so shadow copy creation on a DC outside the backup window is an event worth alerting on.

What are the different methods of backing up Active Directory?

As part of a full system backup

As part of a partial system backup

Back up the system state data only
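Whichever of the three methods is used, the system state component of a DC backup goes through the Volume Shadow Copy Service and its NTDS writer, and the result contains the database and registry hives described above. The following is an added example, not code from the original Q and A: it confirms the NTDS VSS writer is stable before starting, takes a system state backup with the native tool (wbadmin on Windows Server 2008 and later, ntbackup on Windows Server 2003), and then strips every permission from the backup except SYSTEM and local Administrators. It assumes Windows PowerShell 3.0 or later run elevated on the DC, a local backup target, and the standard vssadmin output layout and writer names.

```powershell
# Added example, not part of the original Q and A. Checks that the NTDS VSS
# writer is stable before a system state backup, runs the backup with the
# native tool, and restricts the result to SYSTEM and Administrators.
# Assumptions: Windows PowerShell 3.0 or later, run elevated on the DC;
# wbadmin.exe (Windows Server 2008 and later) or ntbackup.exe (Windows Server
# 2003) on the path; the writer names and vssadmin output layout are standard.

function Get-VssWriterState {
    # 'vssadmin list writers' prints, per writer, a name line followed by id,
    # instance and a "State: [n] Stable" line; only name and state are kept.
    $text = & vssadmin.exe list writers 2>&1 | Out-String
    $pattern = "Writer name: '(?<name>[^']+)'[\s\S]*?State: \[(?<code>\d+)\] (?<state>[^\r\n]+)"
    foreach ($m in [regex]::Matches($text, $pattern)) {
        [pscustomobject]@{
            Name      = $m.Groups['name'].Value
            StateCode = [int]$m.Groups['code'].Value
            State     = $m.Groups['state'].Value.Trim()
        }
    }
}

function Test-VssWriterReady {
    # A writer that is not Stable (Failed, Waiting for completion, ...) makes the
    # snapshot skip or corrupt that component, so stop before backing up.
    param([string[]]$RequiredWriters = @('NTDS'))
    $writers  = @(Get-VssWriterState)
    $problems = @(foreach ($name in $RequiredWriters) {
        $w = $writers | Where-Object { $_.Name -eq $name }
        if (-not $w) { "$name writer is not registered" }
        elseif ($w.State -ne 'Stable') { "$name writer is $($w.State)" }
    })
    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

function Protect-BackupPath {
    # A system state backup of a DC holds ntds.dit and the SYSTEM hive, i.e.
    # every password hash and the key to decrypt them: break inheritance and
    # leave only SYSTEM and local Administrators with access.
    param([Parameter(Mandatory)][string]$Path)
    $isDir   = Test-Path -Path $Path -PathType Container
    $inherit = if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, 'None', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Start-SystemStateBackup {
    # -Target is a volume such as 'E:' for wbadmin, or a .bkf file path for ntbackup.
    param([Parameter(Mandatory)][string]$Target)
    $ready = Test-VssWriterReady
    if (-not $ready.Ready) { throw ('VSS writers not ready: ' + ($ready.Problems -join '; ')) }
    if (Get-Command -Name wbadmin.exe -ErrorAction SilentlyContinue) {
        & wbadmin.exe start systemstatebackup "-backupTarget:$Target" -quiet
        if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with $LASTEXITCODE" }
        Protect-BackupPath -Path (Join-Path $Target 'WindowsImageBackup')
    } else {
        & ntbackup.exe backup systemstate /J 'System State' /F $Target
        Protect-BackupPath -Path $Target
    }
}

# Usage: Start-SystemStateBackup -Target 'E:'              (Windows Server 2008 and later)
#        Start-SystemStateBackup -Target 'E:\Backups\dc1.bkf'  (Windows Server 2003)
```

Test-VssWriterReady is also a useful standalone health check after a failed backup: an NTDS writer stuck in a non-Stable state is the usual reason a DC's system state silently drops out of the backup set.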

What is Directory Services Restore Mode?

The special feature of this mode is that it allows a DC to boot without initializing its copy of the Active Directory database. Because you must always log on to a Windows Server 2003 computer before you can use the operating system, a small version of a local directory service database (called a SAM database) remains on the computer after it has been promoted to a DC. This database has a single account, the local administrator account. When you have booted to Directory Services Restore Mode using the directions given earlier in the chapter, you must log on with this account. After you are authenticated, you can perform certain limited maintenance functions, such as running the Ntdsutil utility mentioned earlier. You can also run the Backup utility to perform restores of the Active Directory database. It is necessary to perform all restores while running in this mode, because the Active Directory database must be offline to be restored. In this mode, you are logged on to a local account and the Active Directory database is not in use.

The DSRM administrator password is set at promotion time and is a standing local credential on every DC, so it should be rotated like any other privileged password (ntdsutil's set dsrm password command does this) and the registry value that allows the DSRM account to log on while Active Directory is running (DsrmAdminLogonBehavior under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) should stay at its default of 0, since setting it is a known persistence technique.

What are the different restore modes for Active Directory?

1. Normal restore
2. Authoritative restore
3. Primary restore

Normal restore

This method can be used in the following circumstances:

When a domain has only one DC, and the DC needs to be restored. You can also opt to use the primary restore method (covered later) for this scenario.

If there are multiple DCs on the network for the domain, and at least one remains functional, a normal restore can be used to bring the downed DCs back to life.

Like all Active Directory restores, a normal restore is performed by running the Backup utility while logged on to Directory Services Restore Mode. When the restore has completed, the DC is rebooted. When it comes back up, it begins normal replication with its replication partners. Because it was restored from a backup, some of its objects will have older version numbers than the ones currently on the network. This will cause updates and deletions to be replicated to the DC and will bring its Active Directory database up to date.

How do I perform a normal restore?

To perform a normal restore, follow these steps:

1. Boot or reboot the computer.
2. When prompted, press F8 during Windows Server 2003 startup.
3. Select Directory Services Restore Mode (Windows DCs only) in the Windows Advanced Options menu that appears, and press the Enter key.
4. Select your operating system (for example, Windows Server 2003, Enterprise), and press the Enter key.
5. You will see a number of checks performed while the system is booting, and eventually you will receive the Safe Mode logon prompt.
6. Log on by providing the password for the local administrator account and clicking the OK button.
7. Click the OK button in the dialog box that notifies you that Windows is running in safe mode.
8. Open the Windows Server 2003 Backup utility from Start | All Programs | Accessories | System Tools | Backup.
9. On the initial page of the wizard, click the Next button.
10. Select the option button next to Restore files and settings, as shown in Figure 11.30, and click the Next button.
11. The What to Restore page, shown in Figure 11.31, contains an Explorer-style interface similar to the one you encountered while configuring your backup job. Click the plus sign next to File in the left pane. This should reveal the file to which you backed up the system state data earlier. If it doesn't, you can click the Browse button and select the file from the Open Backup File dialog box. Click the plus sign next to the file to which you backed up and select the check box next to the backup you want to restore that appears beneath it. Click the Next button after making your selection.
12. At this point in the wizard, you can click the Finish button and allow the restore to proceed with the default advanced settings. However, to see more of the settings that are available within the wizard, click the Advanced button.
13. The Where to Restore page, shown in Figure 11.32, appears with three options that can be selected from the Restore files to: drop-down box. Original location restores all files to their original locations and is the default. When you select this option and click the Next button, a dialog box appears, informing you that restoring system state will always overwrite the current system state information unless you restore to an alternate location. Click the OK button to proceed to the next screen.
14. Leave Original location selected, click Next, select Replace existing files, click Next, and then click Finish.

Authoritative restore

There are times when a normal restore of Active Directory isn't sufficient; for example, when you accidentally delete an OU. Within a few minutes, the deletion will have replicated to the other DCs in the domain. If you perform a normal restore in an effort to repopulate the OU back into Active Directory, it will not work. When the DC reboots after the restore and replicates with its replication partners, they will have a higher version number for the deleted OU, and the restored DC will be told to delete the object all over again. To restore the object, you must use an authoritative restore.

How do I perform an authoritative restore?

An authoritative restore is exactly like a normal restore, up to a point. Once the system state data has been restored, rather than rebooting the server, the Ntdsutil command-line utility is used to mark one or more objects as authoritative. This gives them a very high version number (by default the version is incremented by 100,000 for every day that has passed since the backup) so that when the server is rebooted and the replication process takes place, the other servers in the domain will see the high version number and replicate the object to their own Active Directory databases. To restore a database authoritatively, follow the steps from the preceding section up to the point where the Backup utility asks you to restart, and then proceed with these steps:

1. Click the No button in the Backup Utility dialog box when asked to restart.
2. Close the Backup utility, if it does not close by itself.
3. Open a command prompt (click Start | Run and type cmd).
4. Type ntdsutil to enter the Ntdsutil utility. Note that this is a command-line utility, so the command prompt will change to ntdsutil:.
5. Type authoritative restore. The command prompt should change to display authoritative restore:.
6. Use one of the following commands to mark Active Directory or a portion of it as authoritative.

Type restore database to mark the domain and configuration containers of the database as authoritative. The schema container cannot be marked as authoritative; consequently, an authoritative restore cannot be performed for the schema. Because you cannot delete objects from the schema, this is not an issue. Use restore database only as a last resort: it rolls every object in those partitions back to the backup, including every password and computer account change made since, and the narrowest restore subtree that covers the deleted objects is almost always the right choice.

Type restore subtree followed by the distinguished name of the object in Active Directory that you want to restore; for example, restore subtree OU=student,DC=syngress,DC=com restores the OU named student in the syngress.com domain.

The verinc option can be used with either the restore database or restore subtree command. Remember, when an object or the database is restored authoritatively, a large version number is applied to it. The verinc option is designed to be used when you need to perform another authoritative restore on top of an existing authoritative restore. It allows you to choose your own version increment, thus ensuring that it will be higher than the one used previously by the utility. The proper syntax is restore database verinc %d, or restore subtree followed by the distinguished name and then verinc %d, with %d being the desired increment for the version number.

7. Click Yes in the Authoritative Restore Confirmation dialog box.
8. Type quit to return to the ntdsutil: prompt. Type quit again to exit the utility.
9. Close the command prompt and reboot the server normally.
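The ntdsutil part of the authoritative restore above (steps 4 to 8) can be driven from PowerShell, which makes it easy to validate the distinguished name and review the exact command before anything is marked authoritative, a mark that cannot be undone. The following is an added example, not code from the original Q and A. It assumes that the system state has already been restored in Directory Services Restore Mode and the server has not been rebooted; that activate instance ntds is required on Windows Server 2008 and later and omitted with -LegacyNtdsutil on Windows Server 2003; and the OU=student,DC=syngress,DC=com DN in the usage lines is the text's own example.

```powershell
# Added example, not part of the original Q and A. Drives the ntdsutil step of
# the authoritative restore above from PowerShell, validating the DN before
# anything is marked authoritative. Assumptions: system state already restored
# in DSRM and no reboot yet; 'activate instance ntds' required on Windows
# Server 2008 and later, omitted with -LegacyNtdsutil on Windows Server 2003.

function Test-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # RDN=value pairs joined by commas; escaped commas in values are rejected on
    # purpose so an unusual DN is handled by hand rather than auto-accepted.
    $rdn = '(CN|OU|DC)=[^,=\\]+'
    $DistinguishedName -match "^$rdn(,$rdn)*$"
}

function Get-AuthoritativeRestoreArgs {
    param(
        [string]$DistinguishedName,   # omitted: 'restore database' (domain + configuration, never schema)
        [int]$VersionIncrement = 0,   # verinc: only for a second authoritative restore on top of the first
        [switch]$LegacyNtdsutil
    )
    if ($DistinguishedName -and -not (Test-DistinguishedName -DistinguishedName $DistinguishedName)) {
        throw "Refusing to restore subtree: '$DistinguishedName' does not look like a DN"
    }
    $cmd = if ($DistinguishedName) { "restore subtree $DistinguishedName" } else { 'restore database' }
    if ($VersionIncrement -gt 0) { $cmd += " verinc $VersionIncrement" }
    $a = @()
    if (-not $LegacyNtdsutil) { $a += 'activate instance ntds' }
    $a += 'authoritative restore', $cmd, 'quit', 'quit'
    $a
}

function Invoke-AuthoritativeRestore {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string]$DistinguishedName, [int]$VersionIncrement = 0, [switch]$LegacyNtdsutil)
    $ntdsArgs = Get-AuthoritativeRestoreArgs -DistinguishedName $DistinguishedName `
        -VersionIncrement $VersionIncrement -LegacyNtdsutil:$LegacyNtdsutil
    $action = $ntdsArgs | Where-Object { $_ -like 'restore *' }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) {
        # ntdsutil still shows its own confirmation dialog (step 7 above); answer
        # Yes there. It prints the version increment it applied, keep that output.
        & ntdsutil.exe @ntdsArgs 2>&1 | ForEach-Object { "$_" }
    }
}

# Usage: Invoke-AuthoritativeRestore -DistinguishedName 'OU=student,DC=syngress,DC=com' -WhatIf
#        Invoke-AuthoritativeRestore -DistinguishedName 'OU=student,DC=syngress,DC=com' -VersionIncrement 200000
```

ConfirmImpact is set to High so the function prompts by default; keep the ntdsutil output with the change ticket, since the version increment it reports is what you need to exceed with verinc if the restore ever has to be repeated.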

Primary restore

The primary restore method is new in Windows Server 2003, and is designed for situations where all DCs for a given domain have gone down and you need to rebuild the domain from backup. The first server that is restored in this situation should be restored using this method. Additional DCs should be restored using the normal restore method. A primary restore is also the new preferred method to use when restoring what Microsoft refers to as a standalone DC, which means the DC in a domain with only one DC. If you have a domain with only one DC and that server goes down, use this method to restore it.

How do I perform a primary restore?

Performing a primary restore is similar to performing a normal restore. The only difference is that you select the check box next to When restoring replicated data sets, mark the restored data as the primary data for all replicas in the Advanced portion of the Restore wizard, as shown in Figure 11.35. (The replicated data set in question is SYSVOL: the option tells the File Replication Service that this copy is the one the other DCs will be rebuilt from.) Refer to step 14 in the Normal Restore section of this chapter, or complete Exercise 11.04, which walks you through the entire process of performing a primary restore.

1. Reboot or boot your DC.
2. When prompted, press F8 during Windows Server 2003 startup.
3. On the Advanced Startup Options menu that appears, select Directory Services Restore Mode.
4. Log on by providing the password for the local administrator account and clicking the OK button.
5. Open the Windows Server 2003 Backup utility from Start | All Programs | Accessories | System Tools | Backup.
6. On the initial page of the wizard, click the Next button.
7. Select the option button next to Restore files and settings, and click the Next button.
8. Click the plus sign next to File in the left pane. If your backup file does not appear, click the Browse button and select the file from the Open Backup File dialog box.
9. Click the plus sign next to the file to which you backed up the system state data and select the check box next to the backup you want to restore that appears beneath it.
10. Click the Next button after making your selection.
11. Click the Advanced button.
12. Accept the default restore location, Original location, and click the Next button.
13. Select the Replace existing files option and click the Next button to proceed.
14. On the Advanced Restore Options page, select the check box next to When restoring replicated data sets, mark the restored data as the primary data for all replicas and accept all other defaults.
15. Click the Next button.
16. Click the Finish button to begin the restore.
17. The restore will take at least a few minutes. When it is finished, click the Report button to view the restore log associated with the job. Review it for any error messages, such as those pertaining to files that had to be skipped. After reviewing the log, close the Notepad application.
18. Close the Backup utility and reboot the server normally.


Active Directory maintenance commands

NTDSUTIL INTEGRITY

The integrity command is used to detect low-level corruption of the database. It performs its work at the binary level, which means that it reads every byte of the ESE database structure looking for corruption. Note that although the ESE structure forms the basis of Active Directory, this command might not parse all Active Directory database information. Some critical Active Directory information is additional to and outside the knowledge of the esentutl command that this option uses. Because of the detailed checking it performs, this tool often takes a while to complete its operations. In addition to the byte-level corruption check mentioned previously, the Ntdsutil integrity command also performs a full check on the integrity of the directory service files. After successfully running the command, Microsoft suggests that you perform a semantic database analysis.

The Ntdsutil integrity command must be performed when the database is offline, so you have to run it from Directory Services Restore Mode. To use the command, follow these steps:

How to use

1. Reboot your server and go to Directory Services Restore Mode by pressing F8. Log in using the Directory Services Restore Mode username and password.
2. Open a command prompt.
3. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt will change to ntdsutil:.
4. Type files. The command prompt should change to display file maintenance:.
5. Type integrity.
6. View and evaluate the information displayed on the screen as the process runs.
7. Type quit to return to the ntdsutil: prompt.
8. Type quit again to exit the utility.
9. Close the command prompt window and reboot the server normally.

    NTDSUTIL Recover Command

    Remember that transactions are written to log files before being committed to the Active Directory database file. In the event of a power failure or other system problems, not all transactions will be written to the database. When the system is booted, ESE should use the checkpoint, log, and database files to determine what was committed properly to the database and what still needs to be written. Although this process works in most cases, occasionally inconsistencies result and it is necessary to run the process again manually. The recover command performs a soft recovery of the database log files, which means that it writes transactions from the log files to the directory service database. This process is sometimes also referred to as re-running the log files manually.

    How to Use

    1. Reboot your server and go to Directory Services Restore Mode by pressing F8. Log in using the Directory Services Restore Mode username and password.
    2. Open a command prompt.
    3. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt will change to ntdsutil:.
    4. Type files. The command prompt should change to display file maintenance:.
    5. Type recover.
    6. View and evaluate the information displayed on the screen as the process runs.
    7. Type quit to return to the ntdsutil: prompt.
    8. Type quit again to exit the utility.
    9. Close the command prompt window.
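    The integrity and recover procedures above are the same menu walk with one word changed, so the following PowerShell function drives both non-interactively and keeps a log of what ntdsutil printed. This is an added example, not code from the original document or from Microsoft. It assumes a domain controller booted into Directory Services Restore Mode, ntdsutil.exe on the PATH, and that a successful run ends with esentutl's "Operation completed successfully" line; the function and parameter names are hypothetical.

```powershell
# Added example (not from the original document): runs the ntdsutil "files"
# menu commands integrity and recover non-interactively and logs the output.
# Assumptions: Directory Services Restore Mode, ntdsutil.exe on the PATH,
# hypothetical function/parameter names.

function Invoke-NtdsFileCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('integrity', 'recover')]
        [string]$Command
    )

    # Both commands need the database offline. DSRM is a safe-boot variant that
    # Windows advertises through the SAFEBOOT_OPTION environment variable.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw "Not in Directory Services Restore Mode (SAFEBOOT_OPTION='$($env:SAFEBOOT_OPTION)'); reboot with F8 first."
    }

    # ntdsutil accepts its menu commands as quoted command-line arguments, which
    # replays the interactive sequence ntdsutil: -> files -> <command> -> quit -> quit.
    $steps = @()
    if ([Environment]::OSVersion.Version.Major -ge 6) {
        # Windows Server 2008 and later require the database instance to be
        # selected first; the Windows 2000/2003 ntdsutil described in the text
        # has no such step.
        $steps += 'activate instance ntds'
    }
    $steps += 'files', $Command, 'quit', 'quit'

    # Capture everything printed so it can be reviewed later (the "view and
    # evaluate the information displayed" step), not just glanced at on screen.
    $started = Get-Date
    $output  = & ntdsutil.exe @steps 2>&1 | ForEach-Object { "$_" }
    $logPath = Join-Path $env:USERPROFILE ("ntdsutil-{0}-{1:yyyyMMdd-HHmmss}.log" -f $Command, $started)
    $output | Set-Content -Path $logPath

    # Assumption: esentutl, which ntdsutil calls for both operations, ends a
    # successful run with "Operation completed successfully". Anything else is
    # treated as a failure that needs a human to read the log.
    $ok = @($output -match 'Operation completed successfully').Count -gt 0

    [pscustomobject]@{
        Command   = $Command
        Succeeded = $ok
        LogFile   = $logPath
    }
}

# Usage (in DSRM): run the integrity check first, then the soft recovery if the
# "inconsistencies result" situation the text describes applies.
# Invoke-NtdsFileCommand -Command integrity
# Invoke-NtdsFileCommand -Command recover
```

    Because the function refuses to run outside DSRM, it cannot be called accidentally against a live database; the log file in the profile directory is what you compare against the expected output when the result is anything other than Succeeded = True.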

    Semantic Database Analysis Command

    The semantic database analysis command is the primary command that is used to verify the full integrity of the Active Directory database. You might be wondering what the difference is between this command and the integrity command from the files: prompt. Recall that the integrity command works by calling the Esentutl utility, which has full knowledge of the ESE database system but not necessarily all portions of the Active Directory database. The semantic database analysis command is specific to Active Directory and does not use the Esentutl command. As its name implies, it analyzes the Active Directory database, based on Active Directory semantics (whereas the integrity command bases its check on ESENT database semantics). Running semantic database analysis includes checks for the following:

    - Reference counts
      - Counts references from the data table and the link table to ensure that they match the listed counts for the record.
      - Ensures that each object has a full distinguished name, GUID, and nonzero reference count.
      - For each deleted object, the utility verifies that it does not have a distinguished name or GUID and makes sure that it has a deleted time and date.
    - Deleted objects
      - Verifies that the object has a deleted time and date.
      - Ensures that the object has a special relative distinguished name.
    - Ancestor checks: determines if the Distinguished Name Tag is equal to:
      - The ancestor list of the parent
      - The current Distinguished Name Tag
    - Security descriptor checks
      - Verifies a valid descriptor.
      - Ensures that it has a control field.
      - Verifies that the discretionary access control list is not empty.
      - A warning is generated if deleted objects without a discretionary access control list are located.
    - Replication checks
      - Checks the up-to-dateness vector in the directory partition head to ensure that the correct number of cursors exist.
      - Checks to ensure that every object has a property metadata vector.

    Errors generated by the semantic database analysis command are written to dsdit.dmp.xx log files, which are located in the profile directory of the user running the utility (for example, C:\Documents and Settings\Administrator). As with most low-level database tools, this command must be run when the database is not initialized (in other words, in Directory Services Restore Mode). Microsoft recommends that you perform a full backup of the system state data prior to running this command. Follow these steps to perform a semantic database check:

    How to Use

    1. Reboot your server and go to Directory Services Restore Mode by pressing F8. Log in using the Directory Services Restore Mode username and password.
    2. Open a command prompt.
    3. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt will change to ntdsutil:.
    4. Type Semantic database analysis, and press the Enter key.
    5. At the semantic checker: prompt, type Verbose on, and press Enter. This option displays the Semantic Checker's progress.
    6. Choose one of the following options:
       - To start the Semantic Checker and not have it repair any of the errors it encounters, type Go, and press the Enter key.
       - To start the Semantic Checker and have it repair the errors it encounters, type Go Fixup, and press the Enter key.
    7. View and evaluate the information displayed on the screen as the process runs.

    There is very little difference visually between the two modes.
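    Since the two modes look alike on screen, the practical difference is whether the database is modified, and the place to look for findings is the dsdit.dmp.xx files rather than the console. The following PowerShell function, an added example and not code from the original document or from Microsoft, runs the semantic checker in read-only Go mode by default, guards Go Fixup behind a confirmation prompt, and gathers only the dump files written by this run. It assumes Directory Services Restore Mode and ntdsutil.exe on the PATH; the function and parameter names are hypothetical.

```powershell
# Added example (not from the original document): runs the semantic database
# analysis procedure and collects the dsdit.dmp.xx files it writes to the
# profile directory. Assumptions: Directory Services Restore Mode, ntdsutil.exe
# on the PATH, hypothetical function/parameter names.

function Invoke-NtdsSemanticCheck {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Default is the read-only "Go" mode; -Fixup selects "Go Fixup", which
        # modifies the database and is therefore guarded by ShouldProcess.
        [switch]$Fixup
    )

    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Semantic analysis needs the database offline: boot into Directory Services Restore Mode first.'
    }
    $mode = if ($Fixup) { 'go fixup' } else { 'go' }
    if ($Fixup -and -not $PSCmdlet.ShouldProcess('ntds.dit', 'semantic database analysis with Go Fixup (repairs errors in place)')) {
        return
    }

    # Same menu walk as the manual steps: ntdsutil: -> semantic database analysis
    # -> semantic checker: verbose on -> go | go fixup -> quit -> quit.
    $steps = @()
    if ([Environment]::OSVersion.Version.Major -ge 6) { $steps += 'activate instance ntds' }  # Server 2008 and later only
    $steps += 'semantic database analysis', 'verbose on', $mode, 'quit', 'quit'

    $started = Get-Date
    $console = & ntdsutil.exe @steps 2>&1 | ForEach-Object { "$_" }

    # Errors go to dsdit.dmp.<n> in the profile directory; pick up only the files
    # written by this run so old dumps are not mistaken for new findings.
    $dumps = Get-ChildItem -Path $env:USERPROFILE -Filter 'dsdit.dmp.*' -File -ErrorAction SilentlyContinue |
             Where-Object { $_.LastWriteTime -ge $started }

    [pscustomobject]@{
        Mode          = $mode
        ConsoleOutput = $console
        DumpFiles     = @($dumps | Select-Object -ExpandProperty FullName)
        ErrorsFound   = ($dumps | Measure-Object -Property Length -Sum).Sum -gt 0
    }
}

# Usage: dry run first, read the dump files, then decide on -Fixup (PowerShell
# prompts for confirmation because of ConfirmImpact = 'High').
# $result = Invoke-NtdsSemanticCheck
# $result.DumpFiles | ForEach-Object { Get-Content $_ }
```

    Running the read-only pass first and keeping its dump files gives you a record of what the checker found before any repair, which is what you want on hand if a Go Fixup run later removes objects and you need to explain which ones and why.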

    Using the esentutl Command

    ESENT (Extensible Storage Engine for NT) is one of the acronyms used to refer to the ESE database system that Active Directory uses. The Esentutl command is the maintenance command that is associated with this database system. Because Microsoft prefers that you use the Ntdsutil command for all low-level database maintenance operations, they built calls to most of the major Esentutl operations into it. However, you do not have to use Ntdsutil to perform these operations.

    The following are two of the commands from earlier in the chapter with their associated Esentutl command-line arguments:

    Integrity: %SYSTEMROOT%\System32\esentutl.exe /g C:\Windows\NTDS\ntds.dit /o

    Recover: %SYSTEMROOT%\System32\esentutl.exe /r edb /l C:\Windows\NTDS /s C:\WINNT\NTDS /8 /o

    The esentutl.exe command used in conjunction with the /p switch, shown in Figure 11.48, is considered the most dangerous of all the low-level database commands. In Windows 2000, this command was available as the repair option in Ntdsutil, and it has been removed in the version of Ntdsutil that ships with Windows Server 2003. This option performs a very low-level and highly invasive binary database repair operation. It is very likely that you will lose some data when using this option, and it is highly possible that it will be data essential to your Active Directory database.

    You should use this command with the /p switch only when you have been advised to do so by Microsoft support personnel, or when you feel that you have tried everything else to get Active Directory to initialize. Always make a backup of your database file before you run this utility. In most cases, you will be resorting to this option when Active Directory can no longer initialize, and you will be booted to Directory Services Restore Mode. The simplest way to back up the database and related components in this scenario is to copy them to a second location in the file system, using Windows Explorer. If Active Directory can initialize and you still feel you should (or Microsoft tech support asks you to) run this command, you must boot into Directory Services Restore Mode first.

    The database must be offline for low-level operations such as this. Microsoft recommends running a semantic database analysis after this command has completed successfully. To use the repair command, enter the following at a command prompt:

    %SYSTEMROOT%\system32\esentutl.exe /p C:\Windows\NTDS\ntds.dit /!10240 /8 /o
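    The text's advice to copy the database and related components to a second location before any repair is easy to automate, and doing so also lets you verify the copy before trusting it. The following PowerShell function is an added example, not code from the original document or from Microsoft: it backs up ntds.dit with its edb*.log and edb.chk files, verifies the copies by hash, and then runs only the non-destructive /g integrity check from the list above. It deliberately does not run /p. It assumes Directory Services Restore Mode and the standard NTDS registry values (DSA Database file, Database log files path); the function name, the default backup folder and the expected "Integrity check successful" line are assumptions.

```powershell
# Added example (not from the original document): copies ntds.dit, edb*.log and
# edb.chk to a second location, verifies the copies, then runs esentutl /g.
# The /p repair is intentionally left to a human decision. Assumptions:
# Directory Services Restore Mode, standard NTDS registry values, hypothetical
# function name and default backup folder.

function Backup-NtdsFilesAndCheck {
    [CmdletBinding()]
    param(
        [string]$BackupRoot = 'C:\NTDS-Backup'   # assumed location, change to a second volume
    )

    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Boot into Directory Services Restore Mode first; the database must be offline.'
    }

    # The DC records where ntds.dit and the edb*.log files live; read them
    # instead of hard-coding C:\Windows\NTDS so relocated databases still work.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile = $params.'DSA Database file'
    $logDir = $params.'Database log files path'

    # Timestamped copy of ntds.dit plus the transaction logs and checkpoint file,
    # so the set can be put back as a unit if a later repair loses data.
    $dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $toCopy = @(Get-Item -Path $dbFile) +
              @(Get-ChildItem -Path $logDir -Filter 'edb*.log') +
              @(Get-ChildItem -Path $logDir -Filter 'edb.chk' -ErrorAction SilentlyContinue)
    foreach ($f in $toCopy) { Copy-Item -Path $f.FullName -Destination $dest }

    # Verify the copies byte for byte before trusting them.
    foreach ($f in $toCopy) {
        $src = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        $cpy = (Get-FileHash -Path (Join-Path $dest $f.Name) -Algorithm SHA256).Hash
        if ($src -ne $cpy) { throw "Backup copy of $($f.Name) does not match the original." }
    }

    # Integrity check only (/g), exactly as listed in the text; /o suppresses the
    # banner. Output is kept next to the backup for later review.
    $esentutl = Join-Path $env:SystemRoot 'System32\esentutl.exe'
    $out = & $esentutl /g $dbFile /o 2>&1 | ForEach-Object { "$_" }
    $out | Set-Content -Path (Join-Path $dest 'esentutl-g.log')

    [pscustomobject]@{
        BackupFolder = $dest
        FilesCopied  = $toCopy.Count
        # Assumption: esentutl reports a clean database with this line.
        IntegrityOk  = @($out -match 'Integrity check successful').Count -gt 0
    }
}

# Usage: Backup-NtdsFilesAndCheck -BackupRoot 'D:\NTDS-Backup'
```

    The hash comparison matters because a copy made from a failing disk can be silently truncated; if the backup does not match, there is nothing safe to fall back to, and a /p repair should not even be considered until a good copy exists.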

    How to Change Directory Services Restore Mode Password

    1. Open a command prompt (with the server booted normally, not in Directory Services Restore Mode).

    2. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt will change to ntdsutil:.
    3. Type Set DSRM Password.
    4. At the Reset DSRM Administrator Password: prompt, type Reset Password on server <servername>.
    5. At the Please type password for DS Restore Mode Administrator Account: prompt, type the new password that you want to use.
    6. At the Please confirm new password: prompt, re-type the new password that you want to use.
    7. Review the feedback on the screen to ensure that the operation was successful. Figure 11.49 shows the full procedure.
    8. Type quit or q to return to the ntdsutil: prompt.
    9. Type quit or q again to exit the utility.
    10. Close the command prompt window.