Module 9: Implementing an Active Directory Domain Services Maintenance Plan

Module Overview
• Maintaining the AD DS Domain Controllers
• Backing Up Active Directory Domain Services
• Restoring Active Directory Domain Services

Lesson 1: Maintaining the AD DS Domain Controllers
• The Active Directory Domain Services Database and Log Files
• How the AD DS Database Is Modified
• Managing the Active Directory Database Using the NTDSUtil Tool
• What Is an AD DS Database Defragmentation?
• What Are Restartable Active Directory Domain Services?
• Demonstration: Performing AD DS Database Maintenance Tasks
• Locking Down Services on an AD DS Domain Controller

The Active Directory Domain Services Database and Log Files
• Ntds.dit: the Active Directory database file. It stores all Active Directory objects on the domain controller and uses the systemroot\NTDS folder as its default location.
• Edb*.log: the transaction log files. Edb.log is the default (current) transaction log file.
• Edb.chk: the checkpoint file. It tracks data not yet written to the Active Directory database file.
• Edbres00001.jrs and Edbres00002.jrs: the reserved transaction log files.

How the AD DS Database Is Modified
1. A write request arrives and a transaction is initiated.
2. The change is written to the transaction buffer in memory.
3. The change is written to the transaction log file (Edb.log).
4. The transaction is committed.
5. The change is written to the database on disk (Ntds.dit).
6. The checkpoint (Edb.chk) is updated.

Managing the Active Directory Database Using the NTDSUtil Tool
Ntdsutil.exe is a command-line tool used to manage some Active Directory components. Use Ntdsutil.exe to:
• Perform Active Directory database maintenance
• Move the Active Directory database files
• Manage and control single master operations
• Remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled
Type HELP at any NTDSUtil prompt for context-sensitive help.

What Is an AD DS Database Defragmentation?
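The offline defragmentation covered by this slide and by the Lesson 1 demonstration, scripted with restartable AD DS and ntdsutil as an added example (not the course's own code). It assumes a Windows Server 2008 or later domain controller with the database in the default systemroot\NTDS folder; C:\NtdsCompact and C:\NtdsPreDefrag are constructed scratch paths on a volume with enough free space.

```powershell
# Added example, not from the course: offline defrag of Ntds.dit using restartable
# AD DS and ntdsutil. Assumes the default systemroot\NTDS location; the two paths
# below are constructed scratch locations.
$ErrorActionPreference = 'Stop'
$NtdsDir = Join-Path $env:SystemRoot 'NTDS'
$Scratch = 'C:\NtdsCompact'      # receives the compacted copy
$Backup  = 'C:\NtdsPreDefrag'    # keeps the original files for rollback

function Invoke-Ntdsutil {
    # ntdsutil accepts its menu commands as arguments, so no interactive session is needed.
    param([string[]]$Commands)
    & ntdsutil.exe @Commands
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed with exit code $LASTEXITCODE" }
}

# 1. Stop AD DS. Services that depend on NTDS (KDC, DNS Server, replication) stop
#    with it; remember which ones were running so they can be restarted afterwards.
$dependents = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force

try {
    New-Item -ItemType Directory -Path $Scratch, $Backup -Force | Out-Null
    Copy-Item -Path "$NtdsDir\*" -Destination $Backup -Force

    # 2. Write a compacted copy of the database to the scratch directory.
    Invoke-Ntdsutil 'activate instance ntds', 'files', "compact to $Scratch", 'quit', 'quit'

    # 3. Swap in the compacted file and delete the old transaction logs, which no
    #    longer belong to the new database file.
    Copy-Item -Path (Join-Path $Scratch 'ntds.dit') -Destination $NtdsDir -Force
    Remove-Item -Path (Join-Path $NtdsDir '*.log') -Force

    # 4. Verify the new file before the directory goes back online.
    Invoke-Ntdsutil 'activate instance ntds', 'files', 'integrity', 'quit', 'quit'
}
catch {
    # On any failure put the original database and logs back, then re-raise.
    Copy-Item -Path "$Backup\*" -Destination $NtdsDir -Force
    throw
}
finally {
    # 5. Bring AD DS and the services that stopped with it back up.
    Start-Service -Name NTDS
    $dependents | ForEach-Object { Start-Service -Name $_.Name }
}
```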
Offline defragmentation creates a new, compacted version of the database file. The new file may be considerably smaller, depending on how fragmented the original database file was. Use the NTDSUtil command-line tool to perform offline defragmentation on a dismounted database.
Active Directory performs online database defragmentation automatically every 12 hours. Online defragmentation optimizes data storage in the database and reclaims space in the directory for new objects, but does not reduce the size of the database file.

What Are Restartable Active Directory Domain Services?
Restartable AD DS allows administrators to stop Active Directory Domain Services without stopping any other services. Use restartable AD DS when:
• Applying updates that modify Active Directory service files on a domain controller
• Performing tasks such as offline defragmentation of the Active Directory database
Directory Services Restore Mode must still be used to restore the Active Directory database.

Demonstration: Performing AD DS Database Maintenance Tasks
In this demonstration, you will see how to:
• Start and stop AD DS services
• Move the AD database to a different drive using NTDSUtil
• Use NTDSUtil and AD DS Stopped mode for an offline defrag

Locking Down Services on AD DS Domain Controllers
Services required for AD DS to function correctly:
• Distributed File System
• DNS Server
• File Replication Service
• Kerberos Key Distribution Center
• Intersite Messaging
• Remote Procedure Call (RPC) Locator
Minimize the number of server roles and applications installed on domain controllers. Use the Security Configuration Wizard to lock down the services on a domain controller.

Lesson 2: Backing Up Active Directory Domain Services
• Introduction to Backing Up AD DS
• Windows Backup Features
• Demonstration: Backing Up AD DS

Introduction to Backing Up AD DS
To back up Active Directory, you must back up all critical volumes. Critical volumes include:
• The system volume: the volume that hosts the boot files
• The boot volume: the volume that hosts the Windows operating system and the Registry
• The volume that hosts the SYSVOL tree
• The volume that hosts the Active Directory database (Ntds.dit)
• The volume that hosts the Active Directory database log files
All of these files may be stored on a single volume or distributed across multiple volumes.

Windows Backup Features
Windows Server Backup is a Windows Server 2008 feature used to back up and recover the operating system and data. With Windows Server Backup, you can:
• Recover the server without using third-party backup and recovery tools
• Back up an entire server or selected volumes
• Perform manual or automatic backups
• Recover items or entire volumes
• Use DVDs or CDs as backup media
Windows Server Backup does not support backing up individual files or directories, only entire volumes.

Demonstration: Backing Up AD DS
In this demonstration, you will see how to back up AD DS.

Lesson 3: Restoring Active Directory Domain Services
• Overview of Restoring AD DS
• What Is a Nonauthoritative AD DS Restore?
• What Is an Authoritative AD DS Restore?
• What Is the Database Mounting Tool?
• Demonstration: Using the Database Mounting Tool
• Reanimating Tombstoned AD DS Objects

Overview of Restoring AD DS
Options for restoring Active Directory Domain Services include:
• Normal Restore
• Authoritative Restore
• Full Server Restore
• Alternate Location Restore

What Is a Nonauthoritative AD DS Restore?
A nonauthoritative (normal) AD DS restore returns the directory service to its state at the time that the backup was created. AD DS replication then updates the domain controller with changes that have occurred since the backup was created.
Restart the domain controller in Directory Services Restore Mode to perform a nonauthoritative restore:
1. Press F8 when restarting the server and choose Directory Services Restore Mode, or type the command bcdedit /set safeboot dsrepair and restart the server.
2. Provide the Directory Services Restore Mode password.

What Is an Authoritative AD DS Restore?
Authoritative restore provides a method to recover objects and containers that have been deleted from AD DS. Authoritative restore is a four-step process:
1. Start the domain controller in DSRM.
2. Restore the desired backup, which is typically the most recent backup.
3. Use Ntdsutil.exe to mark the desired objects, containers, or partitions as authoritative.
4. Restart the domain controller in normal mode to replicate the changes.
To mark an object as authoritative, use a command like:
restore subtree "OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com"

What Is the Database Mounting Tool?
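Before the Database Mounting Tool, the DSRM boot and the four-step authoritative restore from the two slides above, scripted with bcdedit, wbadmin and ntdsutil as an added example (not the course's own code). It assumes Windows Server 2008 with Windows Server Backup installed, a system state backup on a constructed backup target E:, and the deck's own example subtree OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com.

```powershell
# Added example, not from the course: nonauthoritative system state restore in DSRM,
# then marking one subtree authoritative. E: is a constructed backup target.
$ErrorActionPreference = 'Stop'
$BackupTarget = 'E:'
$Subtree = 'OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com'   # the deck's example OU

function Invoke-Native {
    # Run a native tool and turn a non-zero exit code into a terminating error.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Step 1 (run in normal mode): schedule the next boot into Directory Services Restore
# Mode. This is the scripted equivalent of pressing F8 and choosing DSRM.
function Enter-Dsrm {
    Invoke-Native bcdedit.exe @('/set', 'safeboot', 'dsrepair')
    Restart-Computer -Force
}

# Steps 2 to 4 (run after logging on in DSRM with the DSRM administrator password).
function Restore-SubtreeAuthoritative {
    # Step 2: pick the newest system state backup on the target. wbadmin prints one
    # "Version identifier: <date>-<time>" line per backup, newest last.
    $versions = Invoke-Native wbadmin.exe @('get', 'versions', "-backupTarget:$BackupTarget")
    $latest = ($versions | Select-String -Pattern 'Version identifier:\s*(\S+)' |
               Select-Object -Last 1).Matches[0].Groups[1].Value
    if (-not $latest) { throw "no backup versions found on $BackupTarget" }
    # Nonauthoritative restore of the system state: Ntds.dit, its logs, SYSVOL, registry.
    Invoke-Native wbadmin.exe @('start', 'systemstaterecovery', "-version:$latest",
                                "-backupTarget:$BackupTarget", '-quiet')

    # Step 3: mark the subtree authoritative. Its attribute version numbers are raised,
    # so the restored objects win over the newer deleted state on the other DCs.
    Invoke-Native ntdsutil.exe @('activate instance ntds', 'authoritative restore',
                                 "restore subtree $Subtree", 'quit', 'quit')

    # Step 4: clear the DSRM boot setting and restart normally so the restored
    # objects replicate out to the rest of the domain.
    Invoke-Native bcdedit.exe @('/deletevalue', 'safeboot')
    Restart-Computer -Force
}
```

Run Enter-Dsrm first; after the reboot, log on in DSRM and run Restore-SubtreeAuthoritative.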
The Database Mounting Tool can be used to:
• Create and view snapshots of data that is stored in AD DS
• Improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times
• Eliminate the need to restore multiple backups to compare the Active Directory data that they contain
• View, but not restore, deleted objects and containers

Demonstration: Using the Database Mounting Tool
In this demonstration, you will see how to use the Database Mounting Tool to view deleted AD DS objects.

Reanimating Tombstoned AD DS Objects
You can reanimate deleted objects manually in AD DS when:
• You do not have current AD DS backups in a domain where user accounts or security groups were deleted
• The deleted object has not yet been scavenged from the Active Directory database
• The deletion occurred in domains that contain only Windows Server 2003 or later domain controllers
To reanimate tombstoned AD DS objects:
• Use LDP.exe to locate the deleted object
• Modify the object's isDeleted attribute and provide a distinguished name
• Enable the object and reconfigure the object attributes

Lab: Implementing an Active Directory Domain Services Maintenance Plan
• Exercise 1: Maintaining AD DS Domain Controllers
• Exercise 2: Backing Up AD DS
• Exercise 3: Performing a Nonauthoritative Restore of the AD DS Database
• Exercise 4: Performing an Authoritative Restore of the AD DS Database
• Exercise 5: Restoring Data Using the AD DS Data Mining Tool
Logon information
Virtual machines: 6425A-NYC-DC1, 6425A-NYC-DC2
User name: Administrator
Password: Pa$$w0rd
Estimated time: 75 minutes

Lab Review
• How could you apply the security policy you created in Exercise 1 to multiple domain controllers? What concerns would you have with doing this?
• Why is a nonauthoritative AD DS restore overwritten by replication? How does an authoritative restore prevent this from happening?
• What is the difference between restoring an AD DS object by undeleting it and just recreating the object?

Module Review and Takeaways
• Review questions
• Considerations
• Tools

Beta Feedback Tool
The beta feedback tool helps:
• Collect student roster information, module feedback, and course evaluations
• Identify and sort the changes that students request, thereby facilitating a quick team triage
• Save data to a database in SQL Server that you can later query
Walkthrough of the tool

Beta Feedback
Overall flow of module:
• Which topics did you think flowed smoothly, from topic to topic? Was something taught out of order?
Pacing:
• Were you able to keep up? Are there any places where the pace felt too slow? Were you able to process what the instructor said before moving on to the next topic? Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?
Learner activities:
• Which demos helped you learn the most? Why do you think that is? Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment? Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren't helpful?
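The reanimation procedure from the Reanimating Tombstoned AD DS Objects slide, performed over LDAP with System.DirectoryServices.Protocols instead of by hand in LDP.exe, as an added example (not the course's own code). It assumes a Windows Server 2003 or later domain; the domain controller NYC-DC1 is the lab's, while the account jsmith and the target OU are constructed values.

```powershell
# Added example, not from the course: locate a user's tombstone and reanimate it with
# the same LDAP modification LDP.exe performs. Account name and target OU are constructed.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ErrorActionPreference = 'Stop'
$ns       = 'System.DirectoryServices.Protocols'
$Dc       = 'NYC-DC1'
$DomainDn = 'DC=WoodgroveBank,DC=com'
$Sam      = 'jsmith'
$TargetOu = 'OU=Marketing,DC=WoodgroveBank,DC=com'

# Tombstones are hidden from normal LDAP operations; both the search and the modify
# must carry the Show Deleted control (LDAP_SERVER_SHOW_DELETED_OID).
$showDeleted = New-Object "$ns.DirectoryControl" -ArgumentList '1.2.840.113556.1.4.417', $null, $true, $true

$conn = New-Object "$ns.LdapConnection" -ArgumentList $Dc
$conn.SessionOptions.Signing = $true      # integrity-protect the session
$conn.SessionOptions.Sealing = $true      # and encrypt it
$conn.Bind()                              # current credentials (Negotiate)
try {
    # 1. Find the tombstone (the LDP.exe step). Matching on sAMAccountName and
    #    objectClass avoids reviving the wrong object when a name has been reused.
    $filter = "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$Sam))"
    $search = New-Object "$ns.SearchRequest" -ArgumentList $DomainDn, $filter, 'Subtree', 'lastKnownParent'
    $search.Controls.Add($showDeleted) | Out-Null
    $hits = $conn.SendRequest($search).Entries
    if ($hits.Count -ne 1) { throw "expected exactly one tombstone for $Sam, found $($hits.Count)" }
    $tombstoneDn = $hits[0].DistinguishedName

    # 2. Remove isDeleted and give the object a distinguishedName outside the
    #    Deleted Objects container. AD requires both changes in one modify request.
    $clearDeleted = New-Object "$ns.DirectoryAttributeModification"
    $clearDeleted.Name = 'isDeleted'; $clearDeleted.Operation = 'Delete'
    $setDn = New-Object "$ns.DirectoryAttributeModification"
    $setDn.Name = 'distinguishedName'; $setDn.Operation = 'Replace'
    $setDn.Add("CN=$Sam,$TargetOu") | Out-Null
    $modify = New-Object "$ns.ModifyRequest"
    $modify.DistinguishedName = $tombstoneDn
    $modify.Modifications.Add($clearDeleted) | Out-Null
    $modify.Modifications.Add($setDn) | Out-Null
    $modify.Controls.Add($showDeleted) | Out-Null
    $conn.SendRequest($modify) | Out-Null

    # 3. The reanimated account comes back disabled and stripped of most attributes
    #    (group membership, password), so it must be re-enabled and reconfigured.
    Write-Host "Reanimated $tombstoneDn as CN=$Sam,$TargetOu; now set a password and enable it."
}
finally {
    $conn.Dispose()
}
```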