Download Module 4: Managing Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
Document related concepts

Open Database Connectivity wikipedia , lookup

IMDb wikipedia , lookup

Oracle Database wikipedia , lookup

Serializability wikipedia , lookup

Microsoft SQL Server wikipedia , lookup

Btrieve wikipedia , lookup

Ingres (database) wikipedia , lookup

Functional Database Model wikipedia , lookup

Extensible Storage Engine wikipedia , lookup

Relational model wikipedia , lookup

Database wikipedia , lookup

Microsoft Jet Database Engine wikipedia , lookup

Concurrency control wikipedia , lookup

Database model wikipedia , lookup

Clusterpoint wikipedia , lookup

Versant Object Database wikipedia , lookup

ContactPoint wikipedia , lookup

Transcript 
Module 9: Implementing
an Active Directory
Domain Services
Maintenance Plan
M
Module Overview
• Maintaining the AD DS Domain Controllers
• Backing Up Active Directory Domain Services
• Restoring Active Directory Domain Services
Lesson 1: Maintaining the AD DS
Domain Controllers
• The Active Directory Domain Services Database and
Log Files
• How the AD DS Database Is Modified
• Managing the Active Directory Database Using
NTDSUtil Tool
• What Is an AD DS Database Defragmentation?
• What Are Restartable Active Directory Domain Services?
• Demonstration: Performing AD DS Database
Maintenance Tasks
• Locking Down Services on a AD DS Domain Controller
The Active Directory Domain Services Database
and Log Files
File
Description
Ntds.dit
• Is the Active Directory database file
• Stores all Active Directory objects on the
domain controller
• Uses the default location
systemroot\NTDS folder
Edb*.log
• Is a transaction log file
• Uses the default transaction log file
Edb.chk
• Is a checkpoint file
• Tracks data not yet written to Active
ebdres00001.jrs
ebdres00002.jrs
Edb.log
Directory database file
• Are the reserved transaction log files
How the AD DS Database Is Modified
Edb.chk
Update the
checkpoint
Write Request
Commit the
transaction
Transaction
is initiated
Write to the
transaction
buffer
Write to the
transaction
log file
EDB.log
Write to the
database
on disk
Ntds.dit on Disk
Managing the Active Directory Database Using
NTDSUtil Tool
Ntdsutil.exe is a command-line tool used to manage some
Active Directory components
Use Ntdsutil.exe to:

Perform Active Directory database maintenance

Move the Active Directory database files

Manage and control single master operations

Remove metadata left behind by domain controllers that
were removed from the network without being properly uninstalled
Type HELP at any NTDSUtil prompt for context-sensitive help
What Is an AD DS Database Defragmentation?
Offline defragmentation creates a new, compacted version
of the database file

The new file may be considerably smaller, depending on how
fragmented the original database file was

Use the NTDSUtil command-line tool to perform offline
defragmentation on a dismounted database

Active Directory performs online database defragmentation
automatically every 12 hours

Online defragmentation optimizes data storage in the database
and reclaims space in the directory for new objects, but does not
reduce the size of the database file
What Are Restartable Active Directory
Domain Services?
Restartable AD DS services allows administrators to stop the
Active Directory Domain Services without stopping any
other services
Use restartable AD DS services when:
• Applying updates that modify Active Directory service
files on a domain controller
• Performing tasks such as offline defragmentation of the
Active Directory database
Directory Services Restore Mode must be used to restore Active
Directory database
Demonstration: Performing AD DS Database
Maintenance Tasks
In this demonstration, you will see how to:
• Start and stop AD DS Services
• Move AD Database to a different drive using NTDSUtil
• Use NTDSUtil and AD DS Stopped mode for Offline Defrag
Locking Down Services on AD DS
Domain Controllers
Services required for AD DS to function correctly:
• Distributed File System
• DNS Server
• File Replication Service
• Kerberos Key Distribution Center
• Intersite Messaging
• Remote Procedure Call (RPC) Locator

Minimize the number of server roles and applications
installed on domain controllers

Use the Security Configuration Wizard to lock down the
services on a domain controller
Lesson 2: Backing Up Active Directory
Domain Services
• Introduction to Backing Up AD DS
• Windows Backup Features
• Demonstration: Backing Up AD DS
Introduction to Backing Up AD DS
To back up Active Directory, you must back up all critical volumes
Critical volumes include:
• The system volume: the volume that hosts the boot files
• The boot volume: the volume that hosts the Windows
operating system and the Registry
• The volume that hosts the SYSVOL tree
• The volume that hosts the Active Directory database
(Ntds.dit)
• The volume that hosts the Active Directory database log files
All of these files may be stored in a single volume or distributed
across multiple volumes
Windows Backup Features
Windows Server Backup is a Windows Server 2008 feature used to
back up and recover the operating system and data
With Windows Server Backup, you can:

Recover the server without using third-party backup
and recovery tools

Backup an entire server or selected volumes

Perform manual or automatic backups

Recover items or entire volumes

Use DVDs or CDs as backup media
Windows Server Backup does not support backing up individual
files or directories, only entire volumes
Demonstration: Backing Up AD DS
In this demonstration, you will see how to back up AD DS
Lesson 3: Restoring Active Directory
Domain Services
• Overview of Restoring AD DS
• What Is a Nonauthoritative AD DS Restore?
• What Is an Authoritative AD DS Restore?
• What Is the Database Mounting Tool?
• Demonstration: Using the Database Mounting Tool
• Reanimating Tombstoned AD DS Objects
Overview of Restoring AD DS
Options for restoring Active Directory Domain Services include:
• Normal Restore
• Authoritative Restore
• Full Server Restore
• Alternate Location Restore
What Is a Nonauthoritative AD DS Restore?
A nonauthoritative or normal AD DS restore returns the directory
service to its state at the time that the backup was created

AD DS replication updates the domain controller with changes that
have occurred since the backup was created

Restart the domain controller in Directory Services Restore Mode
to perform a nonauthoritative restore
1
2
Press F8 when restarting the server and choose Directory Services
Restore Mode or type the command bcdedit /set safeboot dsrepair
and restart the server
Provide the Directory Services Restore Mode password
What Is an Authoritative AD DS Restore?
Authoritative restore provides a method to recover objects and containers
that have been deleted from AD DS
Authoritative restore is a four-step process:
1
Start the domain controller in DSRM
2
Restore the desired backup, which is typically the most
recent backup
3
Use Ntdsutil.exe to mark desired objects, containers, or
partitions as authoritative
4
Restart the domain in normal mode to replicate the changes
To mark an object as authoritative, use a command like:
restore subtree “OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com
What Is the Database Mounting Tool?
The Database Mounting Tool can be used to:

Create and view snapshots of data that is stored in AD DS

Improve recovery processes for your organizations by
providing a means to compare data as it exists in snapshots
that are taken at different times

Eliminate the need to restore multiple backups to compare
the Active Directory data that they contain

View, but not restore, deleted objects and containers
Demonstration: Using the Database Mounting
Tool
In this demonstration, you will see how to use the Database
Mounting Tool to view deleted AD DS objects
Reanimating Tombstoned AD DS Objects
You can reanimate deleted objects manually in AD DS when:
• You do not have current AD DS backups in a domain where user
accounts or security groups were deleted
• The deleted object has not yet been scavenged from the
Active Directory database
• The deletion occurred in domains that contain only
Windows Server 2003 or later domain controllers
To reanimate tombstoned AD DS objects:
• Use LDP.exe to locate the deleted object
• Modify the object’s isDeleted attribute and provide a
distinguished name
 Enable the object and reconfigure the object attributes
Lab: Implementing an Active Directory Domain
Services Maintenance Plan
• Exercise 1: Maintaining AD DS Domain Controllers
• Exercise 2: Backing Up AD DS
• Exercise 3: Performing a Nonauthoritative Restore of the
AD DS Database
• Exercise 4: Performing an Authoritative Restore of the AD
DS Database
• Exercise 5: Restoring Data Using the AD DS Data
Mining Tool
Logon information
Virtual machine
6425A-NYC-DC1, 6425A-NYC-DC2
User name
Administrator
Password
Pa$$w0rd
Estimated time: 75 minutes
Lab Review
• How could you apply the security policy you created in
Exercise 1 to multiple domain controllers? What concerns
would you have with doing this?
• Why is a Nonauthoritative AD DS restore overwritten by
replication? How does an authoritative restore prevent this
from happening?
• What is the difference between restoring an AD DS object
by undeleting it and just recreating the object?
Module Review and Takeaways
• Review questions
• Considerations
• Tools
Beta Feedback Tool
Beta feedback tool helps:
•



•
Collect student roster information, module feedback, and
course evaluations.
Identify and sort the changes that students request, thereby
facilitating a quick team triage.
Save data to a database in SQL Server that you can later
query.
Walkthrough of the tool
Beta Feedback
Overall flow of module:
•


Which topics did you think flowed smoothly, from topic to
topic?
Was something taught out of order?
Pacing:
•



Were you able to keep up? Are there any places where the
pace felt too slow?
Were you able to process what the instructor said before
moving on to next topic?
Did you have ample time to reflect on what you learned? Did
you have time to formulate and ask questions?
Learner activities:
•



Which demos helped you learn the most? Why do you think
that is?
Did the lab help you synthesize the content in the module?
Did it help you to understand how you can use this
knowledge in your work environment?
Were there any discussion questions or reflection questions
that really made you think? Were there questions you
thought weren’t helpful?
Related documents
FoxFiles: Getting Started What is FoxFiles?
FoxFiles: Getting Started What is FoxFiles?
Go to Start – All Programs – Microsoft SQL Server Management Studio
Go to Start – All Programs – Microsoft SQL Server Management Studio
Regulatory statistics and information
Regulatory statistics and information
DBA 102:NOW WHAT
DBA 102:NOW WHAT
Operating Systems (OS)
Operating Systems (OS)
transfer the PecStar database to a new server
transfer the PecStar database to a new server
Module 8: Examining Active Directory Replication
Module 8: Examining Active Directory Replication
Reasons to Rely on Databases Instead of the Open Internet
Reasons to Rely on Databases Instead of the Open Internet
Many of us can be very sceptical about advertising. However it`s
Many of us can be very sceptical about advertising. However it`s
TerraPage Database Configuration for SubrScene
TerraPage Database Configuration for SubrScene
TCP/IP Configuration
TCP/IP Configuration
Database-lecture 10
Database-lecture 10
Lecture 10 MS-SQL Server Basics
Lecture 10 MS-SQL Server Basics
Lecture 10 MS-SQL Server Basics
Lecture 10 MS-SQL Server Basics
Working interactively with VFP - dFPUG
Working interactively with VFP - dFPUG