Module 8: Designing Active Directory Disaster Recovery in Windows Server 2008

Upload: rosalyn-chapman

Post on 24-Dec-2015

Module Overview

• Designing an Active Directory Database Maintenance Strategy

• Designing an Active Directory Backup and Recovery Strategy

• Designing an AD DS Monitoring Strategy

Lesson 1: Designing an Active Directory Database Maintenance Strategy

• Overview of Database Maintenance

• Benefits of Restartable AD DS in Windows Server 2008

• Considerations for Using Restartable AD DS

Overview of Database Maintenance

There are two types of database maintenance:

• Online maintenance

  • All tasks are run automatically by the Windows operating system

  • Active Directory automatically performs periodic online defragmentation of the database

• Offline maintenance

  • Offline maintenance is rarely required, and must be done while AD DS is stopped

  • Performing an offline defragmentation creates a new, compacted version of the database file

Windows Server Backup provides a basic backup and recovery solution for computers running the Windows Server® 2008 operating system

Benefits of Restartable AD DS in Windows Server 2008

Benefits of restartable AD DS in Windows Server 2008 include:

• Reduces the time that is required to perform offline operations

• Starting in Directory Services Repair Mode is no longer required for database defragmentation

• Improves the availability of other services that run on a domain controller by keeping them running when AD DS is stopped

• In combination with the Server Core installation of Windows Server 2008, restartable AD DS reduces the overall servicing requirements of a domain controller

Considerations for Using Restartable AD DS

When using restartable AD DS in Windows Server 2008, consider:

• You cannot start a domain controller running Windows Server 2008 in the AD DS Stopped state

• Services that depend on AD DS shut down before AD DS shuts down

• If the domain controller is a DNS server, it will not respond to any queries for Active Directory–integrated zones while AD DS is stopped

• You can stop and start AD DS, but you cannot pause it

• If another domain controller services the logon, the computer on which AD DS is stopped acts as a member server

• You cannot swap the Ntds.dit file while AD DS is stopped

Lesson 2: Designing an Active Directory Backup and Recovery Strategy

• Overview of AD DS Backup and Recovery

• AD DS Backup and Recovery in Windows Server 2008

• Active Directory Domain Services Backup System Components

• Options for Restoring AD DS

• Considerations for Restoring AD DS

• Guidelines for Designing Backup and Recovery in AD DS

Overview of AD DS Backup and Recovery

Key points for performing backups:

• Critical volume backups back up all AD DS related data

• Multiple domain controllers are not an alternative to performing backups

• Test your backups frequently

• Backups are only valid for the length of the tombstone lifetime
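
The last key point can be checked mechanically. The following is an added example, not part of the course material: it reads the forest's tombstone lifetime through ADSI and reports how many days a given backup has left. The `Test-BackupAge` name and the 14-day warning margin are assumptions.

```powershell
# Added example (not from the course material). Assumes a domain-joined
# machine with read access to the forest's configuration partition.

function Get-TombstoneLifetimeDays {
    # RootDSE tells us where the configuration partition lives.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = "$($rootDse.configurationNamingContext)"
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

    # An unset tombstoneLifetime attribute means the 60-day default applies.
    $value = $dsObject.tombstoneLifetime.Value
    if ($null -eq $value) { return 60 }
    return [int]$value
}

function Test-BackupAge {
    param(
        [Parameter(Mandatory = $true)]
        [datetime] $BackupTime,          # e.g. a time listed by "wbadmin get versions"
        [int] $TombstoneLifetimeDays = (Get-TombstoneLifetimeDays),
        [int] $WarnDays = 14             # hypothetical safety margin
    )
    $ageDays   = [math]::Floor(((Get-Date) - $BackupTime).TotalDays)
    $remaining = $TombstoneLifetimeDays - $ageDays

    if     ($remaining -le 0)         { $status = 'EXPIRED: do not restore a DC from this backup' }
    elseif ($remaining -le $WarnDays) { $status = 'WARNING: take a fresh backup now' }
    else                              { $status = 'OK' }

    New-Object PSObject -Property @{
        BackupTime            = $BackupTime
        AgeDays               = $ageDays
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        DaysRemaining         = $remaining
        Status                = $status
    }
}

# Constructed sample: a backup taken 170 days ago against a 180-day lifetime.
Test-BackupAge -BackupTime (Get-Date).AddDays(-170) -TombstoneLifetimeDays 180
```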

AD DS Backup and Recovery in Windows Server 2008

In Windows Server 2008:

• You must back up critical volumes rather than only System State data

• Windows Server Backup has three recovery modes:

  • Full server recovery

  • System state recovery

  • File/folder recovery

• Windows Server Backup does not support backing up individual files or directories

• Windows Server Backup supports DVDs or CDs as backup media

Windows Server Backup is the new backup application in Windows Server 2008

Active Directory Domain Services Backup System Components

Critical volumes include:

• The system volume: the volume that hosts the boot files

• The boot volume: the volume that hosts the Windows operating system and the Registry

• The volume that hosts the SYSVOL directory

• The volume that hosts the Active Directory database (Ntds.dit)

Options for Restoring AD DS

Nonauthoritative restore:

• Also known as Normal AD DS restore

• Restores the database to the date and time of the backup

• Changes since last backup are replicated from other domain controllers

• Used for disaster recovery of a domain controller

Authoritative restore:

• Restores the database to the date and time of the backup

• Marks a selected portion of the backup as authoritative

• Anything marked authoritative is replicated to all other domain controllers

• Used when objects are deleted (or for entire forest or domain recovery)

Full Domain Controller restore is used to restore the full domain controller on new hardware

Considerations for Restoring AD DS

When restoring AD DS, consider:

• Authoritative restore provides a method to recover objects and containers that have been deleted from AD DS

• Restoration of group memberships for user objects that are deleted and restored authoritatively differs, depending on when linked-value replication (LVR) was implemented

• Ntdsutil makes it possible to restore back-links that were created before LVR was implemented

• The Active Directory database mounting tool (Dsamain.exe) provides the ability to compare data from snapshots or backups that are taken at different times

• The database mounting tool exposes, online, AD DS data stored in snapshots or backups taken at different points in time

• The database mounting tool makes it possible to recreate deleted objects and their back-links without restarting the domain controller in Directory Services Restore Mode
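
To illustrate the snapshot comparison described above, here is an added example (not part of the course material) that lists group members present in a mounted snapshot but missing from the live directory. The function names, the port 51389 and the sample DN are assumptions; the snapshot must already be mounted and served by Dsamain.exe.

```powershell
# Added example (not from the course material). Preparation, run on the DC
# (GUID/index and mount path are whatever ntdsutil reports on your system):
#   ntdsutil snapshot "activate instance ntds" create quit quit
#   ntdsutil snapshot "list all" "mount <index-or-GUID>" quit quit
#   dsamain /dbpath <mounted-path>\Windows\NTDS\ntds.dit /ldapport 51389

function Get-GroupMembers {
    param([string] $Server, [string] $GroupDN)
    $group = [ADSI]"LDAP://$Server/$GroupDN"
    # ADSI returns only the first range of values for very large groups;
    # this function assumes the group is below that limit.
    $group.psbase.Properties['member'] | ForEach-Object { [string]$_ }
}

function Compare-GroupWithSnapshot {
    param(
        [Parameter(Mandatory = $true)]
        [string] $GroupDN,
        [string] $LiveServer     = 'localhost',
        [string] $SnapshotServer = 'localhost:51389'   # hypothetical /ldapport value
    )
    # @() keeps the results as arrays even when a group has no members.
    $live = @(Get-GroupMembers -Server $LiveServer     -GroupDN $GroupDN)
    $snap = @(Get-GroupMembers -Server $SnapshotServer -GroupDN $GroupDN)

    # Members present in the snapshot but absent now are the back-links
    # to re-create once the deleted objects themselves are recovered.
    foreach ($dn in $snap) {
        if ($live -notcontains $dn) {
            New-Object PSObject -Property @{ Group = $GroupDN; MissingMember = $dn }
        }
    }
}

# Constructed DN for illustration only.
Compare-GroupWithSnapshot -GroupDN 'CN=Finance Users,OU=Groups,DC=example,DC=com'
```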

Guidelines for Designing Backup and Recovery in AD DS

When backing up and recovering AD DS:

• Store operating system files, the Active Directory database (Ntds.dit), log files, and SYSVOL on separate volumes that do not contain other user, operating system, or application data

• Prevent accidental deletions of AD DS objects by using the Protect this object from accidental deletion option

• To be able to restore AD DS or SYSVOL, perform regular backups of critical volumes on domain controllers

• Create a backup volume on a dedicated internal or external hard drive

• Use the Windows Automated Installation Kit to install Windows RE on a separate partition

Guidelines for Monitoring Active Directory Domain Controllers

When monitoring Active Directory domain controllers:

• Develop a regular process for reviewing monitoring information

• Develop an alert mechanism for critical issues

• Develop an escalation process for dealing with issues identified by monitoring

• Develop a performance baseline

• Verify that all domain controllers are communicating with the central monitoring console or collector

• Ensure that SYSVOL is properly shared

• Ensure that the domain controller is advertising itself

• Review the domain controller disk space reports
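
The last three checks can be scripted. This added example (not part of the course material) tests the SYSVOL and NETLOGON shares, the dcdiag Advertising test and free disk space on each domain controller. The function name, the 20 percent threshold and the DC names are assumptions, and the dcdiag match assumes English-language output.

```powershell
# Added example (not from the course material). Assumes English-language
# dcdiag output and WMI access to each domain controller.

function Test-DomainControllerHealth {
    param(
        [string] $ComputerName   = $env:COMPUTERNAME,
        [int]    $MinFreePercent = 20      # hypothetical alert threshold
    )
    $problems = @()

    # SYSVOL and NETLOGON must both be shared before clients can use this DC.
    $shares = @(Get-WmiObject Win32_Share -ComputerName $ComputerName |
                ForEach-Object { $_.Name })
    foreach ($name in 'SYSVOL', 'NETLOGON') {
        if ($shares -notcontains $name) { $problems += "$name share missing" }
    }

    # dcdiag's Advertising test checks that the DC advertises itself in its roles.
    $dcdiag = & dcdiag.exe "/s:$ComputerName" /test:Advertising
    if (-not ($dcdiag | Select-String -SimpleMatch 'passed test Advertising')) {
        $problems += 'not advertising as a domain controller'
    }

    # Low space on a fixed disk threatens Ntds.dit, its log files and SYSVOL.
    $disks = Get-WmiObject Win32_LogicalDisk -ComputerName $ComputerName -Filter 'DriveType=3'
    foreach ($d in @($disks)) {
        if (-not $d.Size) { continue }
        $freePct = [math]::Round(100 * $d.FreeSpace / $d.Size, 1)
        if ($freePct -lt $MinFreePercent) {
            $problems += "$($d.DeviceID) only $freePct% free"
        }
    }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Healthy      = ($problems.Count -eq 0)
        Problems     = $problems
    }
}

# DC names are placeholders; pass unhealthy results to your alerting process.
'DC01', 'DC02' | ForEach-Object { Test-DomainControllerHealth -ComputerName $_ } |
    Where-Object { -not $_.Healthy }
```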