Active Directory - Backup, Restore
Knowledge Base Questions & Answers
What must be done to backup AD (Active Directory)?
To back up AD, a System State backup must be performed.
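As an added example (not from the original page), the following PowerShell session takes a System State backup of a DC with the built-in wbadmin tool and then lists the backup versions so the run can be verified. It assumes a dedicated backup volume mounted as E: (a placeholder) and that the Windows Server Backup feature is available.

```powershell
# Added example, not part of the original page. Takes a System State backup of the
# local DC with wbadmin and verifies it. The backup target E: is a placeholder for a
# volume that is not the system/NTDS volume (wbadmin refuses critical volumes by default).
$BackupTarget = 'E:'

# wbadmin requires the Windows Server Backup feature.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}

# System State covers the AD database (NTDS), SYSVOL, registry, boot files and the
# other items listed below. -quiet suppresses the interactive confirmation prompt.
wbadmin start systemstatebackup -backupTarget:$BackupTarget -quiet
if ($LASTEXITCODE -ne 0) {
    throw "System State backup failed with exit code $LASTEXITCODE"
}

# Enumerate the versions now stored on the target so the new backup can be confirmed.
wbadmin get versions -backupTarget:$BackupTarget
```

The resulting backup contains the complete NTDS database, so the target volume and any copies of it need the same access controls as the DC itself.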
What data contains System State?
System State contains:
- AD database and the other files in the NTDS folder (only on a DC (Domain Controller)).
- Boot and system files.
- DFSR (Distributed File System Replication) staging.
- AD CS (Active Directory Certificate Services) (only if a Certificate Authority server is installed).
- Cluster Service Database (only if a Failover Cluster server is installed).
- COM+ class registration database.
- File system junctions.
- Group Policy settings (only on a DC).
- IIS (Internet Information Services) metabase (only if an IIS server is installed).
- Registry.
- Netlogon shared folders: default profiles, system policies, logon/logoff/startup/shutdown scripts.
- SYSVOL (System Volume) folder (only on a DC).
What are AD Restore types?
There are two AD Restore types:
- Non-Authoritative Restore (D2 restore).
- Authoritative Restore (D4 restore).
What is Non-Authoritative Restore of AD?
- Non-Authoritative Restore is the default method of restoring AD, and it is used when AD data is lost or corrupted.
- It restores a DC to its state at the time of the backup. After the DC is restored, its local copy of SYSVOL is compared with its replication partners. After the DC restarts, SYSVOL replicates any necessary changes to itself, bringing the restored DC up to date with the other DCs in the domain.
- To perform a Non-Authoritative Restore, the DC must be started in DSRM (Directory Services Restore Mode).
What is the Authoritative Restore of AD?
- Authoritative Restore restores the DC from backup, and after the necessary configuration, AD marks the local SYSVOL as authoritative and replicates it to the other DCs in the domain.
- It can restore only particular objects. For example, if an OU (Organizational Unit) was deleted, an Authoritative Restore can restore just that object.
- To perform an Authoritative Restore, the DC must be started in DSRM.
- Authoritative Restore requires the ntdsutil utility.
- Authoritative Restore is often needed when human error is involved, such as when an administrator accidentally deletes some objects, that change has replicated to the other DCs, and the objects cannot be recreated easily.
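The sequence described in the points above, written out as an added example (not from the original page) for recovering one deleted OU on a single DC. The backup target, backup version and the OU's distinguished name are placeholders; the reboots between the steps are real, so the commands are meant to be run step by step rather than as one uninterrupted script.

```powershell
# Added example, not part of the original page. Authoritative restore of one deleted
# OU. Backup target E:, version identifier and the OU DN below are placeholders.

# 1. Configure the DC to boot into DSRM, then reboot.
bcdedit /set safeboot dsrepair
Restart-Computer

# 2. Logged on in DSRM with the DSRM administrator account: choose a backup version
#    and restore System State. At this point the restore is still non-authoritative;
#    the DC's database is rolled back to the backup but would lose to the other DCs.
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:01/01/2024-02:00 -backupTarget:E: -quiet

# 3. Still in DSRM, mark only the deleted OU and its children as authoritative.
#    ntdsutil raises the version numbers on those objects so they overwrite the
#    replicated deletion once replication resumes. The DN contains no spaces, so no
#    inner quoting is needed; each argument is one ntdsutil command.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree OU=Sales,DC=corp,DC=example" quit quit

# 4. Clear the DSRM boot flag and reboot normally. Replication then pushes the
#    restored OU out to the other DCs in the domain.
bcdedit /deletevalue safeboot
Restart-Computer
```

Restoring a subtree rather than the whole database keeps the scope of the authoritative change to the objects that were actually lost, so every other change made since the backup stays intact on the replication partners.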
What is DSRM (Directory Services Restore Mode)?
- DSRM is a special boot mode used for repairing or recovering AD.
- It is used to log on to the computer when AD has failed or needs to be restored on the DC.
Active Directory - Replication - Part 2
Experience-Based/Practical Questions & Answers
Which protocol is used to replicate data?
- Usually, RPC over IP is used.
- SMTP is used for replication between sites if there is an issue with RPC replication.
What is the difference between Inbound and Outbound Replication?
- “Inbound Replication” refers to the traffic received by a DC.
- “Outbound Replication” refers to the traffic sent by a DC.
Name a few of the GUI (Graphical User Interfaces) tools and commands available in AD that you can use to troubleshoot issues.
- “Active Directory Sites and Services” MMC (Microsoft Management Console) snap-in.
- “Event Viewer” MMC snap-in.
- PerfMon (Performance Monitor) - can be used to monitor replication-related performance counters (“NTDS Replication,” “Replication Metadata,” and “Replication Failures”) to assess the health and performance of replication.
- dcdiag command.
- repadmin command.
What command allows you to see the replication status between source DC and its replication partners?
Command is:
repadmin /showrepl
![](https://static.wixstatic.com/media/c2967b_0200907cb5484878bfc0d792351d28a6~mv2.png/v1/fill/w_525,h_848,al_c,lg_1,q_90,enc_avif,quality_auto/c2967b_0200907cb5484878bfc0d792351d28a6~mv2.png)
How can you view a summary of AD replication?
Run command:
repadmin /replsummary
How do you check how many items are in the DC replication queue?
Run command:
repadmin /queue
![](https://static.wixstatic.com/media/c2967b_32e5f846ee214a99bd498592dcd49d83~mv2.png/v1/fill/w_578,h_87,al_c,lg_1,q_85,enc_avif,quality_auto/c2967b_32e5f846ee214a99bd498592dcd49d83~mv2.png)
What command can be used to check if replication works?
Run command:
dcdiag /test:replications
![](https://static.wixstatic.com/media/c2967b_25f6253e60c14f5a9bc1a3847722a941~mv2.png/v1/fill/w_565,h_576,al_c,lg_1,q_85,enc_avif,quality_auto/c2967b_25f6253e60c14f5a9bc1a3847722a941~mv2.png)
How do you force replication between DCs on the AD site where you log in?
Run command:
repadmin /syncall
![](https://static.wixstatic.com/media/c2967b_bc28912becd0406cb7b5346b83010b7c~mv2.png/v1/fill/w_679,h_423,al_c,lg_1,q_85,enc_avif,quality_auto/c2967b_bc28912becd0406cb7b5346b83010b7c~mv2.png)
How do you force replication between all DCs between all “AD Sites?”
To force replication between all DCs in all “AD Sites” with detailed information, you can run the following command:
repadmin /syncall /AdeP
To force replication with basic information of proceeding with the request, run the command:
repadmin /syncall /AdePq
Where:
- A - synchronizes all NCs (Naming Contexts) that are held on the source DC.
- d - identifies DCs by DN (Distinguished Name) in messages.
- e - synchronizes DCs across all “AD Sites.”
- P - pushes changes from the source DC.
- q - runs in quiet mode, which suppresses call-back messages.
![](https://static.wixstatic.com/media/c2967b_112cd2186778432ea1029b12ff91fc9e~mv2.png/v1/fill/w_602,h_325,al_c,lg_1,q_85,enc_avif,quality_auto/c2967b_112cd2186778432ea1029b12ff91fc9e~mv2.png)
What are the troubleshooting steps if DC shows that it isn’t replicating with one of its partners?
AD replication issues can occur for a variety of reasons, for example DNS, network, or security issues. The steps to troubleshoot the issue are:
- Check whether the servers can ping each other.
- Check that the “A” DNS records point to the proper IP addresses.
- Remove and recreate the DC replication link.
- Check the time settings on both replication partners.
- Run the dcdiag and repadmin commands to troubleshoot the issue.
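The checks in the list above, together with the repadmin /showrepl and dcdiag /test:replications commands from the earlier questions, as one added PowerShell function (not from the original page). It runs from a DC against one named replication partner; the partner name and the clock-skew threshold are placeholders, and the regular expression for w32tm output assumes the "time, +00.0000000s" line format that /dataonly prints.

```powershell
# Added example, not part of the original page. Runs the replication troubleshooting
# checks from the local DC against one partner. 'DC02.corp.example' is a placeholder.
function Test-ReplicationPartner {
    param(
        [Parameter(Mandatory)][string]$Partner,
        [int]$MaxClockSkewSeconds = 300   # Kerberos' default tolerance; assumption for this check
    )
    $result = [ordered]@{ Partner = $Partner }

    # 1. Basic reachability.
    $result.Ping = Test-Connection -ComputerName $Partner -Count 2 -Quiet

    # 2. DNS: the partner's A record must resolve to the address it actually answers on.
    $dns = Resolve-DnsName -Name $Partner -Type A -ErrorAction SilentlyContinue
    $result.ARecord = ($dns | Where-Object QueryType -eq 'A').IPAddress -join ','

    # 3. Time: w32tm /stripchart reports the partner's clock offset from this host.
    #    Skew beyond the Kerberos tolerance breaks authentication, and with it replication.
    $lines = w32tm /stripchart /computer:$Partner /samples:1 /dataonly 2>$null
    $offsetLine = $lines | Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
    $result.ClockOffsetSeconds = if ($offsetLine) { [double]$offsetLine.Matches[0].Groups[1].Value } else { $null }
    $result.ClockOk = ($null -ne $result.ClockOffsetSeconds) -and
                      ([math]::Abs($result.ClockOffsetSeconds) -le $MaxClockSkewSeconds)

    # 4. Replication status as this DC sees it. /csv makes repadmin's output parseable,
    #    so failing links to the partner can be filtered out instead of read by eye.
    #    The "Source DSA" column holds the partner's short host name.
    $shortName = $Partner.Split('.')[0]
    $repl = repadmin /showrepl /csv | ConvertFrom-Csv
    $result.FailingLinks = $repl |
        Where-Object { $_.'Source DSA' -like "$shortName*" -and [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Naming Context', 'Number of Failures', 'Last Failure Status'

    # 5. dcdiag's replication test on the local DC; the summary line says "passed test
    #    Replications" or "failed test Replications", which is more reliable than the exit code.
    $dcdiagOut = dcdiag /test:replications
    $result.DcdiagReplicationsPassed = [bool]($dcdiagOut -match 'passed test Replications')

    [pscustomobject]$result
}

Test-ReplicationPartner -Partner 'DC02.corp.example' | Format-List
```

Reading the output in order mirrors the list: no ping or no A record points at network or DNS, a bad ClockOk points at time, and only if those pass is a replication-link failure in FailingLinks or a failed dcdiag test worth treating as an AD problem (for example by removing and recreating the link).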
What are the recommendations for AD replication?
- Ensure that the network has sufficient bandwidth and low latency between “AD Sites” to support replication traffic.
- Deploy DCs in a way that optimizes replication efficiency.
- Create “Site Links” that reflect the network connectivity between “AD Sites.”
- Configure replication schedules and intervals based on the available bandwidth and link reliability.
How can the configuration of a RODC (Read-Only Domain Controller) be adjusted to allow replication of user passwords?
You can use the “Password Replication Policy.” It configures which users’ credentials can be cached on a specific RODC (Read-Only Domain Controller).
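Managing that policy from PowerShell, as an added example that is not from the original page. It uses the ActiveDirectory module's Password Replication Policy cmdlets; the RODC name and the two group names are placeholders, and the script assumes the groups already exist.

```powershell
# Added example, not part of the original page. Adjusts and audits the Password
# Replication Policy of one RODC. RODC and group names are placeholders.
Import-Module ActiveDirectory

$Rodc        = 'RODC-BRANCH01'
$BranchUsers = 'Branch01 Users'           # users whose credentials may be cached on this RODC
$Tier0Extra  = 'Tier0 Service Accounts'   # privileged accounts that must never be cached

# Allow the branch group: its members' credentials can be cached on the RODC, so the
# branch keeps authenticating if the link to a writable DC goes down.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchUsers

# Deny privileged accounts explicitly. Denied overrides Allowed, so a nested membership
# in the branch group cannot put a Tier 0 credential on a physically exposed server.
# (Built-in groups such as Domain Admins are already covered by the default
# "Denied RODC Password Replication Group".)
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList $Tier0Extra

# Review the resulting policy.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, DistinguishedName
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, DistinguishedName

# Audit: which accounts' credentials are actually cached on the RODC right now?
# Any account here that should not be is a sign the policy needs tightening.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
```

The last query is the one worth scheduling: the Allowed list says what may be cached, but the revealed-accounts list says what has been, and that is the set an attacker with the RODC in hand could recover.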