Active Directory - Backup, Restore
Knowledge Base Questions & Answers
What must be done to backup AD (Active Directory)?
To back up AD, you must back up the System State data.
What data contains System State?
System State contains:
- AD database and the other files in the NTDS folder (only on a DC (Domain Controller)).
- Boot and system files.
- DFSR (Distributed File System Replication) staging.
- AD CS (Active Directory Certificate Services) data (only if a Certificate Authority server is installed).
- Cluster Service database (only if a Failover Cluster server is installed).
- COM+ class registration database.
- File system junctions.
- Group Policy settings (only on a DC).
- IIS (Internet Information Services) metabase (only if an IIS server is installed).
- Registry.
- Netlogon shared folders: default profiles, system policies, logon/logoff/startup/shutdown scripts.
- SYSVOL (System Volume) folder (only on a DC).
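The backup described above, as an added PowerShell example (not from the original page): it installs Windows Server Backup if needed, runs a System State backup with wbadmin and lists the resulting backup versions. The target volume E: is a constructed placeholder and must be a volume other than the system volume.

```powershell
# Added example (not from the original page): back up System State, which on a
# DC includes the AD database and SYSVOL, with Windows Server Backup (wbadmin).
# Assumptions: run elevated on the DC; E: is a constructed placeholder for a
# dedicated backup volume (never the system volume itself).
$BackupTarget = 'E:'

# Windows Server Backup is a feature that is not installed by default.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}

# Run the System State backup; -quiet suppresses the interactive confirmation.
wbadmin start systemstatebackup -backupTarget:$BackupTarget -quiet
if ($LASTEXITCODE -ne 0) {
    throw "System State backup failed with exit code $LASTEXITCODE"
}

# List the backup versions on the target so the job can be verified. The
# version identifier printed here is what a later restore refers to.
wbadmin get versions -backupTarget:$BackupTarget
```

Schedule this on every DC, not just one: a System State backup is only valid for the DC it was taken on, and it must be newer than the forest's tombstone lifetime to be usable for a restore.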
What are AD Restore types?
There are two AD Restore types:
- Non-Authoritative Restore (D2 restore).
- Authoritative Restore (D4 restore).
What is Non-Authoritative Restore of AD?
- Non-Authoritative Restore is the default method of restoring AD, and it is used when AD data is lost or corrupted.
- It restores a DC to its state at the time of the backup. After the DC is restored, its local copy of SYSVOL is compared with its replication partners. After the DC restarts, SYSVOL replicates any necessary changes to itself, bringing the restored DC up to date with the other DCs in the domain.
- To perform a Non-Authoritative Restore, the DC must be started in DSRM (Directory Services Restore Mode).
What is the Authoritative Restore of AD?
- Authoritative Restore restores the DC from backup and, after the necessary configuration, AD marks the local SYSVOL as authoritative and replicates it to the other DCs in the domain.
- It can restore only particular objects. For example, if an OU (Organizational Unit) was deleted, an Authoritative Restore can restore just that object.
- To perform an Authoritative Restore, the DC must be started in DSRM.
- An Authoritative Restore requires the ntdsutil utility.
- An Authoritative Restore is often needed when human error is involved, such as when an administrator accidentally deletes some objects, the change has replicated to the other DCs, and the objects cannot be recreated easily.
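The procedure the two restore sections describe, as an added PowerShell example (not from the original page): the DC is switched into DSRM, System State is restored non-authoritatively from the backup, the deleted subtree is marked authoritative with ntdsutil, and the DC is booted normally. The backup version, the OU's distinguished name and the volume E: are constructed placeholders. Each function corresponds to one step and is run on its own after the preceding reboot, as shown at the bottom.

```powershell
# Added example (not from the original page): the steps of an Authoritative
# Restore of one deleted OU. Assumptions (constructed placeholders): a System
# State backup on E: with the version identifier below, and the OU's DN.
# Run elevated on the DC; Step 2 and Step 3 are run while logged on in DSRM
# with the DSRM administrator account.
$BackupTarget = 'E:'
$Version      = '01/01/2024-02:00'                     # see 'wbadmin get versions'
$SubtreeDN    = 'OU=Sales,DC=corp,DC=example,DC=com'   # subtree to bring back

function Enter-DsrmOnNextBoot {
    # Step 1: the scripted equivalent of pressing F8 and choosing
    # Directory Services Restore Mode. The DC reboots into DSRM.
    bcdedit /set safeboot dsrepair
    Restart-Computer -Force
}

function Restore-SystemStateNonAuthoritative {
    # Step 2 (in DSRM): bring the DC back to its state at backup time.
    # Add -authsysvol here if the SYSVOL copy on this DC must also win
    # over the other DCs' copies (an authoritative SYSVOL restore).
    wbadmin start systemstaterecovery -version:$Version -backupTarget:$BackupTarget -quiet
    if ($LASTEXITCODE -ne 0) { throw "System State recovery failed ($LASTEXITCODE)" }
}

function Set-SubtreeAuthoritative {
    # Step 3 (still in DSRM, before a normal boot): mark only the deleted
    # subtree authoritative so the restored objects win over the deletions
    # already replicated to the other DCs. 'activate instance ntds' selects
    # the AD database; the two 'quit' commands leave both ntdsutil menus.
    ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $SubtreeDN" quit quit
}

function Exit-Dsrm {
    # Step 4: clear the DSRM boot flag and boot normally; replication then
    # propagates the restored OU to the other DCs.
    bcdedit /deletevalue safeboot
    Restart-Computer -Force
}

# Order of execution (one function per boot cycle):
#   Enter-DsrmOnNextBoot                 # normal boot  -> DSRM
#   Restore-SystemStateNonAuthoritative  # in DSRM
#   Set-SubtreeAuthoritative             # in DSRM
#   Exit-Dsrm                            # DSRM -> normal boot
```

Without Step 3 the result is a plain Non-Authoritative Restore: the restored DC would receive the deletion again from its replication partners on the first replication cycle after the normal boot.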
What is DSRM (Directory Services Restore Mode)?
- DSRM is a special boot mode that is used for repairing or recovering AD.
- It is used to log on to the computer when AD has failed or needs to be restored on a DC.
Windows DNS (Domain Name System) Server
Knowledge Base Questions & Answers
What are DNS servers’ different types (roles) in Windows environments?
There are four roles of DNS servers:
- AD (Active Directory) - Integrated DNS Server
- Primary (Master) DNS Server
- Secondary (Slave) DNS Server
- Caching-Only DNS Server
What is “AD (Active Directory) - Integrated DNS Server”?
- “AD (Active Directory) - Integrated DNS Server” is a DNS server that is integrated with AD.
- In this setup, the DNS server stores its zone data in the AD database rather than in traditional file-based storage.
- “AD-Integrated DNS Server” allows for features like multi-master replication, improved security through secure dynamic updates, and more efficient management and synchronization of DNS information across multiple servers.
What is the WINS (Windows Internet Name Service)?
WINS (Windows Internet Name Service) is a legacy service by Microsoft used to resolve NetBIOS (Network Basic Input/Output System) names to IP (Internet Protocol) addresses in older Windows networks.
Experience-Based/Practical Questions & Answers
What are the recommended DNS settings for the network adapter of a DC (Domain Controller) if it is the only DC in a network?
- If there is just one DC (Domain Controller), specify the DC’s own IP address in the “Preferred DNS Server” field. Listing other DNS servers is optional.
- For example, in a setup with a single DC named DC2022 with the IP address 192.168.1.125, you would set DC2022’s IP address (192.168.1.125) in the “Preferred DNS Server” field.
What are the recommended DNS settings for the network adapter of a DC if there are two or more DCs in a network?
- Two DNS servers should be specified if two or more DCs are on the network.
- For example, on DC DC2019, the “Preferred DNS Server” will be another DC (DC2016, IP address 10.0.13.204), and the “Alternate DNS Server” will be its own IP address (10.0.13.205).
- You must not specify a loopback IP address (127.0.0.1).
Why do you need to point DC to itself for DNS?
- Pointing a DC to itself for DNS is necessary for proper AD functioning, including AD database replication, authentication, and resource access.
- It ensures the DC can resolve its own hostname, locate other DCs, perform dynamic DNS updates, and maintain domain services even when other DCs are unavailable.
- It is crucial for the integrity and functionality of the AD domain.
Should you configure network adapter DNS settings on servers or workstations to point to internet DNS servers?
- No, it is not recommended to configure servers or workstations within an AD domain environment to use Internet DNS servers directly.
- If these devices cannot locate the DC through DNS, they may encounter issues joining the domain or logging on.
- Configure all your servers and workstations to use the DCs as their primary DNS servers.
How are Root domains configured in a DNS server, how many “Root Hints” DNS servers are typically preset in a Windows DNS server, and where can these settings be accessed in the server’s management interface?
- By default, 13 root hints DNS servers are configured on a Windows DNS server; the server contacts them if the internet DNS servers (forwarders) configured on it are not accessible.
- Root domains can be found in the DNS server's server-level properties. The path is as follows: “DNS Manager” MMC (Microsoft Management Console) snap-in -> DNS -> Server-Name -> Properties -> “Root Hints” tab.
How will you back up the DNS server?
- If you use an “AD-Integrated DNS Zone,” your DNS information is stored in the AD database. To back up DNS, you need to back up the “System State.”
- If the DNS zone is not AD-Integrated, you need to back up the zone files in the folder %SystemRoot%\System32\dns.
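The two cases above, as an added PowerShell example (not from the original page): it lists every zone on the server with the backup method its storage requires, then exports the file-backed primary zones with Export-DnsServerZone and copies the %SystemRoot%\System32\dns folder to a backup location. The destination E:\DnsBackup is a constructed placeholder.

```powershell
# Added example (not from the original page): back up the zones of a Windows
# DNS server according to where they are stored. AD-integrated zones live in
# the AD database and are covered by the System State backup; file-backed
# zones are exported into %SystemRoot%\System32\dns and that folder is copied.
# Assumptions: run elevated on the DNS server (DnsServer module present);
# 'E:\DnsBackup' is a constructed placeholder for the destination.
$Destination = 'E:\DnsBackup'
$DnsFolder   = Join-Path $env:SystemRoot 'System32\dns'

function Get-DnsZoneBackupPlan {
    # One object per real zone (auto-created reverse zones carry no data of
    # ours), stating how that zone has to be backed up.
    Get-DnsServerZone |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -in 'Primary', 'Secondary', 'Stub' } |
        ForEach-Object {
            [pscustomobject]@{
                ZoneName     = $_.ZoneName
                ZoneType     = $_.ZoneType
                DsIntegrated = $_.IsDsIntegrated
                Method       = if ($_.IsDsIntegrated) { 'System State backup' }
                               else { 'Export-DnsServerZone + copy of System32\dns' }
            }
        }
}

function Backup-FileBackedDnsZones {
    param([string]$TargetFolder)
    New-Item -ItemType Directory -Path $TargetFolder -Force | Out-Null
    $fileZones = Get-DnsZoneBackupPlan | Where-Object { -not $_.DsIntegrated -and $_.ZoneType -eq 'Primary' }
    foreach ($zone in $fileZones) {
        # Export-DnsServerZone writes a standard zone file into System32\dns;
        # the .bak suffix keeps it apart from the live zone file.
        $file = "$($zone.ZoneName).dns.bak"
        Export-DnsServerZone -Name $zone.ZoneName -FileName $file
    }
    # Copy the live zone files, the exports and the server's own files together.
    Copy-Item -Path (Join-Path $DnsFolder '*') -Destination $TargetFolder -Recurse -Force
    return $fileZones.Count
}

Get-DnsZoneBackupPlan | Format-Table -AutoSize
$exported = Backup-FileBackedDnsZones -TargetFolder $Destination
Write-Output "Exported $exported file-backed primary zone(s) to $Destination"
```

Secondary zones are not exported because they can be re-transferred from their primary; the copy of the dns folder still captures their current files.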
What can be used to troubleshoot DNS?
- “DNS Manager” MMC snap-in.
- dcdiag command.
- dnscmd command.
- ipconfig command.
- nslookup command.
How to check DNS Health?
Run command:
dcdiag /test:dns /v /e
How do you determine the domain’s authoritative DNS server’s IP address and check whether DNS works?
- Use the nslookup command. If you get this answer, DNS works.
- It gives you information about the default DNS server and its IP address.
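The health check and the authoritative-server lookup from the last two questions, as one added PowerShell example (not from the original page): it records which DNS server the client uses (the "default server" that nslookup prints), verifies that the domain's DC locator SRV record resolves, lists the zone's authoritative servers with their IP addresses from the NS and SOA records, and runs the dcdiag DNS test from above. The domain corp.example.com is a constructed placeholder; the check for dcdiag failures assumes English dcdiag output.

```powershell
# Added example (not from the original page): a DNS health check for an AD
# domain done from PowerShell (Resolve-DnsName) instead of nslookup, plus the
# dcdiag DNS test. Assumptions (constructed): the domain is corp.example.com;
# run on a domain member or DC with RSAT; dcdiag output is in English.
$Domain = 'corp.example.com'

function Get-DomainAuthoritativeDns {
    param([string]$DomainName)
    # The SOA's PrimaryServer is the zone's primary; the NS records list every
    # authoritative server. Each server name is then resolved to its address.
    $soa = Resolve-DnsName -Name $DomainName -Type SOA -ErrorAction Stop | Where-Object Type -eq 'SOA'
    $ns  = Resolve-DnsName -Name $DomainName -Type NS  -ErrorAction Stop | Where-Object Type -eq 'NS'
    foreach ($n in $ns) {
        $a = Resolve-DnsName -Name $n.NameHost -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A'
        [pscustomobject]@{
            Server    = $n.NameHost
            IPAddress = (@($a.IPAddress) -join ', ')
            IsPrimary = ($n.NameHost -eq $soa.PrimaryServer)
        }
    }
}

function Test-DomainDnsHealth {
    param([string]$DomainName)
    $result = [ordered]@{}
    # 1. The DNS servers this client uses (what nslookup shows as default server).
    $result.ClientDnsServers = ((Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses }).ServerAddresses) -join ', '
    # 2. The DC locator SRV record must resolve, or clients cannot find a DC to log on.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV'
    $result.DcLocatorRecords = @($srv).Count
    # 3. Authoritative servers for the domain zone.
    $auth = Get-DomainAuthoritativeDns -DomainName $DomainName
    $result.AuthoritativeServers = ($auth | ForEach-Object { "$($_.Server) ($($_.IPAddress))" }) -join ', '
    # 4. dcdiag DNS test on every DC (/e), verbose (/v); any 'failed test' line is a failure.
    $out = dcdiag /test:dns /v /e
    $result.DcdiagDnsTestPassed = -not ($out -match 'failed test')
    [pscustomobject]$result
}

Test-DomainDnsHealth -DomainName $Domain | Format-List
```

A DcLocatorRecords value of 0 with working name resolution points at missing dynamic registration on the DCs (see ipconfig /registerdns and the Netlogon service) rather than at a broken resolver.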
You try to find out if DNS works on the server correctly. You ran the nslookup command and got the following output. What can you do to resolve the issue?
The cause is a DNS setting on the DC's network adapter. Go to the network adapter properties of “Internet Protocol Version 6 (TCP/IPv6)”. You will see the following settings. The entry “::1” must be removed: select the radio button “Obtain DNS Server Address Automatically” in the adapter properties and save the settings.
After this change, you will get the following output.
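The adapter settings recommended for a DC (preferred = a partner DC, alternate = its own address, no 127.0.0.1, no internet resolvers) and the stray “::1” IPv6 entry from the question above, checked and repaired in one added PowerShell example (not from the original page). The addresses follow the DC2019/DC2016 example (10.0.13.205 and 10.0.13.204); the adapter alias 'Ethernet' and the list of public resolvers are constructed assumptions.

```powershell
# Added example (not from the original page): audit the DNS client settings of
# a DC's adapter and repair them to the recommended layout. Assumptions
# (constructed): this DC is DC2019 at 10.0.13.205, its partner DC2016 is at
# 10.0.13.204 and the adapter alias is 'Ethernet'. Run elevated on the DC.
$PartnerDc = '10.0.13.204'
$SelfIPv4  = '10.0.13.205'
$Alias     = 'Ethernet'
$Loopbacks = @('127.0.0.1', '::1')
$PublicDns = @('8.8.8.8', '8.8.4.4', '1.1.1.1', '9.9.9.9')   # well-known internet resolvers

function Test-DcDnsClientConfig {
    param([string]$InterfaceAlias)
    $findings = @()
    # Check both families: the '::1' entry from the question lives under TCP/IPv6.
    foreach ($family in 'IPv4', 'IPv6') {
        $servers = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily $family).ServerAddresses)
        foreach ($s in $servers) {
            if ($s -in $Loopbacks) { $findings += "$family DNS points to loopback $s" }
            if ($s -in $PublicDns) { $findings += "$family DNS points to internet resolver $s" }
        }
        if ($family -eq 'IPv4' -and $servers.Count -gt 0 -and $servers[0] -eq $SelfIPv4) {
            $findings += 'IPv4 preferred DNS server is this DC itself; a partner DC should be listed first'
        }
    }
    return $findings
}

function Repair-DcDnsClientConfig {
    param([string]$InterfaceAlias)
    # -ResetServerAddresses is the cmdlet form of "Obtain DNS server address
    # automatically"; it clears manual entries (including '::1') on the adapter.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses
    # Then set the IPv4 list: preferred = partner DC, alternate = own address.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses @($PartnerDc, $SelfIPv4)
}

$issues = Test-DcDnsClientConfig -InterfaceAlias $Alias
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    Repair-DcDnsClientConfig -InterfaceAlias $Alias
    ipconfig /flushdns    | Out-Null
    ipconfig /registerdns | Out-Null   # re-register the DC's own A and SRV records
    Write-Output "Repaired DNS client settings on '$Alias':"
    Get-DnsClientServerAddress -InterfaceAlias $Alias | Format-Table -AutoSize
} else {
    Write-Output "DNS client settings on '$Alias' match the recommendation."
}
```

Running only Test-DcDnsClientConfig against every DC (for example through Invoke-Command) gives a quick inventory of DCs that still point at loopback or at an internet resolver, without changing anything.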
How can DNS cache poisoning be prevented?
To prevent DNS cache poisoning:
- Implement DNSSEC (Domain Name System Security Extensions) for data authentication.
- Use firewalls and access control to restrict access.
- Keep the DNS server updated and secure.
- Enable source port randomization.
- Use DNS response policy zones to block malicious domains. This requires BIND (Berkeley Internet Name Domain) servers to be installed and configured.
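The mitigations that a Windows DNS server itself exposes, as an added PowerShell example (not from the original page): cache locking (a cached record cannot be overwritten before its TTL expires), the socket pool size (the server's source port randomization, configured through dnscmd), a DNSSEC root trust anchor so that answers are validated, and the recursion setting. The desired values are assumptions; 2500 is the socket pool default.

```powershell
# Added example (not from the original page): check and apply the
# cache-poisoning mitigations available on Windows DNS Server.
# Assumptions: run elevated on the DNS server (DnsServer module present);
# the desired values below are this example's choices.
$DesiredLockingPercent = 100    # 100 = cached records are never overwritten before TTL expiry
$DesiredSocketPoolSize = 2500   # default; 0 would disable source port randomization

function Get-DnsPoisoningPosture {
    # dnscmd prints the socket pool size as 'Dword:  2500  (000009c4)'; parse it.
    $out  = (dnscmd /Info /SocketPoolSize) -join ' '
    $pool = if ($out -match 'Dword:\s+(\d+)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        CacheLockingPercent = (Get-DnsServerCache).LockingPercent
        SocketPoolSize      = $pool
        DnssecTrustAnchors  = @(Get-DnsServerTrustAnchor -ErrorAction SilentlyContinue).Count
        RecursionEnabled    = (Get-DnsServerRecursion).Enable
    }
}

function Set-DnsPoisoningMitigations {
    Set-DnsServerCache -LockingPercent $DesiredLockingPercent
    dnscmd /Config /SocketPoolSize $DesiredSocketPoolSize | Out-Null
    # Without a trust anchor the server cannot validate DNSSEC-signed answers;
    # -Root fetches the root zone's anchor.
    if (@(Get-DnsServerTrustAnchor -ErrorAction SilentlyContinue).Count -eq 0) {
        Add-DnsServerTrustAnchor -Root
    }
    # The socket pool size is read when the DNS service starts.
    Restart-Service -Name DNS
}

$before = Get-DnsPoisoningPosture
Write-Output 'Current posture:'
$before | Format-List
$needsChange = $before.CacheLockingPercent -lt $DesiredLockingPercent -or
               $before.SocketPoolSize -ne $DesiredSocketPoolSize -or
               $before.DnssecTrustAnchors -eq 0
if ($needsChange) {
    Set-DnsPoisoningMitigations
    Write-Output 'Posture after applying mitigations:'
    Get-DnsPoisoningPosture | Format-List
}
```

RecursionEnabled is reported but not changed: a DC's DNS server normally must recurse for its clients, so the fix for an exposed recursive resolver is the firewall and access-control item above (or a recursion scope for internal clients only), not disabling recursion outright.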
How do you check whether DNS zone replication works between two DNS servers without creating new records?
Compare the “Serial Number” field in the zone’s properties on both servers; the values must be the same.
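The serial-number comparison, as an added PowerShell example (not from the original page): it reads the SOA record of one zone from two DNS servers and reports whether the serials match. The zone corp.example.com and the server names DC2016 and DC2019 are constructed placeholders.

```powershell
# Added example (not from the original page): confirm zone replication between
# two DNS servers by comparing the zone's SOA serial number on each, without
# creating a test record. Assumptions (constructed): zone corp.example.com is
# hosted on DC2016 and DC2019; run with DNS admin rights and the DnsServer module.
$Zone    = 'corp.example.com'
$Servers = 'DC2016', 'DC2019'

function Get-ZoneSerial {
    param([string]$ZoneName, [string]$ComputerName)
    # The SOA record's RecordData carries the serial, which increments on every change.
    $soa = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Soa -ComputerName $ComputerName -ErrorAction Stop
    [pscustomobject]@{ Server = $ComputerName; Serial = [uint32]$soa.RecordData.SerialNumber }
}

function Test-ZoneReplication {
    param([string]$ZoneName, [string[]]$ServerNames)
    $serials = foreach ($s in $ServerNames) { Get-ZoneSerial -ZoneName $ZoneName -ComputerName $s }
    [pscustomobject]@{
        Zone    = $ZoneName
        Serials = ($serials | ForEach-Object { "$($_.Server)=$($_.Serial)" }) -join ', '
        InSync  = (@($serials.Serial | Sort-Object -Unique).Count -eq 1)
    }
}

$check = Test-ZoneReplication -ZoneName $Zone -ServerNames $Servers
$check | Format-List
if (-not $check.InSync) {
    Write-Warning "Serial numbers differ for '$Zone': replication has not converged yet or has failed."
}
```

For a primary/secondary pair a higher serial on the primary than on the secondary means a zone transfer is still pending; a difference that persists past the SOA refresh interval is the signal to look at transfer permissions and the DNS server event log.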