Active Directory - Backup, Restore
Knowledge Base Questions & Answers
What must be done to back up AD (Active Directory)?
To back up AD, back up the System State data.
What data does System State contain?
System State contains:
- AD (database including other files in the NTDS folder) (only on a DC (Domain Controller)).
- Boot and system files.
- DFSR (Distributed File System Replication) staging.
- AD CS (Active Directory Certificate Services) (only if a Certificate Authority server is installed).
- Cluster Service database (only if a Failover Cluster server is installed).
- COM+ class registration database.
- File system junctions.
- Group Policy settings (only on a DC).
- IIS (Internet Information Services) metadirectory (only if an IIS server is installed).
- Registry.
- Netlogon shared folders: default profiles, system policies, logon/logoff/startup/shutdown scripts.
- SYSVOL (System Volume) folder (only on a DC).
What are the AD Restore types?
There are two AD Restore types:
- Non-Authoritative Restore (D2 restore).
- Authoritative Restore (D4 restore).
What is a Non-Authoritative Restore of AD?
- Non-Authoritative Restore is the default method to restore AD, and it is used when AD data is lost or corrupted.
- It restores a DC to its state at the time of the backup. After the DC is restored, the local copy of SYSVOL is compared with its replication partners. After the DC restarts, SYSVOL replicates any necessary changes to itself, bringing the restored DC up to date with the other DCs within the domain.
- To perform a Non-Authoritative Restore, the DC must be started in DSRM (Directory Services Restore Mode).
What is an Authoritative Restore of AD?
- An Authoritative Restore restores the DC from backup and, after the necessary configuration, AD marks the local SYSVOL as authoritative and replicates it to the other DCs within the domain.
- It can restore only particular objects. For example, if an OU (Organizational Unit) was deleted, an Authoritative Restore can restore just that object.
- To perform an Authoritative Restore, the DC must be started in DSRM.
- An Authoritative Restore requires the ntdsutil utility.
- An Authoritative Restore is often needed when human error is involved, such as when an administrator accidentally deletes some objects, that change has replicated to the other DCs, and the objects cannot be recreated easily.
What is DSRM (Directory Services Restore Mode)?
- DSRM is a special boot mode used for repairing or recovering AD.
- It is used to log on to the computer when AD has failed or needs to be restored on a DC.
AD (Active Directory), AD Schema
Knowledge Base Questions & Answers
What is AD (Active Directory), and what does it do?
- AD (Active Directory) is a Microsoft directory service used on Windows servers.
- It is a centralized database for objects such as Users, Computers, Groups, etc.
- AD allows effective network management with multiple DCs (Domain Controllers) in numerous geographical locations and authenticates users and computers.
- All AD changes replicate between DCs.
What are the main components of AD's structures?
There are two main structures of AD’s components:
- Logical Structure:
  - Forest
  - Tree
  - Domain
  - Group Policy
  - OU (Organizational Unit)
  - Trust Relationship
- Physical Structure:
  - DC
  - Site
  - GC (Global Catalog)
What are some of the critical protocols used by AD, and what are their associated port numbers?
AD utilizes several protocols and port numbers for various operations within the network. Some of the critical ones are:
- DNS (Domain Name System). Port number: TCP/UDP (Transmission Control Protocol/User Datagram Protocol) - 53.
- Kerberos. Port number: TCP/UDP - 88.
- LDAP (Lightweight Directory Access Protocol). Port number: TCP/UDP - 389.
- SMB (Server Message Block). Port number: TCP/UDP - 445.
- RDP (Remote Desktop Protocol). Port number: TCP - 3389.
- RPC (Remote Procedure Call). Port numbers: TCP/UDP - 49152-65535.
What is Kerberos, and how does it enhance security?
- Kerberos is a network authentication protocol widely used in Windows server environments.
- It is the primary authentication protocol, providing secure authentication for users and resources and trust relationship functionality.
- AD supports Kerberos version 5. Kerberos 5 offers enhanced security features.
- Kerberos operates on port 88 and uses the TCP and UDP protocols for communication.
What is NTLM (NT LAN Manager), and what are some considerations regarding its use in Windows-based operating systems for authentication?
- NTLM (NT LAN Manager) is an older authentication protocol used in Windows-based operating systems to authenticate users and establish their identity when accessing network resources.
- While NTLM can be used for authentication across forests, it is typically considered less secure and has certain limitations.
- It is still available on Windows servers and clients.
What is LDAP (Lightweight Directory Access Protocol), and how is it used in AD? Also, what are the supported LDAP versions and port number?
- LDAP (Lightweight Directory Access Protocol) is the default protocol for “AD DS” (Active Directory Domain Services).
- It is an application protocol for connecting to, querying, and modifying directory services, running over TCP/IP (Transmission Control Protocol/Internet Protocol).
- LDAP defines how clients and servers exchange information throughout a directory.
- AD supports LDAPv2 and LDAPv3.
- LDAP uses port 389 over TCP/UDP.
What is an RDN (Relative Distinguished Name), and how is it structured?
- An RDN (Relative Distinguished Name) is the name used to uniquely reference an object within its parent container in the directory.
- Example of an RDN:
  CN=TestUser1
  Where:
  - CN (CommonName) is one of the attribute types used in the RDN.
  - TestUser1 is the CN attribute's value and represents the object's name within its parent container.
- To see the RDN in the GUI (Graphical User Interface) console, open the “Active Directory Users and Computers” MMC (Microsoft Management Console) snap-in. Go to the user’s properties and click the "Account" tab. In the “User Logon Name” field, you will see the RDN.
![01.tif](https://static.wixstatic.com/media/c2967b_627d9d4057684cb794c47f1d2dcd69a2~mv2.png/v1/fill/w_426,h_501,al_c,lg_1,q_85,enc_avif,quality_auto/01_tif.png)
What is the purpose of the DN (Distinguished Name), and how does it relate to object hierarchy and uniqueness within a forest?
- Each AD object in the directory has a unique identifier in a Forest called the DN (Distinguished Name), similar to an FQDN (Fully Qualified Domain Name).
- The DN identifies the object and where it resides in the entire object hierarchy.
- Two objects with the same DN cannot exist in the forest.
- If an AD object is moved to another container, its DN changes to reflect its new position in the hierarchy.
- Example of a DN:
  CN=TestUser,CN=Users,DC=ITTEST,DC=com
  In this example, the DN indicates that the user object TestUser is in the Users container located in the ITTEST.com domain.
- DC stands for “DomainComponent”.
What is a CNAME (Canonical Name), and how is it structured?
- The CNAME (Canonical Name) identifies the name configured for an AD object.
- It presents the root of the path first and works downward toward the object name.
- Example of a CNAME:
  ITTEST.com/Users/TestUser
  Where:
  - ITTEST.com represents the root of the path.
  - Users is the container within which the object is located.
  - TestUser is the name of the object within the Users container.
- Note: see below how you can find the CNAME in the GUI console.
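The RDN, DN and CNAME relationships described above, as an added example that is not part of the original page: a small Python parser that splits a DN into its RDNs (honouring RFC 4514 backslash-escaped commas, which a naive split on "," gets wrong), derives the canonical name root-first as the CNAME section describes, and rebuilds the DN after a move. Function names are my own; the sample DNs are constructed from the page's ITTEST.com values.

```python
# Added example (not from the page). Function names are hypothetical; the sample
# DNs are constructed from the page's values (ITTEST.com, Users, TestUser).

def parse_dn(dn):
    """Split a DN into [(type, value), ...], leftmost RDN first.
    A backslash escapes the next character (RFC 4514), so a comma inside a
    value such as 'Smith\\, John' does not start a new RDN."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True            # next character is literal
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in DN {dn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def rdn(dn):
    """The RDN is the first (leftmost) component, e.g. CN=TestUser."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"

def canonical_name(dn):
    """Root first, then downward: DC components joined with dots form the
    domain, and the remaining containers are listed top-down, so
    CN=TestUser,CN=Users,DC=ITTEST,DC=com becomes ITTEST.com/Users/TestUser."""
    pairs = parse_dn(dn)
    domain = ".".join(v for t, v in pairs if t == "DC")
    if not domain:
        raise ValueError(f"DN has no DC components: {dn!r}")
    containers = [v for t, v in pairs if t != "DC"]
    return "/".join([domain] + containers[::-1])

def moved_dn(dn, new_parent_dn):
    """Moving an object keeps its RDN but replaces the parent path, which is
    why the page says the DN changes after a move."""
    return f"{rdn(dn)},{new_parent_dn}"
```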
What is a SID (Security Identifier)?
- A SID (Security Identifier) is a unique alphanumeric string that identifies users, groups, and computer accounts in a Windows domain or local system.
- It controls access to resources, enforces security policies, and manages permissions.
- A SID is unique within a domain.
- Example of a SID:
  S-1-5-21-3623811015-3361044348-30300820-1013
- Note: see below how you can find the SID in the GUI.
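Added example, not from the page: a Python parser for the textual SID form shown above that separates the domain identifier from the RID, so that someone reviewing logs can tell which domain an account belongs to and recognise well-known RIDs (500 is always the built-in Administrator account, whatever it has been renamed to). The well-known RID names are a subset of Microsoft's documented list; function names and the non-page SIDs are constructed.

```python
import re

# Added example, not from the page. A few documented well-known RIDs (Microsoft's
# list is longer); the page's own example SID is reused in the assumptions below.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   518: "Schema Admins", 519: "Enterprise Admins"}

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

def parse_sid(text):
    """Return (revision, identifier authority, sub-authorities) for a textual
    SID, rejecting anything that is not structurally a SID."""
    m = _SID_RE.match(text)
    if not m:
        raise ValueError(f"not a textual SID: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = tuple(int(s) for s in m.group(3).split("-")[1:])
    # Revision is always 1; at most 15 sub-authorities, each a 32-bit value.
    if revision != 1 or len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError(f"SID out of range: {text!r}")
    return revision, authority, subs

def is_domain_account(text):
    """Domain accounts use authority 5 (NT) with four sub-authorities before
    the RID, the first of which is 21: S-1-5-21-<a>-<b>-<c>-<RID>."""
    _, authority, subs = parse_sid(text)
    return authority == 5 and len(subs) == 5 and subs[0] == 21

def split_domain_rid(text):
    """Split a domain SID into (domain identifier, RID). All accounts of one
    domain share the identifier; the RID picks the account within it."""
    if not is_domain_account(text):
        raise ValueError(f"not a domain account SID: {text!r}")
    domain, _, rid = text.rpartition("-")
    return domain, int(rid)

def well_known_name(text):
    """Name of a well-known domain RID, or None for an ordinary account."""
    _, rid = split_domain_rid(text)
    return WELL_KNOWN_RIDS.get(rid)
```

Two SIDs with the same domain identifier but different RIDs belong to the same domain, which is why the page can say a SID is unique within a domain.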
What is a GUID (Globally Unique Identifier)?
- A GUID (Globally Unique Identifier) provides a globally unique identifier for objects, not just in the context of security but in various applications and systems.
- When new domain users, groups, or other AD objects are created, AD assigns a unique GUID to the new object.
- A GUID is globally unique, meaning that it is intended to be unique across different domains and forests.
- Example of a GUID:
  123e4567-e89b-12d3-a456-426614174000
To see the CNAME (Canonical Name), GUID, and SID in the GUI console, open the “Active Directory Administrative Center”. Go to the user’s properties and then click “More Information” at the bottom.
![02.tif](https://static.wixstatic.com/media/c2967b_4b0beea1205c4775abfe02cd646ba0ae~mv2.png/v1/fill/w_902,h_194,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/02_tif.png)
What is the “AD Recycle Bin”?
- The “AD Recycle Bin” is a feature that helps restore accidentally deleted AD objects without using a backup, rebooting DCs, or restarting any services.
- It was introduced in Windows Server 2008 R2.
![03.tif](https://static.wixstatic.com/media/c2967b_82a6ec6e922242af8f1e798180956350~mv2.png/v1/fill/w_609,h_218,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/03_tif.png)
What is “Metadata Cleanup”?
“Metadata Cleanup” removes the metadata associated with a failed or decommissioned DC from the AD database.
What are some of the default containers, and what are their specific purposes?
In AD, several default containers serve specific purposes:
- Builtin - This container holds the built-in "Security Groups" that were created automatically during AD installation, as well as automatically created user accounts. Examples: Administrators, Guest and Users.
![04.tif](https://static.wixstatic.com/media/c2967b_31442d39b0b04cd5a88bc9283d3c506d~mv2.png/v1/fill/w_901,h_248,al_c,lg_1,q_85,enc_avif,quality_auto/04_tif.png)
- Computers - This container is the default location where Computer objects are stored when they join the domain.
![05.tif](https://static.wixstatic.com/media/c2967b_f76b0c78d4d84a2d93e7f980229838dc~mv2.png/v1/fill/w_544,h_134,al_c,lg_1,q_85,enc_avif,quality_auto/05_tif.png)
- Domain Controllers - This container stores all the domain's DC objects.
![06.tif](https://static.wixstatic.com/media/c2967b_c1a930b5b2404291bdf3f23004e1d508~mv2.png/v1/fill/w_726,h_201,al_c,lg_1,q_85,enc_avif,quality_auto/06_tif.png)
- Users - This container is the default location for storing “User Groups” and User objects within the domain.
![07.tif](https://static.wixstatic.com/media/c2967b_187395c007a4493887025967cb64d632~mv2.png/v1/fill/w_905,h_244,al_c,lg_1,q_85,enc_avif,quality_auto/07_tif.png)
- LostAndFound - This container stores orphaned objects, or objects that have lost their original location in the directory structure. In the multi-master replication model, replication conflicts can happen, and objects with replication conflicts are stored in the LostAndFound container. You need to enable “Advanced Features” in the console to see it.
![08.tif](https://static.wixstatic.com/media/c2967b_ad55c504098f4ffdaedabc2b770fe1ef~mv2.png/v1/fill/w_307,h_257,al_c,lg_1,q_85,enc_avif,quality_auto/08_tif.png)
- System - This container stores objects related to system services and processes within AD. It includes objects such as the “Default Domain Controllers Policy” and “Default Domain Policy,” which define the domain's security settings and group policies. You need to enable “Advanced Features” in the console to see it.
![09.tif](https://static.wixstatic.com/media/c2967b_4568f1cedaaf4508b60331e9f0d8fd75~mv2.png/v1/fill/w_844,h_286,al_c,lg_1,q_85,enc_avif,quality_auto/09_tif.png)
What is a Tombstone in AD?
- A Tombstone is the state of an object after it has been deleted in AD.
- When objects are deleted, they are kept in a hidden state within the AD database for a specific period.
What is the purpose of the “Tombstone Lifetime,” and what is the default duration?
- The “Tombstone Lifetime” setting configures how long a deleted object is retained in AD.
- By default, AD uses a “Tombstone Lifetime” of 180 days.
What is the purpose of the “ADSI Edit” (Active Directory Service Interfaces Editor) MMC (Microsoft Management Console) snap-in in AD, and what tasks can it perform?
“ADSI Edit” (Active Directory Service Interfaces Editor) MMC (Microsoft Management Console) snap-in allows you to add, edit, and delete objects and their properties.
![1.tif](https://static.wixstatic.com/media/c2967b_e859945261a84aa0b368ca6ae486d857~mv2.png/v1/fill/w_373,h_467,al_c,lg_1,q_85,enc_avif,quality_auto/1_tif.png)
What is the “AD Schema,” and what are the main types of objects it contains?
- The “AD Schema” is a collection of definitions and attributes defining the objects that can be stored in AD.
- The “AD Schema” consists of two types of objects:
  - Classes
  - Attributes
What are classes in the “AD Schema,” and how do they define objects in AD?
- The “AD Schema” consists of classes defining the various objects that can be created in AD.
- An “AD Schema” class determines an object's properties, attributes, and behaviors. For example, when a new Computer account is created in AD, its definition is derived from the computer class.
What are “AD Schema Attributes,” and how do they differ based on object types?
- “AD Schema Attributes” store the data that defines the information within an object. For example, a User object has attributes like first name, last name, and password.
- They vary depending on the object type. For instance, a user object has a first name attribute but not a printer model attribute.
- Certain “AD Schema Attributes” are mandatory, whereas others are optional. For example, a new user object requires an account attribute, while the user's telephone number is optional.
What types of entities can “AD Objects” represent?
“AD Objects” can represent various entities such as Users, Groups, Computers, OUs, Domains, Sites, and more.
What are Stale objects?
Stale objects are objects that have not been used or accessed for a long time.
What is a “Lingering Object,” and under what circumstances does it reappear on a restored DC?
- A “Lingering Object” is a deleted AD object that reappears on a restored DC in its local AD copy. This can occur if you use a backup created more than 180 days ago to restore an object that was deleted later.
- Because the tombstone object on the other DCs has already been removed, the restored DC never receives the tombstone object (via replication), so it is never notified of the deletion.
What is the “Extending AD Schema”?
“Extending AD Schema” refers to the process of adding or modifying object classes and attributes within AD to support new features or applications.
Experience-Based/Practical Questions & Answers
How do you make the “Active Directory Schema” MMC snap-in visible?
- To make the "Active Directory Schema" MMC snap-in visible, you must register the file schmmgmt.dll. Run the following command in the “Run” box:
  regsvr32 schmmgmt.dll
- Open MMC and add the "Active Directory Schema" snap-in.
![2.tif](https://static.wixstatic.com/media/c2967b_7e88465b75754fa899eebfb95c3192e4~mv2.png/v1/fill/w_781,h_484,al_c,q_90,enc_avif,quality_auto/2_tif.png)
Can SID be changed?
SID cannot be changed.
Can GUID be changed?
GUID cannot be changed.
How can you remove “Lingering Objects”?
Use the repadmin command to remove “Lingering Objects.”
Is it possible to change the "Tombstone Lifetime" period, and if so, how can it be done?
It is possible. Use the “ADSI Edit” MMC snap-in.
![3.tif](https://static.wixstatic.com/media/c2967b_e677f671ca5a49caabf69df38a10af22~mv2.png/v1/fill/w_732,h_563,al_c,q_90,enc_avif,quality_auto/3_tif.png)
How is the “AD Schema” extended?
You can extend the “AD Schema” by using the “Active Directory Schema” MMC.
The organization wants to add a new attribute to the User object. Of which AD group(s) must an IT (Information Technology) person be a member to perform the requested task?
Since this task involves modifying the AD schema, the user must be a member of the "Schema Administrators" or "Enterprise Administrators" group.
What are the key recommendations for managing AD effectively?
- Keep AD as simple as possible. This helps improve efficiency and makes troubleshooting easier whenever problems arise.
- Use the appropriate Site topology.