I. What is Active Directory?
Active Directory (AD) is a transactional database built on the Extensible Storage Engine (ESE97) with write-ahead logging: every change is written to a transaction log first and only then applied to the database. On disk it consists of ntds.dit (the database itself), a set of transaction log files, a checkpoint file that records how far the logged transactions have been written into the database, and a temporary database file used during maintenance.

"Directory service" is a compound term: it covers both the directory data store and the services that let users and programs look up and use the information in it. For an enterprise, the directory provides a central repository for the important data on the corporate network: user accounts, computers, printers, applications, security principals and policy. Putting these resources in one shared store makes the enterprise more efficient and noticeably reduces the total cost of ownership (TCO) of the network.

The Windows 2000 directory service works in multi-master mode: directory data can be modified on any domain controller (DC) and is replicated to all the others. The practical conclusion is that AD is a database and every DC is a database server holding a complete copy of it, including every account's password hash, so DCs must be protected at least as carefully as any critical database server.
II. Some key concepts of Active Directory
1. Domain: an administrative and replication boundary. Windows 2000 documentation calls it a security boundary, but every domain in a forest trusts the others, so the forest is the real security boundary.
2. Tree: a set of domains that share a contiguous DNS namespace.
3. Forest: one or more trees that share a common schema, configuration and global catalog.
4. DNS: the gateway to AD. Clients and applications locate domain controllers through the service (SRV) records that DCs register in DNS; without those records nobody can find the directory.
5. GC (global catalog): a partial replica of every object in the forest, holding the attributes that are queried most often. In native mode the GC takes part in logon processing because it supplies universal group membership; if no GC is reachable, ordinary users cannot log on and only members of the Domain Admins group can. In mixed mode the GC is not consulted at logon, but it still serves forest-wide directory queries and searches.
6. Operations masters: multi-master replication is the core feature of AD, but some changes would conflict if several DCs made them at once. AD therefore assigns single-master roles to particular DCs (schema master and domain naming master once per forest; RID master, PDC emulator and infrastructure master once per domain), and the DC holding a role is the only one that handles changes in that area.
III. AD maintenance and backup
1. AD maintenance: monitor the running state of AD and its components with Performance Monitor and the Directory Service event log, so that failures are noticed and fixed promptly.
2. AD backup: AD is backed up as part of the system state. The Backup utility under System Tools can do this, as can third-party software. Note the following constraints when backing up AD:
* A backup is only useful for data that is still current. Deletion in AD is not immediate: a deleted object becomes a tombstone and is only purged after the tombstone lifetime, 60 days by default. Never restore a backup older than the tombstone lifetime, because deletions made after the backup have already been garbage-collected everywhere and the restored DC would reintroduce the deleted objects, leaving AD inconsistent.
* The backup type cannot be chosen: the system state is always backed up in full (no incremental or differential backup).
* Make sure the backup includes the system state, the files on the system disk and the contents of the SYSVOL directory.
* A server can only be restored from its own backup; the backup of another server cannot be used.
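To show why the tombstone-lifetime rule matters, here is an added Python model (example code, not from the article or from Microsoft) of two DCs with deletion tombstones, garbage collection, replication and a restore from an old backup. DC names, DNs and dates are constructed; the model keeps one version number per object and ignores USNs and up-to-dateness vectors. It also illustrates the later note about expired backups: raising the tombstone lifetime only helps if it is done before the tombstones are purged.

```python
"""Model of AD deletion tombstones, garbage collection, replication and restore.
Added example, not code from the article or from Microsoft. Each object carries
one version number; real AD uses per-attribute metadata, USNs and
up-to-dateness vectors, which are omitted. DC names, DNs and dates are made up.
"""
from __future__ import annotations
import copy
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

TOMBSTONE_LIFETIME = timedelta(days=60)   # Windows 2000 default tombstoneLifetime


@dataclass
class ADObject:
    dn: str
    version: int = 1                        # bumped on every change; replication keeps the higher
    deleted_at: Optional[datetime] = None   # set => this record is a tombstone, not a live object


@dataclass
class DomainController:
    name: str
    db: dict = field(default_factory=dict)  # dn -> ADObject

    def add(self, dn: str) -> None:
        self.db[dn] = ADObject(dn)

    def delete(self, dn: str, when: datetime) -> None:
        """Deletion is not immediate: the object becomes a tombstone that replicates."""
        obj = self.db[dn]
        obj.deleted_at = when
        obj.version += 1

    def garbage_collect(self, now: datetime, lifetime: timedelta) -> None:
        """Purge tombstones older than the tombstone lifetime (the 12-hourly garbage collection)."""
        expired = [dn for dn, o in self.db.items()
                   if o.deleted_at is not None and now - o.deleted_at >= lifetime]
        for dn in expired:
            del self.db[dn]

    def snapshot(self) -> dict:
        """System-state backup: always a full copy of the database, never incremental."""
        return copy.deepcopy(self.db)

    def restore(self, backup: dict) -> None:
        """Non-authoritative restore: the database is replaced by the backup as-is."""
        self.db = copy.deepcopy(backup)


def replicate(src: DomainController, dst: DomainController) -> None:
    """One-way replication: dst takes every object it lacks or holds at a lower version.
    A tombstone replicates like any other change, but an object that src no longer
    knows about at all (a purged tombstone) can never be deleted on dst this way."""
    for dn, obj in src.db.items():
        mine = dst.db.get(dn)
        if mine is None or obj.version > mine.version:
            dst.db[dn] = copy.deepcopy(obj)


def is_live(dc: DomainController, dn: str) -> bool:
    obj = dc.db.get(dn)
    return obj is not None and obj.deleted_at is None


def backup_usable_after(days: int, lifetime: timedelta = TOMBSTONE_LIFETIME) -> bool:
    """The check Windows applies: a backup as old as the tombstone lifetime is refused."""
    return timedelta(days=days) < lifetime


def restore_scenario(days_after_backup: int,
                     lifetime: timedelta = TOMBSTONE_LIFETIME) -> str:
    """Back up DC2, delete a user on DC1 the next day, wait, restore DC2 from the backup
    and let replication settle. Returns 'deleted' (the tombstone wins again) or
    'lingering' (the deleted user is resurrected on every DC)."""
    t0 = datetime(2000, 1, 1)
    dn = "cn=alice,ou=eng,dc=mycompany,dc=com"        # constructed sample object
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.add(dn)
    replicate(dc1, dc2)
    backup = dc2.snapshot()                      # system-state backup of DC2 at t0
    dc1.delete(dn, t0 + timedelta(days=1))       # alice removed on DC1 one day later
    replicate(dc1, dc2)                          # the tombstone reaches DC2
    now = t0 + timedelta(days=days_after_backup)
    for dc in (dc1, dc2):                        # garbage collection has run on both DCs
        dc.garbage_collect(now, lifetime)
    dc2.restore(backup)                          # alice is live again in DC2's database
    replicate(dc1, dc2)                          # normal two-way replication after reboot
    replicate(dc2, dc1)
    return "lingering" if is_live(dc1, dn) or is_live(dc2, dn) else "deleted"


if __name__ == "__main__":
    for days in (10, 70):
        print(f"restore {days} days after backup:",
              "usable" if backup_usable_after(days) else "refused",
              restore_scenario(days))
    # Raising tombstoneLifetime (the KB216993 approach) only helps if done before the
    # tombstones expire; a 90-day lifetime keeps the tombstone alive at day 70.
    print("day 70 with a 90-day lifetime:", restore_scenario(70, timedelta(days=90)))
```

At 10 days the restored DC receives the tombstone back from its partner and alice stays deleted; at 70 days both DCs have already purged the tombstone, so nothing can out-replicate the resurrected object and it becomes a lingering object on every DC. That is the failure the 60-day rule prevents.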
3. AD defragmentation: by default AD runs online defragmentation automatically every 12 hours, as part of garbage collection. Online defragmentation never shrinks the database file; to reclaim disk space you must run an offline defragmentation as follows:
When the DC starts, press F8 for the boot menu, select "Directory Services Restore Mode", log on, and enter the following commands at the command prompt:
ntdsutil
files
info
Note the database file path shown in the output!
compact to c:\mydir
This creates a compacted copy of the database file in the specified directory.
Enter quit twice to leave the tool.
Next, keep a copy of the original ntds.dit, replace it with the compacted file, delete the old log files from the log directory, and restart the computer. It is worth running the integrity command in the same files menu against the compacted file before putting it into service.
IV. AD schema
The AD schema is the set of definitions that give the directory its structure. It describes objects through metadata such as attribute names, types, lengths and relationships, much like field definitions in a relational database. Related concepts:
1. Naming contexts: there are three. The domain naming context holds the data of the current AD domain; the configuration naming context holds forest-wide configuration such as sites and the replication topology; the schema naming context holds the definitions of all AD object classes and attributes.
2. Classes: describe AD objects and the attributes they must or may have.
Schema management: schema changes are controlled by the schema master role. The Active Directory Schema snap-in is not visible by default; you must register schmmgmt.dll before it appears in the MMC. To register it, run: regsvr32 %systemroot%\system32\schmmgmt.dll. Schema classes and attributes cannot be deleted once created, so every schema extension is permanent.
V. AD repair and recovery
1. AD repair: maintenance and repair are done with the command-line tool NTDSUTIL. The repair command lives in the files menu:
ntdsutil
files
repair
Repair rewrites the database at the page level and can discard data, so treat it as a last resort for when no usable backup exists: try recover (which replays the transaction logs) and integrity first, and prefer restoring from backup.
2. AD recovery
Recovery modes: AD has two restore modes, authoritative and non-authoritative. The difference:
1) Authoritative restore: use it when the other domain controllers hold replicated data that is wrong, for example an OU deleted by mistake whose deletion has already replicated everywhere. You restore the whole database or a single branch and mark the local restore as authoritative, so that the local data prevails when replication next runs. The authoritative restore raises the version numbers of the restored objects above those on the other DCs, and the restored data therefore replicates out to them.
2) Non-authoritative restore: most restores are non-authoritative. Use it when one DC's data is bad and you are sure the other DCs are good. After the restore the DC compares its update sequence numbers with its partners and rejoins normal replication; data restored non-authoritatively is overwritten by whatever is newer on the other DCs.
Note: the restore will fail unless the following requirements are met:
* the server name is the same as at backup time;
* the system folder (%systemroot%) is the same as at backup time;
* the database and log file paths are the same as at backup time.
3. Restore procedure
1) Non-authoritative restore: start the DC in Directory Services Restore Mode and restore the system state from backup.
2) Authoritative restore: after the non-authoritative restore, and before restarting, continue with:
ntdsutil
authoritative restore
restore database
This marks the entire database as authoritative. To mark only one branch, use instead:
restore subtree ou=eng,dc=mycompany,dc=com
Answer YES when prompted to confirm.
Enter quit to exit.
Note: when the restore finishes, the backup program asks whether to restart the server. For an authoritative restore you must answer NO: once the server restarts it replicates normally and the restore is only non-authoritative. Also note that a system-state restore brings back the SYSVOL directory as well; if the restored SYSVOL contents must also win over the other DCs, mark the restored data as primary in the backup tool's advanced restore options. Finally, computer accounts change their passwords periodically (every 7 days on Windows NT 4.0, every 30 days on Windows 2000), and the restore also brings back the old computer and trust passwords, so secure channels and trust relationships may break and need to be reset (for example with netdom).
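The version-number mechanism and the procedure above, as an added Python model (example code, not from the article or from Microsoft): two DCs hold per-attribute replication metadata, a wrong change replicates everywhere, and DC2 is restored from an older backup either non-authoritatively or authoritatively, for the whole database or only the ou=eng subtree (restore database versus restore subtree). DNs, attribute values, dates and DC names are constructed; the increment of 100,000 per day since the backup is ntdsutil's default, while the timestamp tie-break and the "at least one day" rounding are simplifications of the real conflict resolution.

```python
"""Replication-metadata model of non-authoritative vs authoritative restore.
Added example, not code from the article or from Microsoft. Each attribute of
each object carries (version, timestamp); on replication the higher version
wins and the later timestamp breaks ties (the real algorithm also compares the
originating DSA, omitted here). DNs, values and dates are constructed.
"""
from __future__ import annotations
import copy
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

VERINC_PER_DAY = 100_000   # ntdsutil 'authoritative restore' default version increment


@dataclass
class AttrMeta:
    value: str
    version: int
    stamp: datetime

    def beats(self, other: "AttrMeta") -> bool:
        return (self.version, self.stamp) > (other.version, other.stamp)


@dataclass
class Replica:
    """One DC's copy of the domain naming context: dn -> attribute -> metadata."""
    name: str
    objects: dict = field(default_factory=dict)

    def write(self, dn: str, attr: str, value: str, when: datetime) -> None:
        obj = self.objects.setdefault(dn, {})
        cur = obj.get(attr)
        obj[attr] = AttrMeta(value, cur.version + 1 if cur else 1, when)

    def read(self, dn: str, attr: str) -> str:
        return self.objects[dn][attr].value


def replicate(src: Replica, dst: Replica) -> None:
    """One-way replication: dst accepts every attribute it lacks or holds at a lower version."""
    for dn, attrs in src.objects.items():
        mine = dst.objects.setdefault(dn, {})
        for attr, meta in attrs.items():
            if attr not in mine or meta.beats(mine[attr]):
                mine[attr] = copy.deepcopy(meta)


def in_subtree(dn: str, subtree: str) -> bool:
    return dn == subtree or dn.endswith("," + subtree)


def non_authoritative_restore(dc: Replica, backup: dict) -> None:
    """Plain system-state restore: metadata untouched, so anything changed elsewhere
    since the backup replicates back in and wins."""
    dc.objects = copy.deepcopy(backup)


def authoritative_restore(dc: Replica, backup: dict, backup_time: datetime,
                          restore_time: datetime, subtree: Optional[str] = None,
                          verinc: Optional[int] = None) -> None:
    """Restore, then raise the versions of the selected objects ('restore database' when
    subtree is None, 'restore subtree <dn>' otherwise) so they win the next replication."""
    dc.objects = copy.deepcopy(backup)
    days = max(1, (restore_time - backup_time).days)   # assumption: at least one day's increment
    inc = verinc if verinc is not None else VERINC_PER_DAY * days
    for dn, attrs in dc.objects.items():
        if subtree is None or in_subtree(dn, subtree):
            for meta in attrs.values():
                meta.version += inc
                meta.stamp = restore_time


def restore_outcome(mode: str, subtree: Optional[str] = None) -> dict:
    """Back up DC2, make wrong changes on DC1 that replicate, restore DC2 in the given
    mode, replicate both ways, and report what each DC ends up holding."""
    t0 = datetime(2000, 3, 1)
    eng = "cn=alice,ou=eng,dc=mycompany,dc=com"
    ops = "cn=backupsvc,ou=ops,dc=mycompany,dc=com"
    dc1, dc2 = Replica("DC1"), Replica("DC2")
    dc1.write(eng, "description", "engineer", t0 - timedelta(days=30))
    dc1.write(ops, "description", "backup service", t0 - timedelta(days=30))
    replicate(dc1, dc2)
    backup = copy.deepcopy(dc2.objects)          # system-state backup of DC2 at t0
    # Five days later an administrator changes both objects on DC1 by mistake.
    dc1.write(eng, "description", "WRONG", t0 + timedelta(days=5))
    dc1.write(ops, "description", "WRONG", t0 + timedelta(days=5))
    replicate(dc1, dc2)                          # the mistake is now on every DC
    restore_time = t0 + timedelta(days=6)
    if mode == "non-authoritative":
        non_authoritative_restore(dc2, backup)
    elif mode == "authoritative":
        authoritative_restore(dc2, backup, t0, restore_time, subtree)
    else:
        raise ValueError(mode)
    replicate(dc1, dc2)                          # replication after the DC reboots
    replicate(dc2, dc1)
    return {"DC1 eng": dc1.read(eng, "description"), "DC2 eng": dc2.read(eng, "description"),
            "DC1 ops": dc1.read(ops, "description"), "DC2 ops": dc2.read(ops, "description")}


if __name__ == "__main__":
    print("non-authoritative:", restore_outcome("non-authoritative"))
    print("authoritative database:", restore_outcome("authoritative"))
    print("authoritative subtree:", restore_outcome("authoritative", "ou=eng,dc=mycompany,dc=com"))
```

The non-authoritative restore is undone by replication (the wrong value ends up on both DCs), the authoritative restore of the whole database wins everywhere, and the subtree restore wins only for objects under ou=eng. Rebooting before running ntdsutil corresponds to the non-authoritative case: replication has already decided by the time the version bump could have been applied.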
4. Disaster recovery of AD
1) Reinstall and re-promote
The simplest way to rebuild a failed DC is to reinstall the operating system and promote the server again with DCPROMO. That creates a new DC, but there is a catch: if the original DC's data is corrupt, DCPROMO cannot demote it cleanly, so its server and NTDS Settings objects remain in AD and replication to the dead DC keeps failing. Worse, the old DC's computer object cannot be deleted in Active Directory Users and Computers; you must first remove the server object in Active Directory Sites and Services. If the new DC must have the same name as the original one, you must first delete the old DC's metadata from AD with NTDSUTIL before creating the new DC. The steps are:
ntdsutil
metadata cleanup
connections
connect to server <good dc>
quit
select operation target
list site
select site <number>
list domains
select domain <number>
list servers in site
select server <bad dc>
remove selected server
These commands remove the failed DC's metadata. Afterwards, delete the old server object in Active Directory Sites and Services, its computer object, and its DNS records. For further details consult the NTDSUTIL help: type ? at any prompt.
Note: before removing the original DC, confirm that it held no operations master roles. If it did, connect to the DC that should take them over (connections, connect to server <good dc>) and seize the roles with NTDSUTIL as follows:
ntdsutil
roles
Seize domain naming master - Overwrite the domain naming master role on the connected server
Seize infrastructure master - Overwrite the infrastructure master role on the connected server
Seize PDC - Overwrite the PDC emulator role on the connected server
Seize RID master - Overwrite the RID master role on the connected server
Seize schema master - Overwrite the schema master role on the connected server
Seize a role only when the old holder is permanently gone; while it is still online use the corresponding Transfer command instead. A DC whose roles have been seized must never be reconnected to the network without reinstalling the operating system, otherwise two DCs would claim the same role!
2) Restore AD from backup
Restoring AD from a backup is the preferred route whenever a backup exists. Pay attention to the restore mode: if you are undoing data that was changed or deleted by mistake, remember to use an authoritative restore.
Note:
* Expired backups: as mentioned earlier, a backup older than 60 days cannot be restored. If you must restore such a backup, raise the tombstone lifetime as described in KB216993. The value is the tombstoneLifetime attribute of the object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=COMPANY,DC=COM, and it must be edited directly in AD with a tool such as ADSI Edit or LDP. Be careful: this reintroduces any object deleted since the backup was taken.
* Restore to different hardware: restoring an AD backup to different hardware is not recommended unless the new machine is essentially identical to the original and uses the same hardware abstraction layer (HAL).
* Remote recovery: add the /safeboot:dsrepair switch to the boot entry in BOOT.INI to boot a remote machine into Directory Services Restore Mode without console access to the F8 menu.
VI. Conclusion
This article briefly described the overall concepts and basic theory of Active Directory and focused on backup and recovery techniques and operations for AD, as well as methods for disaster recovery.
Appendix: NTDSUTIL help
ntdsutil: ?
 ?                           - Print this help information
 Authoritative restore       - Authoritatively restore the DIT database
 Domain management           - Prepare for new domain creation
 Files                       - Manage NTDS database files
 Help                        - Print this help information
 IPDeny List                 - Manage LDAP IP Deny List
 LDAP policies               - Manage LDAP protocol policies
 Metadata cleanup            - Clean up objects of decommissioned servers
 Popups %s                   - (en/dis)able popups with "on" or "off"
 Quit                        - Quit the utility
 Roles                       - Manage NTDS role owner tokens
 Security account management - Manage Security Account Database - Duplicate SID Cleanup
 Semantic database analysis  - Semantic Checker