
 

Windows 2000 Directory Services Administration
Chapter 4  Troubleshooting Active Directory

 

I.                    Components of AD

A.     Architecture: AD is built in a layered architecture, which enables it to provide directory services to both clients and applications in a seamless manner. The service layers are accessed through application program interfaces (APIs), which allow custom-built client interfaces to access and manipulate the AD data.

1.      Three basic layers to AD

a.      DSA (directory system agent)

i.                    Provides the APIs necessary for Directory Access calls. Allows protocols such as LDAP access to the Directory Data.

b.      Database layer

i.                    Provides interface between databases and the requesting client application. Serves mainly to protect the database from direct access and possible corruption from erroneous client applications.

c.      ESE (extensible storage engine)

i.                    Only layer that directly accesses and manipulates data within the directory store. Uses transaction-based logging to ensure reliability of every transaction and sits below the database layer described above.

2.      Four basic protocols and APIs that can be used to access the AD

a.      LDAP/ADSI (LDIF to a lesser extent)

i.                    Primary client access protocol used to gain access to the data within the AD database. Used primarily by Windows 2000 clients, but also by all 9x clients configured to use the Active Directory client. Can be programmed via ADSI and scripted via LDIF.

b.      Messaging API (MAPI)

i.                    Used primarily by MS Outlook programs to send and receive e-mail via Exchange servers. Built around the RPC protocol and can be used to gain basic access to the directory using the address-book-provided interface.

c.      Security Accounts Manager (SAM)

i.                    Used to authenticate users during logon, as well as for replication between Windows 2000 domain controllers and legacy NT servers. Replaced by LDAP and AD within Windows 2000, but still supported to ensure backward compatibility.

d.      Replication (REPL)

i.                    An RPC-based process that allows for the replication of DSA data between domain controllers. 

B.     Components

1.      Domains

a.      Core component of all NT and 2000 organizations

b.      Used as base authentication and replication unit within the organization

c.      All other structural components of AD are simply collections of one or more domains with transitive trust relationships between them.

d.      Smallest self-sufficient unit within AD

2.      Organizational units

a.      X.500-based container objects. Can be used to provide structure and administrative ease to objects within AD domains. Can contain objects, as well as other OUs.

b.      All OUs exist within a specific domain.

3.      Trees

a.      Groups of domains that share a common namespace and are arranged in a hierarchical structure based on that namespace

b.      Cannot exist independent of domains or forests. Used mostly as an organizational structure provider to multiple domains within the same forest.

c.      Domains within a tree have transitive trust relationships with the domain directly above as well as all domains directly below.

d.      Not all organizations will have trees, as they normally only exist in very large organizations that contain multiple companies.

4.      Forests

a.      Highest object within an organization

b.      Automatically created when first AD server and domain are created

c.      A forest can contain multiple domains and trees, but an organization can in practice contain only one forest.

d.      Required of all AD installations, but the trees and domains within a forest need not share a common namespace

e.      All trees and domains within a forest contain common elements

i.                    Schema

ii.                  Global Catalog 

II.                  Backing up Active Directory components

A.     Prerequisites

1.      All open files have to be closed.

2.      Backup unit should be on the Windows 2000 HCL.

a.      Backup device properly configured and powered on

b.      Proper backup media inserted into the drive

3.      The Task Scheduler service has to be running in order for scheduled jobs to be performed.

4.      Backup software

a.      Backup Wizard

b.      NTBACKUP

c.      Third-party backup software

i.                    Veritas Backup Exec

ii.                  Cheyenne Arc-Serve

B.     Backup Wizard

1.      GUI-based backup utility which allows easy configuration of backup and restore jobs

2.      New to Windows 2000

3.      Allows for automatic backup of the system state data, which will automatically back up the:

i.                    SYSVOL directory

ii.                  Windows 2000 registry

iii.                System boot files

iv.                 Certificate services database

v.                   Com+ class registration database

C.    NTBACKUP

1.      Command-line utility, not configurable via GUI in any way

2.      Native to legacy NT servers, and was its only built-in backup utility available

3.      Cannot be used to restore data, only for backup purpose

4.      Has extensive and powerful scripting support that can be configured in nearly any base situation

5.      Table 4-1 on pages 192–193 shows the basic scripting options available with NTBACKUP.
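An added example, not from the course text, of scripting the System State backup that sections II.B and II.C describe, using NTBACKUP from a batch file so it can be run by the Task Scheduler. The D:\Backups folder and the job name are assumptions; the switches are the documented NTBACKUP command-line options.

```batch
@echo off
rem Added example (not from the course text): nightly System State backup
rem of a Windows 2000 domain controller with NTBACKUP.
rem Assumption: D:\Backups exists or can be created on this server.
setlocal

set BACKUPDIR=D:\Backups
set JOBNAME=DC System State
set BKF=%BACKUPDIR%\systemstate.bkf

if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"

rem Keep the previous set so a failed run never leaves you with nothing.
if exist "%BKF%" move /y "%BKF%" "%BACKUPDIR%\systemstate.prev.bkf" >nul

rem "systemstate" covers the AD database, SYSVOL, registry, boot files,
rem Certificate Services database and COM+ class registration database.
rem /J   job name shown in the backup report
rem /F   write the backup to a file instead of a tape
rem /M   normal = full backup (System State is always backed up in full)
rem /V   verify the data after it is written
rem /L:f write a full log to the NTBACKUP log folder
ntbackup backup systemstate /J "%JOBNAME%" /F "%BKF%" /M normal /V:yes /L:f /D "System State %DATE%"

rem NTBACKUP does not reliably signal failure through ERRORLEVEL, so treat
rem a missing backup file as the failure condition and record it.
if not exist "%BKF%" (
    echo %DATE% %TIME% System State backup FAILED >> "%BACKUPDIR%\backup.log"
    exit /b 1
)
echo %DATE% %TIME% System State backup OK: %BKF% >> "%BACKUPDIR%\backup.log"
endlocal
```

To run it nightly through the Task Scheduler service mentioned in II.A.3, schedule it with the AT command, for example `at 02:00 /every:M,T,W,Th,F "D:\Scripts\backup-dc.cmd"`. Store the .bkf on media that is not on the domain controller itself, since a backup on the failed disk is no backup at all.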

III.                Restoring Active Directory

A.     Prerequisites

1.      System administrator or backup operator privileges on local system and domain

2.      Verify access to all shares, files, and directory of the data to be restored

3.      Verify proper media is in place

4.      Verify the Remote Storage manager is running if the restore is going to be performed from a media pool device

B.     Non-authoritative restore

1.      Used when restoring a failed server

2.      Restores AD information to the server exactly as it was during the backup, and marks the data in the AD (via update sequence number) as old. This allows the AD server to get the necessary updates from the other domain controllers within the domain and be current with all changes since the last backup.

C.    Authoritative restore

1.      Used when restoring Active Directory itself

2.      Restores the AD information to the server and marks the data within the server AD databases as most current. This causes all other servers within the domain to replicate this server’s AD information over their own.

3.      Should be used very sparingly

4.      Can’t repair failed schema updates, so caution is still needed whenever updating the schema itself.

D.    Performing a restore

1.      Reboot server into AD restore mode by pressing F8 during the boot process

2.      Must log on with the AD restore mode administrator account and the restore mode password assigned during the AD installation process, not the domain’s default administrator account

3.      Restore process detailed on pages 196–203 of the text 

IV.               Recovering from a system failure

A.     Possible causes

1.      Hard drive failure

2.      Power failure

3.      Systems software failure

4.      Negligent use of deletion or modification commands

5.      Damaging viruses

6.      Sabotage

7.      Natural disaster

B.     NTDSUTIL

1.      Used for all database maintenance of the Active Directory data store

2.      Manually launched from the Run line

3.      Direct management and control of the FSMO operations

4.      Removes orphaned domain controller references
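An added example, not from the course text, of the two NTDSUTIL tasks these notes describe: the authoritative restore of section III.C and the removal of an orphaned domain controller reference from IV.B. The domain name, OU and server names are placeholders; the authoritative restore is run while the server is still in AD restore mode, after the non-authoritative restore from backup and before the normal reboot.

```batch
@echo off
rem Added example (not from the course text). All names below are
rem placeholders for your own domain; run with Domain Admin rights.

rem 1) Authoritative restore of a single OU. Run in AD restore mode after
rem    the non-authoritative restore, BEFORE rebooting normally, so the
rem    restored objects receive a higher version number and win
rem    replication instead of being overwritten by the other DCs.
rem    Restore only the subtree you need; "restore database" would make
rem    the whole directory authoritative and roll back every other change.
ntdsutil "authoritative restore" "restore subtree OU=Sales,DC=example,DC=com" quit quit

rem 2) Metadata cleanup of a DC that failed and will never return (the
rem    "orphaned domain controller reference" in the notes). Do this only
rem    for a DC that is truly gone; if it is rebuilt with DCPROMO, the
rem    cleanup is not needed.
rem    Stage one lists the numbered domains, sites and servers. Read the
rem    output and put the number of the dead DC into stage two.
ntdsutil "metadata cleanup" connections "connect to server dc1.example.com" quit "select operation target" "list domains" "select domain 0" "list sites" "select site 0" "list servers in site" quit quit quit

rem    Stage two: replace "select server 1" with the number printed above
rem    for the failed DC. "remove selected server" asks for confirmation.
ntdsutil "metadata cleanup" connections "connect to server dc1.example.com" quit "select operation target" "list domains" "select domain 0" "list sites" "select site 0" "list servers in site" "select server 1" quit "remove selected server" quit quit
```

After the metadata cleanup, also delete the dead DC’s server object in Active Directory Sites and Services and its DNS records, or the remaining DCs will keep trying to replicate with it.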

C.    Restoring from backup media

1.      Perform the basic steps highlighted in the “Performing a Restore” section

2.      Normally requires a non-authoritative restore process

D.    Restoring via a replica

1.      With proper AD replication in place, a system restore may not be necessary. Instead, the other AD servers can be used to rebuild the failed server.

2.      Repair the cause of the failure and reinstall Windows 2000

3.      Rerun DCPROMO to promote the server to the status of domain controller, in which case it will automatically receive an up-to-date replica of the AD database.
