Active Directory 2008 : Proactive Directory Maintenance and Data Store Protection (part 5) - Protecting DCs as Virtual Machines

9/15/2011 5:02:55 PM

6. Protecting DCs as Virtual Machines

When a server is created as a VM instead of being installed on a physical computer, it becomes nothing more than a set of files on a disk because the disk drives for the computer are hosted in virtual hard drives. DCs running both AD DS and DNS are ideal candidates for virtualization on Hyper-V because they focus on providing a single, network-oriented service. When a machine is virtual, it becomes much easier to protect it, restore it, and otherwise manipulate it. Note, however, that even if the DC is a virtual machine, it should be protected with traditional approaches just as if it were a physical DC. This means backing up the System State on a regular basis. If the machine fails, restore it like you would any other DC.


Note: MORE INFO PROTECTING DCS AS VIRTUAL MACHINES

For more information on how to protect a DC in a virtual machine, go to http://technet.microsoft.com/en-us/library/dd363545%28WS.10%29.aspx.


6.1. Practice Working with the AD DS Database

In this practice, you work with a variety of utilities to protect and manage the AD DS database. First you generate a backup of directory data, and then you use this backup to create a new DC, using offline data to speed the process and reduce replication over the network. You work with the AD DS database to perform a manual defragmentation and compaction and then automate the process. Finally, you rely on the Group Policy Management Console (GPMC) to protect Group Policy objects.

EXERCISE 1 Use Ntdsutil.exe to Capture System State Data

In this exercise, you use the Ntdsutil.exe command to capture the data required to perform an installation from media for a DC.

  1. Log on to SERVER10 with the domain administrator account.

  2. Verify that this server includes a formatted D drive, and create a folder named IFM on this drive.

  3. Launch an elevated command prompt by right-clicking Command Prompt on the Start menu and clicking Run As Administrator.

  4. Type the following commands:

    ntdsutil
    activate instance NTDS
    ifm
    create sysvol full d:\ifm

    The system displays a Creating Snapshot message while the operation is in progress and then lists a series of other information as it completes the operation. Note that the system defragments the newly captured snapshot.



  5. Type:

    quit
    quit

  6. Use Windows Explorer to view the results of the snapshot you created with Ntdsutil.exe.

  7. Share the IFM folder by right-clicking the folder, pointing to Share With, and clicking Specific People.

  8. In the drop-down list, choose Everyone; click Add, and then assign Read/Write permissions in the Permission Level column.

  9. Click Share to create the share.

  10. Click Done.

    Your IFM data is now ready to use to stage a new DC.

EXERCISE 2 Create a DC from Backup Data

In this exercise, you install a new DC in the treyresearch.net domain, using IFM data.

  1. Log on to SERVER11 with the local administrator account.

  2. Launch Windows Explorer, and create a new folder on the C drive called IFM.

  3. In the Windows Explorer address bar, type \\server10\ifm and press Enter.

  4. If the credentials dialog box appears, type TreyResearch\Administrator or its equivalent and the required password.

    If you use the same account name and password on both servers, even though SERVER11 is not a member of the domain, you will not be prompted for credentials because of pass-through authentication.

  5. Copy the entire contents from the IFM folder on SERVER10 to the C:\IFM folder on SERVER11.

  6. Verify that all items have been copied.

  7. Install the Active Directory Domain Services role. In Server Manager, right-click the Roles node and click Add Roles.

  8. Review the Before You Begin page of the wizard and click Next.

  9. On the Select Server Roles page of the Add Roles Wizard, select Active Directory Domain Services, click Add Required Features, and then click Next.

  10. On the Active Directory Domain Services page, review the information and click Next.

  11. Review your choices and click Install.

  12. Examine the installation results and click Close. Your installation is complete.

  13. Click the Active Directory Domain Services node in Server Manager.

  14. Click Run The Active Directory Domain Services Installation Wizard in the details pane.

    This launches the Active Directory Domain Services Installation Wizard.

  15. Select the Use Advanced Mode Installation check box and click Next.

    You need this option to install from media.

  16. On the Operating System Compatibility page, review the information and click Next.

  17. On the Choose A Deployment Configuration page, choose Existing Forest, select Add A Domain Controller To An Existing Domain, and click Next.

  18. On the Network Credentials page, type treyresearch.net.

    Because you logged on locally to the server and this account does not have access rights to the treyresearch.net domain, you must provide alternate credentials.

  19. Click Set. Type treyresearch.net\Administrator or the equivalent account name and add the password. Click OK, and then click Next.

  20. On the Select A Domain page, click treyresearch.net (forest root domain) and click Next.

  21. On the Select A Site page, accept the default and click Next.

    This page also appears because you are running the wizard in advanced mode.

  22. On the Additional Domain Controller Options page, verify that DNS Server and Global Catalog are both selected and click Next.

    If you did not assign a static IP address, the Active Directory Domain Services Installation Wizard warns you because you are using a dynamic IP address.

  23. Click the Yes, The Computer Will Use An IP Address Automatically Assigned By A DHCP Server (Not Recommended) option.

    The wizard warns you that it cannot create a delegation for the domain.

  24. Click Yes.

  25. On the Install From Media page, click Replicate Data From Media At The Following Location, type C:\IFM or click Browse to locate the IFM folder on the C drive, and click Next.

    Note that the wizard indicates that the media must have been created from a writable DC because you did not select the RODC mode for this DC.



  26. On the Source Domain Controller page, accept the defaults and click Next.

  27. On the Location For Database, Log Files, And SYSVOL page, accept the default locations and click Next.

  28. Type a strong password, confirm it, and click Next.

  29. Confirm your settings on the Summary page and click Next. Select Reboot On Completion and wait for the operation to complete.

    Your new DC has been created from local media. This reduces the initial replication traffic; after the DC has been created, it brings its data up to date through normal replication.

EXERCISE 3 Perform Database Maintenance

In this exercise, you perform interactive database maintenance, using the restartable Active Directory Domain Services mode. You can perform this operation now because there are two DCs in the treyresearch.net domain. You must have at least two DCs to use restartable AD DS.

  1. Log on to SERVER11 with the domain administrator account.

  2. Use Windows Explorer to create a C:\Temp and a C:\OriginalNTDS folder.

    You use these folders as temporary locations for the compacted and original databases.

  3. In Server Manager, expand the Configuration node and click Services.

  4. Locate the Active Directory Domain Services service (it should be first on the list), right-click it, and click Stop.

  5. In the Stop Other Services dialog box, click Yes.

    The server stops the service.



    Remember that the service will not stop unless it can contact another writable DC; otherwise, no one would be able to log on to the domain.

  6. Launch an elevated command prompt by right-clicking Command Prompt on the Start menu and clicking Run As Administrator.

  7. Begin by compacting the database. Type the following commands:

    ntdsutil
    activate instance NTDS
    files
    compact to C:\temp

    The Ntdsutil.exe utility compacts the database and copies it to the new location. In very large directories, this operation can take some time.



  8. Type the following after the compaction operation is complete:

    quit
    quit

  9. Delete all the log files. Type the following:

    cd %systemroot%\ntds
    del *.log

    You delete the log files because you will be replacing the Ntds.dit file with the newly compacted file, and the existing log files will not work with the newly compacted database.

  10. Back up the Ntds.dit file to protect it in case something goes wrong. Type the following:

    copy ntds.dit \originalntds

  11. Copy the newly compacted database back to the NTDS folder. To do so, make sure you are still within the %SystemRoot%\NTDS folder and type the following:

    copy c:\temp\ntds.dit
    y

  12. Verify the integrity of the new Ntds.dit file, and then perform a semantic database analysis to verify the data within the database. To do so, type the following:

    ntdsutil
    activate instance NTDS
    files
    integrity
    quit
    semantic database analysis
    go fixup
    quit
    quit

    Note that if the integrity check fails, you must recopy the original Ntds.dit back to this folder because the newly compacted file is corrupt. If you do not do so, your DC will no longer be operational.

  13. Return to Server Manager, expand the Configuration node, and click Services.

  14. Locate the Active Directory Domain Services service (it should be first on the list), right-click it, and click Start.

    Your server is back online and ready to deliver authentication services to the network. It can take several minutes for the dependent services to restart. Delete the Ntds.dit located in the C:\OriginalNTDS folder because it is no longer valid. You can also empty the Temp folder.

EXERCISE 4 Automate Database Maintenance

You can script the entire database compaction operation from the command line if you want to automate it. You should, however, make sure that all the operational results are captured in a text file so that you can review them if something goes wrong.

  1. Log on to SERVER11 with the domain administrator account.

  2. Make sure both a C:\Temp folder and a C:\originalntds folder exist on your server and that both folders are empty.

    You use the C:\Temp folder as a temporary location for the compacted database. You are ready to automate the compaction process.

  3. Move to the C:\Temp folder, right-click in the details pane, and click New; then click Text Document.

  4. Name the text document Compaction.cmd.

    If you cannot see the .txt extension of the file, in Windows Explorer, click Folder And Search Options on the Organize menu. On the View tab, clear Hide Extensions For Known File Types and click OK. Remove the .txt extension on your file name. Confirm the name change.

  5. Right-click Compaction.cmd and click Edit. Type the following commands (the integrity, semantic analysis, and quit arguments all belong on a single ntdsutil line):

    rem Clear out the results of any previous compaction
    del C:\temp\*.dit
    del C:\originalntds\*.dit
    rem Stop AD DS and its dependent services without prompting
    net stop ntds /y
    rem Compact the live database into C:\temp
    ntdsutil "activate instance NTDS" files "compact to C:\temp" quit quit
    cd /d %systemroot%\ntds
    rem The existing log files do not match the compacted database
    del *.log
    rem Keep the original Ntds.dit, then replace it with the compacted copy
    copy ntds.dit \originalntds
    del ntds.dit
    copy c:\temp\ntds.dit
    rem Verify the new database, run the semantic analysis, and restart AD DS
    ntdsutil "activate instance NTDS" files integrity quit "semantic database analysis" "go fixup" quit quit
    net start ntds

  6. Save and close the Compaction.cmd file.

    Note that you can add a pause command after each command in your text file to verify the proper operation of the commands while testing.

  7. Test the file by launching an elevated command prompt by right-clicking Command Prompt on the Start menu and clicking Run As Administrator.

  8. Type:

    cd \temp
    compaction

  9. If at any time the file does not work, use Ctrl+C to cancel the batch file and correct the errors.

    If the file works properly, you can use it to automate the compaction process.

  10. Remove any pause statements you entered in the file and save it again.

    You can reuse this command file each time you want to run the compaction on your systems. It is recommended that you run this command file interactively to address any errors or issues during the process. Be very wary of putting this file into a scheduled task. You should never run compaction in unattended mode because errors could destroy your DC.

If a DC is no longer functioning, you can use the following command to remove the DC role:

dcpromo /forceremoval

Run the Active Directory Domain Services Installation Wizard again to re-create the DC. Perform the Ntds.dit compaction operation at least once a month.
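As an added example (not part of the original exercises), the following batch file performs the Exercise 3 and Exercise 4 compaction procedure with the output capture the text asks for, and with the step 12 remedy from Exercise 3 built in: if the integrity check does not pass, the original Ntds.dit is copied back before AD DS is restarted. The folder layout follows the exercises; the "Integrity check successful" string that ntdsutil is expected to print is an assumption.

```batch
@echo off
rem Added example (not from the original page): the Exercise 4 compaction
rem script with every step logged to a text file and the integrity check
rem from Exercise 3 step 12 acted on automatically. Assumed (not on the
rem page): ntdsutil prints "Integrity check successful" when the check
rem passes, and the paths below match the exercise layout.
setlocal
set "LOG=C:\temp\compaction.log"
set "NTDSDIR=%SystemRoot%\NTDS"
set "BACKUP=C:\originalntds"

echo [%DATE% %TIME%] Starting compaction on %COMPUTERNAME% > "%LOG%"
del /q C:\temp\*.dit "%BACKUP%\*.dit" 2>nul

rem Stop AD DS; it refuses to stop when no other writable DC is reachable,
rem so confirm the service state instead of trusting the exit code.
net stop ntds /y >> "%LOG%" 2>&1
sc query ntds | findstr /c:"STOPPED" > nul || goto :fail

rem Compact the live database into C:\temp
ntdsutil "activate instance NTDS" files "compact to C:\temp" quit quit >> "%LOG%" 2>&1
if not exist C:\temp\ntds.dit goto :fail

rem Keep the original before touching anything under %NTDSDIR%
copy /y "%NTDSDIR%\ntds.dit" "%BACKUP%\" >> "%LOG%" 2>&1 || goto :fail

rem Old log files do not match the compacted database; swap the file in
del /q "%NTDSDIR%\*.log"
copy /y C:\temp\ntds.dit "%NTDSDIR%\" >> "%LOG%" 2>&1 || goto :restore

rem Integrity check and semantic analysis; transcript kept for review
ntdsutil "activate instance NTDS" files integrity quit "semantic database analysis" "go fixup" quit quit > C:\temp\integrity.txt 2>&1
type C:\temp\integrity.txt >> "%LOG%"
findstr /c:"Integrity check successful" C:\temp\integrity.txt > nul || goto :restore

net start ntds >> "%LOG%" 2>&1
echo [%DATE% %TIME%] Compaction succeeded; review %LOG% >> "%LOG%"
endlocal & exit /b 0

:restore
rem The compacted file is not trustworthy: put the original Ntds.dit back
echo [%DATE% %TIME%] Integrity check FAILED; restoring original Ntds.dit >> "%LOG%"
copy /y "%BACKUP%\ntds.dit" "%NTDSDIR%\" >> "%LOG%" 2>&1
net start ntds >> "%LOG%" 2>&1
endlocal & exit /b 1

:fail
rem Nothing has been replaced yet; leave the service as it is for inspection
echo [%DATE% %TIME%] Step failed before the database was replaced; check the service state and %LOG% >> "%LOG%"
endlocal & exit /b 2
```

Run it interactively from an elevated command prompt, as the text advises; it exits with 1 when the original database was restored and 2 when a step failed before the database was replaced.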

EXERCISE 5 Protect Group Policy Objects

In this exercise, you use the GPMC to back up GPOs.

  1. Log on to SERVER11 with the domain administrator account.

  2. Verify the existence of a folder named Temp on the C drive.

  3. Launch the Group Policy Management console from the Administrative Tools program group.

  4. Expand Forest\Domains\treyresearch.net\Group Policy Objects.

  5. Right-click Group Policy Objects and click Back Up All.

  6. Type the location as C:\Temp or use the Browse button to locate the folder.

  7. Type a description, in this case First GPO Backup, and click Back Up.

    The GPO backup tool shows the progress of the backup.

  8. Click OK after the backup is complete.

    Your GPOs are now protected.

  9. Back up the Temp folder.

    You can rely on this folder to copy the GPOs from one domain to another. Perform this operation at least once a week.
