Sunday, May 30, 2010

Install Active Directory

After you gather information as described in "Gathering Installation Information" earlier in this guide, you can use the Active Directory Installation Wizard to install Active Directory.
Requirements
·         Credentials: local Administrator
·         Tools: Dcpromo.exe
To install Active Directory
1.       In the Run dialog box, type dcpromo and click OK.
2.       The Active Directory Installation Wizard appears. Click Next at the Welcome screen.
3.       For Domain Controller Type, select Additional domain controller for an existing domain. Click Next.
4.       For Network Credentials, enter the user name, password, and domain for the user account that has permission to add this new domain controller to the domain. Click Next.
5.       Enter the name of the domain that you want the new domain controller to host. Click Next.
6.       For the Database and Log Locations, enter the paths for the locations of the directory database (Ntds.dit) and the log files. For better performance, store the database and log files on separate physical disk drives. Click Next.
7.       For the Shared System Volume, enter the path where you want to locate the system volume (SYSVOL). Click Next.
8.       Under Directory Services Restore Mode Administrator Password, enter the password that you want to use when you need to start Directory Services Restore Mode. This password is a local credential that gives full access to the directory database while the domain controller is offline, so choose a strong one and record it only in your secured credential store. Click Next.
9.       The Summary screen displays a list of the items you chose. Verify that the information is correct and then click Next to proceed with the installation.
10.    The wizard proceeds to install Active Directory. When it finishes, the wizard displays a summary screen listing the domain and site in which the new domain controller is a member. Note this information and ensure that it is correct. If the domain controller is not in the correct site, see "Performing Active Directory Post-Installation Tasks" earlier in this guide. Click Finish to close the wizard.
11.    Click Restart to restart the domain controller.
12.    Let the domain controller restart. If any message indicates that one or more services have failed to start, restart the domain controller one more time. If the initial replication cycles have not had enough time to complete during the first restart of a new domain controller, some services can be unable to start successfully. If the message appears again on subsequent restarts, examine the event logs in Event Viewer to determine the cause of the problem.
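The following script is an added example, not part of the original guide: it automates the checks that steps 10 through 12 ask you to do by hand after the reboot (site membership, services that failed to start, inbound replication health). It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and repadmin.exe are available; the DC name and expected site name are placeholders.

```powershell
# Added post-promotion check: confirms the new DC landed in the expected site,
# that no service failed to start since the last boot, and that inbound
# replication reports no failures. $DcName / $ExpectedSite are placeholders.
param(
    [string]$DcName       = $env:COMPUTERNAME,
    [string]$ExpectedSite = 'Default-First-Site-Name'
)
Import-Module ActiveDirectory

# Wizard step 10: site membership. A DC in the wrong site pulls replication
# and client logons across the wrong site links.
$dc = Get-ADDomainController -Identity $DcName
if ($dc.Site -ne $ExpectedSite) {
    Write-Warning "$DcName is in site '$($dc.Site)', expected '$ExpectedSite'."
} else {
    Write-Host "Site OK: $($dc.Site)"
}

# Step 12: services that failed to start since the last boot. The Service
# Control Manager logs these as event IDs 7000, 7001 and 7023 in the System log.
$boot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$failed = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7001, 7023
    StartTime    = $boot
} -ErrorAction SilentlyContinue   # no matching events raises a non-terminating error

if ($failed) {
    Write-Warning "$(@($failed).Count) service start failure(s) since $boot"
    $failed | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
} else {
    Write-Host "No service start failures since $boot"
}

# Replication: every inbound link should show zero failures. repadmin's /csv
# output has a showrepl_COLUMNS header row, so ConvertFrom-Csv can parse it.
$repl = repadmin /showrepl $DcName /csv | ConvertFrom-Csv
$bad  = $repl | Where-Object { $_.'Number of Failures' -ne '0' }
if ($bad) {
    $bad | Format-Table 'Source DSA', 'Naming Context', 'Last Failure Status' -AutoSize
} else {
    Write-Host "Inbound replication: $(@($repl).Count) link(s), no failures."
}
```

Run it on the new domain controller after the second restart; a non-empty failure list combined with replication errors points at the replication problem step 12 describes, while failures with healthy replication need the Event Viewer investigation.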

Clean Up Metadata

If you give the new domain controller the same name as the failed computer, you need to perform only the first procedure to clean up metadata, which removes the NTDS Settings object of the failed domain controller. If you will give the new domain controller a different name, you need to perform all three procedures: clean up metadata, remove the failed server object from the site, and remove the computer object from the Domain Controllers container.
Requirements
  • Credentials: Enterprise Admins (metadata cleanup requires modifying the configuration naming context)
  • Tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers
To clean up metadata
1.       At the command line, type ntdsutil and press ENTER.
2.       At the ntdsutil: prompt, type metadata cleanup and press ENTER.
3.       At the metadata cleanup: prompt, type connections and press ENTER.
4.       At the server connections: prompt, type connect to server servername, where servername is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press ENTER.
5.       Type quit and press ENTER to return you to the metadata cleanup: prompt.
6.       Type select operation target and press ENTER.
7.       Type list domains and press ENTER. This lists all domains in the forest with a number associated with each.
8.       Type select domain number, where number is the number corresponding to the domain in which the failed server was located. Press ENTER.
9.       Type list sites and press ENTER.
10.    Type select site number, where number refers to the number of the site in which the domain controller was a member. Press ENTER.
11.    Type list servers in site and press ENTER. This will list all servers in that site with a corresponding number.
12.    Type select server number and press ENTER, where number refers to the domain controller to be removed.
13.    Type quit and press ENTER. The Metadata cleanup menu is displayed.
14.    Type remove selected server and press ENTER.
At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, the NTDS Settings object might already have been removed from Active Directory.
15.    Type quit, and press ENTER until you return to the command prompt.
If the new domain controller receives a different name than the failed domain controller, perform the following additional steps:
Note: Do not perform the additional steps if the new computer will have the same name as the failed computer. Also confirm that hardware failure was not the cause of the problem: if faulty hardware is not replaced, restoring the domain controller by reinstallation might not help.
To remove the failed server object from the sites
1.       In Active Directory Sites and Services, expand the appropriate site.
2.       Delete the server object associated with the failed domain controller.
To remove the failed server object from the domain controllers container
1.       In Active Directory Users and Computers, expand the domain controllers container.
2.       Delete the computer object associated with the failed domain controller.
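The following is an added example, not code from the original guide. It shows exactly which objects the three procedures above remove for a failed domain controller (the NTDS Settings object, the server object under CN=Sites, and the computer object in the Domain Controllers container), then removes them only after an explicit confirmation, re-querying after the ntdsutil step because later ntdsutil versions delete more than the NTDS Settings object. It assumes the ActiveDirectory module (RSAT) and a healthy writable DC to bind to; the Windows Server 2003 SP1 and later argument form of ntdsutil is used in place of the interactive menu. The DC names in the usage lines are placeholders.

```powershell
# Added example: discover and remove the metadata left behind by a failed DC.
function Get-FailedDcMetadata {
    param(
        [Parameter(Mandatory)][string]$FailedDc,   # hostname of the dead DC, e.g. DC2 (placeholder)
        [Parameter(Mandatory)][string]$Server      # any working DC, e.g. DC1.contoso.com (placeholder)
    )
    Import-Module ActiveDirectory
    $root = Get-ADRootDSE -Server $Server

    # Procedure 2 object: the server object under CN=Sites in the configuration NC.
    $serverObj = Get-ADObject -Server $Server -SearchBase $root.configurationNamingContext `
        -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))"
    # Procedure 1 object: its NTDS Settings child, which "remove selected server" deletes.
    $ntds = if ($serverObj) {
        Get-ADObject -Server $Server -SearchBase $serverObj.DistinguishedName `
            -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
    }
    # Procedure 3 object: the computer account in the Domain Controllers container.
    $computer = Get-ADObject -Server $Server -SearchScope OneLevel `
        -SearchBase "OU=Domain Controllers,$($root.defaultNamingContext)" `
        -LDAPFilter "(&(objectClass=computer)(cn=$FailedDc))"

    [pscustomobject]@{
        FailedDc     = $FailedDc
        NtdsSettings = $ntds.DistinguishedName       # ntdsutil metadata cleanup
        ServerObject = $serverObj.DistinguishedName  # Active Directory Sites and Services
        Computer     = $computer.DistinguishedName   # Active Directory Users and Computers
    }
}

function Remove-FailedDcMetadata {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$FailedDc,
        [Parameter(Mandatory)][string]$Server
    )
    # Guard: never clean up the DC this session is bound to.
    if ($FailedDc -ieq ($Server -split '\.')[0]) {
        throw "Refusing to clean up $FailedDc - it is the DC this session is connected to."
    }
    $m = Get-FailedDcMetadata -FailedDc $FailedDc -Server $Server
    if (-not ($m.NtdsSettings -or $m.ServerObject -or $m.Computer)) {
        Write-Host "No metadata left for $FailedDc; nothing to do."
        return
    }

    # Procedure 1. ntdsutil replays its arguments as menu commands (2003 SP1+),
    # binding to $Server via 'on'; it still shows its confirmation dialog.
    if ($m.NtdsSettings -and $PSCmdlet.ShouldProcess($m.NtdsSettings, 'ntdsutil metadata cleanup')) {
        & ntdsutil.exe 'metadata cleanup' "remove selected server $($m.ServerObject) on $Server" quit quit
    }

    # Procedures 2 and 3: remove whatever ntdsutil left behind, in that order.
    $m = Get-FailedDcMetadata -FailedDc $FailedDc -Server $Server
    foreach ($dn in @($m.ServerObject, $m.Computer) | Where-Object { $_ }) {
        if ($PSCmdlet.ShouldProcess($dn, 'Remove-ADObject -Recursive')) {
            Remove-ADObject -Server $Server -Identity $dn -Recursive -Confirm:$false
        }
    }
}

# Usage (placeholder names):
# Get-FailedDcMetadata    -FailedDc DC2 -Server DC1.contoso.com
# Remove-FailedDcMetadata -FailedDc DC2 -Server DC1.contoso.com -WhatIf
```

Run the Get function first and check that the three distinguished names really belong to the failed computer; if the new domain controller keeps the old name, stop after the ntdsutil step, exactly as the note above says.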

Restore SYSVOL from an Alternate Location

Perform the following procedure to restore SYSVOL authoritatively.
Requirements
  • Credentials: local Administrator or Domain Admins
  • Tool: N/A
To restore SYSVOL from an alternate location
1.       If still in Directory Services Restore Mode, restart in normal mode.
2.       Once the system has been rebooted and after the SYSVOL share is published (it may take a few minutes before the SYSVOL share and its sub-folders appear on the domain controller), copy the required files and folders from the SYSVOL directory that was copied to the alternate location to the original location. By doing this, the files that were overwritten are replicated out to the other domain controllers, so that the SYSVOL is the same as that which was present at the time of backup.
Example: restoring SYSVOL from alternate location
The following example shows how to copy the SYSVOL from the alternate location to the original location. Depending on your system, your drive and folder information may vary.
Copy the contents of the scripts directory from:
c:\sysvol\c_\winnt\Sysvol\Domain\scripts\
And add it to:
c:\Winnt\SYSVOL\Sysvol\domain\scripts\
Copy the contents of the policies directory from:
c:\sysvol\c_\winnt\Sysvol\Domain\policies\
And add it to:
c:\Winnt\SYSVOL\Sysvol\domain\policies\
By restoring the SYSVOL authoritatively, the files on the restored domain controller will be authoritative for the domain and will replicate to other domain controllers. Changes made to any policy after the backup will be lost.
For example, a Group Policy object by the name of Finance Policy existed at the time of the last backup, and was referenced by a folder in the SYSVOL directory as:
C:\WINNT\SYSVOL\Sysvol\Domain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
However, shortly after the last backup, an administrator edited the Finance Policy, and although the properties of the GPO changed, the GUID of the GPO remained the same. As a result, the GPO was still referenced by the same directory name {31B2F340-016D-11D2-945F-00C04FB984F9}.
When the directory is authoritatively restored, the folder {31B2F340-016D-11D2-945F-00C04FB984F9} from the alternate SYSVOL location was copied to the original SYSVOL location. This replaced the old folder and thus the changes the administrator had made after the backup were lost. This step is necessary, however, to maintain the synchronization between Active Directory and SYSVOL.

Perform Authoritative Restore of Entire Directory

This step restores the entire Active Directory, and marks it as authoritative for the enterprise.
Requirements
·         Credentials: local Administrator
·         Tool: Ntdsutil.exe
To perform authoritative restore of the entire directory
1.       Open a command prompt and type ntdsutil and then press ENTER.
2.       At the ntdsutil: prompt, type authoritative restore and then press ENTER.
3.       At the ntdsutil authoritative restore: prompt, type restore database and press ENTER.
4.       At the Authoritative Restore Confirmation dialog box, click OK.
5.       Type quit and press ENTER until you have exited Ntdsutil.exe.
6.       Restart the server. It is now authoritative for the domain, and changes will be replicated to the other domain controllers in the enterprise.

Restore Applicable Portion of SYSVOL from an Alternate Location

When you authoritatively restore only a subtree or leaf object rather than the entire directory, restoring SYSVOL is usually unnecessary. However, if the restored subtree or object includes elements that live in SYSVOL, such as a Group Policy object, you must also restore that portion of SYSVOL authoritatively so that the directory and SYSVOL stay in sync.
Requirements
  • Credentials: local Administrator or Domain Admins
  • Tool: N/A
To restore applicable portion of SYSVOL from alternate location if necessary
1.       If still in Directory Services Restore Mode, restart in normal mode.
2.       After the system restarts and after the SYSVOL share is published (it can take a few minutes before the SYSVOL share and its sub-folders appear on the domain controller), copy the required files and folders from the SYSVOL directory that was copied to the alternate location to the original location. By doing this, the files that were overwritten are replicated to the other domain controllers, so that the SYSVOL is the same as that which was present at the time of backup.
Example: restoring applicable portion of SYSVOL from alternate location
The following example shows how to copy SYSVOL from the alternate location to the original location. Depending on your system, your drive and folder information can vary.
1.       Copy the contents of the scripts directory from:
c:\sysvol\c_\winnt\Sysvol\Domain\scripts\
2.       Add the contents to:
c:\Winnt\SYSVOL\Sysvol\domain\scripts\
3.       Copy the contents of the policies directory from:
c:\sysvol\c_\winnt\Sysvol\Domain\policies\
4.       Add the contents to:
c:\Winnt\SYSVOL\Sysvol\domain\policies\
By restoring the SYSVOL authoritatively, the files on the restored domain controller are authoritative for the domain and replicate to other domain controllers. Changes made to any policy after the backup will be lost.
For example, a Group Policy object by the name of Finance Policy existed at the time of the last backup, and was referenced by a folder in the SYSVOL directory as:
C:\WINNT\SYSVOL\Sysvol\Domain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
However, shortly after the last backup, an administrator edited the Finance Policy, and although the properties of the GPO changed, the globally unique identifier (GUID) of the GPO remained the same. As a result, the GPO is still referenced by the same directory name {31B2F340-016D-11D2-945F-00C04FB984F9}.
When the directory is authoritatively restored, the folder {31B2F340-016D-11D2-945F-00C04FB984F9} from the alternate SYSVOL location is copied to the original SYSVOL location. This replaces the old folder and thus the changes the administrator had made after the backup are lost. This step is necessary, however, to maintain the synchronization between Active Directory and SYSVOL.
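The following is an added example, not code from the original guide, and it serves both SYSVOL procedures above ("Restore SYSVOL from an Alternate Location" and this one). It waits for the SYSVOL share to be published after the reboot, copies the scripts and policies folders from the alternate-location restore into the live SYSVOL with robocopy so that the NTFS security descriptors on the GPO folders travel with the files, then checks that every GUID-named policy folder still has a matching Group Policy object in the directory. The paths follow the guide's example and are placeholders; the last check assumes the ActiveDirectory module (RSAT) is available.

```powershell
# Added example: scripted copy of restored SYSVOL content into the live SYSVOL.
param(
    [string]$AlternateRoot  = 'C:\sysvol\c_\winnt\Sysvol\Domain',   # NTBackup alternate-location restore (placeholder)
    [string]$LiveRoot       = 'C:\Winnt\SYSVOL\Sysvol\domain',      # live SYSVOL\Sysvol\<domain> (placeholder)
    [int]   $TimeoutMinutes = 15
)

# 1. Wait until the SYSVOL share exists (step 2 of the procedure).
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
while (-not (Test-Path "\\$env:COMPUTERNAME\SYSVOL")) {
    if ((Get-Date) -gt $deadline) {
        throw "SYSVOL share not published after $TimeoutMinutes min; check the File Replication Service event log."
    }
    Start-Sleep -Seconds 30
}

# 2. Copy each subtree. /E includes empty subfolders (GPO folders often have
#    empty Machine\User directories); /COPY:DATS carries data, attributes,
#    timestamps and the NTFS security descriptor, so GPO folder ACLs are not
#    replaced by inherited defaults; /R:2 /W:5 keeps locked files from stalling the run.
foreach ($sub in 'scripts', 'policies') {
    $src = Join-Path $AlternateRoot $sub
    $dst = Join-Path $LiveRoot $sub
    if (-not (Test-Path $src)) { Write-Warning "Missing $src; skipping"; continue }
    Write-Host "Copying $src -> $dst"
    & robocopy.exe $src $dst /E /COPY:DATS /R:2 /W:5 /NP /NFL /NDL
    # robocopy exit codes 0-7 are success variants; 8 and above signal failures.
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $sub (exit code $LASTEXITCODE)" }
}

# 3. Consistency check: each {GUID} folder under policies must correspond to a
#    groupPolicyContainer object in the domain, otherwise AD and SYSVOL are out of sync.
Import-Module ActiveDirectory
$policyDirs = Get-ChildItem (Join-Path $LiveRoot 'policies') -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }
foreach ($dir in $policyDirs) {
    $gpc = Get-ADObject -LDAPFilter "(&(objectClass=groupPolicyContainer)(cn=$($dir.Name)))"
    if ($gpc) { Write-Host "OK   $($dir.Name)  <->  $($gpc.DistinguishedName)" }
    else      { Write-Warning "SYSVOL folder $($dir.Name) has no Group Policy object in AD" }
}
```

Because the copy overwrites folders with the same GUID name, any edits made to those Group Policy objects after the backup are lost, exactly as the Finance Policy example above describes; the final check is what tells you the restored folders and the restored directory objects line up.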

Perform Authoritative Restore of a Subtree or Leaf Object

This step marks the subtree or leaf object you restored as authoritative for the directory.
Requirements
·         Credentials: local Administrator
·         Tool: Ntdsutil.exe
To perform authoritative restore of a subtree or leaf object
1.       Open a command prompt and type ntdsutil and then press ENTER.
2.       At the ntdsutil: prompt, type authoritative restore and then press ENTER.
3.       At the ntdsutil authoritative restore: prompt, type:
Restore Subtree OU=ouname,DC=domain,DC=domainroot
For example, if an administrator has inadvertently deleted the Marketing organizational unit in the domain called contoso.com, type:
Restore Subtree OU=Marketing,DC=Contoso,DC=COM
4.       At the Authoritative Restore Confirmation dialog box, click OK.
5.       Type quit and press ENTER until you have exited Ntdsutil.exe.
6.       Restart the server.
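The following is an added example, not code from the original guide, and it applies to both authoritative restore procedures above (the entire directory and a subtree or leaf object). An authoritative restore makes objects win replication by raising the version number of their attributes (by default 100,000 per day since the backup), so the way to confirm it worked is to look at the replication metadata on a different domain controller: the restored objects must exist there, their attributes must carry the inflated version numbers, and the originating change must come from the DC where ntdsutil was run. It assumes Get-ADReplicationAttributeMetadata (RSAT, Windows Server 2012 or later); the distinguished names and DC names are placeholders.

```powershell
# Added example: verify an authoritative restore from a replica DC.
function Test-AuthoritativeRestore {
    param(
        [Parameter(Mandatory)][string]$SubtreeDN,    # e.g. 'OU=Marketing,DC=Contoso,DC=COM' (placeholder)
        [Parameter(Mandatory)][string]$RestoredDc,   # DC on which ntdsutil ran (placeholder)
        [Parameter(Mandatory)][string]$ReplicaDc,    # any other DC in the domain (placeholder)
        [int]$MinVersion = 100000                    # ntdsutil's default increment per day since backup
    )
    Import-Module ActiveDirectory

    # 1. The subtree must exist again on the replica (it was deleted there before the restore).
    try {
        $objects = Get-ADObject -Server $ReplicaDc -SearchBase $SubtreeDN -SearchScope Subtree `
            -Filter * -ErrorAction Stop
    } catch {
        throw "$SubtreeDN is not present on $ReplicaDc (replication incomplete or restore not authoritative): $_"
    }

    $restoredShort = (Get-ADDomainController -Identity $RestoredDc).Name
    foreach ($o in $objects) {
        # Per-attribute replication metadata as seen by the replica.
        $meta   = Get-ADReplicationAttributeMetadata -Server $ReplicaDc -Object $o.DistinguishedName
        $bumped = @($meta | Where-Object { $_.Version -ge $MinVersion })
        # Authoritatively restored attributes originate from the restored DC's NTDS Settings object.
        $fromRestored = @($bumped | Where-Object {
            $_.LastOriginatingChangeDirectoryServerIdentity -like "*CN=$restoredShort,CN=Servers,*"
        })
        [pscustomobject]@{
            Object          = $o.DistinguishedName
            Attributes      = @($meta).Count
            Bumped          = $bumped.Count
            FromRestoredDc  = $fromRestored.Count
            LastChange      = ($bumped.LastOriginatingChangeTime | Sort-Object | Select-Object -Last 1)
            Authoritative   = ($bumped.Count -gt 0 -and $fromRestored.Count -eq $bumped.Count)
        }
    }
}

# Usage (placeholder names); for a whole-directory restore point it at the domain root.
# Test-AuthoritativeRestore -SubtreeDN 'OU=Marketing,DC=Contoso,DC=COM' -RestoredDc DC1 -ReplicaDc DC2 |
#     Format-Table Object, Bumped, FromRestoredDc, Authoritative -AutoSize
```

An object that shows Bumped = 0 on the replica either has not replicated yet or was not part of the restored subtree; bumped attributes that originate from some other DC mean a newer change outranked the restore, which is the failure mode the version increment exists to prevent. The same information is available without the module from repadmin /showobjmeta.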

Restore System State to an Alternate Location

Perform this procedure to allow an authoritative restore of SYSVOL. After the objects are restored, you can delete the files in the alternate location.
Requirements
·         Credentials: local Administrator
·         Tool: NTBackup.exe
To restore system state to an alternate location
1.       In NTBackup, click the Restore tab.
2.       Select SystemState. (You need not restore the system disk to an alternate location.)
3.       Ensure that Alternate Location is selected in the Restore Files to drop-down list box and designate the alternate location.
4.       When the restore process is finished, close the backup utility.

Verify Active Directory Restore

After the restore is completed, you can either restart the server in normal operation mode and perform basic verification, or continue with the advanced verification. The advanced option is not usually required, and should be used with caution, as incorrect use of the ntdsutil utility can corrupt the Active Directory database. Both processes are explained below.
Requirements
·         You must log on at the local computer, or you must enable Terminal Services in Remote Administration mode on the remote domain controller.
·         Credentials:
·         Basic: Domain Admins or local Administrator
·         Advanced: local Administrator
·         Tools: Regedit.exe and Ntdsutil.exe (advanced verification only)
To perform basic Active Directory verification
1.       After the restore operation completes, restart the computer in normal operational mode. Active Directory and the Certificate Server automatically detect that they have been recovered from a backup. They perform an integrity check and re-index the database.
2.       After you are able to log on to the system, browse the directory. Verify that all of the user and group objects that were present in the directory prior to backup are restored. Similarly, verify that files that were members of a FRS replica set and certificates that were issued by the Certificate Server are present.
To perform advanced Active Directory verification
Caution: The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first, as described in this guide.
1.       Immediately after performing the restore operation, restart the server in Directory Services Restore Mode.
2.       After the system starts, log on using the local Administrator account.
3.       Verify that the Active Directory is in a state consistent with having been recovered from a backup. To do this, check for a specific registry subkey.
In the Run dialog box, type Regedit and click OK.
4.       In the registry editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS.
5.       Check that the subkey called Restore In Progress is present. This subkey is automatically generated by Windows NT Backup, and indicates to the Active Directory service that the database files have been restored and that Active Directory service must perform a consistency check and re-index the next time the directory is started. This subkey is automatically removed upon completion of this check. Do not add or delete this subkey.
6.       Use Ntdsutil.exe to check for the recovered Active Directory database files. At the command prompt, type ntdsutil and press ENTER.
7.       At the ntdsutil: prompt, type files and press ENTER.
8.       At the file maintenance: prompt, type info and press ENTER.
9.       If the Active Directory files have been recovered successfully, you should see output listing the paths for the database, the backup directory, the working directory and the log directory, as well as a list of the log file names and file sizes. Do not select any other options.
10.    After you confirm that Active Directory has been restored from the backup and that the registry subkey is present, restart the server in normal mode.
11.    When the computer is restarted in normal mode, Active Directory automatically detects that it has been recovered from a backup and performs an integrity check and re-indexes the database. After you are able to log on to the system, browse the directory and verify that all user and group objects that were present in the directory prior to backup are restored.
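The following is an added example, not code from the original guide. It performs the advanced verification above without opening the registry editor: it only reads the Restore In Progress subkey (never creating or deleting it, as step 5 warns), reports the database and log locations that Active Directory records under NTDS\Parameters, and runs the ntdsutil files info command non-interactively. Run it in Directory Services Restore Mode, where the ntdsutil files menu is available because the database is offline.

```powershell
# Added example: read-only check of the restore state in Directory Services Restore Mode.
function Get-ADRestoreState {
    $ntds   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'
    $params = Get-ItemProperty "$ntds\Parameters"

    # Step 5: the subkey is created by the backup tool's restore and removed by
    # Active Directory after its consistency check and re-index. Read only.
    $flagPresent = Test-Path "$ntds\Restore In Progress"

    # Paths Active Directory itself uses for Ntds.dit and the transaction logs.
    $dbFile  = $params.'DSA Database file'
    $logPath = $params.'Database log files path'
    $logs    = Get-ChildItem -Path $logPath -Filter 'edb*.log' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RestoreInProgressFlag = $flagPresent
        DatabaseFile          = $dbFile
        DatabaseExists        = Test-Path $dbFile
        DatabaseSizeMB        = if (Test-Path $dbFile) { [math]::Round((Get-Item $dbFile).Length / 1MB, 1) }
        LogPath               = $logPath
        LogFiles              = ($logs | ForEach-Object { "$($_.Name) ($([math]::Round($_.Length / 1KB)) KB)" }) -join ', '
        # Steps 6-9: ntdsutil replays its arguments as menu commands; 'info'
        # prints the same paths and log list the guide describes. Read only.
        NtdsutilFilesInfo     = (& ntdsutil.exe files info quit quit) -join "`n"
    }
}

Get-ADRestoreState | Format-List
```

RestoreInProgressFlag should be True before the first normal-mode start and False after it; if the database file does not exist at the path shown, the restore landed somewhere other than where Active Directory expects it and the server must not be started in normal mode until that is corrected.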
