Active Directory concepts and disaster recovery

xiaoxiao, 2021-03-06

I. What is Active Directory?

AD is a transactional, log-based database built on the ESE97 (Extensible Storage Engine) technology. On disk, AD consists of several files: NTDS.DIT (the AD database itself), a set of transaction logs, a checkpoint file that records how far the transaction log has already been written into the database, and a temporary database file. The term "directory service" covers two things: the directory data store, and the services that let users and programs access that information. Why have a directory at all? The directory provides a centralized store for all of an enterprise network's important data, including user accounts, computers, printers, applications, and security and system policies. By sharing network resources through it, you can improve productivity and significantly reduce the company's total cost of ownership (TCO).

The Windows 2000 directory service uses a multi-master model: directory resources can be modified on any domain controller. So, in short, AD is a database and every DC is an important database server, and we should protect a DC the way we protect any important database.

II. Key Active Directory concepts

1. Domain: a security boundary.

2. Tree: a collection of several domains.

3. Forest: several associated trees.

4. DNS: the gateway to AD. The service (SRV) records in DNS are the basis on which applications locate and query AD.

5. GC (global catalog): an index of the AD objects that are queried most often. In native mode, the GC takes part in processing network clients' logon requests by supplying universal group membership; without a GC, users who are not members of the Domain Admins group may be unable to log on to the network. In mixed mode the GC is not involved in logon processing, but it is still important for directory queries across the network.

6. Operations masters: although multi-master replication is the core of AD, potential conflicts between several servers mean that some operations must be handled with a single authority. To solve this, AD assigns special roles to particular machines; each role is responsible for changes in one specific area of AD.

III. AD maintenance and backup

1. Maintaining AD: monitor the operating status and component status of AD with the performance monitoring tools, so that problems can be discovered and resolved in time.

2. Backing up AD: AD is backed up by backing up the System State. The backup tool under System Tools can do this, or third-party software can be used. Note the following constraints on AD backups:

* AD backs up only currently valid data; objects that have been marked as deleted are not backed up. Deletion in AD is not immediate: a deleted object keeps its deletion mark (tombstone) for 60 days. Therefore avoid restoring an AD backup that is more than 60 days old, so as not to leave AD incomplete.

* The backup type cannot be chosen; AD can only be backed up in full.

* Make sure the backup includes the System State, the system files, the contents of the system disk, and the contents of the sysvol directory.

* A server can only be restored from its own backup; you cannot restore a server from another server's backup.
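Added PowerShell example, not from the original article, for the 60-day constraint above: it reads the tombstoneLifetime attribute from the Configuration partition location that section V gives (falling back to the 60-day default the article describes) and reports whether a backup of a given age can still be restored. It assumes the ActiveDirectory module and a reachable DC; the backup date is a constructed value.

```powershell
# Added example, not from the original article: decide whether a System State
# backup is still within the tombstone lifetime before restoring it. Assumes the
# ActiveDirectory module and a reachable DC; the backup date below is constructed.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime sits on CN=Directory Service,CN=Windows NT,CN=Services
    # in the Configuration naming context (the location section V gives).
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsa = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                        -Properties tombstoneLifetime
    if ($null -eq $dsa.tombstoneLifetime) {
        return 60   # attribute not set: the 60-day default the article describes applies
    }
    return [int]$dsa.tombstoneLifetime
}

function Test-BackupRestorable {
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays),
        [int]$SafetyMarginDays = 1   # constructed margin: never restore on the last allowed day
    )
    $ageDays = ((Get-Date) - $BackupDate).TotalDays
    [pscustomobject]@{
        BackupDate            = $BackupDate
        AgeDays               = [math]::Round($ageDays, 1)
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        Restorable            = ($ageDays -lt ($TombstoneLifetimeDays - $SafetyMarginDays))
    }
}

# Constructed input: a backup taken 50 days ago.
Test-BackupRestorable -BackupDate (Get-Date).AddDays(-50)
```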

3. Defragmenting AD: by default AD runs an online defragmentation automatically every 12 hours. Online defragmentation cannot reduce the size of the database; to shrink it, an offline defragmentation is needed. The procedure is:

When the DC starts, press F8 to enter the startup menu, select "Directory Services Restore Mode", log in, and enter the following commands at the command line:

ntdsutil
files
info

Note the database file path printed at this point!

compact to C:\mydir

This command builds a compacted copy of the database file in the specified directory.

Enter quit twice to exit the tool.
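The compaction steps above as a script, an added example that is not from the original article: it reads the database path (the same one "files" / "info" prints) from the NTDS service parameters, runs the compact through ntdsutil, checks that a smaller file was produced, and then performs the file replacement the article describes. It assumes it is run in Directory Services Restore Mode with ntdsutil.exe on the PATH and a current System State backup; C:\mydir and the .bak name are constructed.

```powershell
# Added example, not from the original article: the offline compaction as a
# script for Directory Services Restore Mode. Assumes ntdsutil.exe is on the PATH
# and a current System State backup exists; C:\mydir is the article's target dir.
$target  = 'C:\mydir'
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# The path that "files" / "info" prints is stored in the NTDS service parameters.
$ditPath = (Get-ItemProperty -Path $ntdsKey).'DSA Database file'
if (-not (Test-Path $ditPath)) { throw "ntds.dit not found at $ditPath" }
New-Item -ItemType Directory -Path $target -Force | Out-Null
$before = (Get-Item $ditPath).Length

# "activate instance ntds" is needed on Windows Server 2003 SP1 and later;
# on Windows 2000 (the article's platform) drop that argument.
& ntdsutil.exe 'activate instance ntds' 'files' "compact to $target" 'quit' 'quit'

$compacted = Join-Path $target 'ntds.dit'
if (-not (Test-Path $compacted)) { throw "compaction produced no file at $compacted" }
$after = (Get-Item $compacted).Length
"ntds.dit: {0:N0} bytes before, {1:N0} bytes after compaction" -f $before, $after

# Final step from the article: replace the original with the compacted copy.
# The original is kept beside it under a constructed .bak name.
Copy-Item -Path $ditPath -Destination "$ditPath.bak" -Force
Copy-Item -Path $compacted -Destination $ditPath -Force
"Replaced $ditPath; restart into normal mode to finish."
```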

Next, replace the original file with the compacted file and restart the computer.

IV. The AD schema

The AD schema consists of data defined in a structured way. These structures are defined by metadata describing them, which typically includes attribute name, type, length, relationships, and so on, somewhat like table definitions in a relational database. It also includes some extended attributes. The schema includes:

1. Naming contexts: there are three: the domain naming context (holding the data of the current AD domain), the configuration naming context (holding base configuration objects and configuration information), and the schema naming context (holding all AD object classes and attributes).

2. Classes: describe AD objects and their related features and attributes.

AD schema management: schema management is controlled by the schema master role. By default the Schema snap-in cannot be found in MMC until schmmgmt.dll is registered. To register it, run: regsvr32 %systemroot%\system32\schmmgmt.dll. Schema content cannot be deleted.

V. AD repair and recovery

1. AD maintenance and repair are performed with the command-line tool ntdsutil. The repair command (under the files menu) is:

ntdsutil
files
repair

2. AD recovery

Restore modes: AD has two restore modes, authoritative restore and non-authoritative restore. The difference is:

1) Authoritative restore: used when other domain controllers hold invalid replicated data. In this mode you can manually choose whether to restore the entire database or only a subtree, and you mark the locally restored data as authoritative. "Authoritative" means that when directory replication occurs, the local data wins. An authoritative restore raises the update sequence numbers (USNs) of the restored AD data so that they are higher than on the other DCs, which lets the locally restored data replicate to the other DCs.

2) Non-authoritative restore: most restore operations are non-authoritative. When one DC's data is found to be damaged while the other DCs' data is normal, use a non-authoritative restore. After the restore completes, the DC resumes normal USNs and takes part in normal replication; that is, data restored non-authoritatively may be overwritten again by replication.

Note:

If the following requirements are not met, the restore will fail:

* The server name is the same as in the backup.

* The drive holding the system folder is the same as in the backup.

* The directory database path is the same as in the backup.

3. Restore procedure

1) Non-authoritative restore: start the DC, enter Directory Services Restore Mode, and perform the backup restore.

2) Authoritative restore: after performing the non-authoritative restore, continue with the following:

ntdsutil
authoritative restore
restore database

This command authoritatively restores the entire database. If you only want to restore a subtree, use:

restore subtree OU=ENG,DC=Mycompany,DC=COM

Check that the system's prompts are correct and answer yes.

Enter quit to exit.

Note: after the restore completes, the system prompts to restart the server; for an authoritative restore you must answer "No", otherwise, once the server restarts, this authoritative restore turns into a non-authoritative one. Also note that an authoritative restore restores the sysvol directory along with the database. While a computer account is not disabled, the system checks its password every 7 days; an authoritative restore also restores this trust password, which may cause a computer's trust relationship to be lost. This needs attention as well.

4. AD disaster recovery procedure

1) Recovering AD by reinstalling

The simplest way to recover AD is to reinstall the operating system and promote the server to a DC again. This creates a new DC, but there is a problem: if the original DC's data has been damaged, we cannot use the dcpromo command to remove the AD data from that DC, which may leave the AD data out of step, and, worse, the DC object cannot be deleted in the Active Directory Users and Computers snap-in. In that case you can only delete the server from Active Directory Sites and Services to remove the DC. If, unfortunately, the new DC must have the original DC's name, you must first use the ntdsutil command to delete the old DC's object information from AD before creating the new DC. The procedure is as follows:

ntdsutil
metadata cleanup
connections
connect to server <DC>
quit
select operation target
list sites
select site <number>
list domains
select domain <number>
list servers in site
select server <number>
quit
remove selected server

The commands above delete the failed DC's information. For more detail, refer to ntdsutil's help: run ntdsutil and enter ? to read it.

Note: before deleting the original DC, confirm that it held no operations master roles. If it did, seize the roles with the ntdsutil command as follows:

ntdsutil
roles
seize domain naming master - overwrite the domain naming role on the connected server
seize infrastructure master - overwrite the infrastructure role on the connected server
seize PDC - overwrite the PDC role on the connected server
seize RID master - overwrite the RID role on the connected server
seize schema master - overwrite the schema role on the connected server

A DC whose roles have been seized must never be brought back onto the network without reinstalling the operating system!
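A read-only check to run from a healthy DC before the metadata cleanup and role seizure above, added here as an example that is not from the original article: it reports which operations master roles the failed DC still holds and which directory objects (server object, NTDS Settings, computer account) still refer to it. It assumes the ActiveDirectory module; DC1 is a constructed host name.

```powershell
# Added example, not from the original article: before metadata cleanup or a
# role seizure, list the FSMO roles the failed DC still holds and the objects
# that still reference it. Read-only; assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRolesHeldBy {
    param([Parameter(Mandatory)][string]$DcName)   # short host name, e.g. DC1
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $holders = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    # Role holders are reported as FQDNs; compare on the host part only.
    $holders.GetEnumerator() |
        Where-Object { ($_.Value -split '\.')[0] -ieq $DcName } |
        ForEach-Object { $_.Key }
}

function Get-DcMetadataReferences {
    param([Parameter(Mandatory)][string]$DcName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $refs = @()
    # Server object under CN=Sites (what "remove selected server" deletes)
    $refs += Get-ADObject -SearchBase "CN=Sites,$configNC" `
                          -LDAPFilter "(&(objectClass=server)(cn=$DcName))"
    # Its NTDS Settings object, if still present
    $refs += Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(objectClass=nTDSDSA)" |
                 Where-Object { $_.DistinguishedName -like "CN=NTDS Settings,CN=$DcName,*" }
    # Computer account in the Domain Controllers container
    $refs += Get-ADComputer -LDAPFilter "(cn=$DcName)" `
                            -SearchBase (Get-ADDomain).DomainControllersContainer
    $refs | Where-Object { $_ } | Select-Object Name, ObjectClass, DistinguishedName
}

$failedDc = 'DC1'   # constructed name of the failed DC
$roles = Get-FsmoRolesHeldBy -DcName $failedDc
if ($roles) { "$failedDc still holds: $($roles -join ', ') - seize these before cleanup" }
Get-DcMetadataReferences -DcName $failedDc
```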

2) Restoring AD from backup

Restoring AD from backup files is the most suitable method. But pay attention to the restore mode used: if you are restoring information that was lost through a mistaken operation, remember to use authoritative restore.

Note:

* Expired backups: as mentioned earlier, an AD backup cannot restore data from more than 60 days ago. If you need to restore a 50-day-old backup, you must first modify the global tombstone lifetime. It is located in AD at CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Company,DC=COM, attribute name tombstoneLifetime. This operation requires editing AD data directly, with tools such as ADSI Edit or LDP. Note: operate with care!

* Restoring to different hardware: in general, restoring an AD backup to different hardware is not recommended, unless you have confirmed that the new machine's hardware is essentially the same as the original machine's and that it uses the same hardware abstraction layer (HAL) file.

* Remote backup and restore: by adding the /safeboot:dsrepair option to the boot.ini file, you can boot a remote machine into restore mode.

VI. Conclusion

This article briefly described the overall concepts and basic theory of Active Directory, focusing on AD backup and restore techniques and operations, as well as disaster recovery methods.

Please cite the original URL when reposting: https://www.9cbs.com/read-53417.html
