20411B-ENU-TrainerHandbook
.pdf
Administering Windows Server® 2012
3.Switch to the tree view.
4.Expand Adatum.com.
Perform administrative tasks
1.Navigate to the Overview view.
2.Reset the password for Adatum\Adam to Pa$$w0rd, without requiring the user to change the password at the next logon.
3.Use the Global Search section to find any objects that match the search string Rex.
Use the Windows PowerShell History Viewer
1.Open the Windows PowerShell History pane.
2.View the Windows PowerShell cmdlet that you used to perform the most recent task.
Windows PowerShell
Creating a group
3-MCT19
ONLY USE .
1. |
Open the Active Directory Module for Windows PowerShell. |
|
|
2. |
|
|
|
|
|
|
|
|
|
|
|
3. |
Open Active Directory Administrative Center, and confirm that the SalesManager group is |
|
|
|
present in the Users container. |
|
|
1. |
At the PowerShell prompt, move SalesManagers to the Sales OU by using the following command: |
||
|
|
STUDENT |
|
|
|
|
|
|
“OU=Sales,DC=Adatum,DC=com” |
|
|
2.Switch to Active Directory Administrative Center, and then confirm that the SalesManagers groupUSE has been moved to the Sales OU.
Managing Operations Master Roles |
PROHIBITED |
||
In an AD DS environment multimaster replication |
|||
|
|
||
means that all domain controllers have the same |
|
|
|
general capabilities and priorities when modifying |
|
|
|
the AD DS database. However, certain operations |
|
|
|
must be performed by only one system. In AD DS, |
|
|
|
operation masters are domain controllers that |
|
|
|
perform a specific function within the domain |
|
|
|
environment. |
|
|
|
Forest-Wide Operations Master Roles |
|
|
|
The schema master and the domain-naming |
|
|
|
master must be unique in the forest. Each role is |
|
|
|
|
|
||
performed by only one domain controller in the |
|
|
|
entire forest. |
|
|
|
3-20 Maintaining Active Directory Domain Services
Domain Naming Master Role
SIDs generated by a domain controller are unique. Active Directory domain controllers generate SIDs by appending a unique RID to the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in the domain. Therefore, each domain controller can be confident that the SIDs that it generates are unique.
The domain-naming role is used when adding or removing domains and application partitions in the |
MCT |
|
forest. When you add or remove a domain or application partition, the domain naming master must be |
||
USE |
||
accessible, or the operation will fail. |
||
Schema Master Role |
||
The domain controller holding the schema master role is responsible for making any changes to the |
||
forest’s schema. All other domain controllers hold read-only replicas of the schema. When you need to |
||
modify the schema, the modifications must be sent to the domain controller that hosts the schema master |
||
role. |
.ONLY |
|
Domain-Wide Operations Master Roles |
||
Each domain maintains three single master operations: relative identifier (RID) master, infrastructure |
||
master, and primary domain controller (PDC) Emulator. Each role is performed by only one domain |
||
controller in the domain. |
||
RID Master Role |
||
STUDENT |
||
The RID master plays an integral part in the generation of security identifiers (SIDs) for security principals |
||
such as users, groups, and computers. The SID of a security principal must be unique. Because any |
||
domain controller can create accounts, and therefore, SIDs, a mechanism is necessary to ensure that the |
||
|
||
•Participates in special password update handling for the domain. When a user's password is reset or USE changed, the domain controller that makes the change replicates the change immediately to the PDC emulator. This special replication ensures that the domain controllers know about the new password
•as quickly as possible. PROHIBITED Manages Group Policy updates within a domain. If you modify a GPO on two domain controllers at approximately the same time, there could be conflicts between the two versions that could not be
reconciled as the GPO replicates. To avoid this situation, the PDC emulator acts as the default focal point for all Group Policy changes.
•Provides a master time source for the domain. Many Windows components and technologies rely on time stamps, so synchronizing time across all systems in a domain is crucial. The PDC emulator in the forest root domain is the time master for the entire forest, by default. The PDC emulator in each domain synchronizes its time with the forest root PDC emulator. Other domain controllers in the domain synchronize their clocks against that domain’s PDC emulator. All other domain members synchronize their time with their preferred domain controller.
• Acts as the domain master browser. When you open network in Windows, you see a list of |
|
|
|||
|
|
workgroups and domains, and when you open a workgroup or domain, you see a list of computers. |
|||
|
|
The browser service creates these two lists, called browse lists. In each network segment, a master |
MCT |
||
|
|
USE |
|||
|
|
browser creates the browse list: the lists of workgroups, domains, and servers in that segment. The |
|||
|
|
domain master browser serves to merge the lists of each master browser so that browse clients can |
|||
|
|
retrieve a comprehensive browse list. |
|||
• |
|
Place the domain-level roles on a high-performance domain controller. |
|||
|
ONLY |
||||
• Do not place the Infrastructure Master domain-level role on a global catalog server, except when |
|||||
|
|
your forest contains only one domain or all of the domain controllers in your forest also are global |
|||
|
|
catalogs. |
|||
• Leave the two forest-level roles on a domain controller in the forest-root domain. |
|||||
• Adjust the workload of the PDC emulator, if necessary, by offloading non-AD DS roles to other |
|||||
|
|
servers. |
|||
|
|
. |
|||
|
|
|
|
||
|
|
Note: You can view the assignment of operations master roles by running the following |
|
|
|
|
|
|
|
||
from a command prompt: |
|
|
|||
|
|
|
|
||
|
Netdom query fsmo |
|
|
||
|
|
|
|||
Managing AD DS Backup and Recovery |
|
|
|||
In earlier Windows versions, backing up Active |
|
|
|
||
|
STUDENT |
||||
Directory involved creating a backup of the |
|
||||
SystemState, which was a small collection of files |
|
||||
that included the Active Directory database and |
|
||||
|
USE |
||||
the registry. |
|
||||
In Windows Server 2012, the SystemState |
|
||||
concept still exists, but it is much larger. Because |
|
||||
of interdependencies between server roles, |
|
||||
physical configuration, and Active Directory, |
|
||||
|
|
|
|||
the SystemState is now a subset of a Full Server |
|
|
|
||
backup and, in some configurations, might be just |
|
|
|
||
as big. To back up a domain controller, you must |
|
|
|
||
|
|
|
|||
back up all critical volumes fully. |
|
|
|||
Restoring AD DS Data
When a domain controller or its directory is corrupted, damaged, or failed, you have several options with which to restore the system.
The first such option is called normal restore or nonauthoritative restore. In a normal restore operation, you restore a backup of Active Directory as of a known good date. Effectively, you roll the domain controller back in time. When AD DS restarts on the domain controller, the domain controller contacts its replication partners and requests all subsequent updates. Effectively, the domain controller catches up with the rest of the domain by using standard replication mechanisms.
PROHIBITED
3-22 MCT USEONLY
of the changes ensure that partners take the changes and replicate them throughout the directory service. In forests with the Active Directory Recycle Bin enabled, you can use the Active Directory Recycle Bin as a more simple alternative to an authoritative restore.
When the restored domain controller is restarted, it replicates from its replication partners all changes that.STUDENT have been made to the directory. It also notifies its partners that it has changes, and the version numbers
PROHIBITED USE
Administering Windows Server® 2012 3-MCT23
At the core of the AD DS environment is the AD DS database. The AD DS database contains all the criticalUSE information required to provide AD DS functionality. Maintaining this database properly is a critical aspect
of AD DS management, and there are several tools and best practices of which you should be aware so that you can manage your AD DS database effectively. This lesson will introduce you to AD DS database management, and show you the tools and methods for maintaining it.
• |
Explain the AD DS database architecture. |
.ONLY |
|||
|
|
||||
• |
Describe NTDSUtil. |
|
|
||
• Explain restartable AD DS. |
|
|
|||
• Explain how to perform AD DS database management. |
STUDENT |
||||
• |
Describe how to create AD DS snapshots. |
||||
|
|
||||
• Explain how to restore deleted objects. |
|
|
|||
• Describe how to configure the Active Directory Recycle Bin. |
|
|
|||
Understanding the AD DS Database |
|
|
|||
AD DS information is stored within the directory |
|
|
|
||
|
|
|
|||
database. Each directory partition, also called a |
|
|
|||
naming context, contains objects of a particular |
|
|
|||
replication scope and purpose. There are three |
|
|
|||
•Domain. The Domain partition contains all USE the objects stored in a domain, including
users, groups, computers, and Group Policy containers (GPCs).
•Configuration. The Configuration partition PROHIBITED contains objects that represent the logical
structure of the forest, including information about domains, as well as the physical topology, including sites, subnets, and services.
•Schema. The Schema partition defines the object classes and their attributes for the entire directory.DomainAD DS partitions on each domain controller, as
3-24 Maintaining Active Directory Domain Services
AD DS Database Files
The AD DS database is stored as a file named NTDS.dit. When you install and configure AD DS, you can |
MCT |
||
specify the location of the file. The default location is %systemroot%\NTDS. Within NTDS.dit are all of |
|||
USE |
|||
the partitions hosted by the domain controller: the forest schema and configuration; the domain-naming |
|||
context; and, depending on the server configuration, the partial attribute set and application partitions. |
|||
In the NTDS folder, there are other files that support the Active Directory database. The Edb*.log files are |
|||
the transaction logs for Active Directory. When a change must be made to the directory, it is first written |
|||
to the log file. The change is committed to the directory as a transaction. If the transaction fails, it can be |
|||
.ONLY |
|||
rolled back. |
|
||
The following table describes the different file level components of the AD DS database. |
|||
|
|
||
File |
Description |
||
|
|
||
NTDS.dit |
• Main AD DS database file |
||
|
• Contains all AD DS partitions and objects |
||
|
|
||
EDB*.log |
Transaction log(s) |
|
|
|
|
|
|
EDB.chk |
Database checkpoint file |
|
|
|
|
|
|
Edbres00001.jrs |
Reserve transaction log file that allows the directory to process |
|
|
Edbres00002.jrs |
transactions if the server runs out of disk space |
|
|
|
|
||
|
|
|
|
AD DS Database Modifications and Replication |
STUDENT |
||
Under normal operations, the transaction log wraps around, with new transactions overwriting old |
|||
transactions that had already been committed. However, if a large number of transactions are made |
|||
within a short period of time, AD DS creates additional transaction log files, so you may see several |
|||
EDB*.log files if you look in the NTDS folder of a particularly busy domain controller. Over time, those |
|||
files are removed automatically. |
|
||
|
USE |
||
The EDB.chk file acts like a bookmark into the log files, marking the location before which transactions |
|||
have been successfully committed to the database, and after which transactions remain to be committed. |
|||
If a disk drive runs out of space, it is highly problematic for the server. It is even more problematic if that |
|||
disk is hosting the AD DS database, because transactions that may be pending cannot be written to the |
|||
logs. Therefore, AD DS maintains two additional log files, edbres0001.jrs and edbres0002.jrs. These are |
|||
|
|||
empty files of 10 megabytes (MB) each. When a disk runs out of space for normal transaction logs, AD DS |
|||
|
|
PROHIBITED |
|
recruits the space used by these two files to write the transactions that are in a queue currently. After that, it safely shuts down AD DS services, and dismounts the database. Of course, it will be important for an administrator to remediate the issue of low disk space as quickly as possible. The file simply provides a temporary solution to prevent the directory service from refusing new transactions.
Administering Windows Server® 2012 3-MCT25
ONLY USE STUDENT .
Restartable AD DS is available by default on all domain controllers that run Windows Server 2012. There are no functional-level requirements or any other prerequisites for using this feature.
PROHIBITED USE
3-26 Maintaining Active Directory Domain Services
Restartable AD DS adds minor changes to the existing Microsoft Management Console (MMC) snap-ins. A
domain controller running Windows Server 2012 AD DS displays Domain Controller in the Services (Local) |
|||
node of the Component Services snap-in and the Computer Management snap-in. Using the snap-in, an |
MCT |
||
|
|||
administrator can easily stop and restart AD DS the same way as any other service that is running locally |
|
||
on the server. |
|
||
Although stopping AD DS is similar to logging on in Directory Services Restore Mode, restartable |
|
||
AD DS provides a unique state, known as AD DS Stopped, for a domain controller that is running Windows |
|||
Server 2012. |
USE |
||
|
|||
Domain Controller States |
|
||
The three possible states for a domain controller running Windows Server 2012 are: |
.ONLY |
||
• |
AD DS Started. In this state, AD DS is started. The domain controller is able to perform AD DS related |
||
|
|||
|
tasks normally. |
|
|
• AD DS Stopped. In this state, AD DS is stopped. Although this mode is unique, the server has some |
|
||
|
characteristics of both a domain controller in DSRM and a domain-joined member server. |
|
|
• DSRM. This mode (or state) allows standard AD DS administrative tasks. |
STUDENT |
||
With DSRM, the Active Directory database (Ntds.dit) on the local domain controller is offline. Another |
|||
|
|||
domain controller can be contacted for logon, if one is available. If no other domain controller can be |
|
||
contacted, by default you can do one of the following: |
|
||
• Log on to the domain controller locally in DSRM by using the DSRM password. |
|
||
• Restart the domain controller to log on with a domain account. |
|
||
As with a member server, the server is joined to the domain. This means that Group Policy and other |
|
||
settings are still applied to the computer. However, a domain controller should not remain in the AD DS |
|
||
Stopped state for an extended period of time because in this state, it cannot service logon requests or |
|
||
replicate with other domain controllers. |
|
||
Demonstration: Performing AD DS Database Maintenance |
USE |
||
There are several tasks and related tools that you can use to perform AD DS database maintenance. |
|||
This demonstration shows how to: |
|||
• |
Stop AD DS. |
PROHIBITED |
|
• |
Perform an offline defragmentation of the AD DS database. |
||
|
|||
• Check the integrity of the AD DS database. |
|
||
• |
Start AD DS. |
|
|
Demonstration Steps |
|
||
Stop AD DS |
|
||
1. On LON-DC1, open the Services console. |
|
||
2. |
Stop the Active Directory Domain Services service. |
|
|
|
|
Administering Windows Server® 2012 |
3-27 |
|
|
|
Perform an offline defragmentation of the AD DS database |
MCT |
|||||
• |
Run the following commands from a Windows PowerShell prompt. Press Enter after each line: |
|||||
|
ntdsutil |
|
|
|
||
|
activate instance NTDS |
USE |
||||
|
files |
|||||
|
compact to C:\ |
|||||
|
|
|||||
Check the integrity of the offline database |
.ONLY |
|||||
1. |
Run the following commands from a Windows PowerShell prompt. Press Enter after each line: |
|||||
|
|
|
||||
|
|
|
|
|
||
|
Integrity |
|
|
|
||
|
quit |
|
|
|
||
|
Quit |
|
|
|
||
|
|
|
|
|
||
2. |
Close the command prompt window. |
|
|
|
||
Start AD DS |
|
|
|
|||
1. |
Open the Services console. |
STUDENT |
||||
2. |
Start the Active Directory Domain Services service. |
|||||
|
|
|
||||
Creating AD DS Snapshots |
|
|
|
|||
NTDSUtil in Windows Server 2012 can create |
|
|
|
|
||
|
|
|
|
|||
and mount snapshots of AD DS. A snapshot is |
|
|
|
|
||
a form of historical backup that captures the |
|
|
|
|
||
exact state of the directory service at the time of |
|
|
|
|
||
the snapshot. You can use tools to explore the |
|
|
|
|
||
contents of a snapshot to examine the state of |
|
|
|
|
||
the directory service at the time the snapshot was |
|
USE |
||||
made, or connect to a mounted snapshot with |
|
|||||
LDIFDE and export a reimport objects into AD DS. |
|
|||||
Creating an AD DS Snapshot |
|
|||||
To create a snapshot: |
|
|||||
|
|
|
||||
|
PROHIBITED |
|||||
1. |
Open the command prompt. |
|||||
2. |
Type ntdsutil, and then press Enter. |
|||||
|
|
|
||||
3. |
Type snapshot, and then press Enter. |
|
|
|
||
4. |
Type activate instance ntds, and then press Enter. |
|
|
|
||
5. |
Type create, and then press Enter. |
|
|
|
||
6. |
The command returns a message that indicates that the snapshot set was generated successfully. |
|
|
|
||
7. |
The GUID that is displayed is important for commands in later tasks. Make note of the GUID or, |
|
|
|
||
|
alternatively, copy it to the Clipboard. |
|
|
|
||
8. |
Type quit, and then press Enter. |
|
|
|
||
Schedule snapshots of Active Directory regularly. You can use the Task Scheduler to execute a batch file by using the appropriate NTDSUtil commands.
3-28 Maintaining Active Directory Domain Services
Mounting an AD DS Snapshot
To view the contents of a snapshot, you must mount the snapshot as a new instance of AD DS. This is also accomplished with NTDSUtil.
To mount a snapshot:
1.Open an elevated command prompt.
2.Type ntdsutil, and then press Enter.
3.Type activate instance ntds, and then press Enter.
4.Type snapshot, and then press Enter.
5.Type list all, and then press Enter.
6.The command returns a list of all snapshots.
7.Type mount {GUID}, where GUID is the GUID returned by the create snapshot command, and then press Enter.
8.Type quit, and then press Enter.
9.Type quit, and then press Enter.
10.Type dsamain -dbpath c:\$snap_datetime_volumec$\windows\ntds\ntds.dit -ldapport 50000, and then press Enter.
11.The port number, 50000, can be any open and unique TCP port number.
12.A message indicates that Active Directory Domain Services startup is complete.
13.Do not close the command prompt window and leave the command you just ran, Dsamain.exe, running while you continue to the next step.
Viewing an AD DS Snapshot
STUDENT .ONLY USE MCT
After the snapshot has been mounted, you can use tools to connect to and explore the snapshot. Even Active Directory Users and Computers can connect to the instance.
To connect to a snapshot with Active Directory Users and Computers:
1. |
Open Active Directory Users and Computers. |
USE |
|
||
2. |
Right-click the root node, and then click Change Domain Controller. |
|
3. |
The Change Directory Server dialog box appears. |
|
4. |
Click <Type a Directory Server name[:port] here>. |
|
5. |
Type LON-DC1:50000, and then press Enter. |
|
6. |
LON-DC1 is the name of the domain controller on which you mounted the snapshot, and 50000 is |
|
|
the TCP port number that you configured for the instance. You now are connected to the snapshot. |
|
7. |
Click OK. |
PROHIBITED |
|
|
Note that snapshots are read-only. You cannot modify the contents of a snapshot. Moreover, there are no direct methods with which to move, copy, or restore objects or attributes from the snapshot to the production instance of Active Directory.
1.Switch to the command prompt in which the snapshot is mounted.
2.Press Ctrl+C to stop DSAMain.exe.