Microsoft® Official Course
Module 12
Monitoring, Managing, and Recovering AD DS

Module Overview
• Monitoring AD DS
• Managing the AD DS Database
• AD DS Backup and Recovery Options for AD DS and Other Identity and Access Solutions

Lesson 1: Monitoring AD DS
• Understanding Performance and Bottlenecks
• Overview of Monitoring Tools
• Performance Monitor
• Data Collector Sets
• Demonstration: How to Monitor Performance

Understanding Performance and Bottlenecks
• Key system resources:
  • CPU
  • Disk
  • Memory
  • Network
• A bottleneck is a resource that is currently at peak utilization

Overview of Monitoring Tools
Windows Server 2012 provides the following tools to help with monitoring performance issues:
• Task Manager
• Resource Monitor
• Event Viewer
• Performance Monitor

Performance Monitor
You can use Performance Monitor to view current performance statistics or historical data gathered by using data collector sets.

Data Collector Sets
• You can use data collector sets to gather performance-related information
• Data collector sets can contain the following types of data collectors:
  • Performance counters
  • Event trace data
  • System configuration information

Demonstration: How to Monitor Performance
In this demonstration, you will see how to:
• Create a data collector set
• Create a disk load on the server
• Analyze the resulting data in a report

Lab A: Monitoring AD DS
• Exercise 1: Monitoring AD DS with Performance Monitor
Logon Information
Virtual machine: 10969A-LON-DC1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 40 minutes

Lab Scenario
Last month, the only domain controller in the Cambridge branch office failed. You now are required to monitor AD DS to help identify problems before they become critical.

Lab Review
• When analyzing the performance of a domain controller, aside from the AD DS–specific counters in Performance Monitor, what other factors can influence domain controller performance?

Lesson 2: Managing the AD DS Database
• Overview of the AD DS Database
• Managing the Database with NtdsUtil.exe
• Restartable AD DS
• Demonstration: Performing Database Management
• Managing AD DS Snapshots

Overview of the AD DS Database
The AD DS database holds all domain-based information in four or more partitions.
[Diagram: the AD DS database on a domain controller, containing the schema partition, the configuration partition, the domain partition, and optional application partitions]

Managing the Database with NtdsUtil.exe
• Manage and control single master operations
• Perform AD DS database maintenance:
  • Perform offline defragmentation
  • Create and mount snapshots
  • Move database files
• Clean domain controller metadata:
  • Domain controller removal or demotion while not connected to domain
• Reset Directory Services Restore Mode password:
  • set dsrm password

Restartable AD DS
• Use the Services console to start or stop AD DS
• Three states of AD DS:
  • AD DS Started
  • AD DS Stopped
  • Directory Services Restore Mode
• It is not possible to perform a system state restore while AD DS is in Stopped state

Demonstration: Performing Database Management
In this demonstration, you will see how to:
• Stop AD DS
• Perform an offline defragmentation of the AD DS database
• Check the integrity of the AD DS database
• Start AD DS
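
The four demonstration steps above as one script. This is an added example, not part of the course material; it assumes the database is in the default C:\Windows\NTDS folder, and C:\DefragTemp is a hypothetical scratch folder.

```powershell
# Added example (not course material). Run elevated on the domain controller.
# Assumptions: default database folder; C:\DefragTemp is a hypothetical scratch folder.
$dbDir   = 'C:\Windows\NTDS'
$tempDir = 'C:\DefragTemp'
$dit     = Join-Path $dbDir 'ntds.dit'

# Offline defragmentation writes a complete compacted copy, so check free space first.
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null
$needed = (Get-Item $dit).Length
$free   = (Get-PSDrive -Name $tempDir.Substring(0, 1)).Free
if ($free -lt $needed) { throw "Need $needed bytes free for $tempDir, have $free." }

# Record which dependent services are running, then stop AD DS (state: AD DS Stopped).
$dependents = @(Get-Service -Name NTDS -DependentServices | Where-Object Status -eq 'Running')
Stop-Service -Name NTDS -Force

try {
    # 1. Offline defragmentation into the scratch folder.
    ntdsutil 'activate instance ntds' files "compact to $tempDir" quit quit
    $compacted = Join-Path $tempDir 'ntds.dit'
    if (-not (Test-Path $compacted)) { throw 'No compacted ntds.dit found; original left in place.' }

    # 2. Keep the original under a new name, put the compacted file in its place,
    #    and remove the old transaction logs, which belong to the old file.
    Move-Item -Path $dit -Destination "$dit.predefrag"
    Copy-Item -Path $compacted -Destination $dit
    Remove-Item -Path (Join-Path $dbDir '*.log')

    # 3. Integrity check of the database now in place; review its output before
    #    deleting ntds.dit.predefrag.
    ntdsutil 'activate instance ntds' files integrity quit quit
}
finally {
    # 4. Start AD DS again, plus any dependent service that was running before.
    Start-Service -Name NTDS
    $dependents | Where-Object { (Get-Service -Name $_.Name).Status -ne 'Running' } | Start-Service
}
```

While the script runs, this domain controller does not answer directory requests, so other domain controllers must be available to serve clients.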

Managing AD DS Snapshots
• Create a snapshot of AD DS with NTDSUtil
• Mount the snapshot with NTDSUtil
• Expose the snapshot:
  • Right-click the root node of Active Directory Users and Computers, and then choose Connect to Domain Controller
  • Enter serverFQDN:port
• View read-only snapshot:
  • Cannot directly restore data from the snapshot
• Recover data:
  • Connect to the mounted snapshot, and then export/reimport objects' attributes with LDIFDE
  • Restore a backup from the same date as the snapshot
  • Manually reenter data

Lesson 3: AD DS Backup and Recovery Options for AD DS and Other Identity and Access Solutions
• Reanimating Deleted Objects
• Configuring the Active Directory Recycle Bin
• Demonstration: Implementing the Active Directory Recycle Bin
• Backup Technologies
• Backup and Recovery Tools
• AD DS Backup and Recovery
• Backup Options for AD CS
• Backup Options for AD RMS
• Backup Options for AD FS

Reanimating Deleted Objects
• Deleted objects are recovered through tombstone reanimation
• When an object is deleted, most of its attributes are cleared
• Authoritative restore requires AD DS downtime
[Diagram: object life cycle. Live → (Delete) → Tombstoned → (Garbage Collection) → Physically Deleted; Reanimate Tombstone/Authoritative Restore returns a tombstoned object to Live]

Configuring the Active Directory Recycle Bin
• Active Directory Recycle Bin provides a way to restore deleted objects without AD DS downtime
• Uses Active Directory module for Windows PowerShell or the Active Directory Administrative Center to restore objects
[Diagram: object life cycle with the Recycle Bin enabled. Live → (Delete) → Deleted, for the Deleted Object Lifetime → (Recycle) → Recycled, for the Recycled Object Lifetime → (Garbage Collection) → Physically Deleted; Undelete/Authoritative Restore returns a deleted object to Live]

Demonstration: Implementing the Active Directory Recycle Bin
In this demonstration, you will see how to:
• Enable the Active Directory Recycle Bin
• Create and then delete test accounts
• Restore deleted accounts
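
The demonstration steps above with the Active Directory module for Windows PowerShell, as an added example that is not part of the course material. RBTest1 and RBTest2 are hypothetical test account names, and the Description check shows that attributes survive the delete, unlike tombstone reanimation.

```powershell
# Added example (not course material). Requires the ActiveDirectory module and
# rights to enable forest-wide features; RBTest1/RBTest2 are hypothetical names.
Import-Module ActiveDirectory

# 1. Enable the Recycle Bin for the forest if it is not enabled yet.
#    Once enabled it cannot be disabled, and it must replicate to all domain controllers.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name -Confirm:$false
}

# 2. Create two test accounts (disabled, because no password is set) and delete them.
$container = (Get-ADDomain).UsersContainer
$names     = 'RBTest1', 'RBTest2'
foreach ($n in $names) {
    New-ADUser -Name $n -SamAccountName $n -Path $container -Description 'Recycle Bin test'
    Remove-ADUser -Identity $n -Confirm:$false
}

# 3. Locate the deleted objects; lastKnownParent shows where each one lived.
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and sAMAccountName -like "RBTest*"' `
    -Properties sAMAccountName, lastKnownParent, description
$deleted | Format-Table sAMAccountName, lastKnownParent, description -AutoSize

# 4. Restore them to their original container, without AD DS downtime.
$deleted | Restore-ADObject

# 5. Verify that the accounts are live again and still carry their Description.
foreach ($n in $names) {
    Get-ADUser -Identity $n -Properties Description |
        Select-Object Name, Description, DistinguishedName
}

# Clean up the test accounts afterwards with Remove-ADUser.
```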

Backup Technologies
• The VSS backup technology solves data consistency issues by creating shadow copies
• You can use streaming backups for older applications that are not VSS-aware

Backup and Recovery Tools
• Windows Server Backup
• Windows Azure Online Backup
• Data Protection Manager

AD DS Backup and Recovery
• Nonauthoritative or normal restore:
  • Restore domain controller to previously known good state
  • Domain controller updates by using standard replication from partners
• Authoritative restore:
  • Restore domain controller to previously known good state
  • Mark objects that you want to be authoritative
  • Domain controller updates from its up-to-date partners
  • Domain controller sends authoritative updates to its partners
• Full server restore:
  • Typically performed in Windows Recovery Environment
• Alternate location restore

Backup Options for AD CS
[Diagram: options for backing up a CA: Windows Server Backup, the Certutil.exe tool, and DPM]

Backup Options for AD RMS
• Back up private keys and certificates
• Ensure that the AD RMS database is backed up regularly
• Export templates to back them up
• Run AD RMS server as a virtual machine, and perform full server backup

Backup Options for AD FS
• %systemdrive%\ADFS
• System state
• Servers running AD FS components must be backed up based on the information in the following table:

| Components | Files to back up |
| --- | --- |
| Federation Service | TrustPolicy.xml file; Web.config and other files under %SystemRoot%\ADFS; System state; Custom transform module (.dll) and related files; Applicationhost.config |
| Web Application Proxy | Web.config and other files under %SystemRoot%\ADFS; System state; Applicationhost.config |
| AD FS Web Agent | %SystemRoot%\ADFS; System state |

Lab B: Recovering Objects in AD DS
• Exercise 1: Backing up and Restoring AD DS
• Exercise 2: Recovering Objects in AD DS
Logon Information
Virtual machines: 10969A-LON-DC1, 10969A-LON-DC2
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 60 minutes

Lab Scenario
You were notified yesterday that one user account was deleted by accident. A few days ago, additional user accounts were deleted accidentally. You want to recover these accounts.
It is your responsibility to ensure that the directory service is backed up. Today, you noticed that last night's backup did not run as scheduled. You therefore decided to perform an interactive backup. Shortly after the backup, a domain administrator accidentally deletes the IT OU. You must recover this OU.

Lab Review
• When you restore a deleted user, or an OU with user objects, by using authoritative restore, will the objects be exactly the same as before? Which attributes might not be the same?
• In the lab, would it be possible to restore these deleted objects if they were deleted before Active Directory Recycle Bin had been enabled?

Module Review and Takeaways
• Review Question