Securing Windows 2000 Active Directory

Upload: emraan-khan

Post on 10-Apr-2018

  • 8/8/2019 Securing Windows 2000 Active Directory

    Securing Windows 2000 Active Directory (Part 3) - Backup and Restoration

    In this article I will focus on the Active Directory backup process. As part of securing your Active Directory, you need to ensure that, as a contingency plan, you are able to restore your Active Directory in the event of a disaster.

    Published: Jan 06, 2003

    Updated: Jul 23, 2004

    Author: Ricky M. Magalhaes

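    (Those who missed the first two articles in this series can read Part 1 at http://www.windowsecurity.com/articles/Securing_Windows_2000_Active_Directory_Part_1.html and Part 2 at http://www.windowsecurity.com/articles/Securing_Windows_2000_Active_Directory_Part_2.html.)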

    When backing up Active Directory, Microsoft supports only one type of backup: a full backup. Incremental and differential backups tend not to work correctly on Active Directory, and it is recommended that these options are not used. AD uses an advanced Jet database that exports a backup interface similar to that of Exchange 5.5. The reason for dropping support for incremental and differential backups is that most backup applications bind to the local client-side DLL, which has entry points defined in ntdsbcli.h.

    What will you be backing up?

    When backing up Active Directory, note that Active Directory is treated as part of the system state data.

    The contents of the system state are as follows.

    1. Boot files, including the system files, and all files protected by Windows File Protection (WFP).

    2. Active Directory (on a domain controller only).

    3. Sysvol (on a domain controller only).

    4. Certificate Services (on certification authority only).

    5. Cluster database (on a cluster node only).

    6. The registry.

    7. Performance counters configuration information.

    8. Component Services Class registration database.

    System state backup facts

    1. Log in as Administrator or Backup Operator.

    2. Only domain controllers contain AD in the system state.

    3. System state backups can be incorporated into typical backup jobs.

    4. System state backups are online.

    5. Third-party tools should be used when remotely backing up and restoring system state. Windows backup will only work on the local machine!

    Limitations of system state backup.

    1. The backup and restore of the system state cannot be set to back up or restore individual components, due to dependencies among the system state components.

    2. System state data restores can be redirected to alternate locations, in which case only the registry files, Sysvol directory files, and system boot files are restored (the redirected restore is not a complete restore).

    3. The Active Directory database, Certificate Services database, and Component Services Class Registration database are not restored to the alternate location. This means that if you need to test a restore you will run into issues when restoring in a lab environment.

    Where is the Active Directory?

    Active Directory does not reside on any one domain controller, but rather collectively across the domain controllers. When backing up Active Directory, it is a good idea to back up the system state of the entire team of domain controllers concerned, but exclude the relative ID (RID) master domain controller. Missing one of the domain controllers can result in you being unable to restore Active Directory. It is vital that no one else is able to add domain controllers to your domain controller work team.

    The diagram above represents a computer that has been selected to be backed up using a popular backup package. Note the system state is available for backing up.

    Backing up the Active Directory

    It is important that you back up the whole of Active Directory as well as the underlying services and dependencies. Active Directory relies heavily on DNS. If you are using Active Directory-integrated DNS then you will not need to explicitly back up the zone files.

    It is recommended that you back up the system disk as well as the system state, as backing up the system disk will incorporate the DNS zone data. The files that make up Active Directory will be spread across disks, as good practice dictates that database files and log files be placed on separate disks. Note: you will not have to specify where these files are, even if they are on separate disks, as backing up the system state automatically consolidates the files into one location for backup purposes.

    Warning!

    If the last backup you have is older than the tombstone lifetime set in Active Directory, your backup is considered to be ineffective. It is recommended that you perform at least two backups within the tombstone lifetime; this means that every 29 days a backup should be made, as the tombstone lifetime is 60 days. If this method is not followed you will find inconsistency within your Active Directory. I strongly recommend that a weekly backup should be the absolute minimum backup horizon considered.
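    The checks in the warning above, as an added example (not code from the original article): it audits a backup catalogue against the 60-day tombstone lifetime and the weekly minimum the article quotes, and flags any expected domain controller with no backup at all. The function name, finding codes, DC names and dates are constructed for illustration.

```python
from datetime import datetime, timedelta

TOMBSTONE_LIFETIME = timedelta(days=60)  # figure quoted in the article; confirm for your forest
WEEKLY_MINIMUM = timedelta(days=7)       # the article's "absolute minimum" backup interval


def audit_system_state_backups(expected_dcs, catalogue, now,
                               tombstone=TOMBSTONE_LIFETIME):
    """Return {dc: [finding, ...]}; an empty list means the DC passes.

    expected_dcs: every domain controller that should have a backup.
    catalogue:    {dc: [datetime of each completed system state backup]}.
    """
    report = {}
    for dc in expected_dcs:
        # Ignore timestamps in the future (clock skew or bad catalogue data).
        done = sorted(t for t in catalogue.get(dc, []) if t <= now)
        findings = []
        if not done:
            findings.append("NO_BACKUP")
        else:
            age = now - done[-1]
            if age > tombstone:
                # Older than the tombstone lifetime: do not restore from it.
                findings.append("EXPIRED")
            else:
                recent = [t for t in done if now - t <= tombstone]
                if len(recent) < 2:
                    findings.append("ONLY_ONE_IN_WINDOW")
                if age > WEEKLY_MINIMUM:
                    findings.append("OVER_A_WEEK_OLD")
        report[dc] = findings
    return report


# Constructed sample data: hypothetical DC names and backup dates.
NOW = datetime(2003, 1, 6)
EXPECTED = ["DC01", "DC02", "DC03", "DC04"]
CATALOGUE = {
    "DC01": [datetime(2002, 12, 23), datetime(2002, 12, 30)],
    "DC02": [datetime(2002, 10, 1)],
    "DC03": [datetime(2002, 12, 1)],
    # DC04 has never been backed up, so it is absent from the catalogue.
}

if __name__ == "__main__":
    for dc, findings in audit_system_state_backups(EXPECTED, CATALOGUE, NOW).items():
        print(dc, ", ".join(findings) or "OK")
```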

    Below are the files that complete the Active Directory.

    1. ntds.dit (The database file.)

    2. edb.chk(Checkpoint file.)

    3. edb*.log (Transaction log files.)4. res1.log and res2.log (Reserved transaction log files.)

    To start the backup of your Active Directory:

    1. Click on Start, then click on Run, then type in ntbackup and click OK.

    2. You should be presented with the ntbackup utility; click on Tools, then click on Backup Wizard, then click Next.

    3. Select the option to back up only the system state.

    4. Select the location where you would like to back up your system state to. If you back up to a hard disk, ensure that the disk is formatted with NTFS.

    5. Check your settings and then click Finish. If you would like to configure scheduling, hardware compression, media labels, data verification, or append it to a different job, you can do this by clicking on the Advanced button on this screen. Data verification can be viewed in the Event Viewer.

    Directory service

    The directory service is the mechanism that AD uses to trace and classify users and resources existing in a distributed system. The directory service should be considered within your overall AD backup and restore strategy. Directory service information can be replicated to other domain controllers in the same domain environment. It is vital that a recovery plan is in place before attempting a restore. All changes encountered during backup are stored in a temporary log and appended to the end of the backup set when the backup is complete.

    Summary

    Windows 2000 stores all its security information in Active Directory. This article has described the process that needs to take place in order to back up Active Directory, ensuring that it remains secure.