
Course Transcript

Microsoft Windows Server 2012 R2 - Administration: Managing Active Directory
Managing Domain Controllers
1. Writable Domain Controllers in Windows Server 2012 R2

2. Managing the FSMO Roles in Windows Server 2012 R2

3. Transferring FSMO Roles in Windows Server 2012 R2

4. Cloning Domain Controllers in Windows Server 2012 R2

5. Configuring RODC in Windows Server 2012 R2

Maintaining Active Directory


1. Backing Up Active Directory in Windows Server 2012 R2

2. Recovering Active Directory in Windows Server 2012 R2

3. Optimizing Active Directory in Windows Server 2012

4. Performing Active Directory and DC Maintenance Tasks


Writable Domain Controllers in Windows Server 2012 R2
Learning Objective
After completing this topic, you should be able to
◾ put the steps to configure Universal Group Membership Caching in order

1. Meet your instructor


Microsoft Windows Server 2012 R2 - Administration: Managing Active Directory

[Welcome to Microsoft Windows Server 2012 R2 - Administration: Managing Active Directory.]

Active Directory is the foundation for the security context for all of our networks. Guys that is
the reality, right. That is the world we live in today, an Active Directory world, almost
exclusively. So when we think about Active Directory management, when we think about the
multimaster replication model of the writable domain controllers, or WDC, we think about the
read-only domain controllers, or RODC, and the opportunity for increased security with the
deployment of read-only domain controllers.

We also think...Now what is the first thing that comes to your mind when I say multimaster
replication model? Well the first thing that you ought to think of is how I control conflicts and
changes. How do I resolve them? Well we are going to spend some time on that. We are going
to take a look at the flexible single master operations, or FSMO, role holders, which are the
role holders that prevent and resolve conflicts in Active Directory.

[The goal of this course is to understand how to maintain and configure Active Directory in
Microsoft Windows Server 2012.]

2. Writable domain controllers


When we think about Active Directory infrastructure, we want to think about physical
components of Active Directory and logical components of Active Directory. Now for most of
you listening to this, for you the forest (the logical concept) is the same as the domain (another
logical concept) because you have only a single domain. Now I know that is not true for
everybody. There are folks who have multiple domains and, of course, Active Directory scales
to support that.

The physical components of Active Directory include the domain controllers and we want to
spend time looking at writable domain controllers, or WDC. That is a physical server that
includes the Active Directory database and it is that database that houses all your security
principals, your user accounts, your group accounts, your computer accounts. The domain
acts as a boundary of replication. Those objects, those user objects are replicated only in the
domain they are created in.
[The AD forest includes four sites, Site A, Site B, Site C, and Site D. Site A and Site B include
the Windows Server 2008 writable domain controller and Site C and Site D include the read-
only domain controller. Site A and B are connected to each other via the Site link A-B, Site B
and Site C are connected to each other via Site Link B-C, and Site B and Site D are connected
to each other via Site Link B-D. The WDC, hosts the AD database and also manages the AD
environment with regards to security, groups, search and find, and DNS.]

When we think about the services that Active Directory is dependent upon and provides to the
network, these are some of the things we think about and we want to explore these in some more
detail. But certainly, the first thing is DNS. Guys if you don't know DNS, you have got to learn
DNS for the sake of your career. It is one of those top five technologies that you have to know.
Without it nothing works. Forget it baby, you can't even get a domain controller installed, let
alone support an Active Directory infrastructure.

So we have got to have DNS for name resolution and to find those Active Directory hosted
services that are so important like Global Catalog, or GC, servers, which contain references to
objects across the Active Directory forest. Then the flexible single master operations, or
FSMO, roles, again can't find them without the entries in DNS and we are going to talk about
them at some length in this course. And then Universal Group Membership Caching, which is
the service that provides authentication without the presence of a Global Catalog server in that
site, and we will talk about that in detail coming up.

Where should these services be hosted? Well today the best practice guidance from Microsoft
says that every domain controller should be a DNS server, okay. So that is the Microsoft best
practice. Every domain controller I install should be a DNS server. Global Catalog servers,
again just like with DNS, I want all my domain controllers to be Global Catalog servers,
wherever possible. And when we talk about global catalog, we will talk about some of the
details with that. The flexible single master operations role holders...now guys I will tell you I
could talk for two hours easily about where to put these things. For most of you with
environments of less than 1,000 users, there is no reason to do anything about it. They all
exist on the first install domain controller and that is just fine in any single domain environment.

And then finally, Universal Group Membership Caching. And first of all, you only need it if you
have remote sites and you only need it if those remote sites have a domain controller in them,
and you can't make that domain controller a Global Catalog server. So it is the kind of thing
that is very specific to particular implementations of Active Directory, not everybody needs it,
but you have got to understand it for the test. So we will take a look at that as well.

3. Demo: UGMC
Now I have suggested that there are times, very specific cases, where you need Universal
Group Membership Caching. First of all, what is it? Well what you have got to understand is
that when users authenticate to Active Directory, they have to be able to contact a Global
Catalog server and that is because universal group memberships are stored where, only on
Global Catalog servers; and we have to be able to retrieve the list of universal group
memberships or else logins fail. So normal, under normal circumstances, we contact a Global
Catalog server. But suppose I have some remote site and the cost of the network bandwidth is
such that I don't want to put the overhead of global catalog replication to that remote site on
the WAN connection.
Now if that is the case, which in the age of ubiquitous broadband connections is hardly ever
the case but let's say that it is, what do I do so that those users can always log in even when
the WAN link is down? On the domain controllers in that remote site, we cache the universal
group memberships. And so when we think about Universal Group Membership Caching, we
don't think of it in terms of a particular domain controller. We think of it in terms of all the
domain controllers within a site. A site connected to headquarters, let's call it, by a low speed
WAN connection that can't support the overhead of global catalog replication.

[A sample network where Universal Group Membership Caching is enabled includes three
domain controllers, DC01-GC, DC02, and DC03. The domain controller DC03 is located in Site
2, which is a remote site with no local global catalog server. The domain controllers DC01-GC
and DC02 are located in Site 1.]

We understand the circumstances under which I use Universal Group Membership Caching,
right. I have a remote site. I have domain controllers in that remote site, by definition, I have to
have domain controllers there. Those domain controllers authenticate users locally. But the
problem is every time they log in, they have to make that call to global catalog to retrieve the list
of universal groups. So just putting a domain controller in a remote site does not unburden the
WAN of all of the authentication traffic. Just putting the domain controllers there without a
Global Catalog server means that every time a user logs in, those domain controllers, or DCs,
in a remote site make a call across the WAN to retrieve the list of universal group
memberships. So I still have got a lot of authentication traffic on the WAN. So what do we do?

We enable Universal Group Membership Caching in the site. Now all those domain controllers
in that site cache the universal group memberships, so that they are made available when
users log in. When the user makes the call for authentication to a local domain controller in a
site where Universal Group Membership Caching is enabled, rather than calling the global
catalog the domain controller checks its universal group membership cache, retrieves the
user's list of universal group memberships and authenticates the user.

Now if we launch from the Tools menu here Active Directory Sites and Services, you can
take a look in here at what my site configuration is. Now in our organization, it is a multidomain
environment, right. There is the Corp domain and then there is a CHILD-DC domain down in
Atlanta, right; that is ATL, that is the Atlanta site. So these sites are physical locations, which
may map to particular domain resources or they may not, right. So for example LGA, this is in
the Corp domain. But this is our LaGuardia subnet, the LaGuardia office as opposed to the
Corp domain, which is in Newark, right. So each of these physical locations maps to one of
these subnets. In the Corp domain, we use this addressing scheme, right, and that is in the
Newark office, that is the physical location.

[The Local Server tabbed page in Server Manager window is open. The view pane of the page
includes the Properties for EWR-DC1 server. The instructor clicks Tools and selects the Active
Directory Sites and Services option. As a result, the Active Directory Sites and Services
window is displayed. The navigation pane includes Active Directory Sites and Services as the
root-node that includes the 'Sites'. The Sites sub-node includes nodes under it: Inter-Site
Transports, Subnets, Default-First-Site-Name, Corp, LGA, and ATL. The Subnets node
includes the following subnets: 10.0.0.0/8, 172.16.0.0/16, and 172.17.0.0/16. Then the
instructor expands ATL node, which contains the Servers sub-node. The Servers node
contains the CHILD-DC child domain. Then the instructor expands LGA node, which also
includes the Servers sub-node. The Servers node contains the LGA-RODC child node.
Similarly, the instructor expands Corp node and it includes Servers sub-node. The Servers
node includes two sub-nodes, EWR-DC1 and EWR-REPLICADC. Then the instructor right-
clicks the 10.0.0.0/8 subnet and from the shortcut menu selects Properties. As a result, the
10.0.0.0/8 Properties dialog box is displayed, which includes five tabs: General, Location,
Object, Security, and Attribute Editor. The General tab is open and it includes a text field
labeled as Description, Corp selected as Site, and Prefix as 10.0.0.0/8. Next the instructor
clicks OK and navigates back to the Active Directory Sites and Services window.]

In the LaGuardia site, right, we can see we use this IP addressing scheme and we see that
there are domain controllers in each of these sites, right. And if I come down here for example,
down to the Atlanta site where the CHILD-DC domain resides, if I access the Properties for
the NTDS Settings, we see that the domain controller down there is a Global Catalog server.
And that is important to me guys because when users log in they have to be able to contact a
Global Catalog server in order to retrieve the list of universal group memberships.

Now that is true even in a single domain environment, right...which my money is that, most of
you are in a single domain environment, I know not everybody is, but a lot of us are. So you
guys want to know even in a single domain environment where are universal group
memberships stored? They are stored on the Global Catalog servers. And the clients have to
be able to access a GC when they log in or else they don't authenticate, login fails and they get no
network access. So in Atlanta we have a Global Catalog server.

[The Active Directory Sites and Services window is open. The instructor right-clicks the
172.16.0.0/16 subnet and selects the Properties option from the shortcut menu. As a result,
the 172.16.0.0/16 Properties dialog box is displayed, which includes five tabs: General,
Location, Object, Security, and Attribute Editor. The General tab is selected and it includes a
text field labeled as Description, LGA selected as Site, and Prefix as 172.16.0.0/16. Next the
instructor clicks OK and navigates back to the Active Directory Sites and Services window.
Then the instructor expands the CHILD-DC node under Servers and it includes NTDS
Settings. Then the instructor right-clicks the NTDS Settings and selects the Properties option
from the shortcut menu. As a result, the NTDS Settings Properties dialog box is displayed,
which includes five tabs: General, Location, Object, Security, and Attribute Editor. The General
tab is selected and it includes a text field labeled as Description, which has no possible
description. No option is selected from the Query Policy drop-down list. The window also
includes DNS Alias that is partially visible and the Global Catalog option, which is already
selected. Next the instructor clicks OK and navigates back to the Active Directory Sites and
Services window.]

Now I provisioned LaGuardia, the LaGuardia office with its own domain controller, an RODC,
so that authentication can happen locally. But if we look at the NTDS Properties for that
server that lives out in that site, we see it is not a Global Catalog and that is a concern to me;
because if the WAN link is down back to Newark, back to the Corp domain, no Global Catalog
server can be contacted, universal group memberships can't be validated, users don't log in,
nobody in the LaGuardia office can log in.
So what do we do? We come up here to the site NTDS settings, the NT Directory Services settings,
right. We go into Properties and we Enable Universal Group Membership Caching and we
can say, "Where do we cache from?" Well we cache from the Corp site, right, that is where our
domain controllers are. And now when the users first authenticate in the LaGuardia office to
the local RODC, one of the things that will happen is that not only will their passwords get cached,
assuming that they are part of the allowed password replication policy, but additionally their
universal group memberships will be cached on that domain controller, so that in the event the
WAN link is down they are still able to be authenticated.

[The Active Directory Sites and Services window is open. The instructor expands the LGA-
RODC node under LGA Servers, which includes NTDS Settings. Next the instructor right-clicks
the NTDS Settings and selects the Properties option from the shortcut menu. As a result, the
NTDS Settings Properties dialog box is displayed, which includes five tabs: General, Location,
Object, Security, and Attribute Editor. The General tab is selected and it includes a text field
labeled as Description, which has no possible description. No option is selected from the
Query Policy drop-down list. This tabbed page also includes DNS Alias that is partially visible
and the Global Catalog option, which is not selected. Next the instructor clicks OK and
navigates back to the Active Directory Sites and Services window. Then the instructor selects
the LGA node in the navigation pane and the view pane displays a folder named Servers and a
settings file named NTDS Site Settings. The instructor right-clicks the NTDS Site Settings and
selects the Properties option from the shortcut menu. As a result, the NTDS Site Settings
Properties dialog box is displayed, which includes four tabs: Site Settings, Object, Security,
and Attribute Editor. The Site Settings tab is open and it includes text fields labeled as
Description, Server, and Site. All of the text fields are empty. Then the instructor selects the
Enable Universal Group Membership Caching option and then selects CN-Corp site for the
option labeled as 'Refresh cache from:' in the tab. Next the instructor clicks OK and navigates
back to the Active Directory Sites and Services window.]
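
As an added example (not part of the course), the following PowerShell audit checks every site for the situation the demo walks through: domain controllers present, no local Global Catalog, and whether Universal Group Membership Caching is enabled and which site it refreshes from. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation with read access to the Configuration partition; the attribute names and the 0x20 option bit are from the AD schema, the function name and output columns are my own.

```powershell
# Added example (not from the course): audit each AD site for a local Global
# Catalog and for the Universal Group Membership Caching (UGMC) setting shown in
# the demo. Assumes the RSAT ActiveDirectory module and read access to the
# Configuration partition; run from a domain-joined admin workstation.
Import-Module ActiveDirectory

# In the "options" attribute of a site's NTDS Site Settings object, bit 0x20
# (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) is the "Enable Universal Group
# Membership Caching" checkbox; "msDS-Preferred-GC-Site" is "Refresh cache from:".
$UgmcFlag = 0x20

function Get-SiteGcCoverage {
    # DCs of the current domain only; RODCs are included (IsReadOnly = $true).
    $dcs = @(Get-ADDomainController -Filter * |
             Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly)

    foreach ($site in Get-ADReplicationSite -Filter *) {
        $siteDCs  = @($dcs | Where-Object { $_.Site -eq $site.Name })
        $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
                                 -Properties options, 'msDS-Preferred-GC-Site'

        $ugmcOn  = [bool]([int]$settings.options -band $UgmcFlag)
        $refresh = '-'
        if ($ugmcOn) {
            $pref = $settings.'msDS-Preferred-GC-Site'
            # An empty "Refresh cache from:" field means the DC picks the nearest GC site.
            $refresh = if ($pref) { (Get-ADObject -Identity $pref).Name } else { '(nearest GC site)' }
        }

        $hasDC = $siteDCs.Count -gt 0
        $hasGC = @($siteDCs | Where-Object { $_.IsGlobalCatalog }).Count -gt 0

        # The situation from the demo: a site with DCs but no GC. Without UGMC every
        # logon still crosses the WAN to fetch universal group memberships.
        if (-not $hasDC) {
            $assessment = 'No DCs in site'
        } elseif ($hasGC) {
            $assessment = 'OK: local GC'
        } elseif ($ugmcOn) {
            $assessment = 'OK: UGMC covers logons if the WAN is down'
        } else {
            $assessment = 'RISK: logons depend on a GC across the WAN; enable UGMC or make a local DC a GC'
        }

        [pscustomobject]@{
            Site        = $site.Name
            DCs         = ($siteDCs.HostName -join ', ')
            LocalGC     = $hasGC
            UGMCEnabled = $ugmcOn
            RefreshFrom = $refresh
            Assessment  = $assessment
        }
    }
}

Get-SiteGcCoverage | Format-Table -AutoSize -Wrap
```
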
Managing the FSMO Roles in Windows Server 2012 R2
Learning Objective
After completing this topic, you should be able to
◾ match the FSMO Roles in Windows Server 2012 with their description

1. The FSMO roles


The reality of Active Directory, or AD, and the Active Directory database, the NTDS.dit
database is that Active Directory is what we call a multimaster replication model. So on every
domain controller, or DC, there is a read/writable copy of the database, which means I can
connect to any domain controller, create a user account for you, and the existence of that user
account is replicated to all domain controllers within that domain, got it? Now guys when you
hear that, right, multimaster replication model, I can make changes in any copy of the
database.

What is the first thing you get concerned about? You get concerned about conflicts, conflicts in
the data and how do we resolve them. Well that is the function of the flexible single-master
operations, or FSMO, role holders to eliminate, prevent, or reconcile conflicts in the database.
Let's take a look at these.

Now the first thing to understand about the Active Directory database is that it is a .dit file. Now
for you guys that have a Lightweight Directory Access Protocol, or LDAP, background,
immediately you recognize that as an LDAP file type, right? That is what it is. Which means, for
you guys with an LDAP background, you know that Active Directory is nothing but Microsoft's
proprietary implementation of LDAP. And so if you have got that LDAP background, all the
LDAP tools work here – LDAP.exe, Lightweight Directory Interchange Format Directory
Exchange, or LDIFDE, right, et cetera. Now dig it, directory information tree file, a .dit file when
you hear that you want to think to yourself, I know what that is. That is not a simple flat file
database. Oh no! That is a complex hierarchical database, a partitioned database. Now what
does that mean? Well it means that there are different partitions within that database that store
different information and the first of those is the schema partition.

The schema partition is the blueprint for Active Directory. It is what defines an object, object
classes, and object attributes. It is how Active Directory understands what a user object is,
what a group object is, a computer object, et cetera. It is the DNA, the blueprint for everything
in Active Directory. Now the only read/writable copy of that partition of the database is on a
particular server, the first installed domain controller in the forest is called the schema master,
and you have got to be a member of the Schema Admins group to edit that database. To do
that, you run regsvr32 schmmgmt.dll. Why is it 32-bit? I don't know because everything
is 64-bit today, but they are still using 32-bit. That will let you, as a schema admin, access the
underlying Active Directory schema and edit it. You never want to do that. You are fooling with
the DNA of Active Directory. Instead, what we do is we use programmatic solutions that are
commonly provided by Microsoft for us.
[The Administrator: Command prompt window includes the following command: regsvr32
schmmgmt.dll. The output of the above command is a RegSvr32 message box, which displays
the following message: DllRegisterServer in schmmgmt.dll succeeded.]

The blueprint, the DNA of Active Directory, is so important that it can only be edited on the
schema master and from there replicated out to all of the rest of Active Directory. Similarly,
what Active Directory understands about itself...the domains, the sites, the domain controllers,
right. The map of Active Directory itself is so important that we have a FSMO role just to
manage that. That is the domain naming master, which, by default, is the first installed domain
controller in the Active Directory forest. And the domain naming master has a partition of the
database on it that is read/writable only on the domain naming master. That is the
configuration partition and that is the map of Active Directory. It is everything Active Directory
knows about itself.

With the schema master, we prevent conflicts in the base DNA of Active Directory. With the
domain naming master, we prevent conflicts in the creation of Active Directory domains. Those
are the first two partitions in the database and the first two FSMO roles, and they are unique to
the Active Directory forest, no matter how many domains you have. The schema and
configuration partitions are the same. But in each domain, there is the domain partition of the
database and that is unique to each domain in Active Directory.

Now guys, you think about this with me. When I create a user object in AD, it gets a security
identifier, or SID, right. How do we prevent conflicts in SID generation? Well the first installed
domain controller in the domain acts as the relative identifier, or RID, master. And basically,
right...RIDs, relative identifiers, are a subset of the object SID. So the full object security
identifier is a concatenation, right, we stitch them together, right. The concatenation is a fancy
word that means 'stitch these things together'...of the domain SID and a relative identifier. The
relative identifiers get handed out to all the domain controllers, all the writable domain
controllers by the RID master. So the RID master says to the first domain controller, "Hey
buddy, you give out numbers one to 500. You give out numbers 501 to 1,000. You give out a
1,001," right there. So RIDs are assigned in blocks of 500. And that way unique SIDs are
always generated at object creation across the Active Directory domain.

Now for most of you out there, you live in a single domain environment and that is the reality,
right? When we look at the world today, almost everybody is working in a single domain
environment, at least in the 1,000-user in lists space. Now for you that means that you have no
use for this thing, this infrastructure master. And you don't even care about it. You don't even
care if the thing is turned on because the function of the infrastructure master is to track object
references as they move between domains. So if I were a large multinational conglomerate
with a North American domain and a European domain and you came to work for us in North
America, your account would exist in North America. Then you get a transfer to the Berlin
office. Now we move your account, your user account object to the Europe domain, dig it. How
do we track that movement? How do we maintain those object references back to the original
object? Well that is the function of the infrastructure master.

Now most of you are in a single domain so that is not a concern for you, right. But for you guys
that are not, you have got to know this. You have got to know that the infrastructure master
uses the same LDAP ports as Global Catalog and so there is a port conflict. Now dig it. If this
role was on the first installed domain controller, which is always a Global Catalog server, it
does not work, right guys, it is not on, it is not enabled, it can't be. So for this thing to work, you
have got to transfer the role from the original Global Catalog hosted domain controller to a
domain controller that is not a Global Catalog server, which, by the way, following the Microsoft
best practice guidance today, is the only domain controller in your place that is not a Global
Catalog server.

The last of the FSMO roles is the primary domain controller, or PDC, emulator. And the PDC
emulator role serves a number of functions guys. I mean, originally one of its big things was to
perform backward compatibility to Windows 9X generation clients that were hard coded to only
change their passwords and authenticate to a PDC, which...it was an NT 4 term. Don't worry
about it if that is not familiar to you. So...but that functionality does not matter anymore. What
matters today is how do I eliminate conflicts in Group Policy creation? Well when I edit Group
Policy, in fact, I am always doing it on the PDC emulator. How do we eliminate conflicts in
timestamps? How do we keep the clocks all synchronized so that the latest and greatest
change is always the one that is authoritative? The PDC emulator acts as a time server to the
network, keeping clocks synchronized around the network, which is one of the reasons why on
the PDC emulator, you should always run the net time command and sync the PDC emulator
to one of the atomic clocks on the public Internet.

And by doing so, then you keep all the clocks synchronized within milliseconds of each other,
right. And that is what you want to do because timestamps are going to be important in a
multimaster replication model. What about password changes, right? Like...because I can
authenticate to any domain controller. If I change my password on one, how long is it going to
take to replicate across the network? Well normally, it could take a while if the password
changes and the account lockouts fell under the same replication categories...everything else,
but they don't, there...what is called urgent replication traffic. So when you lock out an account
or you change a password, that information is immediately replicated to the PDC emulator,
which immediately pushes that change out to everybody else.

2. FSMO role placements


Now ladies and gentlemen, when it comes to architecting the placement of my FSMO role
holders in network environments of less than 1,000 users with only a single domain, I have a
hard time telling you to move them anywhere. They are on the first installed domain controller,
which is almost certainly going to be at the site, you know, your headquarters right, where your
IT staff is. It is going to be proximate to the majority of your users and that is what you want,
right. So in those circumstances, there is very little reason to offload anything. Now if you want
to add another domain, then you want to add another domain controller. Make sure it is not a
Global Catalog server and offload the infrastructure master to it. But other than that, I would
leave them in a central location and not move them off that first installed domain controller.

Now here we see a scaled implementation of Active Directory, a single forest multidomain
implementation. And I know that because, when I look at this, right, I see that there are two
domain triangles and they are joined from bottom to top and they have a consistent naming
convention, right ug.ad, manufacturing.ug.ad. Now when we think about the domain specific
infrastructure master role, its job is to update object references between domains, as objects
move between domains in an Active Directory forest so that...and remember it can't be on a
Global Catalog server and so we always offload that role. Now commonly, guys for the
purposes of managing network replication and latency issues, we want the domain controllers
to be on the same subnet. We want that subnet to be proximate to the users and we don't ever
locate the FSMO roles in remote offices, right? We want them in the central location where we
can maximize the efficiencies of replication and minimize latency.

3. Demo: FSMO management


When we think about managing conflicts and preventing conflicts in a multimaster replication
model, we think about the FSMO role holders, right, the operations master role holders, that is
their job. Now pre-eminent among these is the schema master, which maintains the only
read/writable copy of the Active Directory Schema, the definition of objects in the directory,
right. Now that is, by default, on the first installed domain controller in the Active Directory
forest, and there is a tool, a Microsoft Management Console, or MMC, management console
snap-in called the Active Directory Schema management snap-in. And if I come in here I see
that, that is here, we can add that and then we have access to the underlying blueprint, right,
the underlying DNA of Active Directory. This is where the definitions of all the objects, object
classes, and object attributes for Active Directory live.

[Server Manager is open. It includes the following options: Dashboard, Local Server, All
Servers, AD DS, DHCP, DNS, and File and Storage Services. The Local Server option is open
and the Properties for EWR-DC1 page is displayed. This page includes the following partially
displayed information: Computer name: EWR-DC1 Domain: Corp.Borcadero.com Windows
Firewall: Domain: On Remote management: Enabled Remote Desktop: Disabled NIC
Teaming: Disabled CORP: 10.0.0.1, IPv6 enabled Ethernet: 192.168.1.117, IPv6 enabled
Operating system version: Microsoft Windows Server 2012 R2 Datacenter Hardware
information: Microsoft Corporation Virtual Machine The instructor navigates to the MMC
management console. This console/window includes File, Action, View, Favorites, Window,
and Help menu options. It also includes the Console Root node. Then the instructor clicks the
File menu and selects Add/Remove Snap-in. As a result, the Add/Remove Snap-in dialog box
is displayed. This dialog box includes the following sections: Available snap-ins, Selected
snap-ins, and Description. It also includes Add, Edit Extensions, Remove, Move Up, Move
Down, and Advanced buttons. The Available snap-ins section includes different snap-ins, each
having a vendor. Next the instructor double clicks the Active Directory Schema snap-in in the
Available snap-ins section and it gets added in the Selected snap-ins section. The instructor
then selects the Active Directory Schema snap-in in the Selected snap-ins section and clicks
OK. As a result, the MMC management console window is displayed. On this window, the
Active Directory Schema node is added below the Console Root node. The Active Directory
Schema node includes Classes and Attributes nodes.]

Now if you are sitting on the first installed domain controller in the Active Directory forest and
you go to add this snap-in and it does not appear, that is because you have got to first register
the Dynamic Link Library, or DLL. So what I do...and this is true even in Windows Server 2012
today, which is all 64-bit, right, I come into a Run command and I run regsvr32
schmmgmt.dll and I register the schema management DLL and that should be done.

You can do this on any server and you can remote in, but it is preferable really to limit access
to the schema management console because changes made here are potentially problematic,
right, you want to limit access to this by limiting membership in the Schema Admins group. And
in fact, right by default, Microsoft says you should not put anybody in that group until you need
to get access to the schema. Then you temporarily add somebody, give them access and go
from there, and then get them out of the group when their job is done. So that is the schema
management DLL. Now if we take a look here, I meant to show you this in the Schema
Management Console, I can right-click Active Directory up there and I can see the server that
is acting as the schema master, right. That is what I want to know here.

[The MMC management console is open. This window includes the Console Root node. This
node includes the Active Directory Schema node. The Active Directory Schema node further
includes Classes and Attributes nodes. The instructor navigates to the Run dialog box. This
dialog box includes regsvr32 schmmgmt.dll already entered in the Open text field. On this
dialog box, the instructor clicks Cancel and navigates to the MMC management console. On
this window, the instructor right-clicks the Active Directory Schema node and selects
Operations Master. As a result, the Change Schema Master dialog box is displayed. This
dialog box includes the Current schema master (Online) text field, in which EWR-
DC1.Corp.Brocadero.com is already entered. It also includes a Change button. On this dialog
box, the instructor clicks Close and returns to the MMC management console.]

Now to locate the domain naming master, which again is a forest specific role, right, I can go
into the Domains and Trusts Console and in the Domains and Trusts Console, if I right-click
the top of the tree and say Operations Master there, I see the domain naming master.

And again, guys there is one domain naming master, one schema master per Active Directory
domain. The schema master has the only read/writable copy of the schema partition of the
Active Directory database, while the domain naming master has the only read/writable copy of
the configuration portion of the database, the map of Active Directory, the domains, the domain
controllers, the Global Catalog servers, et cetera.

[The MMC management console is open. This window includes the Console Root node. This
node includes the Active Directory Schema node. The Active Directory Schema node further
includes Classes and Attributes nodes. The instructor navigates to the Active Directory
Domains and Trusts [EWR-DC1.Corp.Brocadero.com] window. This window includes the Active
Directory Domains and Trusts [EWR-DC1.Corp.Brocadero.com] node. This node further
includes the Corp.Brocadero.com node. The instructor right-clicks the Active Directory Domains
and Trusts [EWR-DC1.Corp.Brocadero.com] node and selects Operations Master. As a result,
the Operations Master dialog box is displayed. This dialog box includes the Domain naming
operations master text field, in which EWR-DC1.Corp.Brocadero.com is already entered. It also
includes a Change button.]

Now these are both forest wide roles, right. There is only one schema master, one domain
naming master in the forest. But in a domain, for every domain, right, I have a relative
identifier, or RID, master, a primary domain controller, or PDC, emulator and an Infrastructure
master. So in a domain like mine where I have a parent domain Corp and a child domain child,
I have a RID master, PDC emulator, and Infrastructure master for each of those Active
Directory domains.

These are the consoles where we can get at these. We can identify which servers if we have
not previously documented this, right, one of the things you want to document is who your role
holders are. And if we had a need to change or transfer who the role holder was, we could do it
from within these consoles, the Schema Management Console, Active Directory Domains and
Trusts, or Active Directory Users and Computers.
[The Active Directory Domains and Trusts [EWR-DC1.Corp.Brocadero.com] window is open
and the Operations Master dialog box is displayed. This dialog box includes the Domain naming
operations master text field, in which EWR-DC1.Corp.Brocadero.com is already entered. It also
includes a Change button. On this dialog box, the instructor clicks Close. As a result, the
Active Directory Domains and Trusts [EWR-DC1.Corp.Brocadero.com] window is displayed.
The instructor navigates to the Active Directory Users and Computers window. This window
includes the File, Action, View, and Help menu options. It also includes the Saved Queries and
Corp.Brocadero.com nodes. The Corp.Brocadero.com node includes the following partially
displayed nodes: Builtin, Computers, Domain Controllers, Executives,
ForeignSecurityPrincipals, ITUsers, LostAndFound, Managed Service Accounts, Marketing
Users, Program Data, R&D Laptops, R&D Users, Sales Users, System, Servers, Users, Win7
Clients, Win8 Clients, and NTDS Quotas. The ITUsers node is already selected. The instructor
right-clicks the Corp.Brocadero.com node and selects Operations Master. As a result, the
Operations Master dialog box is displayed. This dialog box includes RID, PDC, and
Infrastructure tabs. The RID tab is selected by default and the RID tabbed page is displayed.
This page includes the Operations Master text field, in which EWR-DC1.Corp.Brocadero.com is
already entered. It also includes a Change button.]
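The consoles above show one role at a time. The following script is an added example, not part of the course, that does the documentation step the instructor asks for in one pass: it lists the two forest-wide and the three per-domain role holders, warns if an Infrastructure master sits on a Global Catalog in a multi-domain forest (acceptable only when every DC in that domain is also a GC), and reports whether Schema Admins is empty, as the instructor recommends. It assumes the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) and an account that can read the directory; no domain names are hard-coded.

```powershell
# Added example (not from the course): inventory FSMO role holders, check the
# Infrastructure master / Global Catalog placement, and audit Schema Admins.
# Assumes the ActiveDirectory module and a domain account with read access.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Forest-wide roles: exactly one of each in the whole forest.
$inventory = [ordered]@{
    'Schema master'        = $forest.SchemaMaster
    'Domain naming master' = $forest.DomainNamingMaster
}

# Domain-wide roles: one of each per domain, so walk every domain in the forest.
$domains = foreach ($name in $forest.Domains) { Get-ADDomain -Identity $name }
foreach ($d in $domains) {
    $inventory["PDC emulator ($($d.DNSRoot))"]          = $d.PDCEmulator
    $inventory["RID master ($($d.DNSRoot))"]            = $d.RIDMaster
    $inventory["Infrastructure master ($($d.DNSRoot))"] = $d.InfrastructureMaster
}
$inventory.GetEnumerator() | Format-Table -AutoSize

# Check 1: with more than one domain, the Infrastructure master should not be a
# Global Catalog unless every DC in its domain is a GC.
if ($forest.Domains.Count -gt 1) {
    foreach ($d in $domains) {
        $im    = Get-ADDomainController -Identity $d.InfrastructureMaster
        $dcs   = Get-ADDomainController -Filter * -Server $d.DNSRoot
        $allGC = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        if ($im.IsGlobalCatalog -and -not $allGC) {
            Write-Warning "$($d.DNSRoot): Infrastructure master $($im.HostName) is a GC; move the role to a non-GC DC."
        }
    }
}

# Check 2: Schema Admins (root domain) should stay empty until a schema change is scheduled.
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive
if ($schemaAdmins) {
    Write-Warning ('Schema Admins is not empty: ' + (($schemaAdmins | ForEach-Object SamAccountName) -join ', '))
} else {
    Write-Output 'Schema Admins is empty (expected).'
}
```

Run it from any domain-joined machine with the module installed; the output is the role-holder record worth keeping with the rest of the Active Directory documentation, and the two warnings are the conditions the rest of this topic tells you to avoid.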
Transferring FSMO Roles in Windows Server
2012 R2
Learning Objective
After completing this topic, you should be able to
◾ match the FSMO roles to descriptions of how they respond to seizing

1. FSMO transfer and seizing


Whenever Microsoft releases a new operating system, we replace our domain controllers with
domain controllers running the new OS, right. So if you have got an Active Directory
domain that has all 2003 domain controllers, or all 2008 domain controllers,
one of the things that you are likely going to be tasked with in the near future is
decommissioning them and bringing up 2012 R2 domain controllers. Now what about the
flexible single master operations, or FSMO, roles that are so important to me? Well I want to
transfer them off those machines, and we transfer roles when we are in the process of
decommissioning the earlier versions of the operating systems, right.

We are going to demote those domain controllers, make them member servers again, remove
the Active Directory components, remove the Active Directory database, and instead have that
housed on a more resilient, newer hardware, on a 2012 R2 box, right. In those scenarios, we
do graceful transfers when the servers are all online. But what happens if a FSMO role holder
suddenly goes offline? In those cases, we seize those roles.

[In a sample forest, the forest root domain ug.ad has a domain controller that holds three
groups of roles: the schema master, the domain naming master (which is also a Global Catalog),
and the PDC emulator and RID master. This domain controller is connected to the domain
controller of its child domain, manufacturing.ug.ad, which holds two groups of roles: the PDC
emulator and RID master, and the Infrastructure master. When a role is transferred, its
operation is moved from one DC to another. DC replication occurs, so no information is lost.
The previous role holder no longer attempts to perform the job, so no duplicate operations
exist on the network. When a role is seized, the DC holding it has become unexpectedly
unavailable and the failure requires the role to be moved; the role is forced onto another DC.
The original DC can never be reattached to the network, because it could cause corruption of data.]

Now under what circumstances do we transfer roles? Well, if you have got problems. All these
roles by default are hosted on the first installed domain controller in your Active Directory
domain. Consequently, that tends to be the oldest box around, right, and so over time as the
performance of that box degrades, we want to move those roles, we want to transfer those
roles off that box and get them someplace where they ought to be. If a DC were to fail, or if a
DC needs to be decommissioned, right, on my 2003, 2008 domain controllers,
I want to remove the Active Directory components, get the Active Directory database off there,
get all my authentication and authorization services onto a brand, spanking new 2012 R2 box.

So I want to transfer the roles from the earlier servers. If there are administrative configurations
that will affect the role on the domain controller, we are making some change to the nature of
the network infrastructure that requires a transfer of that role off that box. That is another
example of when we might do this. But again guys, wherever possible we want to transfer the
roles. Next we want to take a look at when to seize those roles and what some of the concerns
are with seizing those roles.

[In a sample forest, the forest root domain ug.ad has a domain controller that holds the
schema master, the domain naming master (which is also a Global Catalog), and the PDC
emulator and RID master. This domain controller is connected to the domain controller of its
child domain, manufacturing.ug.ad, which holds the PDC emulator and RID master, and the
Infrastructure master.]

Wherever possible, we want to gracefully transfer the role from a running domain controller to
another running domain controller, but you and I know that is not always possible. There are
circumstances where motherboards fry, disks fail, construction guys put a nail right through the
disks, right through the...I had this happen once, right through the platters of your forest root
domain controller. Painful, right. So what do you do? I seize those roles. I forcibly make another
domain controller in the place responsible for those roles, and I want to do that. Now guys, be
aware, if you are ever in this situation, there are only two domain controllers that you can even
think about putting back online after the role has been seized from them, and that is the primary
domain controller, or PDC, emulator and the infrastructure master. The others all have to be
permanently decommissioned; they can never be brought back online again.

[Seizing the schema master role will only be evident when the schema needs to be modified.
After the role is seized, the original DC host cannot be brought back online. The DC must be
completely removed from Active Directory before it can be re-introduced to an Active Directory
domain. Seizing the domain naming master role will only be evident when you try to add or
remove a domain, or promote or remove a domain controller. After the role is seized, the
original DC host cannot be brought back online. The DC must be completely removed from Active
Directory before it can be re-introduced to an Active Directory domain. Seizing the
Infrastructure master role will not be noticed immediately, but inconsistencies will start to
appear in universal group memberships. The Infrastructure master role should be seized to a DC
that is not serving the global catalog. The original DC can be returned to the network if it is
revived. Seizing the RID master role will be noticed if a DC has exhausted its RID pool before
the role is re-established. After the role is seized to another DC, the original domain
controller host must be removed from Active Directory before it can be re-introduced to an
Active Directory domain. Seizing the PDC emulator role will immediately affect older OS
clients attempting to log on. Failure will have an almost immediate impact on general logon and
password change. The original DC can be returned to the network if it is revived. The
Administrator: Command Prompt - ntdsutil window includes the following session:
C:\Windows\system32>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server Server2012-07
Binding to Server2012-07...
Connected to Server2012-07 using credentials of locally logged on user.
server connections: quit
fsmo maintenance: seize infrastructure master
The Role Seizure Confirmation Dialog dialog box displays a message asking for confirmation to
seize the particular role. It consists of "Yes" and "No" buttons.]

2. Demo: Transferring a FSMO role


As we migrate our Active Directory domains from 2003, 2008 to 2012, one of the things that
we do as part of that demotion of the older domain controllers, is we transfer FSMO roles from
them to the new 2012 servers. And then another occasion to do that is when I am moving from
a single domain environment to a multidomain environment. So let us take a look at something
here. If I am here in the Active Directory Users and Computers console and I right-click up
here at the domain level, right, there is this choice for Operations Masters. And I see that I
am in the default configuration right, that all the Operations Masters are sitting on that first
installed domain controller just like I would expect them to be. But there is a problem with this. I
want to add a child domain and I see that the Infrastructure master is on a domain controller
that is also a Global Catalog server, right, we can validate that here in the domain controller
properties, NTDS Settings. I see it is a Global Catalog. So I know it is, right, because it is a
first installed domain controller so by default it is always a Global Catalog, or GC.

[The Active Directory Users and Computers window is open. The Domain Controllers node in the
navigation pane is already selected. The instructor right-clicks the Corp.Brocadero.com node in
the navigation pane and selects the Operations Masters option from the shortcut menu. The
Operations Masters dialog box is displayed and contains the following tabs: RID, PDC, and
Infrastructure. The Infrastructure tab is open. The Infrastructure tabbed page consists of two
text fields: one for the current Operations master, and another in which you can enter the name
of the computer to which the operations master role is to be transferred. The instructor
navigates back to the Active Directory Users and Computers window, where the Domain
Controllers node is selected. The view pane displays the following domain controller names: EWR-
DC1, EWR-REPLICADC, and LGA-RDC. The instructor right-clicks EWR-DC1, which opens
the EWR-DC1 Properties page. The instructor clicks the NTDS Settings button on the EWR-DC1
Properties page. The NTDS Settings Properties dialog box is displayed, in which the General
tabbed page is open. The page contains the following text fields: Description, Query Policy, and
DNS Alias. The page also contains the Global Catalog option, which is already selected.]

That is a problem because there is a port conflict with the Global Catalog service, a
Lightweight Directory Access Protocol, or LDAP, port conflict between the Global Catalog service
and the Infrastructure master role. So that role is not actually functioning, but I don't care,
because up till now I have been in a single domain environment. And in any single domain
environment, what is the function of the Infrastructure master? It tracks changes to objects as
they move between Active Directory domains. So I don't have another...I have not had another
domain before now, so I did not care that the thing did not work, right. Now if I am a GUI kind of
guy, what I can do is I can sit down at the domain controller that I want to become the
infrastructure master.

So in this example, if we look here at our Domain Controllers again, if we look at the properties
for EWR-REPLICADC in the NTDS Settings, we see that the second domain controller for this
domain is not a Global Catalog, it is a good candidate for becoming our Infrastructure master.
So that is the machine I want to target for this. So if I am a GUI guy and I want to do this
change in the GUI, what I do is I log in to that machine. I open up Active Directory Users and
Computers, I go to Infrastructure master and I say Change.

[The General tabbed page is open in the NTDS Settings Properties dialog box. The instructor
clicks OK and navigates back to the EWR-DC1 on localhost window. The instructor right-clicks
Corp.Brocadero.com in the navigation pane and selects the Operations Masters option from the
shortcut menu. The Operations Masters dialog box is open with the RID tab open. Next the
instructor clicks the Infrastructure tab. The instructor navigates to the EWR-DC1 on localhost
window, in which the Corp.Brocadero.com node is already selected. The instructor clicks the Domain
Controllers node and right-clicks EWR-REPLICADC in the navigation pane. The EWR-
REPLICADC Properties dialog box is displayed and the General tab is open. The instructor
clicks the NTDS Settings button on the page, which opens the NTDS Settings Properties dialog box,
which includes the following text fields: Description, Query policy, and DNS Alias, along with
the Global Catalog option. Next the instructor navigates back to the EWR-DC1 on localhost
window and right-clicks the Corp.Brocadero.com node in the navigation pane. The instructor selects
the Operations Masters option from the shortcut menu and clicks the Infrastructure tab on the
Operations Masters dialog box. The instructor clicks the Change button on this page.]

But you have to be logged in; see, that is one of the limitations of the GUI, you actually have to be
logged into, or connected to, that machine. See, if I try to Change it here, connected to the
local machine, it says no. So if I wanted to change it from here without changing my connections, what
could I do? Well I could come in here into PowerShell, and in PowerShell now you will notice
the Netdom commands work here. If I wanted to just query for the FSMO roles, I wanted a
quick list of those roles and who is hosting them, I can validate that here with netdom query
fsmo, flexible single master operations, right.

And we see, just like we saw in the GUI, that all those roles are hosted on this machine. Now
there are some new PowerShell cmdlets for managing FSMO roles. So for example, it is the
Move-ADDirectoryServerOperationMasterRole cmdlet and what I do is I specify
as the Identity, the domain controller that I want to move the role to.

[The Operations Masters dialog box is open. The instructor clicks the Change button in the
Infrastructure tabbed page. The Active Directory Domain Services message box is displayed
with a message reading that, to transfer the operations master role to another computer, a
connection must first be established with the computer. The instructor clicks OK and navigates to
the PowerShell command prompt, which includes the following code:
PS C:\Users\Administrator> netdom query fsmo
The instructor runs the command and the following output is displayed:
Schema master           EWR-DC1.Corp.Brocadero.com
Domain naming master    EWR-DC1.Corp.Brocadero.com
PDC                     EWR-DC1.Corp.Brocadero.com
RID                     EWR-DC1.Corp.Brocadero.com
RID pool manager        EWR-DC1.Corp.Brocadero.com
Infrastructure master   EWR-DC1.Corp.Brocadero.com
The command completed successfully.
Next the instructor enters the following cmdlet in the PowerShell command prompt:
PS C:\Users\Administrator> Move-ADDirectoryServerOperationMasterRole -Identity EWR-ReplicaDC -OperationMasterrole 2]

So in this example, EWR-ReplicaDC, and I don't need the fully qualified domain name, or
FQDN, just the Network Basic Input/Output System, or NetBIOS, name of the machine will do. And
then the switch is OperationMasterrole, right, again all singular, not like you might
expect. And then look here, see that number 2, that corresponds to an integer parameter value
for the InfrastructureMaster role, right.

So guys if you look at this list, here is something you want to know. You can reference the role
holders either by this name or by this number and clearly this is a lot easier, right. If I needed
to...if I had my forest root domain controller crash and I wanted to move en masse all five of
these roles, I could do it by comma separating zero through four, boom, as part of the
command line; or I can type a PDCEmulator, RIDMaster, right, that is why there is no
spaces here guys, because these are the parameter values that would be used to specify this
role holder in PowerShell. DomainNamingMaster...no spaces, dig, or if you are like me, 4.
And it is a lot easier, right.

[The PowerShell command prompt is open, which contains the following code:
PS C:\Users\Administrator> netdom query fsmo
Schema master           EWR-DC1.Corp.Brocadero.com
Domain naming master    EWR-DC1.Corp.Brocadero.com
PDC                     EWR-DC1.Corp.Brocadero.com
RID                     EWR-DC1.Corp.Brocadero.com
RID pool manager        EWR-DC1.Corp.Brocadero.com
Infrastructure master   EWR-DC1.Corp.Brocadero.com
The command completed successfully.
PS C:\Users\Administrator> Move-ADDirectoryServerOperationMasterRole -Identity EWR-ReplicaDC -OperationMasterrole 2
Next the instructor opens a list of FSMO Role Holders Parameter Values in Notepad. The
values displayed in the list are as follows:
0 - PDCEmulator
1 - RIDMaster
2 - InfrastructureMaster
3 - SchemaMaster
4 - DomainNamingMaster
The instructor navigates back to the PowerShell command prompt.]

So we come back in here right now you can see there is the command line. There is the
specified role, go ahead, and say Enter. And then we should be prompted, 'You are going to
move this role, are you sure you want to do this?' 'Move Operation Master Role, Do you want
to move role 'InfrastructureMaster' to server' and I see this server is fully qualified domain
there. Y for yes and I know you could back out of it at this juncture if you wanted to. And this is
a much easier process than all that mucking around in with Ntdsutil, right, which is still a valid
way to do things. But this is clearly a lot easier even with that long cmdlet right, that
ADDirectoryServer. Now if I run netdom query fsmo, what I see is that the Infrastructure
master role is being handled by the ReplicaDC, which is exactly what I want to see.

[The PowerShell command prompt is open, which includes the following code:
PS C:\Users\Administrator> netdom query fsmo
Schema master           EWR-DC1.Corp.Brocadero.com
Domain naming master    EWR-DC1.Corp.Brocadero.com
PDC                     EWR-DC1.Corp.Brocadero.com
RID                     EWR-DC1.Corp.Brocadero.com
RID pool manager        EWR-DC1.Corp.Brocadero.com
Infrastructure master   EWR-DC1.Corp.Brocadero.com
The command completed successfully.
PS C:\Users\Administrator> Move-ADDirectoryServerOperationMasterRole -Identity EWR-ReplicaDC -OperationMasterrole 2
The instructor hits Enter and a confirmation message is displayed asking for confirmation
to move the Operation Master role. The default option is "Y". The instructor enters
'y'. Next the instructor again runs the 'netdom query fsmo' command. Now the Infrastructure
master is shown as EWR-ReplicaDC.Corp.Brocadero.com on the screen.]

Now guys there are times, right, like I suggested that if your forest root domain controller
crashed, it was offline and you needed to get these roles back online, what you can do to seize
the role, forcibly seize the role is you can specify the force parameter here. So I just add the
force parameter and that forces...if the current role holder is offline, it forces the online
domain controller to take on that responsibility. Now be aware when you do that, if you ever do
that, if you are in a situation where you go to seize the FSMO role, the guidance from Microsoft
is that for three out of five of these roles, that machine should never be brought back online.
You got to reformat the disk, reinstall the operating system because you can't have two relative
identifier, or RID, masters. You can't have two of these guys thinking they are the one. So
when we seize those roles, we always prefer to transfer or move gracefully with both servers
online. But if you have to force, you want to know that you want to take that other server offline
permanently, reformat the drive, reinstall the operating system.
[The PowerShell command prompt is open. The instructor enters the following cmdlet in the
command prompt:
Move-ADDirectoryServerOperationMasterRole -Identity EWR-ReplicaDC -OperationMasterrole 2
Next the instructor adds the Force parameter, and the cmdlet is displayed as follows:
Move-ADDirectoryServerOperationMasterRole -Identity EWR-ReplicaDC -OperationMasterrole 2 -Force]
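The demo moves a role by typing the cmdlet interactively, and the instructor's warning is that -Force seizes the role when the holder is offline. The function below is an added example, not part of the course, that wraps the same Move-ADDirectoryServerOperationMasterRole call with the checks a practitioner wants before seizing: it looks up the current holder, tests whether that holder's LDAP service still answers (if it does, a graceful transfer is the right operation, not a seizure), only then adds -Force, and reads the holder back from the target afterwards. The target name EWR-ReplicaDC follows the demo; the assumptions are the ActiveDirectory module and an account with rights to the role in question (Domain Admins for the three domain roles, Enterprise Admins for the domain naming master, Schema Admins for the schema master).

```powershell
# Added example (not from the course): transfer a FSMO role if the current
# holder is reachable, otherwise seize it, and verify the result.
# Assumes the ActiveDirectory module and an account with rights to the role.
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    param(
        [Parameter(Mandatory)] [string] $TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string] $Role
    )

    # Resolve the role's current holder, asking the target DC so this works
    # even when the old holder is the machine that has crashed.
    function Get-RoleHolder([string] $Server, [string] $R) {
        $domain = Get-ADDomain -Server $Server
        $forest = Get-ADForest -Server $Server
        switch ($R) {
            'PDCEmulator'          { $domain.PDCEmulator }
            'RIDMaster'            { $domain.RIDMaster }
            'InfrastructureMaster' { $domain.InfrastructureMaster }
            'SchemaMaster'         { $forest.SchemaMaster }
            'DomainNamingMaster'   { $forest.DomainNamingMaster }
        }
    }

    $holder = Get-RoleHolder $TargetDC $Role
    Write-Output "Current $Role holder: $holder"

    # Reachability test on the service that matters: an LDAP bind to the holder.
    # A ping proves too little; if LDAP answers, transfer rather than seize.
    $holderUp = $false
    try { $null = Get-ADRootDSE -Server $holder -ErrorAction Stop; $holderUp = $true } catch { }

    if ($holderUp) {
        Write-Output "Holder is online: transferring $Role to $TargetDC."
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
    } else {
        Write-Warning "Holder $holder is unreachable: seizing $Role on $TargetDC."
        Write-Warning 'After seizing the schema, domain naming or RID master, the old holder must never come back; rebuild it and remove its metadata from the directory first.'
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false
    }

    # Verify by reading the holder back from the target DC itself.
    $now = Get-RoleHolder $TargetDC $Role
    Write-Output "$Role holder is now: $now"
    return $now
}

# Same operation as the demo's "-OperationMasterrole 2" (InfrastructureMaster),
# by name rather than by number.
Move-FsmoRoleSafely -TargetDC 'EWR-ReplicaDC' -Role InfrastructureMaster
```

The seize branch deliberately does nothing to the old holder: the cmdlet cannot, and the instructor's point stands that for the schema master, domain naming master and RID master the old machine is rebuilt, not reconnected. For a PDC emulator or Infrastructure master seizure the old holder may be revived, and on reconnection it will learn from replication that it no longer owns the role.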
Cloning Domain Controllers in Windows Server
2012 R2
Learning Objective
After completing this topic, you should be able to
◾ identify how to configure and deploy a virtualized domain controller clone

1. Cloning domain controllers


This is one of my favorite things ever. I mean, it is just incredible what you can do today. With
virtualization, I can virtualize my domain controllers, which right off-the-bat, right, makes
backup and disaster recovery a whole lot easier when they are virtualized. And then when we
think about, you know, like live migrations and the resiliency of Hyper-V support today, it is just
a whole another world to live in. And now let's take this to its next logical conclusion. We know
that the domain controllers all have the same Active Directory database and the same system
volume, right, the Domain System Volume, or SYSVOL, where Group Policy Objects are
stored. So the configuration data from domain controller to domain controller is extraordinarily
similar. If I have got a virtual environment where the domain controller is really nothing but a
file that lives on the host machine, well doesn't it make sense that I ought to be able to just
copy that file to create a new domain controller ad hoc at will and provision new domain
controllers, not in two days but in two minutes? And that is exactly what domain controller
cloning does for me. Let's take a look.

Now what does the process of domain controller cloning look like? Well the domain controller
has to be a virtual machine, which means that it exists as a virtual hard disk, or VHD, or a
VHDX file, right. And I have got to copy that file first; that is the first thing I do. I also have to
provision the machine that is being cloned, I have to give it permission to be cloned. And
today we do that by adding the computer account of the domain controller I want to clone...get
this, are you ready for this, to the Cloneable Domain Controllers group. I am not even kidding.
That is exactly what you do. You add the computer account of the domain controller you want
to clone to the Cloneable Domain Controllers group in order to be able to do this.

And then you have got to create this Extensible Markup Language, or XML, file...this
configuration file, because it is no good, right, we can't just copy the VHD, it has got to be a
unique installation. So the security identifier, or SID, needs to change from the installed
machine to the new machine. The name of the machine has to change, right. It is almost like
Sysprepping the machine. And where that configuration file must be is in the Windows NT
Directory Services, or NTDS, directory, the same root directory that the NTDS database is in.
For all you test takers out there, you must know that; that is the only place, for the test, right,
where that XML file has to live.

Now what are the requirements, the prerequisites for being able to do this? Well you have got
to be a domain admin or you have to have been delegated these same level of rights. I run
these with PowerShell commands, it is all PowerShell driven. The machine that I am cloning
must be a 2012 or better machine that was created on Windows Server 2012 Hyper-V. Now for
you test takers out there, you must know that the primary domain controller, or PDC, emulator
must have been upgraded to 2012, right. You could have every other domain controller in the
place, still be a 2008 machine, but the PDC emulator role has to be 2012. And then also there
are some domain controllers that can't be cloned because they have unique databases on
them. Dynamic Host Configuration Protocol, or DHCP, Active Directory Certificate Services, or
AD CS, and Active Directory Lightweight Directory Services, or AD LDS, cannot be cloned.
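The steps just listed (copy the VHD, authorize the source DC, check for services that cannot be cloned, write the XML configuration into the NTDS directory, with a 2012-or-later PDC emulator online) are the procedure the cmdlets below carry out. This is an added example, not the course's own script: it is run on the source DC as a Domain Admin and assumes the ActiveDirectory module, a Windows Server 2012 or 2012 R2 Hyper-V host that provides VM-Generation ID, and an online PDC emulator running 2012 or later. The clone's computer name, IP settings and site name are invented for the example.

```powershell
# Added example (not from the course): prepare a virtualized DC for cloning.
# Run ON the source DC as a Domain Admin. Assumes the ActiveDirectory module,
# a 2012/2012 R2 Hyper-V host with VM-Generation ID, and an online PDC emulator
# running Windows Server 2012 or later. Names and addresses below are assumptions.
Import-Module ActiveDirectory

$sourceDC  = $env:COMPUTERNAME     # the DC being cloned (EWR-ReplicaDC in the demo)
$cloneName = 'EWR-CLONEDC1'        # assumed name for the new DC

# 1. Authorize the source: its computer account must be a member of the
#    Cloneable Domain Controllers group in the Users container.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members "$sourceDC$"

# 2. Anything installed that is not on the clone allow list
#    (%windir%\System32\DefaultDCCloneAllowList.xml) blocks the clone.
#    DHCP, AD CS and AD LDS are the usual offenders and must not be present.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    Write-Warning 'These applications/services are not on the clone allow list:'
    $excluded | Format-Table Name, Type -AutoSize
    # Only after reviewing every entry and accepting it on the clone:
    #   Get-ADDCCloningExcludedApplicationList -GenerateXml -Force   # writes CustomDCCloneAllowList.xml
    throw 'Excluded applications present; not creating the clone configuration.'
}

# 3. Write DCCloneConfig.xml. Without -Path the cmdlet places it in the NTDS
#    working directory (the folder holding ntds.dit), where the clone looks for it.
New-ADDCCloneConfigFile -CloneComputerName $cloneName `
    -Static -IPv4Address '10.10.20.30' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.10.20.1' -IPv4DNSResolver '10.10.20.10' `
    -SiteName 'Default-First-Site-Name'

# 4. Confirm the file landed where the clone process expects it.
$ntdsDir = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Working Directory'
Get-Item (Join-Path $ntdsDir 'DCCloneConfig.xml') | Select-Object FullName, LastWriteTime

# 5. Remaining steps happen on the Hyper-V host: shut this DC down cleanly,
#    export the VM (Export-VM), import the copy as a new VM (Import-VM -Copy
#    -GenerateNewId) and start it. Booting with a new VM-Generation ID and finding
#    DCCloneConfig.xml, the copy promotes itself as $cloneName with a new identity
#    instead of coming up as a second copy of the source DC.
```

The early throw in step 2 is the point of the check: the clone process itself refuses to run with excluded applications present, but finding out at boot of the copy is slower than finding out here, and a failed clone boots into Directory Services Restore Mode rather than as a usable DC.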

2. Demo: Performing cloning


One of the things that we want to be able to do is recover quickly from the loss of a domain
controller or rapidly provision domain controllers. And so starting with Windows Server 2012,
we see we have this Cloneable Domain Controllers group in the Users container, that is there
by default, and what we can do is we can come in here and we can Add virtual domain
controllers to this group and that will give us the right to clone them. Now if you look up here,
you can see what we search for by default, right, Users, Service Accounts, right. I want to
come in here to Object Types and the only thing I am interested in are Computers, right, and I
just want to see the computer accounts.

And the computer that we want to clone is the EWR-ReplicaDC, so we will do a search for
that, boom, and that is the machine we are sitting on, right. And so I have added this machine
account to this group and in so doing, I granted the right to be cloned. Now we can generate
an XML file from the settings on this machine and use that XML file to import into a new virtual
machine and rapidly deploy a new domain controller.

[The Active Directory Users and Computers Console is open, in which the navigation pane
displays the nodes Saved Queries and Corp.Brocadero.com. The Corp.Brocadero.com node is
expanded and includes the following sub-nodes: Builtin, Computers, Domain Controllers,
Executives, ForeignSecurityPrincipals, IT Users, Kiosk_Computers, Managed Service
Accounts, Marketing Users, R&D Laptops, R&D Users, Sales Users, Servers, Users, Win 7
Clients, and Win 8 Clients. From these sub-nodes, Users is already selected and various users
are displayed in the view pane. The view pane displays three columns: Name, Type, and
Description. The Name column includes the Users, the Type column displays the type of user,
and the Description column includes the description for each user. From the users listed in the
Name column, the instructor double-clicks Cloneable Domain Controllers and the Cloneable
Domain Controllers Properties dialog box is displayed, which includes the tabs General,
Members, Member Of, and Managed By. From these tabs, the General tab is selected by
default. The instructor clicks the Members tab, which includes two columns Name and Active
Directory Domain Services Folder that are both blank. On the Members tab, the instructor
clicks Add and the Select Users, Contacts, Computers, Service Accounts, or Groups dialog
box is displayed. This dialog box includes the "Select this object type" field along with the
Object Types button. The dialog box includes the "From this location" field along with the
Locations button. The dialog box also includes the "Enter the object names to select
(examples)" field along with the Check Names button, which is disabled. The "Select this
object type" field is disabled and includes the types Users, Service Accounts, Groups, or Other
objects, and the "From this location" field includes the location Corp.Brocadero.com. The
instructor clicks Object Types and the Object Types dialog box is displayed, which includes the
Object types list box. The Object types list box includes the following checkboxes: Other
objects, Contacts, Service Accounts, Computers, Groups, and Users. From these checkboxes,
Other objects, Service Accounts, Groups, and Users are already selected. The instructor
clears all checkboxes, selects the Computers checkbox, and clicks OK. As a result, the Object
Types dialog box closes and Computers is displayed in the "Select this object type" field of the
Select Users, Contacts, Computers, Service Accounts, or Groups dialog box. Then in the
"Enter the object names to select (examples)" field, the instructor enters EWR-ReplicaDC and
clicks Check Names, which displays the name EWR-REPLICADC in capital letters. Next the
instructor clicks OK, the dialog box closes, and the Members tab of the Cloneable Domain
Controllers Properties dialog box is displayed, within which, in the Name column, EWR-
REPLICADC is displayed and in the Active Directory Domain Services Folder,
Corp.Brocadero.com/Domain Controllers is displayed. Then the instructor clicks OK, the
Cloneable Domain Controllers Properties dialog box closes, and the Active Directory Users
and Computers Console is displayed.]

For this to work at all, there are a couple of basic requirements. The hypervisor has to support
what they call VM-Generation ID, which is only in Server 2012. Now third-party vendors may
also have that support and you may therefore be able to clone in other places like VMware, but
check with those vendors to see if that is supported. The source virtual DC has to be running
Windows Server 2012 or 2012 R2, which we can see we are, there is our Start button, right.
And the primary domain controller, or PDC, emulator role holder must be online and available
to the clone DC and must be running Windows Server 2012; guys, that is a test tip. When it
comes to cloning your domain controllers, the PDC emulator has to be running Server 2012 or
2012 R2.

So now the first thing that I want to do is, there is a whole bunch of applications that can't be
cloned and that may give rise to the question of, "Well what applications can be cloned?"
Well if we look down here in the Local Disk Windows System32, there is a
DefaultDCCloneAllowList and I could open this list up and if we open this list up, we see in
here all the applications and services, particularly Microsoft services and applications, that can
be cloned.

[The Active Directory Users and Computers Console is open and in the navigation pane, the
Users node is already selected, which displays the list of users, their type, and description in
the view pane. The instructor navigates to Windows Explorer, in which the system files located
in the Local Disk (C:) - Windows - System32 folder are displayed in the view pane. From these
files, the instructor right-clicks DefaultDCCloneAllowList, from the shortcut menu opens the
Open with extended list, and from the list clicks Notepad. As a result, the file
DefaultDCCloneAllowList opens in Notepad, which includes the following partially visible
code: <DefaultCloneConfig> <AllowList> <!-- Service types --> <Allow>
<Name>ADWS</Name> <Type>Service</Type> </Allow> <Allow>
<Name>AeLookupSvc</Name> <Type>Service</Type> </Allow> <Allow>
<Name>ALG</Name> <Type>Service</Type> </Allow> <Allow>
<Name>AllUserInstallAgent</Name> <Type>Service</Type> </Allow> <Allow>
<Name>AppIDSvc</Name> <Type>Service</Type> </Allow> <Allow>]

Now how do you figure out if there is something that can't be cloned? Well what I do is I come
over here into PowerShell and we are going to run this cmdlet here, get-ADDC, Active
Directory domain controller, CloningExcludedApplicationList, boom! We run that
cmdlet on this machine and we are told there are no excluded applications. Okay good, that is
going to make cloning this domain controller easier, right.
Now what would I do if there were an application that showed up here that was not allowed to
be cloned? Well if it is a Microsoft application the suggestion is that you remove that role from
the machine, take it off. If it is a non-Microsoft application, check with the vendor and see
whether or not the vendor says the service can be cloned. If they say it can be cloned, then
what you do is you create a custom ADCCloneConfig application file and you allow that third-
party application to be cloned.

[The DefaultDCCloneAllowList Notepad file is open. This file includes the following partially
visible code: <DefaultCloneConfig> <AllowList> <!-- Service types --> <Allow>
<Name>ADWS</Name> <Type>Service</Type> </Allow> <Allow>
<Name>AeLookupSvc</Name> <Type>Service</Type> </Allow> <Allow>
<Name>ALG</Name> <Type>Service</Type> </Allow> <Allow>
<Name>AllUserInstallAgent</Name> <Type>Service</Type> </Allow> <Allow>
<Name>AppIDSvc</Name> <Type>Service</Type> </Allow> <Allow> The
instructor navigates to PowerShell, in which the C:\Users\administrator> prompt is displayed.
At this prompt, the instructor runs the command get-ADDCCloningExcludedApplicationList and
the output "No excluded applications were detected" is displayed.]

Now once we have validated or made allowances for the excluded applications, the next thing to do
then is to run the New-ADDCCloneConfigFile cmdlet. And this is going to generate an
XML file with all of the specifics for cloning this machine and doing so in such a way as to
differentiate it from the machine which is being cloned, right. So we have got to supply unique
IP addressing information, right. I am going to give the clone machine an IP address of
10.0.0.56, which is assigned to no other machine on the network. I am going to specify the
default gateway, I am going to specify this IPv4SubnetMask, I am going to specify the DNS
server address. Now notice how that is written here. It is IPv4DNSresolver and I specify
that address. I want this IP address to be static, so I say Static. I want it in the site Corp, so
I specify SiteName Corp and then I specify the ClonecomputerName as Clone-DC1,
the domain controller hosting that.

So now what we are seeing happening here are the prerequisite checks happening and so as
part of the process of running the cmdlet it checks to validate that the PDC emulator is in fact a
Windows Server 2012 or 2012 R2 box and I see that it passes that test.

[The Windows PowerShell command prompt is open and at the C:\Users\administrator>
prompt, the command get-ADDCCloningExcludedApplicationList has already been run and its
output "No excluded applications were detected" is displayed. At the C:\Users\administrator>
prompt, the instructor runs the following command: New-ADDCCloneConfigFile -IPv4address
10.0.0.56 -IPv4Defaultgateway 10.0.0.102 -IPv4Sub 255.0.0.0 -IPv4DNSresolver 10.0.0.1 -
Static -SiteName Corp -ClonecomputerName Clone-DC1 As a result, the following output is
displayed: Running in 'Local' mode. Starting PDC test: Verifying that the domain controller
hosting the PDC FSMO role is running Windows Server 2012... Passed: The domain controller
hosting the PDC FSMO role (EWR-DC1.Corp.Brocadero.com) was located and running
Windows Server 2012 or later. Verifying authorization: Checking if this domain controller is a
member of the 'Cloneable Domain Controllers' group. Located the local domain controller:
(EWR-DC1.Corp.Brocadero.com). Querying the 'Cloneable Domain Controllers' Group... Pass:
The local domain controller is a member of the 'Cloneable Domain Controllers' group. Starting
test: Validating the cloning allow list. No excluded applications were detected. Pass: No
excluded applications were detected. No valid clone configuration files were found at any of
the supported locations. All preliminary validation checks passed. Starting creation of the clone
configuration file... Finding the path to the Directory Service database... The clone
configuration file was generated at: C:\Windows\NTDS\DCCloneConfig.xml Generating the
clone configuration file content... The clone configuration file has been created.]

Local domain controller is a member of the 'Cloneable Domain Controllers' group. I can see
that as part of this process it runs the get-ADDCCloningExcludedApplicationList
and it reports that no excluded applications were detected.

'All preliminary validation checks passed. Starting the creation of clone configurations file', I
see where it is. It is in Windows\NTDS\DCCloneConfig.xml. And guys we want to know that,
that is where it is always created, right, that is where it has got to live. Test tip -
Windows\NTDS. So now if I come back out here, oops, come back out here and we go back to
the Windows directory, in the Windows directory, we will find the NTDS directory. And in that
NTDS directory, we should now see a DCCloneConfig file and we can open this in Notepad
and we can see the underlying XML, we can see all of our settings have been captured and
this data can now be used to generate a clone of this domain controller. Let's take a look at
how to do that.

[The Windows PowerShell command prompt is open and the following command has already
been run: New-ADDCCloneConfigFile -IPv4address 10.0.0.56 -IPv4Defaultgateway 10.0.0.102
-IPv4Sub 255.0.0.0 -IPv4DNSresolver 10.0.0.1 -Static -SiteName Corp -ClonecomputerName
Clone-DC1 As a result, the following output is displayed: Running in 'Local' mode. Starting
PDC test: Verifying that the domain controller hosting the PDC FSMO role is running Windows
Server 2012... Passed: The domain controller hosting the PDC FSMO role (EWR-
DC1.Corp.Brocadero.com) was located and running Windows Server 2012 or later. Verifying
authorization: Checking if this domain controller is a member of the 'Cloneable Domain
Controllers' group. Located the local domain controller: (EWR-DC1.Corp.Brocadero.com).
Querying the 'Cloneable Domain Controllers' Group... Pass: The local domain controller is a
member of the 'Cloneable Domain Controllers' group. Starting test: Validating the cloning allow
list. No excluded applications were detected. Pass: No excluded applications were detected.
No valid clone configuration files were found at any of the supported locations. All preliminary
validation checks passed. Starting creation of the clone configuration file... Finding the path to
the Directory Service database... The clone configuration file was generated at:
C:\Windows\NTDS\DCCloneConfig.xml Generating the clone configuration file content... The
clone configuration file has been created. The instructor navigates to Windows Explorer and
opens the Windows folders from Local Disk (C:). As a result, a list of folders from the Windows
folder is displayed in the view pane. From this list of folders, the instructor opens the NTDS
folder, which includes several files. From these files, the instructor opens the DCCloneConfig
XML file as a Notepad document. The DCCloneConfig - Notepad file includes the following
code: <?xml version="1.0"?> <d3c:DCCloneConfig
xmlns:d3c="uri:microsoft.com.schemas:DCCloneConfig"> <ComputerName>Clone-
DC1</ComputerName> <SiteName>Corp</SiteName> <IPSettings> <IPv4Settings>
<StaticSettings> <Address>10.0.0.56</Address> <SubnetMask>255.0.0.0</SubnetMask>
<DefaultGateway>10.0.0.102</DefaultGateway> <DNSResolver>10.0.0.1</DNSResolver>
</StaticSettings> </IPv4Settings> </IPSettings> </d3c:DCCloneConfig>]

So the next thing to do is actually shut the machine down. I want to shut the virtual machine
down and then I want to export it. And so I am going to come up here, I am going to close
down all these windows and applications and services that are running. And we are going to
come over here and into Settings and we will go ahead and we will shut this baby down. And
once that is shut down, out here on the Hyper-V host, I will go ahead and open up PowerShell.
And in PowerShell I want to export the VM. The name of the VM is EWR-ReplicaDC and the
path that I want to export it to is onto my d:\ExportedVMs, right, and I have a folder there
with that name. And this is one of the funny exceptions to the name and identity switch rules.

[The DCCloneConfig - Notepad file is open and the following code is displayed: <?xml
version="1.0"?> <d3c:DCCloneConfig
xmlns:d3c="uri:microsoft.com.schemas:DCCloneConfig"> <ComputerName>Clone-
DC1</ComputerName> <SiteName>Corp</SiteName> <IPSettings> <IPv4Settings>
<StaticSettings> <Address>10.0.0.56</Address> <SubnetMask>255.0.0.0</SubnetMask>
<DefaultGateway>10.0.0.102</DefaultGateway> <DNSResolver>10.0.0.1</DNSResolver>
</StaticSettings> </IPv4Settings> </IPSettings> </d3c:DCCloneConfig> The instructor closes
the Notepad file and the files within NTDS folder are displayed in Windows Explorer. The
instructor closes Windows Explorer, closes the Active Directory Users and Computers
Console, then closes Windows PowerShell, then closes the Server Manager, and Desktop is
displayed. Then the instructor shuts down the system and then the Hyper-V Manager is
displayed. Next the instructor opens Windows PowerShell and the C:\Users\Administrator>
prompt is displayed. At the prompt, the command Export-VM -Name EWR-ReplicaDC -Path
d:\ExportedVMs is already entered.]

Normally, or you would think it was at first, at least on viewing it, right. If you have heard some
of my discussions about PowerShell in the past guys, where the rule of thumb for when you
use the name and when you use the identity switch is, if the object already exists, I use the
identity switch and if I am creating the object new, I use the name switch. And you may
wonder, you may say to yourself, "Well, Murph! The VM EWR-ReplicaDC already exists. Why
am I calling the name switch?" And in fact, what you are doing is you are creating a new
exported VM, right guys? I mean, I know it seems like a stretch, but that I think is the thinking
behind it.

[The Windows PowerShell command prompt is open and at the C:\Users\Administrator>
prompt, the command Export-VM -Name EWR-ReplicaDC -Path d:\ExportedVMs is already
entered. The instructor navigates to Windows Explorer and in the view pane, the EWR-
ReplicaDC folder is displayed, which is located at Cold Storage (D:) - ExportedVMs.]

If we jump over here into that ExportedVMs directory for a second, we can see that this is in
progress, right. The base folder has already been created and we can probably open this up
right, there are the Snapshots, Virtual Hard Disks, Virtual Machines, right, and all that data is
being written over. Now how big this thing is, let's see. It is not without some size so it may
take just a little while. Okay, so it looks like that is complete, so we will come over here to
Windows Explorer, right. And if we take a look here right in Cold Storage (D:), ExportedVMs,
there we see EWR-ReplicaDC, Virtual Machines. And I am going to need this information that I
see right here. I am going to copy this path, I am going to come down here, right. I am going to
Copy the name of this XML file, this long complex globally unique identifier, or GUID, because
I need to use this as part of the import cmdlet. And so we come back over to PowerShell and
you can see, right, I didn't want you to sit here while I type this, so it is all typed in already, but
here it is, here is the parameter value, right, or the variable.
[The Windows Explorer window is open and in the view pane, the EWR-ReplicaDC folder is
displayed, which is located at Cold Storage (D:) - ExportedVMs. The instructor opens the
EWR-ReplicaDC folder, which includes the folders Snapshots, Virtual Hard Disks, and Virtual
Machines. Then the instructor opens Hot Storage (E:), which includes the folders VHDs and VMs.
Next the instructor opens the VMs folder, which includes many folders. From these folders, the
instructor opens EWR-ReplicaDC folder that comprises folders Virtual Hard Disks and Virtual
Machines. The instructor opens the Virtual Hard Disks folder, which includes the hard drive
EWR-ReplicaDC.vhdx bearing size 167,936 KB. Then the instructor navigates to PowerShell,
in which the C:\Users\Administrator> prompt is displayed. At the prompt, the following
command is already entered: $newCloneDC=import-VM -Path "D:\ExportedVMs\EWR-
ReplicaDC\Virtual Machines\54247546-6987-8760-D4016BC743D8.XML" -Copy -
GenerateNewID -VHDDestinationPath "E:\VHs\CloneDCs" Next the instructor navigates to
Windows Explorer, in which the 54247546-6987-8760-D4016BC743D8.XML document is
displayed that is located at Cold Storage (D:) - ExportedVMs - EWR-ReplicaDC - Virtual
Machines. Then the instructor copies the name of this XML document, navigates to
PowerShell in which the command is already entered.]

I am going to define a variable of $NewCloneDC, we are going to call the cmdlet import-
VM the -Path to the file to import right and there that is where I would paste that long GUID in
there, specify the –Copy cmdlet, specify –GenerateNewID because we want this to be
treated as a new machine. And then the destination path for that will be on our E: in the
\VHDs directory \CloneDCs directory. So we will go ahead and run that. Okay, so that looks
like it is completed right, now dig it. Because of the way that this process works, right, we
actually now have two EWR-ReplicaDCs in here, so we have a problem, right. Now you can
see the original I have rebooted so that it would be running when we came out of here so I
could tell the difference between them. And if we come back over here into PowerShell, we
can rename the VM right here in PowerShell, right, we will Rename-VM, which VM?

[The Windows PowerShell command prompt is open and at the C:\Users\Administrator>
prompt, the following command is already entered: $newCloneDC=import-VM -Path
"D:\ExportedVMs\EWR-ReplicaDC\Virtual Machines\54247546-6987-8760-
D4016BC743D8.XML" -Copy -GenerateNewID -VHDDestinationPath "E:\VHs\CloneDCs" The
instructor executes this command and no output is displayed. Then the instructor navigates to
Hyper-V Manager, in which the navigation pane includes the tab TARDIS1. TARDIS1 is open
and its tabbed page includes the Virtual Machines section consisting of six columns: Name,
State, CPU Usage, Assigned memory, Uptime, and Status. The Name column includes a list of
virtual machines, in which two virtual machines with the name EWR-ReplicaDC are displayed.
For one machine, the Status is Running, CPU Usage is 0%, Assigned Memory is 512 MB, and
Uptime is 18.03:18:38. For the second machine with name EWR-ReplicaDC, the State is Off
and all other columns are blank. The instructor navigates to PowerShell and at the
C:\Users\Administrator> prompt, enters the command Rename-VM -VM $NewCloneDC -
Newname Clone-DC.]

Well remember, we defined a variable, $NewCloneDC, right, and we are going to give it a
–NewName Clone-DC. And if we come back in here, we can see now we only have one
ReplicaDC and there is our Clone-DC and now we should be able to power this thing up and
Connect to it. Now here we can see Domain Controller cloning is at 21% complete and there
is an important distinction to be made here guys, right.
When we imported the VM in, it kept that same name for the purposes of management in the
Hyper-V console, but remember in the XML file, the config file, we specified a new computer
name as Clone-DC. And so a unique IP address, right, DNS server settings, all of that is being
read out of the XML file and is being written into this new DC, making it unique among
machines on the network.

[The Windows PowerShell command prompt is open and at the C:\Users\Administrator>
prompt, the command Rename-VM -VM $NewCloneDC -Newname Clone-DC is already
entered. The instructor executes the command and no output is displayed. Then the instructor
navigates to Hyper-V Manager, in which the Virtual Machines section now displays only one
virtual machine with name EWR-ReplicaDC. The name of the other virtual machine is now
changed to Clone-DC. The instructor right-clicks Clone-DC and from the shortcut menu, the
instructor clicks Start. As a result, the State of Clone-DC changes from Off to Running and the
other columns display information as follows: CPU Usage 0%, which keeps increasing,
Assigned Memory 512 MB, Uptime 00:00:00, and Status Started. Then the instructor right-
clicks Clone-DC and from the shortcut menu, clicks Connect. As a result, the Clone-DC on
TARDIS1 - Virtual Machine Connection window is launched, which displays the message
"Domain Controller cloning is at 21% completion..."]

That Rename-VM cmdlet is really just for the purposes of renaming the VM in the settings in
Hyper-V, right. You could do the same thing over here, if I just right-clicked and went to
Settings and then changed the name here. And now our Clone DC should be starting up for the
first time really...there we go. That is what we want to see. And we will log in here and the Server
Manager console will launch. And if we come over here to Local Server, we see it has got the
name we specified, right, CLONE-DC1.

[The Clone-DC on TARDIS1 - Virtual Machine Connection window is open and the message
"Domain Controller cloning is at 40% completion..." is displayed. The Domain Controller
cloning completes and the instructor navigates to Hyper-V Manager, in which for the virtual
machine Clone-DC, the State is Running, CPU Usage is 1%, Uptime is 00:02:49, and Status is
blank. The instructor right-clicks Clone-DC and from the shortcut menu, clicks Settings, which
launches the Settings for Clone-DC on TARDIS1 dialog box. This dialog box includes a drop-
down list from which Clone-DC is already selected. Then the instructor navigates to the Clone-
DC on TARDIS1 - Virtual Machine Connection window, which now includes the
CORP\administrator field. In the CORP\administrator field, the instructor enters a password
and hits Enter on the keyboard, and the Server Manager Console is displayed. In the
navigation pane, the Server Manager Console includes three tabs: Dashboard, Local Server,
and All Server, from which Dashboard is selected by default. The instructor clicks the Local
Server tab and its tabbed page displays PROPERTIES For CLONE-DC1 as follows: Computer
name is CLONE-DC1, Domain is Corp.Brocadero.com, Windows Firewall has Domain: On,
Remote management is Enabled, Remote Desktop is Disabled, NIC Teaming is Disabled,
Corp is 10.0.0.56, IPv6 enabled, and Ethernet is 169.254.94.49. IPv6 enabled.]

There is our IP address, 10.0.0.56. Oh! now look at...for the second network connection, I
didn't specify an IP address so it has given itself a self-assigned IP address there, right, so we
have got to do something about that NIC card. But that is the process guys for cloning a DC.
You know, if I save these cmdlets in a text file, then all there is to do is just copy and paste them
one after another and just reset the specific settings. And I can provision a domain controller
literally in under an hour as opposed to, you know, maybe what it used to take you to do.
[The PROPERTIES For CLONE-DC1 tabbed page of Local Server is open displaying the
properties as follows: Computer name is CLONE-DC1, Domain is Corp.Brocadero.com,
Windows Firewall has Domain: On, Remote management is Enabled, Remote Desktop is
Disabled, NIC Teaming is Disabled, Corp is 10.0.0.56, IPv6 enabled, and Ethernet is
169.254.94.49. IPv6 enabled.]
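The whole cloning procedure from the demo, collected into one script as an added example; this is not code from the course. It uses the cmdlets and values shown above (source VM EWR-ReplicaDC, site Corp, clone name Clone-DC1, the 10.0.0.56 addressing, D:\ExportedVMs and E:\VHDs\CloneDCs on the Hyper-V host). The E:\VMs\CloneDCs configuration path and the group-membership step done with Add-ADGroupMember are assumptions, standing in for what the demo did in the GUI. Part 1 runs inside the source DC, Part 2 on the Hyper-V host after the VM is off; the excluded-application check deliberately stops the script rather than writing a custom allow list, because that list should only be generated after the vendor review the transcript describes.

```powershell
# Added example: scripted DC cloning (not the course's own code).
# Part 1 is run inside the source DC (EWR-ReplicaDC) as a domain admin.

Import-Module ActiveDirectory

# The source DC must belong to Cloneable Domain Controllers (the demo did this in ADUC).
$sourceDc = Get-ADComputer -Identity 'EWR-ReplicaDC'
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $sourceDc

# Anything installed that is not on DefaultDCCloneAllowList.xml shows up here.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    # Remove non-cloneable Microsoft roles; for third-party software confirm with the
    # vendor first. Only then should -GenerateXml be used to write CustomDCCloneAllowList.xml.
    $excluded | Format-Table -AutoSize
    throw 'Excluded applications detected; resolve them before generating the clone config.'
}

# Writes C:\Windows\NTDS\DCCloneConfig.xml with the clone's unique identity and addressing.
New-ADDCCloneConfigFile -Static `
    -CloneComputerName 'Clone-DC1' `
    -SiteName 'Corp' `
    -IPv4Address '10.0.0.56' `
    -IPv4SubnetMask '255.0.0.0' `
    -IPv4DefaultGateway '10.0.0.102' `
    -IPv4DNSResolver '10.0.0.1'

# The clone looks for the file in NTDS on first boot, so verify it is there.
if (-not (Test-Path 'C:\Windows\NTDS\DCCloneConfig.xml')) {
    throw 'DCCloneConfig.xml was not generated.'
}

# Clean shutdown before export; the VM must be off when Export-VM runs.
Stop-Computer -Force

# ---- Part 2: run on the Hyper-V host once the VM state is Off ----

Import-Module Hyper-V

$vmName     = 'EWR-ReplicaDC'
$exportRoot = 'D:\ExportedVMs'
Export-VM -Name $vmName -Path $exportRoot

# Find the exported configuration XML instead of copying its GUID file name by hand.
$configFile = Get-ChildItem -Path (Join-Path $exportRoot "$vmName\Virtual Machines") -Filter '*.xml' |
    Select-Object -First 1

# -Copy -GenerateNewId makes Hyper-V treat the import as a new machine, which is what
# triggers a new VM-Generation ID and therefore the cloning path inside the guest.
$newCloneDc = Import-VM -Path $configFile.FullName -Copy -GenerateNewId `
    -VhdDestinationPath 'E:\VHDs\CloneDCs' `
    -VirtualMachinePath 'E:\VMs\CloneDCs'   # assumed path for the VM configuration

# The import keeps the source's display name; rename so there are not two EWR-ReplicaDC entries.
Rename-VM -VM $newCloneDc -NewName 'Clone-DC'

# First boot: the guest reads DCCloneConfig.xml and comes up as CLONE-DC1 at 10.0.0.56.
Start-VM -Name 'Clone-DC'
```

The second NIC the demo left on a link-local address is not addressed here; DCCloneConfig.xml carries settings for one adapter, so a clone with more than one NIC still needs its other adapters configured after promotion.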
Configuring RODC in Windows Server 2012 R2
Learning Objective
After completing this topic, you should be able to
◾ match RODC installation methods with their descriptions

1. Read-only domain controllers


In Windows Server 2008, we introduced read-only domain controllers, or RODC. These are
non-writable domain controllers, or DCs, that is to say that they host a read-only copy of the
Active Directory database and the Domain System Volume, or SYSVOL. These domain
controllers are intended for those low security environments where we have concerns that maybe
a server might go missing, right. And if you have never had that happen, believe me, it is the
worst thing in the world that you could have happen. Suddenly all the password hashes for all
of your user accounts are available out there, wherever, to whosoever got the server, right. And
they have got physical access to it, so they can crack those babies. With read-only domain
controllers, most of the passwords are not on that thing. Only just the passwords that we have
said to be there, and the read-only domain controller has a functionality that lets me
automatically reset those user passwords in the event that the server is lost or stolen or
compromised in another fashion.

What are the advantages of RODCs? Why are we interested in these things? Because they
are wildly more secure, that is one of the principal reasons. Guys, when we think about...now
you think about this with me. I have a remote office somewhere. That remote office has, you
know, a couple dozen people in it, right. They are all sales reps, plus maybe a receptionist and
two administrative assistants, that is it, no IT personnel. But all of their user authentication has
to travel over the wide-area link to hit the domain controllers in headquarters. And we are
consuming all this bandwidth just on authentication, and if the WAN link is down, then
nobody in the office can even log in, right? So I want to put a domain controller there but I am
worried because there is no security. The thing is going to sit under the receptionist's desk and
we have had things go missing from that office before.

And if I put a domain controller out there and that thing goes missing, whosoever got it has
the keys to the kingdom, right. And they are going to start knocking on the doors with...and they
are going to start trying to use those keys. With a read-only domain controller, very few...just
the passwords I say to be on that machine are on that machine. And in the event that it is
compromised, I just reset all those passwords, boom. We are for...I can say to executive
management with confidence, we will suffer no hacks because of this.

[An RODC is secure, manageable, and scalable.]

So how is an RODC installed? Well guys, a lot of you may be familiar with Dcpromo. Dcpromo
was the way that we used to take a member server and promote it to being a domain
controller. Dcpromo no longer exists and so on the test guys, for all you test takers out there,
Dcpromo will never be the right answer because Dcpromo is removed from Server 2012 R2. It
was originally deprecated in 2012 and it does not exist anymore at all. So Dcpromo is never
the right answer. So what do you do? Well you go into a Server Manager or you could use the
PowerShell commands. You add the Active Directory Domain Services, or AD DS, role and
then you run the Active Directory Configuration Wizard to configure it.

Now you can also do this from the command-line using an unattended file right, the way that
we have traditionally done. And that is what we would call a standard RODC installation. We
install the server, we install the role, we run the Active Directory Configuration Wizard, we are
done. But guys, think about what we are talking about. We are talking about a server that is
going to be in an unsecured remote location where we might not have any IT staff, so there is
support for staged RODC installations.

[RODC installation can be done using the following two options: Standard RODC installation
and Staged RODC installation. An RODC can be installed using one of the following methods:
1. Active Directory Users and Computers console GUI
2. PowerShell cmdlets
3. Active Directory Administrative Center GUI
4. Command line
5. Remote install using 2012 Server Manager]

So what is a staged RODC installation? It does not mean that it happens in phases, it means
that I set it up for somebody else to do it, right, somebody maybe that does not have
administrative rights. I have that remote office, I have got two dozen sales guys, one
receptionist and two administrative assistants, no IT support at all. But there is a server out
there. I want that server to be an RODC. So what I do is I go into Active Directory Users and
Computers and in Active Directory Users and Computers, I create an RODC computer
account, okay. So we set the account up even though the RODC does not exist. We delegate
the rights to perform the promotion, the domain controller promotion, to a user who maybe has
no other administrative rights at all. And for these kinds of one-offs, this staged RODC
installation will support the installation in that remote office where I have no IT staff.

And I can even combine this with a particular kind of backup, an Install from media backup, so
that I send the NT Directory Services, or NTDS, database and the SYSVOL on a CD, digital
video disc, or DVD, right or a universal serial bus, or USB, device to that guy in the remote
office, and then we avoid all of that initial replication over the WAN link.

2. Demo: Installing an RODC


Ladies and Gentlemen, you can see here we are, we are on the LGA-RODC, right. I see it is
joined to Corp.Brocadero.com and we have installed the Active Directory services role and we
are prompted Promote this server to a domain controller, right. Guys there is no more
Dcpromo. In Server 2012, Dcpromo has been deprecated and so the Dcpromo will never be
the right answer on the test, unless it is talking about an earlier version of the operating system
like decommissioning your 2003 servers, right.

So we look in here, what do we want to do? I want to Add a domain controller to an existing
domain, so the Domain is Corp.Brocadero.com. We have this remote office out at
LaGuardia, we want to put an RODC in there so that local users authenticate locally rather
than coming across the wide area connection, right. But I don't want to put a writable domain
controller, or WDC, out there because that environment is not as secure, this thing is going to
be sitting under the receptionist's desk, right. Close the server room door? There is no server
room in LaGuardia. You know what the cost per square footage is for that office? But we are
near the supply chain.

[The Server Manager window is open in the browser. The navigation pane includes the
following tabs: Dashboard, Local Server, All Servers, AD DS, and File and Storage Services.
The Local Server tabbed page is already open in the view pane, which includes the
PROPERTIES section. This section is partially visible and displays the properties for LGA-
RODC. The Computer name is LGA-RODC, Domain is Corp.Brocadero.com, the value for
Windows Firewall is 'Domain: all', Remote management is Enabled, Remote Desktop is
Disabled, NIC Teaming is Disabled, Operating system version is Microsoft Windows Server
2012 R2 Datacenter, and Hardware information is Microsoft Corporation Virtual Machine. The
instructor clicks the exclamation icon, which displays the two tasks that are required to be
performed. The first task is Post-deployment Configuration that is required for Active Directory
Domain Services at LGA-RODC. The instructor clicks the 'Promote this server to a domain
controller' link in the task detail and the Active Directory Domain Services Configuration Wizard
is displayed. This wizard includes the following tabs in the navigation pane: Deployment
Configuration, Domain Controller Options, Additional Options, Paths, Review Options,
Prerequisites Check, Installation, and Results. The Deployment Configuration tabbed page
includes the 'Select the deployment operation' parameter that includes the following options:
'Add a domain controller to an existing domain', 'Add a new domain to an existing forest', and
'Add a new forest'. The 'Add a domain controller to an existing domain' option is already selected. The
'Specify the domain information for this operation' parameter includes the Domain as
'Corp.Brocadero.com' and this parameter also includes a Select button associated with it. The
'Supply the credentials to perform this operation' parameter includes 'CORP\administrator
(Current user)' as the credentials and it includes a Change button associated with it. This
tabbed page also contains the 'More about deployment configurations' link. The instructor
clicks Next and navigates to the Domain Controller Options tab.]

Okay, now we are prompted for...What do we want on this machine? I want it to be a Domain
Name System (DNS) server, right, so that the guys out there in that remote office are
pinging that local DNS server rather than having all that DNS lookup traffic coming across the wide area
link. I don't want it to be a Global Catalog (GC) because the overhead of Global Catalog
replication out there, I am concerned about that. So I am not initially going to make it a Global
Catalog (GC), at least. I am going to make it a Read only domain controller (RODC), right,
because I am concerned about security out there; that is another reason I don't want the Global
Catalog out there. For now we are going to associate it with the Default-First-Site-Name, but
later I will move it into the LaGuardia subnet, and at that time we will update it in Active Directory
Sites and Services. Here we are going to specify the Active Directory Services Restore Mode
password. Guys this is a password for the local account, for the local administrator account on
this machine. Once we make it a domain controller, you don't have access to that account.

And so in those cases where I need to recover Active Directory, I need to document this Active
Directory Services Restore Mode password, so that I can reboot the machine without the
Active Directory services running and log in with the local account and perform that local
management.

[The Domain Controller Options tabbed page in the Active Directory Domain Services
Configuration Wizard is open. This tabbed page includes the 'Specify domain controller
capabilities and site information' parameter, which includes the following options under it:
Domain Name System (DNS) server; Global Catalog (GC); Read only domain controller
(RODC). The 'Domain Name System (DNS) server' and 'Global Catalog (GC)' options are
already selected. 'Default-First-Site-Name' is already selected as the Site name and the 'Type
the Directory Services Restore Mode (DSRM) password' parameter includes two text fields,
Password and Confirm password. The instructor clears the 'Global Catalog (GC)' option and
selects the 'Read only domain controller (RODC)' option. This tabbed page also contains the
'More about domain controller options' link. Then the instructor enters the password and
re-enters the same password in the Confirm password text field, clicks Next, and navigates to the
RODC Options tab under the Domain Controller Options tab. The RODC Options tabbed page
includes the 'Delegated administrator account' field, which has the value '<Not provided>'. A
Select button is associated with it to change that value. The account added to the
'Accounts that are allowed to replicate passwords to the RODC' is 'CORP\Allowed RODC
Password Replication Group'. The accounts added to the 'Accounts that are denied from
replicating passwords to the RODC' are as follows: BUILTIN\Administrators; BUILTIN\Server
Operators; BUILTIN\Backup Operators; BUILTIN\Account Operators; CORP\Denied RODC
Password Replication Group. Each of the two parameters has an Add button and a Remove
button associated with it. This tabbed page also contains the 'More about RODC options' link.]

So now in here, RODC Options: accounts that are allowed to replicate passwords to the
RODC, and you can see by default, in Active Directory, we have created this Allowed RODC
Password Replication Group. And this is all about whose password gets cached on the RODC.
Why are we making it an RODC out at LaGuardia? Because it is going to be sitting under the
receptionist's desk.

We have had servers disappear from there before. The last thing I want is some guy that
knows what he is doing that has got physical access to a domain controller and all the stored
password hashes of every user in the place. So what I do is I put an RODC out there. Now
here is the tricky bit. If the RODC does not have any password hashes on it, then how do the
local users out there authenticate and save me the WAN traffic? Because, doesn't that mean
that they are all going to have to still authenticate to a writable DC back at HQ? The answer is
yes, by default.

What I can do is I can add the users that are out at LaGuardia into the Allowed RODC
Password Replication Group and I can say these people, because they are out there, we are
going to cache their password hashes on the domain controller at LaGuardia, you dig it. That is
the idea here. Now you notice down here there is a whole slew of groups whose passwords
are explicitly denied from being cached on the RODC, because these are all administrative
groups, and if you are a member of them you have all kinds of rights on the network, so we don't
ever want to expose them on the RODC.

[The RODC Options tabbed page in the Active Directory Domain Services Configuration
Wizard is open. This tabbed page includes the 'Delegated administrator account' field, which
has the value '<Not provided>'. A Select button is associated with it to change that
value. The account added to the 'Accounts that are allowed to replicate passwords to the
RODC' is 'CORP\Allowed RODC Password Replication Group'. The accounts added to the
'Accounts that are denied from replicating passwords to the RODC' are as follows:
BUILTIN\Administrators; BUILTIN\Server Operators; BUILTIN\Backup Operators;
BUILTIN\Account Operators; CORP\Denied RODC Password Replication Group. Each of the
two parameters has an Add button and a Remove button associated with it. This tabbed page
also contains the 'More about RODC options' link.]

Now that immediately presents a problem, guys, because if you have got IT staff that go out
to LaGuardia to service those machines, and they are in any one of these groups, and the WAN link
is down, right, because their password hashes are not on the RODC, what does the RODC do?
It forwards the request to a writable DC back at Newark, right, in this example. If they are out
there and the WAN link is down, then you have got a problem because they are not even
going to be able to log in.

So what do we do about that? Well, what we do is maybe we add a particular group of users
and we delegate them administrative privileges over the resources in that site. But they are not
members of any of these groups, and we allow their password replication. And once we create
this, we will take a look at actually doing that.

[The RODC Options tabbed page in the Active Directory Domain Services Configuration
Wizard is open. This tabbed page includes the 'Delegated administrator account' field, which
has the value '<Not provided>'. A Select button is associated with it to change that
value. The account added to the 'Accounts that are allowed to replicate passwords to the
RODC' is 'CORP\Allowed RODC Password Replication Group'. The accounts added to the
'Accounts that are denied from replicating passwords to the RODC' are as follows:
BUILTIN\Administrators; BUILTIN\Server Operators; BUILTIN\Backup Operators;
BUILTIN\Account Operators; CORP\Denied RODC Password Replication Group. Each of the
two parameters has an Add button and a Remove button associated with it. This tabbed page
also contains the 'More about RODC options' link. The instructor clicks Next and navigates to
the Additional Options tab. The Additional Options tabbed page includes the 'Specify Install
From Media (IFM) Options' parameter, which includes the 'Install from media' option. It also
includes the 'Specify additional replication options' parameter, which contains the 'Any domain
controller' option already selected from the 'Replicate from' list box. This tabbed page also
contains the 'More about additional options' link.]

Now here, if I was doing the install out at LaGuardia instead of here at HQ in Newark, I might
burn the NTDS directory and the SYSVOL to a CD, right, or DVD, and then ship it to the guy in
LaGuardia that is going to do the install, and they could choose Install from media. But
instead, because I don't have any guy out there I can ship it to, right, I got to do it here.

So I am going to install it here and I will just let normal replication on the local area network
replicate the database and SYSVOL to this new domain controller. Here I can specify the
paths for the Database folder, the transaction log files, and the SYSVOL. And guys, if I were in
any kind of scaled environment, right, greater than 1,000 users, I might do things like buy
separate disks and have separate disk arrays in the machine. And I might offload the Log files
to a striped array, I might offload the SYSVOL to a mirrored array, I might offload the Database
to a RAID-5 array, right? And so at scale, particularly for large businesses where you have got a
corporate campus with 30,000 users on it, that is one of the things that we think about when we
are building those machines.

[The Additional Options tabbed page in the Active Directory Domain Services Configuration
Wizard is open. This tabbed page includes the 'Specify Install From Media (IFM) Options'
parameter, which includes the 'Install from media' option. It also includes the 'Specify additional
replication options' parameter, which contains the 'Any domain controller' option already
selected from the 'Replicate from' list box. This tabbed page also contains the 'More about
additional options' link. The instructor clicks Next and navigates to the Paths tab. This tabbed
page is used to specify the location of the AD DS database, log files, and SYSVOL. It contains
the 'C:\Windows\NTDS' path for the Database folder, the 'C:\Windows\NTDS' path for the Log files
folder, and the 'C:\Windows\SYSVOL' path for the SYSVOL folder. This tabbed page also
contains the 'More about Active Directory paths' link. The instructor clicks Next and navigates
to the Review Options tab. This tabbed page displays the summary of the options selected in
the previous steps and also contains the 'More about installation options' link.]

Here we can see the review of our options; here the prerequisite check is going to run. When
the machine is identified as meeting the prerequisites, we can see in here there are a couple of
warnings, but it is nothing that I am worried about. We don't have any backward support here.

This is what I am really looking for: All prerequisite checks passed successfully, right. We don't
have these issues up here. Here we see the warnings again and we can view detailed
operation results above. If you take a look at the warnings with me: 'Windows Server 2012 R2
domain controllers have a default for the security setting named "Allow cryptography
algorithms compatible with Windows NT 4.0"' for backward compatibility, right. So when clients
try to negotiate RC4 or Advanced Encryption Standard, or AES, 128, AES 256, say, Kerberos
encryption for authentication, the server will always negotiate to the highest level of encryption
available.

Now what this is saying is that this supports backward compatibility to the Windows NT 4
generation. And so what I can do at a later date is I can change that setting, so that we don't
support that low-level cryptographic response. And here we can see the automatic reboot is
happening. The other warning in there is about the configuration of the network card. Currently
the network card is configured as a Dynamic Host Configuration Protocol, or DHCP, client.
When I reboot the machine I want to assign a static IP address to that card.

[The Review Options tabbed page in the Active Directory Domain Services Configuration
Wizard is open. This tabbed page displays the summary of the options selected in the previous
steps and also contains the 'More about installation options' link. The instructor clicks Next and
navigates to the Prerequisites Check tab. The Prerequisites Check tabbed page runs the
prerequisites check and displays the results. It also contains the 'More about prerequisites'
link. The instructor clicks Next and navigates to the Installation tab, which displays the
progress of the installation and some warnings in the View detailed operation results section.
Once the installation is complete, a confirmation box is displayed with the following message:
"You're about to be signed out. The computer is being restarted because Active Directory
Domain Services was installed or removed." The instructor clicks Close and the system restarts.]

When I do that, I want that machine to dynamically reregister its records in Active
Directory, right, in DNS, and all of the service records that provide support for Active Directory
lookups. What am I going to do to get it to dynamically reregister all those service records? I
am going to stop and start the NetLogon service, so do net stop netlogon, net start netlogon, or go
into the Services console, right, and restart the NetLogon service. Running ipconfig /registerdns only
forcibly reregisters the A and Pointer, or PTR, records, that is, the host record and the reverse
lookup record, or the quad-A records if the machine is configured for IPv6. So on a domain
controller, anytime you change the IP address on a DC, not only run ipconfig /registerdns to
reregister the host and pointer records, but also stop and restart the NetLogon service, and that
will force the reregistration of all the service records.
So here we are going to come on in here and now, not as corp, yeah, as CORP\administrator.
We didn't change the domain. We just added a domain controller to the domain, right, of type
read-only domain controller.
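Here is the reregistration just described, plus the check that confirms it worked, as an added PowerShell example (my code, not from the course). It assumes the lab names above (LGA-RODC in Corp.Brocadero.com, still in Default-First-Site-Name) and runs elevated on the DC itself.

```powershell
# Added example (not from the course). After changing a DC's IP address, re-register
# its host/PTR records and its DC locator SRV records, then verify them in DNS.
# Assumptions: lab names from the transcript (LGA-RODC, Corp.Brocadero.com,
# Default-First-Site-Name); run elevated on the DC whose address changed.
$domain = 'Corp.Brocadero.com'
$dcName = 'LGA-RODC'
$site   = 'Default-First-Site-Name'
$dcFqdn = "$dcName.$domain"

# 1. ipconfig /registerdns refreshes only this host's A/AAAA and PTR records.
ipconfig /registerdns | Out-Null

# 2. Restarting Netlogon makes the DC rewrite every SRV record it is responsible
#    for (the list it keeps in %SystemRoot%\System32\config\netlogon.dns).
Restart-Service -Name Netlogon -Force

# 3. Give DNS a moment, then check the records a client needs to locate this DC:
#    the host record plus the site-specific LDAP and Kerberos SRV records, which
#    writable DCs and RODCs both register.
Start-Sleep -Seconds 15
$expected = @(
    @{ Name = $dcFqdn;                                         Type = 'A'   }
    @{ Name = "_ldap._tcp.$site._sites.dc._msdcs.$domain";     Type = 'SRV' }
    @{ Name = "_kerberos._tcp.$site._sites.dc._msdcs.$domain"; Type = 'SRV' }
)

$allGood = $true
foreach ($rec in $expected) {
    $answers = Resolve-DnsName -Name $rec.Name -Type $rec.Type -ErrorAction SilentlyContinue
    $match = switch ($rec.Type) {
        'A'   { $answers | Where-Object { $_.Type -eq 'A' } }
        # An SRV record set is shared by all DCs in the site; we only care that
        # one of the answers now points at this DC.
        'SRV' { $answers | Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -ieq $dcFqdn } }
    }
    if ($match) {
        $detail = if ($rec.Type -eq 'A') { $match.IPAddress -join ',' } else { $match.NameTarget }
        Write-Host ("OK      {0} -> {1}" -f $rec.Name, $detail)
    } else {
        Write-Warning ("MISSING {0} ({1}) does not point at {2}" -f $rec.Name, $rec.Type, $dcFqdn)
        $allGood = $false
    }
}
if (-not $allGood) {
    Write-Warning 'Check netlogon.dns, dynamic-update permissions on the zone, and the Netlogon service.'
}
```

Run it once more after replication has had time to carry the records to the other DNS servers; a client in the remote site resolves against the local server, not the one you checked.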

[The Restarting screen of the system is open. The system reboots and the following instruction
is displayed: Press Ctrl+Alt+Delete to sign in. The instructor follows the instruction and the sign-in
screen is displayed, where the user name is set as CORP\administrator. The instructor
enters the password and clicks the arrow button to sign in. As a result, the Server Manager
window is displayed.]

So you saw that red there as this was starting up, and it looks like there were probably some
services that were at delayed start that took a second to come on. We can see there is still
some red in Services there, right, so let us just take a look real quick. There are a couple of
ways to verify the successful installation. I don't see anything there that strikes me, right; there
are the security warnings, and I will bet you when we look those up it is almost certainly
going to be around that warning that we were warned about before, about low-level
cryptographic support. One of the things I can do is launch Active Directory Users and
Computers, and I want to see in here that Active Directory has replicated. I see all my
organizational units, or OUs, and I see my Sales User account, right; if we look in Managed
Service Accounts, I see my managed service accounts; that is what we want to see. In Servers,
I should see my servers; there we go.

And we can validate the successful domain controller promotion if we access Active Directory
Users and Computers. There are a lot of ways to do that guys, right. I could run Nslookup, I
could do a check for service records for this domain controller, or I can look here in Active
Directory Users and Computers in the Domain Controllers OU. And I can see there is the
account for it, right, and if I look at the Properties for it there is a particular property set we
want to look at here and that is the Password Replication Policy.

[The Server Manager window is open. The Dashboard tabbed page is already open, which
includes the ROLES AND SERVER GROUPS section that includes the following groups: AD
DS, DNS, File and Storage Services, and Local Server. The Local Server group includes the
following options: Manageability, Events, Services, Performance, and BPA results. The
instructor clicks the Services option. As a result, the Local Server tabbed page is displayed.
The instructor selects the Tools menu and then selects the Active Directory Users and
Computers option from the menu. As a result, the Active Directory Users and Computers
window is displayed, which contains 'Active Directory Users and Com…' as the root node in
the navigation pane. The root node includes two sub-nodes, Saved Queries and
Corp.Brocadero.com. The instructor expands the 'Corp.Brocadero.com' sub-node, which contains
folders such as Builtin, Computers, Domain Controllers, IT Users, and so on. The instructor
navigates back to the Dashboard tabbed page of Server Manager, then selects the Tools
menu, and selects the Active Directory Users and Computers option from the menu. As a
result, the Active Directory Users and Computers window is displayed. The Domain Controllers
folder is already selected in the navigation pane and the details of its contents are displayed
in the form of a table in the view pane. The table includes five columns, Name, Type, DC Type,
Site, and Description, and three rows. The instructor right-clicks the third row, with details of
LGA-RODC, and selects the Properties option from the shortcut menu. As a result, the LGA-RODC
Properties dialog box is displayed, which contains the following tabs: General, Operating
System, Member Of, Delegation, Password Replication Policy, Location, Managed By, and
Dial-in. The General tab is open. The instructor navigates to the Password Replication Policy
tab, which provides the following information: This is a Read-only Domain Controller (RODC).
An RODC stores users and computer passwords according to the policy below. Only
passwords for accounts that are in the Allow groups and not in the Deny groups can be
replicated to the RODC. This tab also includes the 'Groups, users and computers' table that
contains three columns, Name, Active Directory Domain, and Setting, and six rows. This tab
also contains three buttons, Advanced, Add, and Remove.]

Now there is the default Password Replication Policy. Remember what this is about: I don't
want users' password hashes on that domain controller, but I want that domain controller to be
able to authenticate the users that are in that office. So what I do is I come in here, right. Here
is the Allowed RODC Password Replication Policy. Now, I mean, you can create your own
groups and you can add your own groups in here. But for most of us, right, if you have got less
than 500 users there are probably only a handful of people in that office. So what I do is I come in here
and I grab the lga_users group and I add them to the Allowed RODC Password Replication
Group Policy. Now when I do that, what happens is the first time a user in that office logs in,
this RODC sends a request to a writable domain controller, authenticates the user, and then
caches the password hash locally. So after the first time this user authenticates, the password
will be cached on the machine.

[The Password Replication Policy tab of the LGA-RODC Properties dialog box is open. This
tab provides the following information: This is a Read-only Domain Controller (RODC). An
RODC stores users and computer passwords according to the policy below. Only passwords
for accounts that are in the Allow groups and not in the Deny groups can be replicated to the
RODC. This tab also includes the 'Groups, users and computers' table that contains three
columns, Name, Active Directory Domain, and Setting, and six rows. This tab also contains
three buttons, Advanced, Add, and Remove. The first row in the table contains 'Account
Operators' as the Name, 'Corp.Brocadero.com/Users' as the Active Directory Domain, and
'Deny' as the Setting. The second row in the table contains 'Administrators' as the Name,
'Corp.Brocadero.com/Users' as the Active Directory Domain, and 'Deny' as the Setting. The
third row in the table contains 'Allowed RODC Passw…' as the Name,
'Corp.Brocadero.com/Users' as the Active Directory Domain, and 'Allow' as the Setting. The
fourth row in the table contains 'Backup Operators' as the Name, 'Corp.Brocadero.com/Users'
as the Active Directory Domain, and 'Deny' as the Setting. The fifth row in the table contains
'Denied RODC Passwo…' as the Name, 'Corp.Brocadero.com/Users' as the Active Directory
Domain, and 'Deny' as the Setting. The sixth row in the table contains 'Server Operators' as
the Name, 'Corp.Brocadero.com/Users' as the Active Directory Domain, and 'Deny' as the
Setting. The instructor selects the third row of the table, and the 'Allowed RODC Password
Replication Group Properties' dialog box is displayed, which contains the following tabs: General,
Members, Member Of, and Managed By. 'Allowed RODC Password Replication Group' is set as the
Group name (pre-Windows 2000), 'Members in this group can have passwords replicat…' is
set as the Description, and the E-mail is empty. The Group scope section contains three
options, Domain local, Global, and Universal, where the 'Domain local' option is already
selected. The Group type section contains two options, Security and Distribution, where the
'Security' option is already selected. The instructor navigates to the Members tab, which
includes the Members table. This table contains two columns, Name and Active Directory
Domain Services Folder. The instructor clicks Add and the 'Select Users, Contacts,
Computers, Service Accounts, or Groups' dialog box is displayed. The 'Users, Service
Accounts, Groups, or Other objects' option is selected for 'Select this object type', the
'Corp.Brocadero.com' option is selected for 'From this location', and then the instructor
enters 'lga_users' for the 'Enter the object names to select' parameter. The instructor clicks OK
and navigates back to the Members tab of the 'Allowed RODC Password Replication Group
Properties' dialog box. The table in the tab now contains the details of the new group.]

Now remember we said there is a problem here. The users out in that remote office
will now all be able to authenticate, and once they have done that, even if the WAN
link is down, their credentials are stored on that machine so they can authenticate. But what
about our IT guys, right? The guys that we send out there who are not members of Domain
Admins, they are not members of Backup Operators, right, they are not members of any of
these denied password replication groups. They have been delegated administrative rights over
objects in the LaGuardia office and that is it.

[The Members tab of the 'Allowed RODC Password Replication Group Properties' dialog box is
open. The Members table in the tab contains 'LGA_Users' as the Name and
'Corp.Brocadero.com/Sales Users' as the Active Directory Domain Services Folder. The
instructor adds a group called RemoteIT. As a result, the Members table shows
the details of the new group in the second row. The instructor clicks OK and navigates back to
the Password Replication Policy tab in the LGA-RODC Properties dialog box.]

But suppose they go out there on a site call because the WAN link is down; are they going to
be able to log in? They are not, right? We are not so much worried about the LGA_Users
because they are in there every day, so their password is always getting refreshed, always
getting cached, right. But these guys, they may not be out there for months at a
time, so here is what I want to do. For those of you testing, you must be aware that adding
users or groups of users to the Allowed RODC Password Replication Group does not
automatically cache their passwords out on that RODC. To do that, I have to forcibly
prepopulate from the Advanced choice. And that is a look at RODCs: a great solution for low
security environments where I want to enable local authentication.
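The same Password Replication Policy work, done with the ActiveDirectory module and repadmin instead of the dialog boxes, as an added example (my code, not the course's). It covers both the Allow-list change made above and the prepopulation the instructor says the Allow list alone does not do; it assumes the lab names LGA-RODC, LGA_Users and RemoteIT, plus a hypothetical writable hub DC named HQ-DC1, and runs as a domain admin on a writable DC or an RSAT host.

```powershell
# Added example (not from the course). Manage and verify the Password Replication
# Policy (PRP) of the LGA-RODC read-only domain controller.
# Assumptions: RODC 'LGA-RODC', groups 'LGA_Users' and 'RemoteIT' (from the
# transcript); 'HQ-DC1' is a hypothetical writable DC name, replace with yours.
Import-Module ActiveDirectory
$rodc  = 'LGA-RODC'
$hubDc = 'HQ-DC1'

# 1. Allow caching for the groups that actually work in that office. This is the
#    PowerShell equivalent of adding them to the RODC's Allow list in ADUC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'LGA_Users', 'RemoteIT'

# 2. Show the effective Allow and Deny lists on the RODC object.
'--- Allowed ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList | Select-Object -ExpandProperty Name
'--- Denied ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList  | Select-Object -ExpandProperty Name

# 3. Resultant policy per account. Deny wins over Allow, so a RemoteIT member who
#    is also in Administrators or Backup Operators still comes back as a Deny and
#    will not be able to log on at LaGuardia with the WAN down.
'--- Resultant policy for RemoteIT members ---'
$remoteIt = Get-ADGroupMember -Identity 'RemoteIT' -Recursive | Where-Object objectClass -eq 'user'
foreach ($u in $remoteIt) {
    $result = Get-ADAccountResultantPasswordReplicationPolicy -Identity $u.SamAccountName -DomainController $rodc
    '{0,-20} {1}' -f $u.SamAccountName, $result
}

# 4. Being on the Allow list caches nothing until the user authenticates through the
#    RODC. Prepopulate the RemoteIT accounts now (repadmin does what the Advanced
#    button's prepopulate does), pulling the secrets from the writable hub DC.
foreach ($u in $remoteIt) {
    repadmin /rodcpwdrepl $rodc $hubDc $u.DistinguishedName
}

# 5. Audit what is actually cached on the RODC, and who has authenticated through it.
#    Both lists are what you review if that box ever goes missing from under the desk.
'--- Secrets currently cached on the RODC ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
'--- Accounts that have authenticated via the RODC ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```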

[The Password Replication Policy tab of the LGA-RODC Properties dialog box is open. The
instructor selects the third row of the table, and the 'Allowed RODC Password Replication Group
Properties' dialog box is displayed. Then the instructor navigates to the Members tab, which includes the
Members table. This table contains two rows and two columns. The first row contains
'LGA_Users' as the Name and 'Corp.Brocadero.com/Sales Users' as the Active Directory
Domain Services Folder. The second row contains 'RemoteIT' as the Name and
'Corp.Brocadero.com/IT Users' as the Active Directory Domain Services Folder. The instructor
clicks Cancel, navigates back to the Password Replication Policy tab of the LGA-RODC Properties
dialog box, and then clicks the Advanced button. As a result, the Advanced Password Replication
Policy for LGA-RODC dialog box is displayed. This dialog box contains two tabs, Policy Usage and
Resultant Policy. The instructor clicks Cancel and navigates back to the Password Replication
Policy tab of the LGA-RODC Properties dialog box.]
Backing Up Active Directory in Windows
Server 2012 R2
Learning Objective
After completing this topic, you should be able to
◾ recognize the considerations for protecting Active Directory in Windows Server 2012
R2

1. Protecting Active Directory


Now my friends, can you imagine anything more critical to the smooth functioning of your
organization than the database that contains all the security principals for your network? All the
computer accounts, the user accounts, the group accounts, the Group Policy Objects, right,
they are stored in the Domain System Volume, or SYSVOL. Everything that I need for anybody
to log in, for anybody to be authenticated, authorized for any network access, lives on those
domain controllers. So it is critical that, as part of our standard operating procedures, we are
doing regular backups on our domain controllers. And it is critical that it is part of somebody's
job that every month or so, they take those backup files and they do a test restore, so that we
know that we can restore Active Directory, or AD, according to the service-level agreement, or
SLA, that we have for them.

[Active Directory can be protected by monitoring critical services, backing up entire
volumes, securing your backups, scheduling frequent backups, and backing up critical domain
controllers. Backups of the following types of domain controllers can be created: Global
Catalog servers; DCs with custom application partitions; DCs located near critical operations;
DCs serving large user populations; DCs serving remote locations. Active Directory is
critical, and so to avoid disaster it is necessary to plan and protect it.]

Guys, I got to tell you, if you are just getting into this business today, in so many ways your life
is so much easier than it used to be. My favorite thing on this slide, do you see that choice,
Protect object from accidental deletion? That has saved me so many times since they first
introduced it in 2008. And it really makes a difference. It means that even though I have all the
rights in the world, if I accidentally delete an organizational unit, which deletes all the objects in
it, right, all the user accounts, computer accounts, group accounts, if I delete that thing, it is gone,
and I am going to the backup tapes.

And that is a nightmare, right, like I am not getting to my son's football game on Saturday
morning, if I am in that boat. We do not have that worry today because we have this built-in
protect objects from accidental deletion. Then beyond that, right, there is the nature of
backups. I do backups, I do test restores. I backup the critical volumes, I backup the SYSVOL
in there. I ensure that the backups are stored in a safe location. And I do not just store them
on-site but I send a copy of them and they get stored off-site in a fireproof safe someplace; that
is how I want to manage Active Directory backups.

[For successful backups, ensure the following:
1. Utilize the 'Protect object from accidental deletion' option.
2. Take daily backups of critical volumes, unique data, including domain directory partitions.
3. Ensure speedy backups.
4. Ensure that backups are stored in a secure location.
5. Store additional backup files off-site.
6. Remember that Active Directory-integrated DNS zone data is captured as part of system
state and critical-volumes backup on domain controllers hosting the DNS service.
7. Test any major changes to domain controller registry or directory information prior to
implementation on the production system.]

One of the backup types that is supported by Windows Backup, and supported by a lot of
third-party backup applications...and guys, look, I know almost nobody is using Windows
Backup, right. You have some third-party backup application, and that is what your backup
procedures are based on. But some of this you want to know for the test, absolutely. And one
of the things you want to know is what Microsoft calls the system state backup. And when I
think about the system state backup, what I am really thinking about is that information that is
on the machine that makes it unique.

So when I think about the registry, the COM+ component database, I think about, on my
domain controllers, the Active Directory database and the collection of Group Policy Objects
stored in the system volumes, the SYSVOL; that is what I am going to capture in any system
state backup of my domain controllers. If I do a system state backup on my Active Directory
Certificate Servers, I get a copy of the Certificate Services database, right. It is unique on that
machine, so I grab that. We want to perform system state backups on our domain controllers
as part of our regular backup routines.

Now the Windows Backup Utility is built into Server 2012 R2 but it is not installed by default.
You actually have to go in and add it as a feature. So I launch the Add Roles and Features
Wizard and I add the backup feature if I want to use it, right. And when I look in there...and
again for you test-takers, you want to know the distinctions here. When I look in there and I
see the Windows Backup Utility, it supports different kinds of backup types. We talked about
the system state backup already, right, everything that is unique on that machine. One of the
backups that we do immediately after we build a server out and put it into production is a full
server backup, I want to grab the whole thing, right. Then on an ongoing basis, we want to do
critical-volume backups. Now what is a critical volume? Well we are thinking about the domain
controllers, so think about what the critical-volumes on a domain controller are.

You have got the operating system partition; that is going to be a critical volume. Then if you
have offloaded, as we commonly do, the Active Directory database to its own disk array, right,
I am running that thing on a RAID-5 volume, that is going to be a critical volume. The
transaction logs, if they are on their own striped array, they are going to be a critical volume.
The SYSVOL, if I have offloaded that to its own mirrored disk array, that is going to be a critical
volume. So we can identify critical volumes and we can do critical-volume backups to capture
the contents of those critical volumes.

Now as we have said, the Windows backup features are no longer installed by default. If you
want them, you got to add them in from the Add Roles and Features Wizard or using the
PowerShell cmdlets. Now once you do that, there are two principal interfaces and that is not
even true anymore, there are really three principal interfaces. There is the GUI, right, the
Windows Backup Utility. Then there is the Wbadmin command-line tool, which, guys, if you are
testing, you must memorize the basic switches for using wbadmin like carve out study time
and memorize them. Then there is the backup module for PowerShell. And again, if you are
testing, I would familiarize myself with those commands as well.
[The 'wbadmin - [Windows Server Backup (Local)\Local Backup]' window contains 'Windows
Server Backup...' as the root node and the Local Backup node under it. The Local Backup page is
open in the view pane and includes two sections: Messages (Activity from last week, double
click on the message to see details) and Status. The Actions pane at the right of the window
contains the following options in the Local Backup section: Backup Schedule...; Backup Once...;
Recover...; Configure Perform...; View Help. Also, the Administrator: Command Prompt window
includes the following output:
C:\Users\administrator.EASYNOMAD>Wbadmin.exe /?
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2013 Microsoft Corporation. All rights reserved.
---------- Commands Supported ----------
ENABLE BACKUP -- Creates or modifies a daily backup schedule.
DISABLE BACKUP -- Disables the scheduled backups.
START BACKUP -- Runs a one-time backup.
STOP JOB -- Stops the currently running backup or recovery operation.
GET VERSIONS -- Lists details of backups that can be recovered from a specified location.
GET ITEMS -- Lists items contained in a backup.
START RECOVERY -- Runs a recovery.
GET STATUS -- Reports the status of the currently running operation.
GET DISKS -- Lists the disks that are currently online.
GET VIRTUALMACHINES -- Lists current Hyper-V virtual machines.
START SYSTEMSTATERECOVERY -- Runs a system state recovery.
START SYSTEMSTATEBACKUP -- Runs a system state backup.
DELETE SYSTEMSTATEBACKUP -- Deletes one or more system state backups.
DELETE BACKUP -- Deletes one or more backups.
C:\Users\administrator.EASYNOMAD>]
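An added PowerShell example (my code, not the course's) that installs the feature and drives the third interface mentioned above, the WindowsServerBackup module, alongside wbadmin: a scheduled system state plus critical-volume backup of a DC, a one-off system state backup, and a check of what is recoverable. It assumes a dedicated backup volume mounted as E: and no existing backup policy on the server.

```powershell
# Added example (not from the course). Schedule a nightly backup of a domain
# controller's system state plus its critical volumes, take a system state backup
# right now with wbadmin, and list what is recoverable from the target.
# Assumptions (hypothetical): backup disk mounted as E:, no existing WSB policy,
# run elevated on the DC.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}
Import-Module WindowsServerBackup

# A policy is assembled in memory and then committed with Set-WBPolicy.
$policy = New-WBPolicy

# System state = registry, COM+ class registration database and, on a DC, NTDS.dit,
# its transaction logs and SYSVOL. Bare Metal Recovery pulls in every critical
# volume automatically (the OS volume plus any separate volume that holds NTDS,
# the logs or SYSVOL), so an offloaded RAID-5/striped/mirrored layout is covered
# without listing the volumes by hand.
Add-WBSystemState       -Policy $policy
Add-WBBareMetalRecovery -Policy $policy

$target = New-WBBackupTarget -VolumePath 'E:'
Add-WBBackupTarget -Policy $policy -Target $target

# Nightly at 23:00. A VSS copy backup leaves archive bits and application logs
# untouched, so it can run beside a third-party product that does the file-level
# backups; a VSS full backup would reset them.
Set-WBSchedule         -Policy $policy -Schedule ([datetime]'23:00')
Set-WBVssBackupOptions -Policy $policy -VssCopyBackup
Set-WBPolicy -Policy $policy -Force

# One-off system state backup now, the command-line form of Backup Once with
# system state selected. The target must not itself be a critical volume.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Verify: every backup version on the target, then the contents of the newest one.
# This is the list a monthly test restore would start from.
$sets = Get-WBBackupSet -BackupTarget $target
$sets | Select-Object VersionId, BackupTime, BackupTarget | Format-Table -AutoSize
$latest = $sets | Sort-Object BackupTime -Descending | Select-Object -First 1
wbadmin get items -version:$($latest.VersionId) -backupTarget:E:
```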

2. Demo: Backing up Active Directory


Because Active Directory defines the security context as well as the replication context and the
authentication context for our Active Directory forest, we want to back it up, we want to protect
it, right. And one of the things that is on the test guys is using Windows Server Backup, and
that is both the graphical utility and the Wbadmin command-line tool. So if you are testing, you
want to spend some time with Windows Server Backup and particularly as it relates to
securing Active Directory.

Now one of the things to know today is that the feature is not installed by default, right.
Microsoft knows that folks do not use this. Now I know some of us do, right, but a lot of us turn
to third-party backup solutions; maybe it is because we want mailbox-level backups of our
Exchange servers. And so we buy a license for some backup utility that has that feature set
and we use that backup utility. We prefer it because it has more fine-grained control and that
is fine, right. But Microsoft tests on its solutions. So if you are testing, you want to take a look
at Windows Backup.

[The Add Roles and Features Wizard is open. The navigation pane includes the following tabs:
Before You Begin, Installation Type, Server Selection, Server Roles, Features, Confirmation,
and Results. The Features tab is open, which enables the instructor to select one or more
features to install on the selected server. The 'Windows PowerShell (2 of 5 installed)' option is
already selected in the Features list box. The instructor clicks Next and navigates to the
Confirmation tabbed page, which includes a summary of all the selected options. The instructor
clicks Next and navigates to the Results tab, which displays the progress of the installation
process.]

So the first thing that we are going to do here is we are going to go ahead and install the
backup feature, and then we will take a look at using Windows Server Backup to create a
system state backup. And when we think about a system state backup, system state backups
are everything about this machine that makes it unique. So the registry on this machine, the
COM+ component database, and because it is a domain controller, the SYSVOL, the Active
Directory database, the transaction log files, that all gets captured as part of a system state
backup. If this machine were an Active Directory Certificate Services Server, the Active
Directory Certificate Services database would get backed up as part of the system state
backup.

Now of course, we can go through and we can do a backup based on file, but the system state
is going to capture everything that is most critical to me in one backup operation for this
domain controller. And we can see that the installation succeeded. So we can go ahead and
Close that wizard, and then we look up here on the Tools menu and come down to Windows
Server Backup. And we will go ahead and launch the backup console. The Windows Server
Backup console launches for the first time, right, so we see we have not done a backup before.
There are no backup schedules, there are no available backups, et cetera.

[The Results tabbed page of the Add Roles and Features wizard is open. This tabbed page
displays the progress of the installation process. Once the installation is complete, the
instructor closes the Add Roles and Features Wizard and navigates to the Local Server tabbed
page in the Server Manager window. Then the instructor expands the Tools menu and selects
the Windows Server Backup option from the menu. As a result, the Windows Server Backup
window is displayed. The navigation pane of this window includes 'Windows Server Backup
(Local)' as the root node and Local Backup as the sub-node under it. The root node is already
selected and the view pane includes the various sections such as Local Backup and Online
Backup. The Local Backup section includes details about Last Backup Status, Next Backup
Time, and Number of available backups. The Online Backup section includes the following
information along with a partially visible link: You can subscribe to Windows Azure Backup to
backup your critical data automatically.]

And I can come down here to Local Backup and we could schedule an ongoing backup, right,
so that the backup happens every evening; or we can do a one-off, which is what we are going
to do here. And here we can see right, there it is, Backup Schedule, so I could set a schedule
so that the process is automated and ongoing; or we could specify here Backup Once and
this will give us an opportunity to see the backup options and features. We do not have a
schedule chosen, so the first choice is grayed out. Do I want to do a Full server
(recommended) or a Custom backup? If I had just installed this machine and we were getting
ready to put it into production, and I test it and I felt like it was all set to go, I would want to do a
Full server (recommended) backup and get a snapshot of this machine, right.

[The Windows Server Backup window is open. The instructor selects the Local Backup node in
the navigation pane and the view pane displays the details about Local Backup. The view pane
includes two sections, Messages (Activity from last week, double-click on the message to see
details) and Status. The Messages (Activity from last week, double-click on the messages to
see details) section includes a table with three columns, Time, Message, and Description. The
Actions pane includes the following options under the Local Backup section: Backup Schedule,
Backup Once, Recover, Configure Performance, View, and Help. Next the instructor selects
the 'Backup once' option and the Backup Once Wizard is displayed. The navigation pane of
this wizard includes five tabs, Backup Options, Select Backup Configuration, Specify
Destination Type, Confirmation, and Backup Progress. The Backup Options tab is open, which
includes the following options: Scheduled backup options Choose this option if you have
created a scheduled backup and want to use the same settings for this backup. Different
options Choose this option if you have not created a scheduled backup or to specify a location
or items for this backup that are different from the scheduled backup. To continue, click Next.
The 'Different options' option is already selected. The instructor clicks Next and navigates to
the 'Select Backup Configuration' tabbed page, which enables the instructor to select the type
of configuration that is to be scheduled. This page includes the following options: Full Server
(recommended) I want to back up all my server data, applications and system state. Backup
size: 10.85 GB Custom I want to choose custom volumes, files for backup. The 'Full server
(recommended)' option is already selected. The instructor selects the 'Custom' option.]

For our purposes though, we want to explore some of the other backup choices. Here is the
Custom backup and I could Add Items. And now I could drill down, right, I could pick the
Active Directory database, the transaction log files, et cetera, but I do not want to do that. I
could specify particular volumes in here, the Recovery partition, the EFI System Partition. I
could specify I want to do a backup for Bare metal recovery or for our purposes, I am going to
grab everything I need in a System state backup - the registry of this machine, the COM+
component database on this machine, the Active Directory database, the SYSVOL, the
transaction log files; I am going to grab them. Where do we want to store this? I have got a
share that I direct the backups to and that is on the file server \\TARDIS1\ in the Share
directory, in the ADbak folder. Did you see that there? You see, it actually reads the share,
right, so I could just pick it from the list. 'A folder named 'WindowsImageBackup' will be created
inside the specified share to store the backup'. Do I want to Inherit the permissions from that
remote folder or not inherit, and I am going to say Inherit. I have already secured that folder. I
am going to run a system state backup and say Backup.

[The Select Backup Configuration tabbed page of the Backup Once Wizard is open. The
Custom option is already selected. The instructor clicks Next and navigates to the Select Items
for Backup tab. This tabbed page enables the instructor to select the items to back up. It
includes the Name list box, which is empty, and three buttons, Add Items, Remove Items, and
Advanced Settings. The instructor clicks Add Items and the Select Items dialog box is
displayed, which includes the following items: Bare metal recovery, System
state, EFI System Partition, Local disk (C:), and Recovery. The instructor selects the 'System
state' option, clicks OK, and navigates back to the Select Items for Backup tabbed page in the
wizard. The instructor clicks Next and navigates to the Specify Destination Type tabbed page,
which enables the instructor to select the type of storage for the backup from the following
options: Local drives Example: local disk (D:), DVD drive (E:) Remote shared folder Example:
\\MyFile Server\SharedFolderName The 'Local drives' option is already selected. The instructor
selects the 'Remote shared folder' option, clicks Next, and navigates to the Specify Remote
Folder tab. This tabbed page includes the Location text field and two Access control options,
Do not inherit and Inherit, where the 'Inherit' option is already selected. The instructor enters
'\\TARDIS1\Share\ADbak' as the Location and clicks Next. As a result, the instructor navigates
to the Summary tab, which displays the summary of all the options selected. The instructor
clicks the 'Backup' button and the instructor navigates to the Backup Progress tab, which
displays the progress of the backup.]

Here we can see the backup application inventorying the applications that are to be included as
part of the backup.
We can see already, it has found some 40,000 files totaling about 4 GB of data; remember
that SYSVOL and the Active Directory database again. If you have got a lot of Group Policy
Objects, it can be quite substantial in and of itself. So you can see here, thanks to the magic of video,
100% of the backup is completed, 6.42 GB of 6.42 GB has transferred and it is just finishing up
now. We could actually take a look over here, right. I could browse the network out here to the
Share, to ADbak, there is the WindowsImageBackup, there is the server name, there is the
backup Catalog, metadata, the actual backup itself, and we see its size there, and that looks
about the same as we saw reported in the console now.

[The Backup Progress tabbed page of the Backup Once Wizard is open. This tabbed page
displays the progress of the backup process. Once the backup process is complete, the
following details are displayed in the Status details section: Backup location: \\TARDIS1
\Share\ADbak Data transferred: 6.42 GB The Status details section also includes a table with
three columns, Item, Status, and Data transferred, and one row. The first row contains 'System
state' as the Item, 'Completed.' as the Status, and '6.42 GB of 6.42 GB' as the Data
transferred. The instructor then navigates to the File Explorer window and then navigates to
'Share (\\TARDIS1)(Z:)' folder on the network, which includes the ADbak folder. The instructor
opens the ADbak folder, which includes the WindowsImageBackup folder. This folder includes
the EWR-DC1 sub-folder in it, which includes three folders, Backup 2014-02-07 202939,
Catalog, and SPPMetadataCache, and a file named 'MediaId'. The instructor opens the
Backup 2014-02-07 202939 folder, which includes multiple XML documents and a Hard Disk
Image of size 6,909,952 KB.]

Again guys, you want to know that not only do you have this interface, but you have the
command-line interface too. So if I come over here into a command prompt and I type
wbadmin help, I get some help on wbadmin. Here we can see the syntax for the Wbadmin
command line: I want to enable a backup, or I can specify a START SYSTEMSTATEBACKUP
if I wanted to do a system state backup from the command line. And this is potentially
important if you are managing Server Core installs, right guys.

If you are managing Server Core installs and you want to use the Windows Server Backup utility
with them, you are going to want to script those backups using the Wbadmin command-line
utility. Some of the things to know about this: the backup target location for this command line
cannot be the boot partition or the partition that stores the system files, the operating system
files, so commonly C:, that cannot be a backup target location. The volume that you are
backing up cannot be a backup target location either. So take a look at this command line, take
a look at the console, and have some familiarity with Windows Server Backup if you are testing.
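As an added example (not the course's own code), here is how those Server Core backups could be scripted around wbadmin, with the target checks the instructor describes, and then registered as a nightly task. It assumes a dedicated local volume E: as the backup target and a domain controller whose NTDS registry parameters are in their default location.

```powershell
# Added example, not from the course: script a domain controller's system state
# backup with wbadmin (as you would on Server Core) and schedule it nightly.
# Assumptions: E: is a dedicated local data volume; wbadmin must never be
# pointed at the system volume or at a volume that holds part of the system state.
#Requires -RunAsAdministrator

function Test-SystemStateBackupTarget {
    param([Parameter(Mandatory)][string]$BackupTarget)

    # Normalise "E:" or "E:\" to an upper-case drive letter with colon.
    $drive = ($BackupTarget.TrimEnd('\')).ToUpper()
    if ($drive -notmatch '^[A-Z]:$') {
        throw "BackupTarget must be a local volume such as 'E:' (got '$BackupTarget')."
    }

    # Rule from the course: the target cannot be the boot/system volume.
    if ($drive -eq $env:SystemDrive.ToUpper()) {
        throw "Backup target $drive is the system volume; wbadmin will refuse it."
    }

    # The volumes holding the AD database, its logs and SYSVOL are part of what
    # is being backed up, so they cannot be the target either.
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    $protected = @($ntds.'DSA Database file', $ntds.'Database log files path', $ntds.'SysVol') |
        Where-Object { $_ } |
        ForEach-Object { ([System.IO.Path]::GetPathRoot($_)).TrimEnd('\').ToUpper() }
    if ($protected -contains $drive) {
        throw "Backup target $drive holds part of the system state (NTDS or SYSVOL)."
    }

    if (-not (Test-Path "$drive\")) { throw "Volume $drive is not online." }
    return $drive
}

function Start-DcSystemStateBackup {
    param([Parameter(Mandatory)][string]$BackupTarget)

    # Windows Server Backup is not installed by default (the course adds it through
    # Add Roles and Features); do the same from PowerShell if it is missing.
    if (-not (Get-WindowsFeature Windows-Server-Backup).Installed) {
        Install-WindowsFeature Windows-Server-Backup | Out-Null
    }

    $target = Test-SystemStateBackupTarget -BackupTarget $BackupTarget

    # -quiet suppresses the interactive confirmation so this runs unattended.
    & wbadmin.exe start systemstatebackup "-backupTarget:$target" -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin start systemstatebackup failed with exit code $LASTEXITCODE."
    }

    # Confirm the new version is in the catalog on the target; the last
    # "Version identifier:" line is the backup just taken.
    $versions = & wbadmin.exe get versions "-backupTarget:$target"
    if ($LASTEXITCODE -ne 0) { throw "wbadmin get versions failed ($LASTEXITCODE)." }
    $versions | Where-Object { $_ -match '^Version identifier:' } | Select-Object -Last 1
}

function Register-DcSystemStateBackupTask {
    param(
        [Parameter(Mandatory)][string]$BackupTarget,
        [string]$At = '21:00'
    )
    $target  = Test-SystemStateBackupTarget -BackupTarget $BackupTarget
    $action  = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
        -Argument "start systemstatebackup -backupTarget:$target -quiet"
    $trigger = New-ScheduledTaskTrigger -Daily -At $At
    # Run as SYSTEM with highest privileges; wbadmin needs administrator or
    # Backup Operators rights.
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'AD System State Backup' -Action $action `
        -Trigger $trigger -Principal $principal -Force
}

# Usage, on the domain controller:
# Start-DcSystemStateBackup -BackupTarget 'E:'
# Register-DcSystemStateBackupTask -BackupTarget 'E:' -At '21:00'
```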

[The Backup 2014-02-07 202939 folder is open. This folder includes multiple XML documents
and a Hard Disk Image of size 6,909,952 KB. The instructor closes this window and navigates
back to the Backup Progress tabbed page of the Backup Once Wizard. The instructor clicks
Close and navigates to the Windows Server Backup window. Then the instructor navigates to
the command prompt window, which includes the following command:
c:\Users\Administrator>wbadmin/? The instructor enters the 'wbadmin help' command, which
displays the following output: wbadmin 1.0 Backup command line tool <C> Copyright 2013
Microsoft Corporation. All rights reserved. Commands Supported ENABLE BACKUP --
Creates or modifies a daily backup schedule. DISABLE BACKUP -- Disables the scheduled
backups. START BACKUP -- Runs a one-time backup. STOP JOB -- Stops the currently
running backup or recovery operation. GET VERSIONS -- Lists details of backups that can
be recovered from a specified location. GET ITEMS -- Lists items contained in a backup.
START RECOVERY -- Runs a recovery. GET STATUS -- Reports the status of the
currently running operation. GET DISKS -- Lists the disks that are currently online. GET
VIRTUALMACHINES -- Lists current Hyper-V virtual machines. START
SYSTEMSTATERECOVERY -- Runs a system state recovery. START
SYSTEMSTATEBACKUP -- Runs a system state backup. DELETE SYSTEMSTATEBACKUP
-- Deletes one or more system state backups. DELETE BACKUP -- Deletes one or more
backups. C:\Users\Administrators>]

Recovering Active Directory in Windows Server 2012 R2
Learning Objectives
After completing this topic, you should be able to
◾ match the Active Directory and Active Directory data restore methods to their
descriptions
◾ identify the possible states in the deleted Active Directory Object container

1. Types of restores
Now if you have done your job and you have been running backups, sooner or later something
is going to fail and you are going to have to do a restore, right. So what are the restore
options? Well I can do critical-volume recovery, from a critical-volume backup, I can do that
critical-volume recovery; that also supports the install from media backup type. Remember, we
said, if I wanted to install a domain controller in a remote location rather than have the
replication overhead of the Domain System Volume, or SYSVOL, and the database over the
WAN link, I burn it all to disk and I ship it to the guy. How do I burn it to disk? I do an Install
from Media, or IFM, backup and then of course they do an IFM recovery, boom, could do a Full
server recovery. Now there are times when the Active Directory database becomes corrupt.
Now if that is isolated to a single domain controller, I can do what is called a nonauthoritative
restore. I grab the database off the last backup tape, I restore it to the same location as the
corrupt file, and normal Active Directory replication updates it. But sometimes, we are restoring
the database because an object has been deleted from the database that we have to get back.

And see the problem is if I do a nonauthoritative restore, I just put the old database back that
includes the copy of that object. Normal Active Directory replication is going to say to the
restore database, "Hey buddy! What are you doing with that user account? We all deleted that,
you delete it too." And normal Active Directory replication deletes the object. An authoritative
restore says, No, that user account should be put back. Don't...I am not going to delete it. I am
going to replicate its existence to all of you and you are going to take it.

[A nonauthoritative restore needs at least a system state backup. The steps involved in a
nonauthoritative restore are as follows:
1. Restart the domain controller, or DC, into DSRM
2. Restore the system state
3. Restart the server (unless performing an authoritative restore next)
An authoritative restore follows the steps of the nonauthoritative restore. The steps involved
in an authoritative restore are as follows:
1. Stop the Active Directory, or AD, service if not stopped already
2. Mark the objects authoritative with NTDSutil
3. Restart the domain controller, or DC, and synchronize it
The requirements for a full server recovery are:
1. It requires a full server backup.
2. It needs the OS DVD or WinRE installed.
3. It needs sufficient storage.
The steps involved in a full server recovery are as follows:
1. Boot into WinRE
2. Select Windows Complete PC Restore
3. Select the backup set
4. Exclude disks if necessary
5. Execute the restore and reboot the server
The critical-volumes recovery process is used for alternate location restores and IFM installs.
Wbadmin is used to indicate the new destination.]

2. Demo: Performing a restore
Now let us take a look at using the recovery options, right, or the restore options. One of the
things I can do, I can come up here, I can Recover, and the Windows backup and Recovery
Wizard will open here. What do I want to do? I want to grab a backup that is stored on, in
another location, right, because we store everything off onto the network and so it is out there
in a Remote shared folder. And that backup location was on our file server that we call
\\TARDIS1\ and it is actually in the root of C there, that C$ sign, that is the hidden
administrative share at the root of C of every server, right. Go ahead and grab it. What do we
want to grab the data for? For that EWR-DC1 backup, right. Here we see the available
backups and the date and time, Recoverable items, these were System state backups and
this is the one we are going to grab here. What do I want to restore? I want to restore the
System state. You could see, I could restore whole Volumes or I could restore Files and
folders to select just the files that I wanted to restore out of this backup. For our purposes, I
want to grab the System state and I am going to put it out to an Alternate location, right, out
here on the local drive. I have a directory called Restore and we will go ahead and we will copy
those out.

[The Windows Server Backup window is open. The navigation pane includes 'Windows Server
Backup (Local)' as the root node and Local Backup as the sub-node, which is already selected.
The view pane contains the Local Backup page, which is divided into two sections, Messages
and Status. The Message section displays the details of the activities from last week. It
includes a table with three columns, Time, Message, and Description, and two rows. The first
row contains '2/14/2012 12:29 PM' as the Time, 'Backup' as the Message, and 'Successful' as
the Description. The second row contains '2/7/2014 12:29 PM' as the Time, 'Backup' as the
Message, and 'Successful' as the Description. The instructor can double-click on the message
to view its details. The instructor right-clicks the 'Local Backup' node in the navigation pane
and selects the 'Recover' option from the shortcut menu. As a result, the Recovery Wizard is
displayed, which includes the following tabs in the navigation pane: Getting Started, Select
Backup Date, Select Recovery Type, Select Items to Recover, Specify Recovery Options,
Confirmation, and Recovery Progress. The Getting Started tabbed page is already open and
asks the instructor to select the location where the backup is stored that has to be used for the
recovery. It includes two options, This server (EWR-DC1) and A backup stored on another
location. The 'This server (EWR-DC1)' option is already selected. The instructor selects the 'A
backup stored on another location' option, clicks Next, and navigates to the Specify Location
Type tab. The Specify Location Type tabbed page enables the instructor to select the location
type where the backup is stored. It includes the following options: Local drives: Example: local
disk (D:), DVD drive (E:) Remote shared folder Example: \\MyFileServer\SharedFolderName
The 'Local drive' option is already selected. The instructor selects the 'Remote shared folder'
option, clicks Next, and navigates to the Specify Remote Folder tab. This tabbed page enables
the instructor to enter the Universal Naming Convention (UNC) path to the remote shared
folder that contains the backup that is to be used. The instructor enters '\\TARDIS1\C$' as the
path, clicks Next, and navigates to the Select Server tab. This tabbed page includes the Server
list box, which includes the following servers: Backup 2014-02-07 202939, Catalog, EWR-DC1,
and SPPMetadataCache. The instructor selects the 'EWR-DC1' server, clicks Next, and
navigates to the Select Backup Date tab. This tabbed page includes the following information:
Oldest available backups: 2/14/2014 12:29 PM Newest available backups: 2/14/2014 12:29
PM This tabbed page also includes the 'Available backups' section that enables the instructor
to select the date of the backup that can be used for recovery. The calendar for the month of
February is displayed where the date '14th' is in bold and it is available for recovery. The
backup date is already set to 2/14/2014, the Time is set to 12:29 PM and 'System state' option
is selected for the Recoverable items parameters. The instructor clicks Next and navigates to
the Select Recovery Type tab, which enables the instructor to select the type of data that is to
be recovered. The Select Recovery Type tabbed page includes the following options: Files and
folders You can browse volumes included in this backup and select files and folders. Hyper-V
You can restore virtual machines to their original location, another location or copy the virtual
hard disk files of a virtual machine. Volumes You can restore an entire volume, such as all
data stored on C:. Applications You can recover applications that have registered with
Windows Server Backup. System state You can restore just the system state. Out of the five
options, the Hyper-V and Applications options are disabled and the 'Files and folders' option is
already selected. The instructor selects the 'System state' option, clicks Next, and navigates to
the 'Select Location for the Syste...' tab. This tabbed page enables the instructor to select the
destination folder where the instructor wants to recover the Active Directory backup. It includes
two options, Original location and Alternate location. The 'Original location' option is already
selected. The instructor selects the 'Alternate location' option and clicks the Browse button
associated with it. As a result, the 'Browse For Folder' dialog box is displayed. Then the
instructor selects the 'Restore' folder in the Local drive (C:) and clicks OK. As a result, the
following path is auto-populated in the text field associated with the 'Alternate location' option:
C:\Restore. The instructor clicks Next and navigates to the Confirmation tab. The Confirmation
tabbed page displays the summary of all the options selected. The instructor clicks Recover
and navigates to the Recovery Progress tab, which displays the progress of the recovery
process.]

And so now these, the files will be extracted out of there. They will be placed in the Restore
directory and I will be able to walk that file system once this restore is complete. So if I needed
to grab files that had changed since the last backup, I could pull them off the backup this way.
This of course is a domain controller, so as part of the system state, we have captured the
Active Directory database. If I needed to recover an object as part of an authoritative restore
process, I could grab that ntds.dit database out of here.

Now there is more to it than that, right, for that particular process. But that is why we try to
avoid that so much today by using the Active Directory Recycle Bin, so that hopefully you guys
will not have to muck around with that. But basically, what you do is you use NT Directory
Services Utility, or Ntdsutil, to mark the object as authoritative. And if you watched any of the
other demos that use Ntdsutil, you know that that command-line tool depends on an
understanding of the distinguished names of the objects. And so I have to know the
distinguished name of the object that I am trying to recover out of the database.

[The Recovery Progress tabbed page in the Recovery Wizard is open. This tabbed page displays
the progress of the recovery process.]

When I mark it as authoritative, it does not get purged when that domain controller comes back
online as part of normal Active Directory replication, right. Commonly, we do not have to
restore the Active Directory database to get back missing objects as much as we have to
restore it because the server failed for some reason or we had a hard drive crash on that
machine. So we are restoring the data and we are not concerned about the inconsistencies in
the data because normal Active Directory replication will bring that copy of the database up to
speed, right. But in those rare exceptions when we have got to get an object back, oh! it is just an
authoritative restore process, you just mark the object as authoritative. And we can see here
that has completed. Now I could come out to the file system, I could drill down here into that
Restore directory, down into C_. I could recover any of these files in here. I could come out
down here, right, there is the Active Directory database. If I needed to remount that copy of the
database, I could do so from here.

[The Recovery Progress tabbed page in the Recovery Wizard is open. This tabbed page displays
the progress of the recovery process. Once the recovery process is complete, the instructor
clicks Close. As a result, the wizard closes and the instructor navigates to File Explorer and
opens the Restore folder in the Local Drive (C:). The Restore folder contains a folder called
'C_', which contains the following sub-folders: Program Files, Program Files (x86),
ProgramData, Users, and Windows. The instructor opens the Windows sub-folder first and then
opens the NTDS folder under it. The NTDS folder includes the following files: edb.chk, edb.log,
and ntds.dit.]
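The slide's nonauthoritative-to-authoritative restore sequence, together with the Ntdsutil step the instructor just described, as an added example that is not part of the course: each phase is a function because two reboots separate them. It assumes the demo's \\TARDIS1\Share\ADbak share holds the system state backups; the object DN and backup version in the usage lines are placeholders you supply.

```powershell
# Added example, not from the course: the nonauthoritative -> authoritative
# restore sequence as four phases, because two reboots separate them:
#   1. Enter-Dsrm                 reboot into Directory Services Restore Mode
#   2. Restore-AdSystemState      in DSRM: nonauthoritative system state restore
#   3. Set-AdObjectAuthoritative  in DSRM: mark the object with ntdsutil
#   4. Exit-Dsrm                  reboot normally; replication does the rest
# Assumptions: backups live on the demo's \\TARDIS1\Share\ADbak share; the
# DN and version identifier used below are placeholders.
#Requires -RunAsAdministrator

$BackupShare = '\\TARDIS1\Share\ADbak'

function Get-AdBackupVersions {
    # "Version identifier: MM/DD/YYYY-HH:MM" lines from wbadmin get versions are
    # the values that start systemstaterecovery expects in its -version switch.
    param([string]$BackupTarget = $BackupShare)
    $out = & wbadmin.exe get versions "-backupTarget:$BackupTarget"
    if ($LASTEXITCODE -ne 0) { throw "wbadmin get versions failed ($LASTEXITCODE)." }
    foreach ($line in $out) {
        if ($line -match '^Version identifier:\s*(\S+)') { $Matches[1] }
    }
}

function Enter-Dsrm {
    # Phase 1: make the next boot start in Directory Services Restore Mode.
    & bcdedit.exe /set safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit /set safeboot dsrepair failed.' }
    Restart-Computer -Force
}

function Restore-AdSystemState {
    # Phase 2 (logged on in DSRM as the DSRM administrator): nonauthoritative
    # restore of the system state from one backup version. Map the share with
    # net use first if the DSRM account cannot reach it on its own.
    param(
        [Parameter(Mandatory)][string]$Version,
        [string]$BackupTarget = $BackupShare,
        [switch]$AuthoritativeSysvol   # adds -authsysvol to restore SYSVOL authoritatively
    )
    $wbArgs = @('start', 'systemstaterecovery', "-version:$Version",
                "-backupTarget:$BackupTarget", '-quiet')
    if ($AuthoritativeSysvol) { $wbArgs += '-authsysvol' }
    & wbadmin.exe @wbArgs
    if ($LASTEXITCODE -ne 0) { throw "wbadmin start systemstaterecovery failed ($LASTEXITCODE)." }
}

function Set-AdObjectAuthoritative {
    # Phase 3 (still in DSRM, before rebooting): mark the restored object as
    # authoritative so replication pushes it back out instead of deleting it again.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # ntdsutil takes each command as its own quoted argument; the DN is quoted
    # inside the "restore object" argument (\" survives command-line parsing)
    # because distinguished names usually contain spaces and commas.
    $arguments = "`"activate instance ntds`" `"authoritative restore`" " +
                 "`"restore object \`"$DistinguishedName\`"`" quit quit"
    $p = Start-Process -FilePath 'ntdsutil.exe' -ArgumentList $arguments -Wait -NoNewWindow -PassThru
    if ($p.ExitCode -ne 0) { throw "ntdsutil returned exit code $($p.ExitCode); check its output." }
}

function Exit-Dsrm {
    # Phase 4: clear the DSRM boot flag and reboot normally. Replication then
    # brings this DC up to date and carries the authoritative object to its peers.
    & bcdedit.exe /deletevalue safeboot | Out-Null
    Restart-Computer -Force
}

# Usage, in order (the first and last steps each reboot the DC):
# Enter-Dsrm
# Get-AdBackupVersions                                   # e.g. 02/07/2014-20:29 (placeholder)
# Restore-AdSystemState -Version '02/07/2014-20:29'
# Set-AdObjectAuthoritative -DistinguishedName 'CN=Jane Doe,OU=Sales,DC=corp,DC=local'  # placeholder DN
# Exit-Dsrm
```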

3. The Recycle Bin


Now before Windows Server 2008 R2, if I accidentally deleted an object from Active Directory,
I deleted a whole organizational unit, I deleted your user account, I deleted a group account. It
does not do any good to just recreate that account with the same name because it gets a new
security identifier, or SID, and so it is a totally different account, dig it. So what we used to
have to do is we actually used to have to turn a domain controller off, restart it, hit F8 to go into
the Advanced Startup Options, reboot the machine in Directory Services Restore Mode,
log in with a local administrator password, which nobody had ever written down and it was a big
hassle, and then we had to go through this authoritative restore process.

Yes, really a lot of overhead guys. But today, we enable something called the Active Directory
Recycle Bin. And so today when I delete an object, that object is easily restored from the
Active Directory Recycle Bin using the Active Directory Administrative Center. And we do not
need the backup tapes, we do not need to restart the machine, we do not even have to stop
the Active Directory Services. We just restore the object right out of the Recycle Bin, just like
pulling a file that you did not mean to delete out of your trash can. We can pull your user
account right out of the Active Directory Recycle Bin.

[Before Windows Server 2008 R2, object recovery was performed using the Windows Server
Backup utility and an authoritative restore. It was performed in Directory Services Restore
Mode, where the domain controller was required to be offline. Tombstone reanimation was used,
and objects' link-valued attributes were not always recovered. For Windows Server 2008 R2 and
later versions, the Active Directory Recycle Bin was introduced, built on tombstone reanimation.
The Active Directory Recycle Bin preserves all link-valued and non-link-valued attributes
and restores the objects completely.]

Now timestamps are really important in Active Directory. And so when an object is deleted
from Active Directory, it is not actually deleted, it is what they call tombstoned. And then it sits
there that way for 180 days before a process called the garbage collection process removes
those tombstoned objects permanently from the directory. So the important thing here guys is,
look after 180 days, you are not getting it back at all, no matter what, right. Now with the
Recycle Bin enabled for that 180 day period, we can pull it out of the Active Directory Recycle
Bin quite readily, quite easily, with no server restarts, no service shutdowns, boom, just right
out of the Recycle Bin; but again subject to that 180 days.

Now here is the way that Active Directory always worked. If I deleted your user object, or you
know, whether intentionally or accidentally, which is one of the reasons why I personally never
delete user objects, right. I disable a user object and I move it into a disabled organizational
unit, or OU, and then we assess those accounts, you know, on an ongoing basis and purge
them as appropriate, but we do not ever delete anything right away; because once we do, that
object gets tombstoned and so the object still exists in the directory, but it is not active, it is not
available, it is not accessible in any of the standard consoles or methods. And every 12 hours
there is a process that runs called the garbage collection interval or the garbage collection
process. And every 12 hours a sweep gets done looking for tombstones that have expired
within that time and those objects are then permanently deleted from the database. And that is
the way things always worked before we had the Active Directory Recycle Bin and the way
they still work if the Recycle Bin is not enabled.

Now today in Active Directory for Windows Server 2012 R2...and this is the way it has been
since 2008 R2. Today when we delete an object from Active Directory, rather than simply
being tombstoned if we have enabled the Active Directory Recycle Bin, the object attribute
isDeleted is set from the binary value of zero (false) to the binary value of one (true). And
the object exists in the deleted items container for a period of 180 days, right, same as the
tombstone lifetime. Within that 180 days, I can pull it out. Commonly, this is done with the
Active Directory Administrative Center, which is an easy to use web interface, it is a graphical
interface. That really makes the recovery of Active Directory objects that have been
accidentally or mistakenly deleted, readily available to anybody that has enabled the Recycle
Bin.

4. Demo: Using the Recycle Bin


In Active Directory for Windows Server 2008 R2, Microsoft introduced one of the most widely
useful features ever – the Active Directory Recycle Bin. And you know, it used to be, if you
deleted a user account object by accident, you had to do an authoritative restore of Active
Directory and it was a lot of work, right. Now if a user account gets deleted, we can put it back
quite readily with the Active Directory Recycle Bin. Now if I take a look, the way we used to do
this, right, in Server 2008 R2 and you can still do it in Server 2012, I look here, there is this
cmdlet, Enable-ADOptionalFeature, right.

And if I ask for examples on Enable-ADOptionalFeature, I see here is the one,
Enable-ADOptionalFeature 'Recycle Bin Feature'. So I could run this command line,
specifying a domain controller to connect to, to perform the operation.

[The Server Manager window is open. The navigation pane includes the following tabs:
Dashboard, Local Server, All Servers, AD DS, DHCP, DNS, and File and Storage Services.
The AD DS tabbed page is already open. This page includes two sections, SERVERS and
EVENTS. The SERVERS section includes a table that is partially displayed. The following
columns are visible: Server Name, IPv4 Address, Manageability, and Last Update. The first
row contains 'EWR-DC1' as the Server Name, '10.0.0.1, 192.168.1.117' as the IPv4 Address,
'Online - Performance counters not started' as the Manageability, and '2/7/2014 1:10:31 PM' as
the Last Update information. Next the instructor navigates to the PowerShell window, which
shows the prompt: PS C:\Users\Administrator> The instructor enters 'get-help
enable-ADOptionalFeature -examples' at the prompt, which displays the following output: NAME
Enable an Active Directory optional feature. EXAMPLE 1: C:\PS>Enable-ADOptionalFeature
'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'fabrikam.com' -server dc1
Description: Enable the optional feature 'Recycle Bin feature' for the forest 'fabrikam.com'.
This operation must be performed on the Domain Controller that holds the naming master FSMO
role. EXAMPLE 2: C:\PS>Enable-ADOptionalFeature 'Feature1' -Scope ForestOrConfigurationSet
-Target 'CN=Configuration,CN={0241853A-6BBF-48AA-8AE0-9C35D0C91B7B}' -server
lds.fabrikam.com:50000 Description: Enable the optional feature 'Recycle Bin Feature' for the
AD LDS instance lds.fabrikam.com. This operation must be performed on the AD LDS instance
that holds the naming master FSMO role. C:\PS>Set-ADObject -Identity
"CN=Partitions,CN=Configuration,CN={4F971828-5BE4-4E94-B532-58F2BFB6A3A5}" -REP...
@{"msDS-Behavior-Version"=4}]

But for our purposes today, if I look over here on the Tools menu, right, in Server 2012 and
2012 R2, we have this great tool called the Active Directory Administrative Center. And if I
open up the Active Directory Administrative Center, I see over here, if I can go to the local
domain, and when I go to that local domain our Corp (local) domain, I have this choice right
here. Look at Enable Recycle Bin. Isn't that a thing of beauty?

Right, so yes, I want to enable that Recycle Bin. I want to make my life a lot easier. 'Are you
sure you want to perform the action? Once the Recycle Bin has been enabled, it cannot be
disabled.' Yes, I want to perform that action. So that takes a second to run and then it says,
"Please refresh the AD Administrative Center now. Active Directory directory services has
begun enabling the Recycle Bin for this forest", right. It is a forest-wide function and so the
Active Directory forest has to be at least 2008 R2.

[The PowerShell window still shows the Enable-ADOptionalFeature help output from the
previous step. The instructor navigates to the AD DS tabbed page of the Server Manager
window and clicks the Tools menu. Then the instructor points to the Active Directory
Administrative Center option from the drop-down menu. Then the instructor navigates to the
Active Directory Administrative Center window that is already open. The Overview tabbed page
is already open and the instructor selects the Corp (local) tabbed page, which displays a list of
containers and their details in a tabular format. Then the instructor scrolls to the right and
selects Enable Recycle Bin in the Tasks pane. As a result, a confirmation message is
displayed that contains the following message: Are you sure you want to perform this action?
Once Recycle Bin has been enabled, it cannot be disabled. The instructor clicks OK and
another message box is displayed, which contains the following message: Please refresh AD
Administrative Center now. AD DS has begun enabling Recycle Bin for this forest. The Recycle
Bin will not function reliably until all domain controllers in the forest have replicated the
Recycle Bin configuration change. The instructor clicks OK and navigates back in the view
pane of the Active Directory Administrative Center window.]

Now let us take a look at how to use this thing. When the console refreshes, we see that we
now have this Deleted Objects choice. And if we come over here to Active Directory, if I go to
Tools, to Active Directory Users and Computers, and if I look in my Sales Users OU, we
have created an object there called Delete ThisUser. And if I go ahead and I Delete this
guy..."Am I sure?" Yes, I want to delete the user, boom!

Now just a few iterations of the operating system ago, if I wanted to get that guy back, the
only thing I could do would be to turn off a domain controller, reboot in Active Directory
Services Restore Mode, restore a backup tape, perform an authoritative restore against the
distinguished name of that object; you are talking about hours of work.

[The Active Directory Administrative Center window is open. The view pane includes a list of
containers, and their details are displayed in a tabular format that contains three columns,
Name, Type, and Description. Then the instructor refreshes the window and selects the
Deleted Objects container. As a result, the contents of this container are displayed in the view
pane. In this case, the container is empty. Then the instructor navigates to the Active Directory
Users and Computers option from the Tools menu. As a result, the Active Directory Users and
Computers window is displayed. The navigation pane of this window includes two sub-nodes
under the 'Active Directory Users and Computers' node, Saved Queries and
Corp.Brocadero.com. The Corp.Brocadero.com sub-node includes multiple folders under it
such as Builtin, IT Users, Computers, Domain Controllers, and so on. The instructor selects
the Sales Users folder, which includes the following users: Andrew Wiggin, Delete ThisUser,
and LGA_Users. Next the instructor right-clicks the 'Delete ThisUser' option and selects the
Delete option from the shortcut menu. As a result, a confirmation message is displayed. The
instructor clicks Yes and the details of this user are deleted from the view pane.]

Now I go over here, now you can do this in Active Directory Service Interfaces, or ADSI Edit,
too. But I can go over here to Deleted Objects in the GUI, right, let us refresh that, there is
Delete ThisUser and now look at this. If I want to restore it to the organizational unit that it was
originally in, I just say Restore.

If I want to restore it to another location, I can say Restore To and then I can specify the
organizational unit that I want it to be restored to, maybe it should not be in that Sales Users
OU at all, let us put it back in the IT Users. It is gone from there. We come over here to Active
Directory, we look in IT Users, and look we do not even have to refresh the console; there it is.
So just, I mean guys, for anybody whoever gave up a Saturday of your life, how great is this.

[The Active Directory Users and Computers window is open. Then the instructor navigates to
the Active Directory Administrative Center window and then selects the Deleted Objects tab
from the navigation pane. The contents of the Deleted Objects tabbed page is displayed in the
view pane. Then the instructor refreshes the window and details of a deleted object are
displayed in a tabular format in the view pane. The table includes five columns, Name, When
Deleted, Last known pa..., Type, and Description. The row contains 'Delete ThisUser' as the
Name, '2/7/2014 1:24...' as the When Deleted information, 'OU=Sales User...' as the Last
known pa..., and 'User' as the Type. Then the instructor right-clicks the row and selects the
'Restore To' option from the shortcut menu, which displays the Restore to dialog box. Then the
instructor selects the 'IT Users' option from the list box and clicks OK. As a result, the first row
gets deleted from the Deleted Objects window. Then the instructor navigates to the Active
Directory Users and Computers window and opens the IT Users folder in the window. The view
pane contains 'Delete ThisUser' object.]
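
The Recycle Bin workflow from the two sections above, as an added PowerShell example that is not part of the course: it enables the feature with the forest functional level and the Domain Naming Master checked first, reads the lifetime that bounds how long a deleted object stays restorable, and then restores a deleted user either to its last known parent (the Restore action in the demo) or to a different OU (the Restore To action). It runs in an elevated PowerShell on a domain controller or an RSAT workstation as an Enterprise Admin. The sAMAccountName 'dthisuser' and the IT Users distinguished name at the bottom are assumptions about the demo's forest; the cmdlets and attribute names are the real ones.

```powershell
# Added example, not code from the course. Assumes the AD module (RSAT or a DC),
# Enterprise Admins rights, and that 'dthisuser' is the sAMAccountName of the demo's
# 'Delete ThisUser' account (assumption).
Import-Module ActiveDirectory

function Enable-ADRecycleBinChecked {
    $forest = Get-ADForest
    # Forest functional level must be Windows Server 2008 R2 or higher.
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$required) {
        throw "Forest functional level is $($forest.ForestMode); $required or higher is required."
    }
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($feature.EnabledScopes.Count -gt 0) {
        return $feature   # already on; the change is one-way, so there is nothing to do
    }
    # One-way, forest-wide change, performed against the Domain Naming Master as the help says.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Server $forest.DomainNamingMaster -Confirm:$false
    Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
}

function Get-ADDeletedObjectLifetime {
    # msDS-DeletedObjectLifetime is how long a deleted object stays restorable from the
    # Recycle Bin; when it is not set, the tombstoneLifetime value applies instead.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
               -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
    [pscustomobject]@{
        DeletedObjectLifetimeDays = $ds.'msDS-DeletedObjectLifetime'
        TombstoneLifetimeDays     = $ds.tombstoneLifetime
    }
}

function Restore-ADDeletedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$TargetPath   # DN of another OU; omit to restore to the last known parent
    )
    # Deleted objects only come back with -IncludeDeletedObjects, and their RDN has been
    # mangled to "<name>\0ADEL:<guid>", so match on sAMAccountName rather than on Name.
    $candidates = @(Get-ADObject -IncludeDeletedObjects `
        -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'" `
        -Properties lastKnownParent, whenChanged)
    if ($candidates.Count -eq 0) { throw "No deleted object with sAMAccountName '$SamAccountName'." }
    # An account deleted and recreated more than once leaves several tombstones; take the newest.
    $obj = $candidates | Sort-Object whenChanged -Descending | Select-Object -First 1
    # Restore-ADObject fails if the last known parent was deleted as well (its DN then carries
    # the \0ADEL marker): restore the parent first, or pick another OU with -TargetPath.
    if (-not $TargetPath -and $obj.lastKnownParent -match '\\0ADEL:') {
        throw "Parent $($obj.lastKnownParent) is itself deleted; restore it first or pass -TargetPath."
    }
    $restoreArgs = @{ Identity = $obj.ObjectGUID }
    if ($TargetPath) { $restoreArgs.TargetPath = $TargetPath }
    Restore-ADObject @restoreArgs
    Get-ADUser -Identity $obj.ObjectGUID   # the objectGUID survives deletion and restore
}

Enable-ADRecycleBinChecked | Select-Object Name, EnabledScopes
Get-ADDeletedObjectLifetime
# The two recoveries from the demo: back to the original OU, or into IT Users instead.
Restore-ADDeletedUser -SamAccountName 'dthisuser'
# Restore-ADDeletedUser -SamAccountName 'dthisuser' -TargetPath 'OU=IT Users,DC=Corp,DC=Brocadero,DC=com'
```

As the console message in the demo warns, the Recycle Bin is only reliable once every domain controller has replicated the configuration change, so a restore attempted seconds after enabling it can still fail; the lifetime query is worth keeping at hand because once msDS-DeletedObjectLifetime has elapsed the object becomes a recycled object and Restore-ADObject can no longer bring it back.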

Optimizing Active Directory in Windows Server 2012
Learning Objective
After completing this topic, you should be able to
◾ match offline Active Directory maintenance tasks with their description

1. AD maintenance tasks
Before Windows Server 2008 came along, managing Active Directory was a lot harder than it
is today. If I wanted to do any kind of Active Directory database management, if I wanted to
compact the database, I wanted to move the database to another location, I needed to restore
objects authoritatively to the database that had been accidentally purged, I only had one
choice. I had to shut the machine down, restart it, hit F8, go into the Advanced Startup Options
and reboot the machine in Active Directory Services Restore Mode, which would restart the
domain controller with the Active Directory Services disabled and access to the local Security
Accounts Manager, or SAM, file database available. And so I could login locally to the machine
rather than to the domain; that all changed in 2008 when we got restartable Active Directory
services.

So today guys, on the test, all you test-takers out there, the first thing you do before you
perform Active Directory maintenance is not reboot the machine in Active Directory Services
Restore Mode, you stop the Active Directory services. And what is the last thing you do, not
reboot the domain controller normally, you restart Active Directory services.

[The restartable AD DS is used for offline maintenance tasks such as: 1. performing routine
maintenance tasks on the DC 2. stopping the DC and restarting it without shutdown 3.
reducing time to perform tasks 4. improving availability of other services while AD DS is
stopped]

Today in Windows Server 2012 R2, and this is true from 2008 on, Active Directory services are
just services like any other service. And if I look in the services console, I see the service there
and I can Stop it there, I can Start it there, right; and those are two of the states that the
service can be in – started or stopped. Then the third state is the traditional way that we would
manage Active Directory database management tasks, right, you know, database compaction,
offline defragmentation, et cetera. We would shut the machine down and reboot it in the
Directory Services Restore Mode, which would bring the machine back online without the
Active Directory authentication and authorization services active, but still allow for local login
and access to the database for those management tasks.

[The Active Directory Domain Services Properties (Local Computer) dialog box includes four
tabs, General, Log On, Recovery, and Dependencies. The General tab is already selected.
The Service name is set as NTDS, the Display name is set as Active Directory Domain
Services, and the Description is "AD DS Domain Controller service. If this service is stopped,
users will be unable to log on to the...", which is partially visible. The 'Path to executable' value
is 'C:\Windows\System32\lsass.exe', the Startup type is set to 'Automatic', and the Service
Status is 'Running'. This dialog box also includes the 'Help me configure service startup
options.' link and four buttons, Start, Stop, Pause, and Resume. A text field is also provided to
specify the start parameters that apply when you start the service from here. Apart from the
Start and Stop states, the machine can also be shut down and rebooted in the Directory
Services Restore Mode (DSRM).]

2. AD database optimization
When I think about the kind of file management task that I have to do on the Active Directory
database...and this is a good example for anybody that is test taking, right, like this is the kind
of question that you could have, 'Put these steps in order' - kind of question. There are times
when the database may need to be compacted, particularly after the deletion of large numbers
of Active Directory objects. So I think about the financial crisis of 2008, I think about the
company that I was working for at that time. We laid off 5000 people, right, about 5% of the
workforce, boom! Gone. So what did we do? Well with 5000 user objects deleted and plus they
all had computers, so another 5000 computer accounts, it made sense to compact the
database.

So what does that look like? I stop Active Directory services, that is step one. I use the NT
Directory Services, or NTDS, utility to defragment the database, which generates another copy
of the database. I would then run the semantic checks, I am sorry, the integrity check first then
the semantic checks with the Go Fixup switch to make sure that the database is integral. I then
copy the database over to the original file location, replacing the uncompacted database; and
those are the steps that I would go through in that process. And the reality is that restartable
Active Directory services support all of those kinds of file management tasks without rebooting
the machine today.

[Active Directory optimization involves: Defragmentation, Compaction, Integrity checking,
Semantic database analysis, Go Fixup, Database file management]

3. Demo: Optimization tasks


One of the things that Microsoft tests on is Active Directory database maintenance and
particularly how to perform an offline compaction of the Active Directory database. So if we
look down here in the Windows directory, everything is in the default location here. So
Windows - NTDS, and here is the Active Directory database, right, the .dit database. When we
look in here, we can see there is the checkpoint file. The checkpoint file tells me which of the
log entries have been committed to the database. And then we see down here these temp
files, which are staging areas for data as they move between the logs and the database.

And then these here, the edbres logs, these are emergency logs. In the event that I ran out of
disk space, the last few transactions that could be written before Active Directory shut down
would be written to these logs here. So one of the things that I want to highlight here guys is
not just how to do this, but the reality that you almost never have to do this, okay. You have to
know it for the test and it is something that you want to know because there may be an
occasion when you have to do it. But for the most part, you never, you can go your whole
career and never have to do this.

And the reason why is because today Active Directory is in a constant state of cleaning itself
up. Every 12 hours there is a maintenance cycle running on the database that does this
essentially.

[The Server Manager window is open. The navigation pane of Server Manager includes the
following tabs: Dashboard, Local Server, All Servers, AD DS, DNS, and File and Storage
Services. The Dashboard tab is already selected and the view pane contains the WELCOME
TO SERVER MANAGER page. This page includes three sections, QUICK START, WHAT'S
NEW, and LEARN MORE. The QUICK START section includes the following links: 1. Configure
this local server 2. Add roles and features 3. Add other servers to manage 4. Create a server
group. The instructor opens File Explorer and then opens the Local Disk (C:) folder, which
contains the following folders: Compact, PerfLogs, Program Files, Program Files (x86),
ProgramData, Share, Users, and Windows. Then the instructor opens the Windows folder that
includes multiple sub-folders such as ADFS, ADWS, AppCompat, apppatch, and so on. Next
the instructor opens the NTDS sub-folder, which includes the following files in it: edb.chk,
edb.log, edbres00001.jrs, edbres00002.jrs, edbtmp.log, ntds.dit, and temp.edb. The instructor
then navigates to the Administrator: Command Prompt window, which shows the following
banner and prompt: Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All
rights reserved. C:\Users\administrator.CORP>]

Now for our purposes, we are going to come in here and the first thing we got to do is we got
to stop the Active Directory services. And I could do that in the services console, of course, but
I have to be in the command prompt anyway. So I just type in net stop ntds to stop the
Active Directory services.

Today in Server 2012, we know Active Directory services are restartable, right, so that is
always going to be the right answer on the test. What is the first thing you do? You stop the
Active Directory services, not reboot into Active Directory Services Restore Mode. We do not
have to do that anymore, for you guys that have been around a while. So I go ahead and I stop
the Active Directory services and then what I need is the NTDS utility. And this is the
command-line utility for performing maintenance on the Active Directory database.

When I come in here...now we just stopped the Active Directory services, right, so I have to
give the command-line utility access to Active Directory, so I activate instance ntds.
Now ntdsutil has access to the Active Directory services on this machine. If this were
Active Directory Lightweight Directory Services, I would activate the instance of Active
Directory Application Mode, or ADAM, right, we call Active Directory Lightweight Directory
Services from the command-line ADAM.

[The Administrator: Command Prompt window is open. This window shows: Microsoft Windows
[Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\administrator.CORP> Then the instructor enters the 'net stop ntds' command, which
displays the following output: The following services are dependent on the Active Directory
Domain Services service. Stopping the Active Directory Domain Services service will also stop
these services. Kerberos Key Distribution Center, Intersite Messaging, DNS Server, DFS
Replication. Do you want to continue this operation? (Y/N) [N]: Then the instructor types 'y'
and presses the ENTER key. As a result, the following output is displayed: The Kerberos Key
Distribution Center service was stopped successfully. The Intersite Messaging service is
stopping. The DNS Server service is stopping. The DNS Server service was stopped
successfully. The DFS Replication service was stopped successfully. The Active Directory
Domain Services service is stopping. C:\Users\administrator.CORP> Next the instructor enters
the following commands to give the NTDS utility access to the Active Directory database:
C:\Users\administrator.CORP>ntdsutil ntdsutil: activate instance ntds Active instance set to
"ntds". ntdsutil:]

Now I want to enter the file maintenance prompts so I type file, and now I am in the file
maintenance prompt.

And if I ask for help in here, you can see there are a bunch of command lines in here and the
one that we are interested in is that third one down – Compact to %s. And then I see that
percent sign so I know that, that is a variable right, and in all the older Microsoft command-line
tools that percent sign indicates a variable. In this case, the s denotes the specified directory
in which to compact the database to. So we go ahead and we say compact to, and I have a
directory on the C drive called compact, and I can show it to you, here you go. Come back
up here, there is the directory. You can see that there is nothing in it right now, come over here
and we will go ahead and we will compact that to Compact. And we see that right now this is
a test lab, there are very few user accounts, there is no real activity here so it happens in a
heartbeat. It will not go like this in real life, if you had a reason to do this.

[The Administrator: Command Prompt window is open. This window shows:
C:\Users\administrator.CORP>ntdsutil ntdsutil: activate instance ntds Active instance set to
"ntds". ntdsutil: Then the instructor enters 'file' at the ntdsutil prompt and enters the file
maintenance prompt. Then the instructor enters 'help' at the file maintenance prompt, which
displays a list of commands and their corresponding descriptions. The instructor refers to the
'Compact to %s' command, which compacts the database to a specified directory. Then the
instructor enters 'compact to c:\compact' at the file maintenance prompt, which displays the
following output: Initiating DEFRAGMENTATION mode... Source Database:
C:\Windows\NTDS\ntds.dit Target Database: c:\compact\ntds.dit Defragmentation Status
(% complete) 0 10 20 30 40 50 60 70 80 90 100 |----|----|----|----|----|----|----|----|----|----|
.................................................. It is recommended that you immediately
perform a full backup of this database. If you restore a backup made before the
defragmentation, the database will be rolled back to the state it was in at the time of that
backup. Compaction is successful. You need to: copy "c:\compact\ntds.dit"
"C:\Windows\NTDS\ntds.dit" and delete the old log files: del C:\Windows\NTDS\*.log file
maintenance:]

Now why would you have a reason to do this? Well I think about 2008. Back in 2008 when the
financial crisis hit...and you can see what I am going to do here, I am going to take this, the
compacted version of the database, and what we got to do is we got to take it out of here and
we have to replace the original version, so I am doing that here now. But why would you do
this guys? Back in 2008, a lot of folks had just deployed Server 2008, they had just upgraded,
right. And what happened next was they were told to lay off 20% of their people, right. So you
had a company of 20,000 people, 20,000 computers, plus servers, plus group accounts, so
you had 60,000 objects in Active Directory. And now suddenly, you reduce that by a significant
portion, that is the time that you would want to compact the database. So again, there is very
little of this. It is uncommon that you have to do this, but they want you to know it for the test.
So set up a little test machine like I have got here and walk through it a few times.

[The Administrator: Command Prompt window still shows the compaction output from the
previous step, ending with the instruction to copy "c:\compact\ntds.dit" over
"C:\Windows\NTDS\ntds.dit" and delete the old log files. The instructor navigates to the File
Explorer window and then opens the Compact sub-folder in Local Disk (C:), which includes the
ntds.dit file. Then the instructor right-clicks the ntds.dit file and selects the Copy option from
the shortcut menu and pastes it in the NTDS sub-folder contained in the Windows folder.]

Now when I come back in here, what I want to do is I want to delete any file that has got a '.log'
extension, right. I don't delete the edbres logs there, I just delete the .log files. And I am not
worried about the .log files because when I stop the Active Directory services, the services
made sure that everything from the log files was committed to the Active Directory database
before we did the compaction. And the edb.chk file should reflect that, that everything from the
current transaction logs had been written into the database, so I feel good about that.

And we can feel better about it too. If I come back over here, I can run an integrity check right.
So I type integrity. Integrity check is successful. Now it says, you should also run the
semantic database analysis. Okay, so I will do that. Now to do that, I have to go back up to the
ntdsutil prompt. So I type quit to go up one level, to quit the file maintenance prompt. And
then back up here, because I am a person who likes to take shortcuts, I am going to type sem
data analy, boom! You could also type the full semantic database analysis if you want,
right, but I prefer to shorten whenever I can.

[The NTDS sub-folder contained in the Windows folder is open. This sub-folder includes the
following files: edb.chk, edb.log, edbres00001.jrs, edbres00002.jrs, edbtmp.log, and ntds.dit.
The instructor deletes two files, edb.log and edbtmp.log. Then the instructor navigates to the
Administrator: Command Prompt window and enters 'integrity' at the file maintenance prompt.
The following output is displayed: Doing Integrity Check for db: C:\Windows\NTDS\ntds.dit
Checking database integrity. Scanning Status (% complete) 0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----| .................................................. Integrity check
successful. It is recommended you run semantic analysis to ensure semantic database
consistency as well. file maintenance: Then the instructor enters 'quit' to leave the file
maintenance prompt. Next the instructor enters 'sem data analy' at the ntdsutil prompt to open
the semantic checker: ntdsutil: sem data analy semantic checker:]

And then go fixup. And this is going to go take a look at the database, scan the records in
there, fix anything that it can, takes us back to the semantic database checker, which we are
quite done with. So I can quit that. I can quit ntdsutil. We have compacted the database
file, we have moved it back to its original location, we have run the integrity check, we have run
the semantic database analysis, we should now be ready to net start ntds and restart the
Active Directory services on this domain controller. And we are told that Active Directory
Domain Services restarted successfully.

[The Administrator: Command Prompt window still shows the integrity check output from the
previous step, followed by: file maintenance: quit ntdsutil: sem data analy semantic checker:
The instructor enters the 'go fixup' command, which displays the following output: Fixup mode
is turned on Opening DIT database... Done. Done. ...Done. Writing summary into log file
dsdit.dmp.1 SDs scanned: 218 Records scanned: 4322 Processing records...Done. Elapsed
time 0 seconds. semantic checker: Then the instructor enters the following commands to exit
the semantic checker and the NTDS utility: semantic checker: quit ntdsutil: quit Then the
instructor enters the 'net start ntds' command to start the Active Directory Domain Services
service. As a result, the following output is displayed: The Active Directory Domain Services
service is starting. The Active Directory Domain Services service was started successfully.
C:\Users\administrator.CORP>]

4. Active Directory snapshots


Now guys, if you work in a small, smaller environment, right, in that core small business, lower,
mid-market space of less than 500 users. It is likely that you wear all the hats and it is likely
that there are not that many people that could even delete objects from Active Directory. So
when things get deleted, you know about it. But when we scale up to the enterprise space, you
have got admins, may be, in multiple domains with the rights to add and remove objects from
Active Directory. Sometimes those objects get removed accidentally and the people who
should know about it, do not know about it until much later. And now they have to go back to
the backup tape and they do not even know when the object got deleted. How are they going
to find the right backup tape?

And so one of the things that we do is we take snapshots of Active Directory. We use the
NTDS utility to do this and you view them with the Dsamain utility. And what this does...taking
snapshots creates point-in-time looks at Active Directory. And when I load these snapshots
up, I can browse them just like I was in Active Directory Users and Computers, and I can figure
out, oh! here it is, it is the January 8th backup that we got to go back to, to get that object
back.

[An Active Directory snapshot uses VSS of volumes that contain AD database and log files to
create a shadow copy of Active Directory. The tools used for creating an AD snapshot are
Dsamain.exe and NTDSutil.exe.]
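
The snapshot workflow described above, as an added PowerShell example that is not part of the course: it creates a snapshot with ntdsutil, mounts it, serves the mounted copy of ntds.dit over LDAP with dsamain on a side port, asks that copy whether a given user existed at snapshot time and where, and then tears everything down again. It runs in an elevated PowerShell on the domain controller. Port 50000 and the sAMAccountName 'dthisuser' are assumptions; the database path is read from the registry. While dsamain is up, the port is a second LDAP service on the DC exposing the entire point-in-time database, so the script does not leave it running after the query.

```powershell
# Added example, not code from the course. Assumes an elevated session on the DC, that
# TCP 50000 is free (assumption) and that 'dthisuser' is the account of interest (assumption).
$ErrorActionPreference = 'Stop'
$ldapPort = 50000
$sam      = 'dthisuser'
$dit      = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'

function Invoke-Ntdsutil {
    param([string[]]$Commands)            # one ntdsutil prompt command per argument
    & ntdsutil.exe @Commands | Out-String
}
function Test-LocalPort([int]$Port) {
    try { (New-Object Net.Sockets.TcpClient('localhost', $Port)).Close(); $true } catch { $false }
}

# 1. Create: a VSS shadow copy of each volume that holds ntds.dit or its log files.
$out = Invoke-Ntdsutil 'activate instance ntds', 'snapshot', 'create', 'quit', 'quit'
$m = [regex]::Match($out, 'Snapshot set \{([0-9a-fA-F-]+)\} generated successfully')
if (-not $m.Success) { throw "Snapshot creation failed:`n$out" }
$setGuid = $m.Groups[1].Value

# 2. Mount by set GUID; ntdsutil prints one "mounted as C:\$SNAP_<yyyymmddhhmm>_VOLUME<X>$\"
#    line per volume in the set (one here, since DIT and logs share C: as in the demo).
$out   = Invoke-Ntdsutil 'activate instance ntds', 'snapshot', "mount {$setGuid}", 'quit', 'quit'
$roots = [regex]::Matches($out, 'mounted as (\S+)') | ForEach-Object { $_.Groups[1].Value }
if (-not $roots) { throw "Mount failed:`n$out" }
# Inside the mounted volume the DIT sits at the same path as on the live one, minus the drive.
$snapDit = $roots | ForEach-Object { Join-Path $_ ($dit.Substring(3)) } |
           Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $snapDit) { throw "ntds.dit not found under: $($roots -join ', ')" }

# 3. Serve the read-only copy over LDAP. Nothing here touches the live NTDS instance.
$dsamain = Start-Process -FilePath dsamain.exe -PassThru -NoNewWindow `
               -ArgumentList "/dbpath `"$snapDit`" /ldapport $ldapPort"
$deadline = (Get-Date).AddSeconds(60)
while (-not (Test-LocalPort $ldapPort)) {
    if ((Get-Date) -gt $deadline) { Stop-Process -Id $dsamain.Id -Force; throw "dsamain did not open port $ldapPort" }
    Start-Sleep -Seconds 2
}

try {
    # 4. The AD module reaches a dsamain instance on the local DC through -Server host:port,
    #    so the snapshot can be queried exactly like the live directory.
    Import-Module ActiveDirectory
    $then = Get-ADUser -Server "localhost:$ldapPort" -Filter "sAMAccountName -eq '$sam'" -Properties whenCreated
    if ($then) { "At snapshot {0}: {1} existed as {2}" -f $setGuid, $sam, $then.DistinguishedName }
    else       { "At snapshot {0}: {1} did not exist" -f $setGuid, $sam }
}
finally {
    # 5. Tear down. The snapshot itself is kept for later comparisons; treat it like a backup,
    #    because it holds the whole DIT, password hashes included.
    Stop-Process -Id $dsamain.Id -Force
    Invoke-Ntdsutil 'activate instance ntds', 'snapshot', "unmount {$setGuid}", 'quit', 'quit' | Out-Null
}
```

Run the same query against several mounted snapshots (ntdsutil's list all shows them, as in the demo that follows) and the first one in which the user is missing brackets the deletion time, which is the backup you need; snapshots that are no longer needed for that purpose should be removed with delete at the snapshot prompt rather than accumulated on the DC.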

5. Demo: Using AD snapshots


So folks, here we are in Active Directory and one of the questions that come up sometimes is,
'How do I know what backup tape I have to go to if I need to retrieve some object that has
been deleted from Active Directory?' Right. So here is an organizational unit called delete this
organizational units, or DTOU, and in there, there is a user called Delete ThisUser. Now if I
work in a scaled enterprise environment where there are lots of folks creating and deleting
objects, then if this object happened to be deleted accidentally or intentionally, but by mistake,
how do I know? Its disappearance may not be noticed right away, right. How do I know which
backup tape to go to? Well one of the things that we can do today is we can create Active
Directory snapshots.

[The Active Directory Users and Computers window is open. The navigation pane in the
window includes 'Active Directory Users and Computers [EWR-DC1.Corp.Brocadero.com]' as
the root node and two sub-nodes under it: Saved Queries and Corp.Brocadero.com. The
'Corp.Brocadero.com' node is already expanded and the list of the sub-folders contained under
the sub-node is displayed in the view pane. The instructor selects the DTOU folder in the
navigation pane, which contains Delete ThisUser in it. The instructor navigates to the
Administrator: Command Prompt window, which includes the following code:
C:\Users\Administrator>ntdsutil ntdsutil:]

We launch NTDSutil. We give it access to the current, running instance of Active Directory by
activating the instance of ntds. We enter the snapshots prompt by typing snapshot and I
could do a couple of things in here, right, I could list all and I see the snapshots that have
been taken previously. I see that for every snapshot there are two entries. And because this is
volume-based, if the log files and the database files were on separate volumes, where I see
that C:, I would have an entry for each volume that the files had been distributed across. In the
example here, each of the snapshots is associated with only one volume because both the log
files and the database files are on the same volume. And there is a list mounted
command, so we could see if there was anything mounted. Currently, there is nothing
mounted. I could do help here and you can see all the command lines associated with this.

[The Administrator: Command Prompt window is open. This window contains the following
code: C:\Users\Administrator>ntdsutil ntdsutil: Then the instructor enters the following commands
to activate the instance of ntds and enter the snapshot command prompt:
C:\Users\Administrator>ntdsutil ntdsutil: activate instance ntds Active instance set to "ntds".
ntdsutil: snapshot snapshot: Then the instructor enters the 'snapshot: list all' command to view the
details of the previously taken snapshots. As a result, the following output is displayed: 1:
2014/02/14:09:56 <318747773c-4be1-a5fb-b35264103765> 2: C: <24ed9117-a618-475b-
8c68-da0433696412> 3: 2014/02/14:09:59 <466c2f57-e6ba-438d-904d-b82ed37af4ec> 4:
C: <555d25c6-7f24-482e-b57e-5475033fb1fb> snapshot: Then the instructor enters the
'list mounted' command, which displays the following message: No snapshots found. Then the
instructor enters the 'snapshot: help' command, which displays the following output: ?
-- Show this help information Activate Instance %s -- Set "NTDS" or a
specific AD LDS instance as the active instance. Create -- Create a snapshot
Delete %s -- Delete snapshot with index or guid %s. Specify * to delete all
snapshots Help -- Show this help information List All -- List
snapshots List Mounted -- List mounted snapshots Mount %s -- Mount
snapshot with index or guid %s Quit -- Return to the prior menu Unmount
%s -- Unmount snapshot with index or guid %s. Specify * to unmounts all mounted
snapshots snapshot:]

And what we are interested in is, we are interested in creating, we are going to create a
snapshot here.

And this is going to take a picture of the current Active Directory instance. And so we go ahead
and we tell it create the snapshot, we see it creating. We see, I have got snapshots up above
there of 1 and 3. If we do a list all now, now we will see there are five, right. And if I
wanted to mount that snapshot so I could view it, I could do that with the mount command.
Now you can type the long width there or you can just type the numeric identifier like in this
example – mount 5. And here is what we are going to do, I am going to come back over here.
Now here is this DTOU and the first thing I am going to do is I am going to go into the
Properties for it. And in the properties, on the Object tab, there is a little checkbox – Protect
object from accidental deletion. So it is uncommon that this happens anymore guys, but
sometimes it does, right. Let us say, I really think I am supposed to delete this thing, so I go in
there and I change that, and I come out here, and I go ahead and Delete it, boom! Yes, I want
to delete it. Yes, I want to delete everything that is in there, boom! It is gone. So there we are
in the current Active Directory and there is no more DTOU, right.

[The Administrator: Command Prompt window is open. This window includes the following
code: snapshot: help ? -- Show this help information Activate Instance
%s -- Set "NTDS" or a specific AD LDS instance as the active instance. Create
-- Create a snapshot Delete %s -- Delete snapshot with index or
guid %s. Specify * to delete all snapshots Help -- Show this help
information List All -- List snapshots List Mounted -- List mounted
snapshots Mount %s -- Mount snapshot with index or guid %s Quit
-- Return to the prior menu Unmount %s -- Unmount snapshot
with index or guid %s. Specify * to unmounts all mounted snapshots snapshot: The instructor
enters the 'snapshot: create' command, which displays the following output: Creating snapshot…
Snapshot set <39f0f6d6-0b51-40ea-a9ec-e37b041becc3> generated successfully. snapshot:
Then the instructor enters the 'snapshot: list all' command, which displays the following output: 1:
2014/02/14:09:56 <318747773c-4be1-a5fb-b35264103765> 2: C: <24ed9117-a618-475b-
8c68-da0433696412> 3: 2014/02/14:09:59 <466c2f57-e6ba-438d-904d-b82ed37af4ec> 4:
C: <555d25c6-7f24-482e-b57e-5475033fb1fb> 5: 2014/02/14:11:50 <39f0f6d6-0b51-
40ea-a9ec-e37b041becc3> 6: C: <d9349691-89ec-47e5-b6bf-6517ee92f717> snapshot:
Then the instructor enters the 'snapshot: mount 5' command and navigates to the Active Directory
Users and Computers window. Next the instructor right-clicks the DTOU folder in the
navigation pane and selects the Properties option from the shortcut menu. As a result, the
DTOU Properties dialog box is displayed. The DTOU Properties dialog box contains six tabs,
General, Managed By, Object, Security, COM+, and Attribute Editor. The General tab is
already open. The instructor navigates to the Object tab, which contains
'Corp.Brocadero.com/DTOU' as the Canonical name of the object, 'Organizational Unit' as the
Object class, '2/14/2014 9:58:22 AM' as the Created detail, '2/14/2014 9:58:22 AM' as the
Modified detail, the 'Protect object from accidental deletion' option, and the Update Sequence
Numbers (USNs) section. This section includes the following values: Current: 135462 Original:
135461 The instructor clears the 'Protect object from accidental deletion' option, closes the dialog
box, and then navigates back to the Active Directory Users and Computers window. Then the
instructor right-clicks the DTOU folder and selects the Delete option from the shortcut menu.
As a result, a confirmation message box is displayed that asks the instructor to confirm the
deletion. The instructor clicks Yes and then the 'Confirm Subtree Deletion' confirmation
message box is displayed, which includes the following message with the 'Use Delete Subtree
server control' option: Object DTOU contains other objects. Are you sure you want to delete
DTOU and all of the objects it contains? If you cancel the running deletion, the objects deleted
thus far will not be recovered. WARNING: if you select Use Delete Subtree server control
check box, all objects within the subtree, including all delete-protected objects, will be deleted,
and the deletion cannot be canceled. The instructor clicks Yes and navigates back to the
Active Directory Users and Computers window where the DTOU folder does not exist
anymore.]

So we come back over here and it comes to my attention that this organizational unit, or OU,
has been deleted. Now I need to go back through my snapshots. I think, may be it is still there
in snapshot 5, but I am not sure, right, so I go ahead and I mount that. And we can see that in
fact, the snapshot gets mounted here, right to the root of C, right; and you can actually walk it
in Windows Explorer. If I want to go through here, I could drill down to the NTDS directory in
this snapshot. And there is the copy of the database that should still contain the DTOU OU.

[The Active Directory Users and Computers window is open. The instructor navigates to the
Administrator: Command Prompt window, which includes the following code and its
corresponding output: Snapshot: create Creating snapshot… Snapshot set <39f0f6d6-0b51-
40ea-a9ec-e37b041becc3> generated successfully. snapshot: list all 1: 2014/02/14:09:56
<318747773c-4be1-a5fb-b35264103765> 2: C: <24ed9117-a618-475b-8c68-
da0433696412> 3: 2014/02/14:09:59 <466c2f57-e6ba-438d-904d-b82ed37af4ec> 4: C:
<555d25c6-7f24-482e-b57e-5475033fb1fb> 5: 2014/02/14:11:50 <39f0f6d6-0b51-40ea-a9ec-
e37b041becc3> 6: C: <d9349691-89ec-47e5-b6bf-6517ee92f717> The instructor
executes the 'snapshot: mount 5' command, which displays the following output: Snapshot
<d9349691-89ec-47e5-b6bf-6517ee92f717> mounted as
c:\$SNAP_201402141150_VOLUMEC$\ snapshot: Then the instructor navigates to the Local
Disk (C:) drive, which includes the $SNAP_201402141150_VOLUMEC$ file folder. Next the
instructor opens the snapshot and then opens the Windows folder contained in it. Then the
instructor opens the NTDS sub-folder in the Windows folder, which includes the following files:
edb.chk, edb.log, edbres00001.jrs, edbres000002.jrs, ntds.dit, and temp.edb.]

Now we come back over here and we quit out of this because we cannot view it in the GUI
with this tool, so we need a different tool. We need dsamain. And with dsamain what we
need to do is we need to specify the database path. Where is that database file located that we
want to get to? And it is here in that snapshot, I am going to just Copy that path over. I am
going to make sure I add the name of the file, ntds.dit. And then the other thing that I am
going to need is that I am going to need the ldapPort number.

Now you guys know, 389 is in use on this box already, right, so commonly we use 51389. So
a high port, right, from the ephemeral port range, but we use 389 to indicate that it is a
Lightweight Directory Access Protocol, or LDAP, connection.

[The NTDS sub-folder of the Windows folder is open. It includes the following files: edb.chk,
edb.log, edbres00001.jrs, edbres000002.jrs, ntds.dit, and temp.edb. The instructor navigates
to the Administrator: Command Prompt window, which includes the following code: snapshot:
mount 5 Snapshot <d9349691-89ec-47e5-b6bf-6517ee92f717> mounted as
c:\$SNAP_201402141150_VOLUMEC$\ snapshot: Then the instructor enters the 'snapshot:
quit' command to leave the snapshot prompt, and then 'ntdsutil: quit' to exit ntdsutil. Next the
instructor enters the following command to start dsamain, pointing it at the ntds.dit file inside
the mounted snapshot and at the alternate LDAP port: C:\Users\Administrator>dsamain -dbpath
C:\$SNAP_201402141150_VOLUMEC$\Windows\NTDS\ntds.dit -ldapPort 51389 As a result, the
following output is displayed: EVENTLOG <Informational>: NTDS Database / Internal
Processing : 2064 Active Directory Domain Services has detected that the quota-tracking table
is either missing or not completely built. The table will be rebuilt in the background <resuming
the progress of any previous rebuild, if possible>. Until it has completed, quota enforcement
will not be in effect. EVENTLOG: <Informational>: NTDS General / Service Control : 1000
Microsoft Active Directory Domain Services startup complete, version 6.3.9600.16384]

Now dig it! With that snapshot mounted and a unique port assignment associated with it, I can
now leverage Active Directory Users and Computers. I can come over here and I can see no
DTOU, right. But if I come in here and I say Change Domain Controller and here we are
going to look for EWR-DC1 at port 51389, right, not the standard LDAP port, we are going to
connect with the LDAP server instance that we have created by mounting that snapshot to
51389. Now we opened up and look at, there is that one, I know when this snapshot was
taken. Now I go to the backup tape that encompasses, you know, from around the time of this
snapshot. And I should be able to then restore this object. And that is a look at creating,
mounting, and viewing Active Directory snapshots in Server 2012 R2.

[The Administrator: Command Prompt window is open. This command prompt window
includes the following code: C:\Users\Administrator>dsamain -dbpath
C:\$SNAP_201402141150_VOLUMEC$\Windows\NTDS\ntds.dit -ldapPort 51389 EVENTLOG
<Informational>: NTDS Database / Internal Processing : 2064 Active Directory Domain
Services has detected that the quota-tracking table is either missing or not completely built.
The table will be rebuilt in the background <resuming the progress of any previous rebuild, if
possible>. Until it has completed, quota enforcement will not be in effect. EVENTLOG:
<Informational>: NTDS General / Service Control : 1000 Microsoft Active Directory Domain
Services startup complete, version 6.3.9600.16384 The instructor navigates to the Active
Directory Users and Computers window, which includes two sub-nodes, Saved Queries and
Corp.Brocadero.com, under the root node Active Directory Users and Computers [EWR-
DC1.Corp.Brocadero.com] in the navigation pane. The Corp.Brocadero.com sub-node
includes various folders such as Builtin, Computers, Domain Controllers, IT Users, and so on.
The instructor right-clicks the Corp.Brocadero.com sub-node and selects the Change Domain
Controller option from the shortcut menu. As a result, the Change Directory Server dialog box
is displayed that includes 'EWR-DC1.Corp.Brocadero.com' as the Current Directory Server.
The 'Change to' parameter includes two options, Any writable Domain Controller and This
Domain Controller or AD LDS instance, and a table. The table contains five columns, Name,
Site, DC Type, DC Version, and Status, and five rows. The first row is used to type a new
directory server name and the other four rows provide details about the existing servers. The
instructor enters 'EWR-DC1:51389' as the name of new directory server, clicks OK, and
navigates back to the Active Directory Users and Computers window. Next the instructor
expands the Corp.Brocadero.com node and then double-clicks the DTOU folder, which
includes Delete ThisUser.]
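The whole snapshot workflow the demo walks through by hand, create, mount, serve the copy with dsamain, query it on the alternate port, then tear everything down, as one PowerShell script. This is an added example and not code from the course. It assumes it runs elevated on EWR-DC1 with the database and its logs on C: (so each snapshot set has a single volume entry, as in the demo), that TCP 51389 is free, and it looks for the DTOU organizational unit from the demo. Two practitioner details the demo does not show: 51389 sits inside the range Windows hands out to outbound connections, so the script checks that nothing is already listening there before starting dsamain; and a mounted snapshot is a complete, browsable copy of ntds.dit, password hashes included, so the script always stops dsamain and unmounts, and never passes dsamain's -allowNonAdminAccess option. The snapshot is queried over plain LDAP with System.DirectoryServices, which is what Active Directory Users and Computers does in the demo when it is pointed at EWR-DC1:51389.

```powershell
# Added example, not the course's code. Run elevated on the DC (EWR-DC1 in the demo).
# Assumptions: ntds.dit and its logs live on C:, TCP 51389 is unused, and the object of
# interest is the DTOU organizational unit shown in the demo.
$Server   = 'EWR-DC1'
$LdapPort = 51389
$TargetDn = 'OU=DTOU,DC=Corp,DC=Brocadero,DC=com'

# Pull one capture group out of ntdsutil's console output, failing loudly if it is absent.
function Get-FirstMatch {
    param([string[]]$Text, [string]$Pattern)
    $hit = $Text | Select-String -Pattern $Pattern | Select-Object -First 1
    if (-not $hit) { throw "Did not find '$Pattern' in:`n$($Text -join "`n")" }
    return $hit.Matches[0].Groups[1].Value
}

# Bind to a DN over LDAP on host:port; returns $null when the object does not exist there.
function Get-LdapObject {
    param([string]$HostPort, [string]$Dn)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$HostPort/$Dn")
    try   { $null = $entry.RefreshCache(); return $entry }   # RefreshCache forces the bind
    catch { return $null }
}

# $true if something already answers on the port we want dsamain to use.
function Test-PortOpen {
    param([int]$Port)
    try   { $c = New-Object System.Net.Sockets.TcpClient -ArgumentList 'localhost', $Port; $c.Close(); $true }
    catch { $false }
}

if (Test-PortOpen $LdapPort) { throw "TCP $LdapPort is already in use; pick another port" }

# 1. Create the snapshot. ntdsutil takes its command sequence as arguments, one per token.
$out     = & ntdsutil.exe 'activate instance ntds' snapshot create quit quit
$setGuid = Get-FirstMatch $out 'Snapshot set <([0-9a-fA-F-]+)> generated successfully'

$dsamain = $null
try {
    # 2. Mount it. With the database and logs on one volume there is a single 'mounted as' line.
    $out       = & ntdsutil.exe 'activate instance ntds' snapshot "mount {$setGuid}" quit quit
    $mountPath = Get-FirstMatch $out 'mounted as (\S+)'
    $dbPath    = Join-Path $mountPath 'Windows\NTDS\ntds.dit'
    if (-not (Test-Path $dbPath)) { throw "No database at $dbPath" }

    # 3. Serve the copy on the alternate LDAP port. dsamain stays in the foreground, so start it
    #    detached and wait until the port answers.
    $dsamain  = Start-Process dsamain.exe -ArgumentList "-dbpath `"$dbPath`" -ldapPort $LdapPort" -PassThru -WindowStyle Hidden
    $deadline = (Get-Date).AddSeconds(90)
    while (-not (Test-PortOpen $LdapPort)) {
        if ($dsamain.HasExited -or (Get-Date) -gt $deadline) { throw 'dsamain did not start listening' }
        Start-Sleep -Seconds 2
    }

    # 4. The question the demo answers in ADUC: gone from the live directory, present in the snapshot?
    $live = Get-LdapObject "${Server}:389"         $TargetDn
    $snap = Get-LdapObject "${Server}:${LdapPort}" $TargetDn
    if ($snap -and -not $live) {
        "$TargetDn is missing live but exists in snapshot $setGuid; restore from a backup taken around then"
        $snap.Children | ForEach-Object { $_.Path }          # what the OU contained at snapshot time
    } elseif ($snap) { "$TargetDn exists in both the live directory and the snapshot" }
    else             { "$TargetDn is not in snapshot $setGuid either; try an older one" }
}
finally {
    # 5. Tear down: stop dsamain first, then unmount, so no browsable ntds.dit copy is left on disk.
    if ($dsamain -and -not $dsamain.HasExited) { Stop-Process -Id $dsamain.Id -Force }
    $null = & ntdsutil.exe 'activate instance ntds' snapshot "unmount {$setGuid}" quit quit
}
```

Run it as a whole, or lift the first three steps and leave dsamain running while you browse the snapshot from Active Directory Users and Computers exactly as the demo does; the finally block is what you must not forget afterwards.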

6. Demo: Cleaning up metadata


One of the things that used to happen with and still happens on occasion, you still get some
shrapnel from this. But when you have a domain controller die on you or disappear, right, gets
stolen, domain controller, or DC just goes missing, what do you do? Well I mean it used to be,
you could delete the object from Active Directory, but then there was all this shrapnel left
behind, the metadata for that object. Now the good news is that today there is an automated
process by which that metadata is removed. So let us say for example, this domain controller,
this REPLICADC were to go missing. It is under the secretary's desk at a branch office and
one day, you know, she comes in and bang! it is not there, right. What do we do? Well there
are a couple things. I come in here and I can literally just Delete it out of Active Directory. Are
you sure you want to delete this? Now remember, in the past this would have been a problem
because I would have still had all kinds of references to the object in the database and I would
then have to go into Active Directory Service Interfaces, or ADSI Edit, and purge them out.

[The Server Manager window is open in the browser. The navigation pane of Server Manager
includes the following tabs: Dashboard, Local Server, All Servers, AD DS, DNS, and File and
Storage Services. The Dashboard tab is already selected and the view pane contains the
WELCOME TO THE SERVER MANAGER page. This page includes three sections, QUICK
START, WHAT’S NEW, and LEARN MORE. The QUICK START section includes the following
links: 1. Configure this local server 2. Add roles and features 3. Add other servers to manage
4. Create a server group The instructor navigates to the Active Directory Users and Computers
window, which includes two sub-nodes, Saved Queries and Corp.Brocadero.com, under the
root node Active Directory Users and Computers [EWR-DC1.Corp.Brocadero.com] in the
navigation pane. The Corp.Brocadero.com sub-node includes various folders such as Builtin,
Computers, Domain Controllers, IT Users, and so on. The details about the contents of the
Domain Controller folder are displayed in the view pane in a tabular format. The table includes
five columns, Name, Type, DC Type, Site, and Description, and four rows. The first row contains
'CLONE-DC1' as the Name of the domain controller, 'Computer' as the Type, 'DC' as the 'DC
Type', and 'Corp' as the Site. The second row contains 'EWR-DC1' as the Name of the domain
controller, 'Computer' as the Type, 'GC' as the DC Type, and 'Corp' as the Site. The third row
contains 'EWR-REPLICADC' as the Name, 'Computer' as the Type, 'DC' as the DC Type, and
'Corp' as the Site. The fourth row contains 'LGA-RODC' as the Name, 'Computer' as the Type,
'Read-only, DC' as the DC Type, and 'Corp' as the Site. The Description column for all the four
entries is empty. The instructor right-clicks 'EWR-REPLICADC' and selects the Delete option
from the shortcut menu. As a result, a confirmation message is displayed asking the instructor
to confirm the deletion. The instructor clicks Yes and the 'Deleting Domain Controller' message
box is displayed, which contains the following message: You are attempting to delete the
Domain Controller without running the removal wizard. To properly remove the Domain
Controller from the domain, you should run the Remove Roles and Features Wizard in the
Server Manager, or the Active Directory Domain Services installation Wizard (DCPromo) for
Windows Server 2008 R2 or earlier. Domain Controller: EWR-REPLICADC This message box
also includes the following option: Delete this Domain Controller anyway. It is permanently
offline and can no longer be removed using the removal wizard.]

But today in 2012, Microsoft has automated that process. So we see here, 'Delete the Domain
Controller anyway. It is permanently offline and can no longer be removed using the removal
wizard', right. And when we say the removal wizard here, what they are talking about is
demoting a domain controller, right. It used to be, you would run DCpromo to do that. Today,
we use the Remove Roles and Features Wizard or the Remove-WindowsFeature cmdlet
in PowerShell.

So bang! Right, we can get rid of it that way. Now in the GUI, in the UI, you could also do that
over here, I could come into Active Directory Sites and Services. And here the concern is,
right, I want to manage the replication partners. So there are replication connection objects
between this domain controller and other DCs. Now again, the Metadata Cleanup Wizard will
handle that in Users and Computers; or I can delete the NTDS Settings in here, first purge
them to delete these connection objects, then go and delete the computer object. And so it is
kind of a two-step process there in Sites and Services.

[The Deleting Domain Controller confirmation message box is open. It includes the following
message: You are attempting to delete the Domain Controller without running the removal
wizard. To properly remove the Domain Controller from the domain, you should run the
Remove Roles and Features Wizard in the Server Manager, or the Active Directory Domain
Services installation Wizard (DCPromo) for Windows Server 2008 R2 or earlier. Domain
Controller: EWR-REPLICADC This message box also includes the following option: Delete this
Domain Controller anyway. It is permanently offline and can no longer be removed using the
removal wizard. The instructor selects this option, clicks Cancel, and then navigates to the
Active Directory Users and Computers [EWR-DC1.Corp.Brocadero.com] window. Then the
instructor navigates to the Active Directory Sites and Services window. The navigation pane
includes the Sites sub-node under the 'Active Directory Sites and Services…' root node in the
navigation pane. The Sites sub-node includes the following nodes: Inter-Site Transports,
Subnets, ATL, Corp, Default-First-Site-Name, and LGA. The Corp node includes the Servers
folder, which includes the following nodes: CLONE-DC1, EWR-DC1, and EWR-REPLICADC. The
instructor expands the EWR-REPLICADC node, which includes the NTDS
Settings sub-node under it. Then the instructor selects the NTDS Settings sub-node and the
details of its contents are displayed in the view pane in a tabular format. The table includes five
columns, Name, From Server, From Site, Type, and Description, and two rows. The first row
contains '<automatically generated>' as the Name, 'CLONE-DC1' as the From Server, 'Corp'
as the From Site, 'Connection' as the Type, and the Description column is empty. The second
row contains '<automatically generated>' as the Name, 'EWR-DC1' as the From Server, 'Corp'
as the From Site, 'Connection' as the Type, and the Description column is empty.]

Now additionally, you can use NTDSutil to do this. So I could come into an elevated command
prompt, and in the elevated command prompt, I can type ntdsutil. And then I want to do
the metadata cleanup, and so I come into the metadata cleanup prompt. And now I would
type remove server. And here guys, this is one of those cases, using NTDSutil you have to
be able to use the distinguished name of the object. So in this example, the common name, or
CN, is EWR_ReplicaDC, the organizational unit, or OU, that it is stored in is the Domain
Controllers OU. The domain component, or DC, is Corp, the domain component, or DC,
is Brocadero, and the domain component, or DC, is com, right. So the machine EWR-
ReplicaDC in the Domain Controllers OU of Corp.Brocadero.com. And you can see that I have
an underscore rather than a hyphen. So I am just going to fix that up and then that would
remove this object and its associated metadata from Active Directory.

[The Active Directory Sites and Services window is open. The NTDS Settings sub-node under
the EWR-REPLICADC node is already selected and the details of its contents are displayed in
the view pane in a tabular format. The table includes five columns, Name, From Server, From
Site, Type, and Description, and two rows. The first row contains '<automatically generated>'
as the Name, 'CLONE-DC1' as the From Server, 'Corp' as the From Site, 'Connection' as the
Type, and the Description column is empty. The second row contains '<automatically
generated>' as the Name, 'EWR-DC1' as the From Server, 'Corp' as the From Site,
'Connection' as the Type, and the Description column is empty. The instructor navigates to the
Administrator: Command Prompt window and executes the following command:
C:\Users\Administrator>ntdsutil Then the instructor executes the following command to enter the
metadata cleanup prompt: ntdsutil: metadata cleanup Then the instructor enters the
following command to remove the server: metadata cleanup: remove server CN=EWR-
ReplicaDC, OU=Domain Controllers, DC=Corp, DC=Brocadero, DC=com]
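Whichever route you take, Users and Computers, Sites and Services, or ntdsutil, two things matter beyond the deletion itself: knowing before you start whether the dead DC held any FSMO role, because a role owned by a DC that no longer exists has to be seized on a survivor, and confirming afterwards that nothing still references it. The function below is an added example, not the course's code; it runs those checks with the AD PowerShell module against a surviving writable DC and uses the names from the demo. Two ntdsutil details worth knowing if you go that way: a distinguished name containing a space, as OU=Domain Controllers does, must be passed to ntdsutil wrapped in double quotes as a single argument, and ntdsutil's metadata cleanup identifies a DC by its server object under CN=Sites in the Configuration partition (CN=EWR-REPLICADC,CN=Servers,CN=Corp,CN=Sites,CN=Configuration,...), which is the object the first check below looks for.

```powershell
# Added example, not the course's code. Run on a surviving writable DC or an admin workstation
# with the AD module; assumes ADWS is reachable. Reading the Configuration partition needs
# no special rights, so this is safe to run before and after the cleanup.
Import-Module ActiveDirectory

function Test-DcMetadataCleanup {
    param([Parameter(Mandatory)][string]$DcName)

    $rootDse  = Get-ADRootDSE
    $configNc = $rootDse.configurationNamingContext
    $domainNc = $rootDse.defaultNamingContext
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Server object under CN=Sites and its NTDS Settings child. Deleting the NTDS Settings
    #    object is what triggers the built-in metadata cleanup on 2008 and later.
    $server = Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter "(&(objectClass=server)(cn=$DcName))"
    foreach ($s in @($server)) {
        $findings.Add("server object remains: $($s.DistinguishedName)")
        $ntds = Get-ADObject -SearchBase $s.DistinguishedName -LDAPFilter '(objectClass=nTDSDSA)'
        foreach ($n in @($ntds)) { $findings.Add("NTDS Settings remains: $($n.DistinguishedName)") }
    }

    # 2. Connection objects on other DCs whose fromServer still points at the dead DC.
    #    fromServer is DN-valued, so LDAP substring filters do not apply; filter client-side.
    Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer |
        Where-Object { $_.fromServer -like "*CN=$DcName,*" } |
        ForEach-Object { $findings.Add("connection object still pulls from it: $($_.DistinguishedName)") }

    # 3. Computer account in the Domain Controllers OU (the object ADUC deletes in the demo).
    $computer = Get-ADObject -SearchBase "OU=Domain Controllers,$domainNc" -LDAPFilter "(&(objectClass=computer)(cn=$DcName))"
    foreach ($c in @($computer)) { $findings.Add("computer account remains: $($c.DistinguishedName)") }

    # 4. FSMO roles. fSMORoleOwner holds the DN of the holder's NTDS Settings object; if it still
    #    names the dead DC, the role has to be seized on a surviving DC.
    $roleObjects = [ordered]@{
        'PDC Emulator'          = $domainNc
        'RID Master'            = "CN=RID Manager`$,CN=System,$domainNc"
        'Infrastructure Master' = "CN=Infrastructure,$domainNc"
        'Schema Master'         = $rootDse.schemaNamingContext
        'Domain Naming Master'  = "CN=Partitions,$configNc"
    }
    foreach ($role in $roleObjects.Keys) {
        $owner = (Get-ADObject -Identity $roleObjects[$role] -Properties fSMORoleOwner).fSMORoleOwner
        if ($owner -like "*CN=$DcName*") { $findings.Add("$role is owned by $DcName - seize it on a surviving DC") }
    }

    [pscustomobject]@{
        DomainController = $DcName
        Clean            = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

# Usage, with the DC that went missing in the demo:
$result = Test-DcMetadataCleanup -DcName 'EWR-REPLICADC'
$result.Findings | ForEach-Object { Write-Warning $_ }
if ($result.Clean) { "No stale metadata for EWR-REPLICADC" }
```

Run it once before deleting anything: if the FSMO check fires, seize the role first. Run it again after the cleanup; anything it still lists is the shrapnel the instructor refers to, and each line tells you which tool (Sites and Services for server, NTDS Settings and connection objects, Users and Computers for the computer account) to finish with.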

Performing Active Directory and DC Maintenance Tasks
Learning Objective
After completing this topic, you should be able to
◾ configure Active Directory and DC maintenance tasks

1. Configuring domain controllers


Now that we have discussed configuration of domain controllers and maintaining Active
Directory, let's go ahead and try this exercise.

You are the server administrator at EasyNomad Travel. You have been given the responsibility of
configuring and maintaining new and existing Windows Server 2012 R2 domain controllers on the
organization's network. You are exploring Active Directory roles as well as backup and restore
features.

Question

You are completing some maintenance tasks and are asked to determine and record
the location of the relative identifier, or RID, and primary domain controller, or PDC,
flexible single master operations, or FSMO, roles.

Options:

1. Active Directory Users and Computers
2. Active Directory Domains and Trusts
3. Active Directory Schema

Answer

Option 1: To determine where the RID and PDC holders are within a selected
domain, you select the Active Directory Users and Computers snap-in.

Option 2: Selecting this snap-in will confirm the location of the Domain Naming
Master role and not the RID or PDC roles.

Option 3: The Active Directory Schema snap-in confirms the FSMO Schema Master
role and not the RID or PDC roles.
Correct answer(s):

1. Active Directory Users and Computers

Question

You are completing some domain controller service optimization and realize that you
have to reconfigure one of your operations masters and are required to transfer a
flexible single master operations, or FSMO, role within the Active Directory
implementation. Complete the code to transfer the FSMO role responsible for keeping
references from objects in this domain to objects in other domains up to date, so that
cross-domain group memberships and similar references do not go stale, from DC2 to DC1.

Code
C:\Users\System 32>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server DC1
Binding to DC1 ...
Connected to DC1 using credentials of locally logged on users
server connections: quit
fsmo maintenance: INSERT THE MISSING CODE
fsmo maintenance: quit

Answer

The FSMO role responsible for keeping cross-domain object references up to date is the
Infrastructure Master role. You use the transfer infrastructure master command, while in
fsmo maintenance mode and connected to DC1, to transfer the role from DC2 to DC1.

Correct answer(s):

1. transfer infrastructure master
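The same two tasks as the questions above, finding the role holders and moving the Infrastructure Master from DC2 to DC1, done with the AD PowerShell module instead of the snap-ins and ntdsutil. This is an added example, not the course's code; it assumes the module is available and that DC1 and DC2 are writable domain controllers of the domain you are logged on to. It also adds the check a practitioner wants before moving this particular role: in a multi-domain forest the Infrastructure Master must not sit on a global catalog unless every DC in the domain is one, because a GC holds no stale cross-domain references and so would never update them for the other DCs.

```powershell
# Added example, not the course's code. Assumes the AD module; DC1 and DC2 are writable DCs.
Import-Module ActiveDirectory

# Where ADUC (RID, PDC, Infrastructure), Domains and Trusts (Domain Naming) and the Schema
# snap-in (Schema) each show some of the roles, the module returns all five at once.
function Get-FsmoRoleHolder {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [ordered]@{
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
    }
}

function Move-InfrastructureMaster {
    param([Parameter(Mandatory)][string]$Target)

    $before = Get-FsmoRoleHolder
    "Infrastructure Master before: $($before['Infrastructure Master'])"

    # GC placement rule: only matters with more than one domain and a mix of GC and non-GC DCs.
    $targetDc = Get-ADDomainController -Identity $Target
    $nonGc    = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
    if ((Get-ADForest).Domains.Count -gt 1 -and $targetDc.IsGlobalCatalog -and $nonGc.Count -gt 0) {
        throw "$Target is a GC while $($nonGc.Name -join ', ') are not; move the role to a non-GC instead"
    }

    # Transfer, not seize: the current holder must be online and hand the role over. -Force would
    # seize, which is only for a holder that is gone for good and must then never return to the network.
    Move-ADDirectoryServerOperationMasterRole -Identity $targetDc -OperationMasterRole InfrastructureMaster -Confirm:$false

    $after = Get-FsmoRoleHolder
    if ($after['Infrastructure Master'] -ne $targetDc.HostName) {
        throw "Transfer did not take effect; holder is $($after['Infrastructure Master'])"
    }
    $after
}

# Same end result as the ntdsutil sequence in the question: DC2 -> DC1.
Move-InfrastructureMaster -Target 'DC1'
```

The read-back at the end is deliberate: a transfer that appears to succeed but is reported by Get-ADDomain as unchanged usually means the module talked to a DC that has not replicated the change yet, so re-run Get-FsmoRoleHolder against the new holder with -Server before assuming anything is wrong.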


Question

You are in the process of installing a read-only domain controller, or RODC, in one of
the branch offices in order to mitigate modifications or corruptions to the local version
of the Active Directory, or AD, database. You are using the staged installation method
and you have already completed stage 1 and prepared the RODC in Active Directory.
What is your next step in the RODC installation process?

Options:

1. Delegate a standard domain user at the branch location, the rights they
require, and have them complete the RODC installation
2. Select the deployment option to enable the domain controller to be
nominated as an RODC in the branch location at the beginning of stage 2
3. Prepare the answer file for the remaining RODC installation in stage 2
4. Complete stage 2 of the install using PowerShell cmdlets
5. At the branch location, create a domain admin account to complete stage 2 of
the installation of Active Directory Domain Services, or AD DS

Answer

Option 1: Correct. Once you have stage 1 completed and the RODC has been
prepared in AD, the remaining installation steps in stage 2 can be delegated to a
standard domain user in the branch or a remote location, when using a staged
installation.

Option 2: Incorrect. When using the standard install method, you have an option of
enabling the domain controller to be nominated as an RODC, but not when using the
staged method.

Option 3: Incorrect. You are not able to use answer files with a staged installation.
An answer file can be used for the install when using the standard method to install
the RODC.

Option 4: Incorrect. PowerShell is not the next step. Stage 2 can be run with the
ADDSDeployment cmdlets, Install-ADDSDomainController with the -UseExistingAccount
parameter attaches the server to the account prepared in stage 1, but that is how the
delegated administrator finishes the installation at the branch after the work has been
delegated to them.

Option 5: Incorrect. Since the delegated RODC server administrator joins the server
to the previously created RODC account, the staged AD DS installation makes it
unnecessary to use a regular domain admin account in the branch office to complete
the installation of AD DS.

Correct answer(s):
1. Delegate a standard domain user at the branch location, the rights they require,
and have them complete the RODC installation
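Both stages of the staged RODC installation described in the answer, as an added example rather than the course's code. Stage 1 is run centrally by a Domain Admin on a writable DC; stage 2 is run in the branch by the delegated user, who needs no membership in Domain Admins because -UseExistingAccount only attaches the server to the account created in stage 1. The site name LGA and server name LGA-RODC come from the demo; the delegated account CORP\branch.admin and the group CORP\LGA Branch Users are assumed names. The allow list for password replication should contain only the branch's own users; administrative accounts stay out of it by virtue of the default Denied RODC Password Replication Group, so a stolen RODC yields branch passwords at worst, not privileged ones.

```powershell
# Added example, not the course's code. Assumed names: site LGA, server LGA-RODC (from the demo),
# delegated account CORP\branch.admin and group 'LGA Branch Users' (assumptions).

# ---- Stage 1: central IT, on a writable DC, as a Domain Admin ----
Import-Module ADDSDeployment

Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'LGA-RODC' `
    -DomainName 'Corp.Brocadero.com' `
    -SiteName 'LGA' `
    -DelegatedAdministratorAccountName 'CORP\branch.admin' `
    -AllowPasswordReplicationAccountName @('CORP\LGA Branch Users') `
    -InstallDns:$true

# ---- Stage 2: branch office, on the server named LGA-RODC, logged on as CORP\branch.admin ----
# -UseExistingAccount attaches this server to the prepared account. Only the delegated user's
# credential is used; no Domain Admin ever logs on to the branch box.
Import-Module ADDSDeployment

Install-ADDSDomainController `
    -DomainName 'Corp.Brocadero.com' `
    -UseExistingAccount `
    -Credential (Get-Credential 'CORP\branch.admin') `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
    -InstallDns:$true
```

The server in the branch must already be joined to a workgroup (not the domain) with the computer name that matches the stage 1 account; the DSRM password is local to that RODC and is what you will need if the box ever has to be booted into Directory Services Restore Mode.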

2. Maintaining domain controllers

Question

You are planning a backup strategy for your new and existing Windows Server 2012
R2 domain controllers on the organization's network within EasyNomad. Identify the
considerations when implementing your backup strategy to protect Active Directory
and to provide Active Directory data redundancy.

Options:

1. Critical volumes on domain controllers should be backed up on a frequent schedule
2. Ensure that it is never just a single backup hosted at a single location
3. You cannot use the system state backup to exclusively recover Active
Directory
4. The Domain System Volume, or SYSVOL, folder should not be part of the
system state and critical-volume backup information
5. As a best practice, the Active Directory, or AD, log files must reside in the
same folder as the ntds.dit database

Answer

Option 1: Correct. To protect Active Directory and to provide Active Directory data
redundancy, it is recommended that daily backups of critical volumes be created on
at least two unique domain controllers.

Option 2: Correct. Where a domain exists in only one physical site, additional backup copies
should be stored off-site in a secure location, so that there is never just a single backup
hosted at a single location.

Option 3: Correct. A system state backup cannot be used to recover Active Directory on its
own; a system state recovery restores every component contained in the backup, not just the
directory.

Option 4: Incorrect. The SYSVOL folder is included in the system state and critical-
volume backup types by default.

Option 5: Incorrect. The AD log files can reside in a different folder from the ntds.dit
database; they are not required to reside in the same folder.
Correct answer(s):

1. Critical volumes on domain controllers should be backed up on a frequent schedule
2. Ensure that it is never just a single backup hosted at a single location
3. You cannot use the system state backup to exclusively recover Active Directory

Question

You have found out that an organizational unit, or OU, containing a large number of
users was accidentally deleted and must be restored to Active Directory. What type of
restore method should you use to revert only this Active Directory, or AD, object to its
state prior to deletion?

Options:

1. Authoritative restore
2. Nonauthoritative restore
3. Full server recovery
4. Critical-volume Recovery

Answer

Option 1: Correct. An authoritative restore reverts a targeted AD object or container of
objects, in this case an OU containing a large number of users, to the state it had at the time
of the backup, and marks it so that the restored version replicates out to the other domain
controllers instead of being overwritten by the deletion.

Option 2: Incorrect. A nonauthoritative restore is used when a domain controller must be
rebuilt after a hardware or software failure; the restored DC then receives the current
directory, including the deletion, from its replication partners, so the OU would not come back.

Option 3: Incorrect. Only one OU requires restoration. A full server recovery restores every
volume on the domain controller, including attached Universal Serial Bus, or USB, drives,
which is far more than is needed here.

Option 4: Incorrect. A critical-volume recovery restores the volumes that hold the system
state files; it is not a way to bring back a single deleted Active Directory organizational unit,
or AD OU.

Correct answer(s):

1. Authoritative restore
Question

You are using the Active Directory mounting tool to create and utilize snapshots. You
have created the ntds.dit snapshot and now want to mount the snapshot. Complete
the code that will mount snapshot with globally unique identifier, or GUID, "{8dfad7e7-
0041-4b73-80c7-227db14610ae}."

Code
C:\Users\System 32>ntdsutil
ntdsutil: activate instance ntds
Active instance set to “ntds”
ntdsutil: snapshot
snapshot: INSERT THE MISSING CODE

Answer

mount {8dfad7e7-0041-4b73-80c7-227db14610ae} is used to mount the snapshot.

When you run list all, the output shows every snapshot, mounted or not, with an index
number and its GUID. You can use either the GUID or the index number to mount, unmount,
or delete a snapshot.

Correct answer(s):

1. mount {8dfad7e7-0041-4b73-80c7-227db14610ae}

© 2018 Skillsoft Ireland Limited