Securing Windows 2000 Active Directory

(Part 3) - Backup and Restoration


In this article I will focus on backing up and restoring Active Directory. As part of
securing your Active Directory you need a contingency plan that lets you restore it in
the event of a disaster.
• Published: Jan 06, 2003
• Updated: Jul 23, 2004
• Section: Articles :: Windows OS Security
• Author: Ricky M. Magalhaes
• Rating: 3.2/5 - 144 Votes

(Parts 1 and 2 of this series cover the earlier material.)

When backing up Active Directory, Microsoft supports only one backup type: a full (normal)
backup. Incremental and differential backups do not work correctly against Active Directory
and should not be used. The directory is held in an ESE (Jet) database that exposes a backup
interface similar to that of Exchange 5.5; backup applications drive it through the local
client-side DLL whose entry points are declared in ntdsbcli.h, and that interface implements
full backups only, which is why the incremental and differential options are not supported.

What will you be backing up?


When backing up Active Directory, note that it is treated as part of the system state data.

The contents of the system state are as follows.

1. Boot files, including the system files, and all files protected by Windows File Protection (WFP).
2. Active Directory (on a domain controller only).
3. Sysvol (on a domain controller only).
4. Certificate Services (on certification authority only).
5. Cluster database (on a cluster node only).
6. The registry.
7. Performance counters configuration information.
8. Component Services Class registration database.

System state backup facts

1. Log on as a member of the Administrators or Backup Operators group. Bear in mind that
Backup Operators can read every file on the domain controller through the backup API,
ntds.dit and the password hashes in it included, so membership of that group must be
controlled as tightly as Domain Admins.
2. Only domain controllers include Active Directory in their system state.
3. System state backups can be incorporated into normal backup jobs.
4. System state backups are taken online; the domain controller stays in service.
5. Windows Backup (ntbackup) can back up and restore the system state of the local machine
only; use third-party tools if you need to back up or restore the system state remotely.

Limitations of system state backup

1. The system state cannot be backed up or restored one component at a time, because of
dependencies among the system state components.
2. A system state restore can be redirected to an alternate location, but then only the
registry files, the Sysvol directory files and the system boot files are restored; a
redirected restore is not a complete restore.
3. The Active Directory database, the Certificate Services database and the Component
Services Class Registration database are not restored to an alternate location. This means
you cannot test an Active Directory restore by redirecting it to a folder: to test a restore
in a lab you must restore onto a domain controller booted into Directory Services Restore
Mode, exactly as you would in production.

Where is the Active Directory?


Active Directory does not reside on any single domain controller; every domain controller
holds a full replica of its domain's directory. It is good practice to back up the system
state of every domain controller concerned rather than relying on one, so that the loss of
any one controller or backup set does not leave you without a restorable copy, with the
exception of the relative ID (RID) master domain controller. It is vital that no one else is
able to add domain controllers to your domain: whoever can promote a domain controller
receives a complete replica of the directory, password hashes included.
The diagram (not reproduced in this copy) shows a computer selected for backup in a popular
backup package; note that System State is listed as an item available for backing up.

Backing up the Active Directory


It is important that you back up the whole of Active Directory together with the services it
depends on. Active Directory relies heavily on DNS. If you use Active Directory-integrated
DNS, the zone data lives in the directory itself and is covered by the system state, so you
do not need to back up zone files separately.

It is recommended that you back up the system disk as well as the system state, because
standard (file-based) DNS zones are stored as files under %systemroot%\system32\dns and are
only captured by a backup of the system disk. The files that make up Active Directory may be
spread across several disks, since good practice dictates that the database file and the
transaction log files be placed on separate disks. Note: you do not have to specify where
these files are, even when they are on separate disks, because a system state backup locates
them automatically and writes them to a single backup set.

Warning!
If your most recent backup is older than the tombstone lifetime set in Active Directory, it
cannot be used: every object deleted since it was taken has already been purged from the
other domain controllers, so a controller restored from it could never learn of those
deletions and would keep the objects as lingering objects. The Windows 2000 default tombstone
lifetime is 60 days; the value is the tombstoneLifetime attribute of
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root DN>, and the
default applies when the attribute is not set, so check it before you plan a schedule. Take
at least two backups within each tombstone lifetime, that is one every 29 days at the most;
if this is not followed you will find inconsistency within your Active Directory. I strongly
recommend a weekly backup as the absolute minimum. Remember too that a system state backup of
a domain controller contains ntds.dit, and with it every password hash in the domain: store
and transport the backup media with the same care as the domain controller itself.

Below are the files that make up Active Directory (by default in %systemroot%\NTDS).

1. ntds.dit (the database file)
2. edb.chk (the checkpoint file)
3. edb*.log (the transaction log files)
4. res1.log and res2.log (reserved transaction log files, pre-allocated so that logging can
continue when the disk fills)

To start the backup of your Active Directory:

1. Click Start, click Run, type ntbackup and click OK.
2. You should be presented with the ntbackup utility; click Tools, then Backup Wizard, then
click Next.
3. Select Only back up the System State data.
4. Select the location to which you would like to back up the system state. If you back up
to a hard disk, ensure that the disk is formatted with NTFS so that the backup file can be
protected with NTFS permissions.
5. Check your settings and then click Finish. If you would like to configure scheduling,
hardware compression, media labels, data verification, or append the backup to a different
job, click the Advanced button on this screen. The result of data verification can be viewed
in Event Viewer.

Directory service

The directory service is the mechanism Active Directory uses to locate and classify the users
and resources of a distributed system, and it must be considered within your overall Active
Directory backup and restore strategy. Directory service information is replicated to the
other domain controllers in the same domain. It is vital that a recovery plan is in place
before you attempt a restore. Because the backup is taken online, changes that occur while it
runs are stored in a temporary log and appended to the end of the backup set when the backup
completes.

Summary
Windows 2000 stores all of its security information in Active Directory. This article has
described the process required to back up Active Directory so that it can be restored, which
is part of keeping it secure.
