Thursday, May 29, 2014

How to Restore Individual Organizational Units and User Accounts AFTER They've been DELETED in Server 2008

In this class we will see:
* Who killed off the OPS department?
* The two types of restoration:
- Use Windows Server Backup to do a non-authoritative restore.
- Use NTDSUTIL and WBADMIN to do an authoritative restore.
* How to put resurrected users back into groups using backlinks.

Scenario:
One morning the entire New York OPS department can no longer log in. When you go to see what's happening, you notice that the New York OPS OU, and every user account in it, is gone.
* When you check your Security Log, you see that an account belonging to one of your new IT staff, who had been given Account Operators membership, successfully deleted the entire OU last night at 1 AM. (Account Operators can create, modify and delete user, group and computer accounts in every container except Builtin and the Domain Controllers OU. It is a powerful built-in group; keep it empty and delegate narrower rights on specific OUs instead.)
* Fortunately, at midnight a system state backup of your domain controller completed successfully. You need to restore the OPS OU for New York.
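The Security Log check the scenario refers to, as an added example that is not part of the original class notes. It assumes the DC audits "Directory Service Changes" (event 5141, one per deleted AD object, carrying the object's DN) and "User Account Management" (event 4726, one per deleted user), that the log has not wrapped, that it is run on the DC that processed the deletion (directory service change events are logged on the originating DC), and that PowerShell 2.0 is installed. The time window and OU name are assumptions.

```powershell
# Added example, not from the original notes: find who deleted the OU and when.
# 5141 = "A directory service object was deleted" (needs Audit Directory Service Changes)
# 4726 = "A user account was deleted"            (needs Audit User Account Management)
$Since = [datetime]'2008-08-15 00:00'   # assumed: last night's backup time
$OuDN  = 'OU=NewYork Ops'               # assumed DN fragment of the deleted OU

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5141, 4726; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Pull the EventData fields out of the event XML by their Name attribute.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($_.Id -eq 5141) { $object = $data['ObjectDN'] }                       # DN of the deleted object
    else                { $object = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName'] }

    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0
    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        DeletedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Object    = $object
    }
} | Where-Object { $_.EventId -eq 4726 -or $_.Object -like "*$OuDN*" } |
    Sort-Object Time | Select-Object Time, EventId, DeletedBy, Object | Format-Table -AutoSize
```

The 5141 row whose Object is the OU's own DN gives you the deletion time, which is what you need to choose the right backup set below, and DeletedBy is the account to disable and investigate before you restore anything.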

There are two options for restoring an OU:
- Non-authoritative restore: most often done with Windows Server Backup, this restores the entire domain controller from backup. The restored DC then accepts whatever its replication partners hold, so in a domain with more than one DC the deletion simply replicates back in and the OU stays gone.
- Authoritative restore: using WBADMIN and NTDSUTIL, you first do a system state restore and then mark the OU, an individual user account, or any other AD object as authoritative, so that it wins replication instead of losing it.

* What makes a restore "authoritative"?
- NTDSUTIL raises the version number of every attribute on the restored objects by a large value (100,000 by default, scaled by the number of days since the backup was taken), so when replication resumes the other DCs see the restored object as the most recent change and take it instead of the deletion. The USN itself is just a per-DC change counter; the attribute version number in the replication metadata is what decides the conflict.

How to run a non-authoritative restore?
1) Open Windows Server Backup.
2) Click Recover.
3) Pick the most recent backup set that was created before the deletion.
4) You're done, sort of: the restored DC replicates with its partners and pulls the deletion back in, so on its own this brings the OU back only if this is the only DC in the domain.

How to run Authoritative Restore?

1) Restart the DC into Directory Services Restore Mode (DSRM): press F8 during boot and pick it from the advanced boot options.
2) Log in as .\administrator with the DSRM password you set when you ran DCPROMO. (Domain accounts do not work here; the directory service is not running.)
3) Type "wbadmin get versions -backupTarget:<location>", where <location> is the disk or share where your backup files live. It lists every backup with its time, version identifier and target so you can choose accordingly.
4) Figure out which version you want: the most recent one taken before the deletion. Anything taken after it only contains the tombstone.
5) Type "wbadmin start systemstaterecovery -version:<ID> -backupTarget:<location>". Ex: wbadmin start systemstaterecovery -version:08/14/2008-04:01
6) After the restore finishes, run ntdsutil and type "activate instance ntds".
7) Type "authoritative restore" to get into the right NTDSUTIL context.
8) Type restore object "distinguishedName" for a single account, or restore subtree "distinguishedName" if you're restoring an entire OU. Do not use "restore database" unless you really mean to make the whole directory authoritative and undo every change made on the other DCs since the backup.
9) Quit NTDSUTIL and reboot normally. On startup the DC replicates the restored objects out to its partners.
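The DSRM part of the procedure (steps 3 to 9) as one script, added here as an example and not taken from the original notes. It assumes PowerShell is installed on the DC and opened elevated while booted into DSRM, that backups live on $BackupTarget, that the deletion time was read from the Security Log, and that the OU's DN is known; all three values at the top are assumptions for the example, as is the en-US date format of wbadmin's version identifiers.

```powershell
# Added example, not from the original notes: select the right backup, restore
# system state, mark one OU subtree authoritative, reboot.
$BackupTarget = 'E:'                                             # assumed backup disk or UNC path
$DeletedAt    = [datetime]'2008-08-15 01:00'                     # assumed, from the 5141/4726 events
$OuDN         = 'OU=NewYork Ops,OU=New York,DC=contoso,DC=com'   # assumed DN of the deleted OU

# Step 3: list the backups. wbadmin prints one "Version identifier: MM/dd/yyyy-HH:mm"
# line per backup set (format assumed to match an en-US system).
$versions = wbadmin get versions "-backupTarget:$BackupTarget" | ForEach-Object {
    if ($_ -match 'Version identifier:\s*(\S+)') {
        New-Object PSObject -Property @{
            Id   = $Matches[1]
            Time = [datetime]::ParseExact($Matches[1], 'MM/dd/yyyy-HH:mm',
                                          [System.Globalization.CultureInfo]::InvariantCulture)
        }
    }
}

# Step 4: the newest backup that still contains the OU is the newest one taken
# before the deletion. A backup taken after 1 AM would only restore the tombstone.
$version = $versions | Where-Object { $_.Time -lt $DeletedAt } |
           Sort-Object Time -Descending | Select-Object -First 1
if (-not $version) { throw "No backup older than $DeletedAt on $BackupTarget" }
"Restoring system state from version $($version.Id)"

# Step 5: non-authoritative system state restore of this DC (-quiet skips the prompt).
wbadmin start systemstaterecovery "-version:$($version.Id)" "-backupTarget:$BackupTarget" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# Steps 6-8: mark only the OU subtree authoritative. ntdsutil accepts its menu
# commands as arguments; the \" keeps the inner quotes intact when PowerShell
# hands the argument to a native program, so a DN with spaces stays one token.
# ntdsutil still shows a confirmation dialog before it touches the database.
# Never substitute "restore database" here: that makes the whole directory
# authoritative and rolls back every change other DCs made since the backup.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree \`"$OuDN\`"" q q
"Read the ntdsutil output above: it must report the number of records found and updated."

# ntdsutil writes its list of restored objects and the backlink LDIF file(s)
# (names starting with ar_) into the current directory. Keep them for later.
Get-ChildItem -Filter 'ar_*' | Select-Object Name, Length

# Step 9: reboot normally. On startup the DC pushes the restored OU to its partners.
Restart-Computer -Force
```

Run it from the directory you want the ar_* files to land in; the group-membership step later needs them. The script deliberately picks the backup by comparing its time with the deletion time rather than simply taking the latest version, because the latest system state backup may already postdate the deletion.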


If for some strange reason your Server 2008 DC is running in a Windows 2000 functional level forest:
* At the Windows Server 2003 or Windows Server 2008 forest functional level, NTDSUTIL relies on what we call Linked Value Replication (LVR) to bring group membership back to restored accounts. (You can mostly ignore this whole slide if you're at the 2003 or 2008 forest functional level. One caveat: LVR only covers membership links written after the forest was raised to that level; links that existed before the raise stay in the old format until they are modified, so users with very old group memberships may still need the LDIF step.)

* When you do an authoritative restore in a Windows 2000 functional level forest, you end up losing group membership on your restored user accounts. Of course, you could go back and recreate them manually. (No you can't, you don't have that kind of time on your hands.)
* During the authoritative restore, NTDSUTIL creates at least one LDIF file (one .ldf per domain, named starting with ar_) alongside a text listing of the restored objects. You can use these files to quickly restore group membership to all the users you restored, using what are called backlinks from the LDIF file.


1) After the authoritative restore is complete and the DC has been restarted normally, open a command prompt and type
repadmin /syncall DCNAME /a /d /A /P /q, where DCNAME is the name of the DC you just restored (/A = all partitions, /P = push from this DC, /d = show DNs, /a = abort on any error, /q = quiet). This gets the restored user objects onto every DC before you write group links that point at them.
2) Change to the directory where your LDIF files ended up (the directory NTDSUTIL was run from).
3) Type ldifde -i -k -f filename, where filename is the name of the LDIF file you need (-i = import, -k = keep going on "already exists" and constraint errors, -f = the file).
4) Rinse and repeat step 3 for each file created by the NTDSUTIL restore process. A file for another domain must be imported on a DC in that domain.
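The four steps above as one script, added as an example that is not part of the original notes. It assumes it runs elevated on the restored DC after its normal reboot, that the ar_* LDIF files are in $LdifDir, that the files follow the ar_*_links_*.ldf naming NTDSUTIL uses, and that the OU's DN is the assumed one used for verification; dsquery and dsget ship with every Server 2008 DC, so no RSAT module is needed.

```powershell
# Added example, not from the original notes: push the restored OU out, import
# the backlink LDIF files, then verify the memberships came back.
$Dc      = $env:COMPUTERNAME
$LdifDir = 'C:\ntdsutil-restore'                                  # assumed: where ntdsutil was run from
$OuDN    = 'OU=NewYork Ops,OU=New York,DC=contoso,DC=com'         # assumed DN of the restored OU

# Step 1: replicate first, so every DC already holds the restored user objects
# that the imported member links will reference.
repadmin /syncall $Dc /a /d /A /P /q
if ($LASTEXITCODE -ne 0) { throw "repadmin /syncall failed with exit code $LASTEXITCODE" }

# Steps 2-4: import every LDIF file. -k keeps going past "already exists" and
# constraint errors, which is expected for links LVR has already restored.
$files = Get-ChildItem -Path $LdifDir -Filter 'ar_*_links_*.ldf'   # assumed ntdsutil naming
if (-not $files) { throw "No LDIF files found in $LdifDir" }
foreach ($f in $files) {
    "Importing $($f.Name)"
    ldifde -i -k -f $f.FullName -j $LdifDir        # -j: write ldif.log / ldif.err next to the files
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ldifde returned $LASTEXITCODE for $($f.Name); check $LdifDir\ldif.err"
    }
}

# Verification: list each restored user with the groups it is now a member of.
# dsquery prints one quoted DN per line; dsget reads DNs from stdin.
$users = dsquery user $OuDN -limit 0
foreach ($u in $users) {
    "$u"
    $u | dsget user -memberof | ForEach-Object { "    $_" }
}
```

A user that prints with no groups underneath is one the LDIF files did not cover (for example, a membership in a group from another domain, whose file has to be imported there), so the verification loop is the cheap way to catch what the import missed before the help desk does.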



Notes:
* Authoritative restore: a process in which objects, or the entire directory, are restored and marked as "authoritative" by raising their attribute version numbers (100,000 by default) so that all other DCs take the restored objects during replication.
* Non-authoritative restore: a simple restoration process that can be done either from Windows Server Backup or by using Directory Services Restore Mode and WBADMIN (if you really want to). The restored DC then catches up from its replication partners, including any deletion they hold.
* Update Sequence Number (USN): a per-DC counter stamped on every change that helps domain controllers know which objects need to be updated during replication.
* Linked Value Replication (LVR): a feature of the Windows Server 2003 or 2008 forest functional level that replicates group membership one value at a time and brings group membership back to restored accounts automatically.

After this class, now you can:
1) Perform a non-authoritative restore using Windows Server Backup on a DC.
2) Perform an authoritative restore using Directory Services Restore Mode, WBADMIN, and NTDSUTIL.
3) Restore group membership from backlinks using ldifde (if for some weird reason you're not at the Windows Server 2003 or 2008 forest functional level).
