Training Guide Administering Windows Server 2012 R2 (2014)
Chapter 4. Administering Active Directory
There is more to managing Active Directory than deploying domain controllers. It’s important for administrators of Windows Server 2012 and Windows Server 2012 R2 domains to be familiar with the function and placement of flexible single-master roles, read-only domain controllers, and Global Catalog servers. It’s also important for systems administrators to be able to defragment and optimize the Active Directory Domain Services (AD DS) database and perform efficient backup and recovery operations.
Lessons in this chapter:
Lesson 1: Managing domain controllers
Lesson 2: Maintaining domain controllers
Lesson 3: Recovering Active Directory
Before you begin
To complete the practice exercises in this chapter:
You need to have deployed computers SYD-DC, MEL-DC, and ADL-DC, as described in the Introduction, using the evaluation edition of Windows Server 2012 R2.
Lesson 1: Managing domain controllers
In this lesson, you will learn about the flexible single master operations roles, the functionality and deployment strategies for Global Catalog servers, and management of read-only domain controllers. You’ll also learn about the conditions under which you can clone a virtualized domain controller.
After this lesson, you will be able to:
Manage operations master roles.
Deploy Global Catalog servers.
Utilize universal group membership caching.
Manage read-only domain controllers.
Implement domain controller cloning.
Estimated lesson time: 45 minutes
Managing operations masters
There are five operations masters in a single domain Active Directory forest. Two of these operations masters are unique to the forest. There can only be one instance of each of these operations masters in the forest. Three operations masters are present in each domain in the forest. You can determine the location of the forest-level operations masters by running the Get-ADForest cmdlet. You can determine the location of the domain-level operations masters by running the Get-ADDomain cmdlet. You can also determine the location of the domain-level operations masters by right-clicking the domain in Active Directory Users And Computers and then clicking Operations Masters. This process displays the Operations Masters dialog box, shown in Figure 4-1. Both cmdlets are part of the Active Directory Windows PowerShell module, which is invoked automatically when run on a Windows Server 2012 or Windows Server 2012 R2 domain controller.
FIGURE 4-1 Domain operations masters
Real World: Don’t put all your eggs in one basket
In many organizations, the first domain controller deployed holds all the operations master roles (also known as flexible single master operations or FSMO roles) because many administrators simply forget that operations master roles exist. Systems administrators remember the operations master roles only after something happens to that first domain controller or when something that is dependent on functional operations master roles stops working. Where practical, you should spread operations master roles across two or more domain controllers in your organization’s primary site. When decommissioning a domain controller (or if a domain controller fails), do a quick check to determine whether the domain controller hosted any of the operations master roles.
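The inventory described in the two paragraphs above, written out as an added PowerShell example (this is not code from the book): it reads the two forest-wide roles from Get-ADForest and the three domain roles from Get-ADDomain, warns when every role sits on one domain controller, and checks that each holder still answers. The function names are my own.

```powershell
# Added example (not from the book): inventory the five operations master roles
# and flag the "all eggs in one basket" placement.
Import-Module ActiveDirectory

function Get-OperationsMasterInventory {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-level roles come from Get-ADForest, domain-level roles from Get-ADDomain.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
    foreach ($role in $roles.Keys) {
        [pscustomobject]@{ Role = $role; Holder = $roles[$role] }
    }
}

function Test-OperationsMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $inventory = @(Get-OperationsMasterInventory -Domain $Domain)
    $inventory | Format-Table -AutoSize

    # Every role on one DC is the situation the "Real World" note warns about.
    $holders = @($inventory.Holder | Sort-Object -Unique)
    if ($holders.Count -eq 1) {
        Write-Warning "All operations master roles are held by $($holders[0]); spread them across DCs in the primary site."
    }

    # A holder that does not answer is the case where a transfer may have to become a seizure.
    foreach ($holder in $holders) {
        try {
            $null = Get-ADDomainController -Identity $holder -ErrorAction Stop
            Write-Host "$holder reachable"
        } catch {
            Write-Warning "$holder did not respond: $($_.Exception.Message)"
        }
    }
}

Test-OperationsMasterPlacement
```

Run it from an elevated Windows PowerShell prompt on a domain controller or a computer with the Active Directory module installed; the warning lines are what you would act on before decommissioning a domain controller.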
Schema master
The domain controller that hosts the schema master role is responsible for processing updates to the Active Directory schema. This forest-level operations master is present on a domain controller in the forest root domain. Some products that need to update the Active Directory Schema, such as Microsoft Exchange, must run that process in the same site as the schema master. Other products that need to update the schema may need to run on the computer that hosts the schema master.
You can locate the schema master using the Active Directory Schema snap-in for the Microsoft Management Console (MMC). This snap-in is available only if you register the schmmgmt.dll by running the following command from an elevated command prompt.
Regsvr32.exe Schmmgmt.dll
More Info: Active Directory Schema snap-in
You can learn more about deploying the Active Directory Schema snap-in at http://technet.microsoft.com/en-us/library/cc737499(v=WS.10).aspx.
After the Active Directory Schema snap-in has been added, you can open the Change Schema Master dialog box, shown in Figure 4-2, by right-clicking Active Directory Schema, and then clicking Operations Master. You can also use this dialog box to transfer the schema master role to another computer.
FIGURE 4-2 Schema master
Domain naming master
The domain naming master is a forest-level operations master role, meaning that there is only one domain controller that holds this role in an Active Directory forest. The domain naming master is responsible for managing the addition and removal of domains and application partitions in the forest. The computer that hosts this role is also responsible for handling references to domains in forests that have a trust relationship with the source forest. You can move the domain naming master role using the Operations Master dialog box, available through the Active Directory Domains And Trusts console, and shown in Figure 4-3.
FIGURE 4-3 Domain naming master
PDC emulator
The PDC emulator is a domain-based role that manages the following:
Changing domain account passwords The PDC emulator ensures that password changes replicate to other domain controllers as soon as possible.
Time synchronization across domain members As PDC emulators within child domains in a forest perform time synchronization against the PDC emulator in the root domain, you should ensure that you configure the PDC emulator in the root domain to perform time synchronization against a trusted external time source. Doing this ensures that all computers in the forest keep correct time.
Group Policy changes The PDC emulator ensures that there are no conflicts in the event that the same Group Policy Object (GPO) is being edited by two or more different people at the same time.
Domain master browser The PDC emulator provides clients with a list of workgroups and domains when the client is browsing the network.
You can move the PDC emulator to another domain controller using the Operations Masters dialog box, which is available by right-clicking the target domain in Active Directory Users And Computers. This dialog box is shown in Figure 4-4.
FIGURE 4-4 Locating the PDC emulator
Infrastructure master
The domain controller that holds the infrastructure master role keeps track of changes made in other domains in the forest, and their impact on objects in the local domain. There is a domain controller hosting the infrastructure master role in each domain in a forest. Unless each domain controller in a domain also holds the Global Catalog server role for performance reasons, you should avoid placing the infrastructure master role on a domain controller that also functions as a Global Catalog server. You can move the infrastructure master to another domain controller using the Operations Masters dialog box, which is available by right-clicking the target domain in Active Directory Users And Computers. This dialog box is shown in Figure 4-5.
FIGURE 4-5 Locating the infrastructure master
RID master
The RID master is a domain-level operations master role that processes requests for relative identifiers (RIDs). Whenever a user, group, or computer account is created on a domain controller, that object is assigned a security identifier (SID). SIDs consist of both a domain SID and a unique RID generated by the RID master. When moving objects between domains using tools including movetree.exe, you must perform the move on the domain controller that holds the RID master role for the source domain. You can move the RID master to another domain controller using the Operations Masters dialog box, which is available by right-clicking the target domain in Active Directory Users And Computers. RID masters provide domain controllers with blocks of RIDs. Domain controllers will be unable to create user, group, or computer accounts if they exhaust their assigned block of RIDs and are unable to procure more from a RID master.
Seizing operations master roles
If a domain controller that is hosting an operations master role fails, you might not be able to transfer that role to another domain controller using the methods outlined earlier. If you can’t transfer an operations master role using the previously mentioned tools, you can force the move by using the Force parameter with the Move-ADDirectoryServerOperationMasterRole cmdlet. This is known as seizing the operations master role. For example, to seize the RID master, infrastructure master, and domain naming master roles and place them on server MEL-DC, use the following command.
Move-ADDirectoryServerOperationMasterRole -Identity MEL-DC -OperationMasterRole DomainNamingMaster,InfrastructureMaster,RIDMaster -Force
You can also seize operations master roles using the ntdsutil.exe utility, although this operation is significantly more complex than using the Move-ADDirectoryServerOperationMasterRole cmdlet. Using Windows PowerShell is the recommended way to manage the placement of operations master roles on Windows Server 2012 and Windows Server 2012 R2.
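The transfer-or-seize decision above, together with the infrastructure master placement caveat from the infrastructure master section, as an added PowerShell example (not code from the book). It attempts a normal transfer when the current holder answers and falls back to -Force only when it does not; the function name and the MEL-DC target are lab assumptions.

```powershell
# Added example (not from the book): move roles with a clean transfer where possible,
# seize (-Force) only when the current holder is unreachable, and warn about
# putting the infrastructure master on a Global Catalog server.
Import-Module ActiveDirectory

function Move-OperationsMasterRoleSafely {
    param(
        [Parameter(Mandatory = $true)][string]$Target,     # e.g. MEL-DC
        [Parameter(Mandatory = $true)][string[]]$Role      # e.g. RIDMaster, InfrastructureMaster
    )

    $domain = Get-ADDomain
    $forest = Get-ADForest
    $target = Get-ADDomainController -Identity $Target

    foreach ($r in $Role) {
        # Forest-level roles are reported by Get-ADForest, domain-level roles by Get-ADDomain.
        $current = switch ($r) {
            'SchemaMaster'       { $forest.SchemaMaster }
            'DomainNamingMaster' { $forest.DomainNamingMaster }
            default              { $domain.$r }
        }

        # Placement caveat: infrastructure master on a GC is only fine if every DC is a GC.
        if ($r -eq 'InfrastructureMaster' -and $target.IsGlobalCatalog) {
            $nonGC = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
            if ($nonGC.Count -gt 0) {
                Write-Warning "$Target is a Global Catalog server but $($nonGC.Count) DC(s) are not; infrastructure master placement here is not recommended."
            }
        }

        $holderOnline = $false
        try { $null = Get-ADDomainController -Identity $current -ErrorAction Stop; $holderOnline = $true } catch { }

        if ($holderOnline) {
            Write-Host "Transferring $r from $current to $Target"
            Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $r -Confirm:$false
        } else {
            # Seizure: the old holder must not be returned to service still believing it owns the role.
            Write-Warning "Holder $current is unreachable; seizing $r onto $Target"
            Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $r -Force -Confirm:$false
        }
    }

    # Confirm the new placement.
    Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
    Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
}

# The scenario from the text: three roles onto MEL-DC (assumed lab DC name).
Move-OperationsMasterRoleSafely -Target 'MEL-DC' -Role RIDMaster, InfrastructureMaster, DomainNamingMaster
```

Because -Force is used only when the holder cannot be contacted, an accidental run against a healthy domain performs ordinary transfers rather than seizures.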
More Info: Using NTDSutil.exe to seize Operations master roles
You can learn more about using NTDSutil.exe to seize operations master roles at http://support.microsoft.com/kb/255504.
Quick check
Which operations master role is responsible for processing account password changes in a domain?
Quick check answer
The PDC emulator role is responsible for processing account password changes in a domain.
Global Catalog servers
Global Catalog servers contain partial information about all objects in all domains in a forest and are often used to provide information on universal group membership in forests that have multiple domains. When a local domain controller authenticates users, it uses the Global Catalog server to determine whether the user account it is authenticating is a member of any universal groups. Global Catalog servers are extremely important in environments in which you have deployed products such as Microsoft Exchange.
The first domain controller in a new domain is a Global Catalog server by default. You can configure a domain controller to be a Global Catalog server in the Domain Controller Options page of the Active Directory Domain Services Configuration Wizard, as shown in Figure 4-6. Both a traditionally deployed and a read-only domain controller can function as a Global Catalog server.
FIGURE 4-6 Installing a new domain controller as a Global Catalog server
You can convert an existing domain controller so that it functions as a Global Catalog server or remove the Global Catalog role from a domain controller in the NTDS Settings Properties dialog box. To access this dialog box, you have to open the Active Directory Sites And Services console, locate the site the domain controller is in, select the domain controller, and then edit the properties of the NTDS Settings item. This dialog box is shown in Figure 4-7.
FIGURE 4-7 Configuring a domain controller to function as a Global Catalog server
Consider the following when choosing to deploy Global Catalog servers:
For optimal performance, make every domain controller a Global Catalog server in a single domain forest.
In multidomain forests, deploy at least one Global Catalog server to each site that has more than 100 users.
The drawback to deploying Global Catalog servers in multidomain environments (and the reason why this role isn’t enabled by default) is replication. In multidomain forests in which universal groups are in use, Global Catalog servers can be responsible for a substantial amount of replication traffic across branch-office wide area network (WAN) links. If a site has fewer than 100 users, you can enable universal group membership caching to achieve a similar result without the bandwidth utilization that deploying a Global Catalog server incurs.
Universal group membership caching
Universal group membership caching (UGMC) performs a function similar to the one that a Global Catalog server performs. UGMC is suitable for small sites that don’t have enough users to justify deploying a Global Catalog server. You enable UGMC at the site level instead of at the Global Catalog server level by configuring NTDS Site Settings properties, as shown in Figure 4-8.
FIGURE 4-8 Enabling UGMC
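The Global Catalog and UGMC settings discussed in the two sections above are stored on the same objects that the Active Directory Sites And Services console edits: the NTDS Settings object of a domain controller and the NTDS Site Settings object of a site. The following added PowerShell example (not code from the book) reports both per site, applies the 100-user guidance from the text as a warning, and enables either setting through those objects. It assumes the documented bit values of the options attribute (0x1 on NTDS Settings for Global Catalog, 0x20 on NTDS Site Settings for UGMC) and a single-domain view; the function names are my own.

```powershell
# Added example (not from the book): audit and enable Global Catalog / UGMC by
# editing the options attribute on NTDS Settings and NTDS Site Settings objects.
Import-Module ActiveDirectory

$cfgNC     = (Get-ADRootDSE).configurationNamingContext
$GC_FLAG   = 0x1    # NTDS Settings "options": this DC is a Global Catalog server
$UGMC_FLAG = 0x20   # NTDS Site Settings "options": universal group membership caching on

function Get-GlobalCatalogCoverage {
    # One row per site. Assumption: single domain; multi-domain forests need one pass per domain.
    $dcs = Get-ADDomainController -Filter *
    foreach ($site in Get-ADReplicationSite -Filter *) {
        $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" -Properties options
        $siteDCs  = @($dcs | Where-Object Site -eq $site.Name)
        [pscustomobject]@{
            Site        = $site.Name
            DCs         = ($siteDCs.Name -join ',')
            GCs         = (@($siteDCs | Where-Object IsGlobalCatalog).Name -join ',')
            UGMCEnabled = (([int]$settings.options) -band $UGMC_FLAG) -ne 0
        }
    }
}

function Enable-GlobalCatalog {
    param([Parameter(Mandatory = $true)][string]$DomainController)
    $dc   = Get-ADDomainController -Identity $DomainController
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    Set-ADObject -Identity $ntds -Replace @{ options = (([int]$ntds.options) -bor $GC_FLAG) }
}

function Enable-UniversalGroupMembershipCaching {
    param([Parameter(Mandatory = $true)][string]$SiteName)
    $obj = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$cfgNC" -Properties options
    Set-ADObject -Identity $obj -Replace @{ options = (([int]$obj.options) -bor $UGMC_FLAG) }
}

# Report, then apply the guidance from the text: a site with DCs but neither a GC
# nor UGMC leaves universal group lookups to the WAN link.
$coverage = @(Get-GlobalCatalogCoverage)
$coverage | Format-Table -AutoSize
$coverage | Where-Object { $_.DCs -and -not $_.GCs -and -not $_.UGMCEnabled } | ForEach-Object {
    Write-Warning "Site $($_.Site): no Global Catalog server and UGMC is off. Enable UGMC (fewer than 100 users) or make a DC a GC (100 or more)."
}
```

Setting the Global Catalog bit starts the partial-replica build in the background, so a newly enabled GC is not immediately advertised; Get-ADDomainController reports IsGlobalCatalog once it is.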
Read-only domain controllers
A read-only domain controller (RODC) is a special type of domain controller that stores the passwords of only some users, but not all. You deploy a RODC when you are concerned about the physical security of a domain controller. For example, suppose that you need to have a domain controller at a branch office site, but the branch office site doesn’t have a special secure locked server room, and the local servers instead sit in a cabinet in the same room that holds the shared printer, photocopier, and fax machine.
If a domain controller is stolen, the best security practice is to change all the passwords of all accounts in the domain. It’s theoretically possible (although exceptionally unlikely) that the person who stole the domain controller isn’t looking for some computer hardware to sell off at the pub, but is instead a master hacker who can extract user name and password data from the Active Directory database. Although having someone extract the password of Sam in sales may not seem like much of a security risk, if the password of Anna the systems administrator is cracked, the organization has an even bigger security problem.
RODCs store only a select set of user account passwords. If someone misappropriates the branch office domain controller, you can quickly ascertain which user accounts have passwords that are potentially vulnerable. You can then reset these passwords without having to worry about having to reset every password of every account in the domain. If you choose to deploy an RODC at a site, you should deploy RODCs only at that site. There is no point deploying an RODC next to a typical domain controller because you have concerns about the security of the location, and then hoping that anyone who wants to steal a computer from the site chooses the one that doesn’t have local copies of all domain account passwords.
RODCs have the following requirements:
Forest functional level must be set to Windows Server 2003 or higher.
If the forest is not running at the Windows Server 2012 or higher functional level, it must be prepared for RODC deployment. You can do this by running the command adprep /rodcprep using a user account that is a member of the Enterprise Admins group. Adprep.exe is located in the Support\Adprep folder of the Windows Server 2012 and Windows Server 2012 R2 installation media.
A domain controller running Windows Server 2008 or higher must be present in any domain in which you want to deploy an RODC.
To deploy an RODC, perform the following steps:
1. Run the Add Roles And Features Wizard, and add the Active Directory Domain Services role and all features required to support that role to the computer that will function as the RODC.
2. Run the Active Directory Domain Services Configuration Wizard, and choose to add a domain controller to an existing domain, as shown in Figure 4-9. RODCs require that an existing writable domain controller be present in a domain and can’t be the first domain controller in a domain.
FIGURE 4-9 Adding a domain controller to an existing domain
3. On the Domain Controller Options page, you need to select the Read Only Domain Controller (RODC) option, choose the site that the domain controller will be located in, and enter a Directory Services Restore Mode (DSRM) password, as shown in Figure 4-10. You can also configure the RODC as a DNS server. When you do this, the DNS server does not process updates, but instead passes updates to a writable domain controller for processing.
FIGURE 4-10 Configure a domain controller as an RODC
4. On the RODC Options page, shown in Figure 4-11, you can configure the list of accounts that can replicate to the new RODC. You can also modify the list of accounts that are blocked from replicating passwords to the RODC. You can change these options after you have deployed the RODC.
FIGURE 4-11 RODC options
5. The rest of the options in the Active Directory Domain Services Configuration Wizard are the same as those presented when you deploy a typical domain controller. When you complete the wizard, the computer that will host the RODC role restarts.
You can create a prestaged RODC computer account by clicking Pre-create A Read-Only Domain Controller Account in the Active Directory Administrative Center, as shown in Figure 4-12, or by using the Add-ADDSReadOnlyDomainControllerAccount cmdlet. For example, to create a prestaged account for an RODC named Sydney-RODC in the Sydney site of the Contoso domain, execute the following command.
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName Sydney-RODC -DomainName Contoso -SiteName Sydney
FIGURE 4-12 Prestaging an RODC account
After an RODC is deployed, you need to determine which accounts can have passwords replicated to the RODC. A user whose account has not replicated to the RODC can still sign on at a site that has only RODCs; it’s just that authentication for that user will require communication with a domain controller at another site. If the link to a domain controller that stores the password is down, any user who doesn’t have a password replicated to the RODC and who needs to be authenticated by the RODC can’t sign on.
By default, accounts located in the Allowed RODC Password Replication Group domain-based security group can replicate to the RODC. Accounts that are in the following groups are blocked from replicating to the RODC:
BUILTIN\Administrators
BUILTIN\Server Operators
BUILTIN\Backup Operators
BUILTIN\Account Operators
DOMAIN\Denied RODC Password Replication Group
Accounts that are members of any denied security group do not replicate to the RODC, even if they are members of a group that has been explicitly allowed. You can configure which accounts are blocked and allowed to have password data replicated to an RODC by editing the properties of each RODC and selecting the password replication policy, as shown in Figure 4-13.
FIGURE 4-13 Password replication policy
You can use the Advanced Password Replication Policy dialog box, shown in Figure 4-14, to determine which passwords have been replicated to the RODC. You can use this dialog box if someone steals the RODC and you want to assess which accounts might be compromised. You can use the Prepopulate Passwords option to replicate the passwords of all users who are subject to the Password Replication Policy. You can use the Resultant Policy tab to calculate whether a particular user account password will be replicated to the RODC.
FIGURE 4-14 Passwords on RODC
Deploying a domain controller as an RODC is only the first step in ensuring that a branch office domain controller is secure. If you are concerned about security, ensure that you configured the computer hosting the RODC with BitLocker. An RODC deployed as a virtual machine on a Hyper-V host that uses BitLocker to encrypt the hard drive and protect the boot environment is extremely difficult for an attacker to compromise. Even so, if the BitLocker-protected computer hosting the RODC virtual machine is stolen from the branch office, you should still change the passwords of all user accounts that may have been affected.
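The stolen-RODC response described above, as an added PowerShell example (not code from the book). It lists the accounts whose passwords the RODC had cached using Get-ADDomainControllerPasswordReplicationPolicyUsage with -RevealedAccounts (the cmdlet behind the Advanced Password Replication Policy dialog box), flags AdminSDHolder-protected accounts through adminCount, and resets the exposed user passwords. Sydney-RODC is the assumed name from the prestaging example; -WhatIf rehearses the run without changing anything.

```powershell
# Added example (not from the book): triage and password reset after an RODC is lost.
Import-Module ActiveDirectory

function Get-RodcExposedAccounts {
    param([Parameter(Mandatory = $true)][string]$Rodc)
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    foreach ($acct in $revealed) {
        # adminCount=1 marks accounts protected by AdminSDHolder. Those should be in the
        # denied list, so one showing up here also means the replication policy needs review.
        $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount
        [pscustomobject]@{
            SamAccountName = $acct.SamAccountName
            ObjectClass    = $acct.ObjectClass
            Privileged     = ($obj.adminCount -eq 1)
        }
    }
}

function Reset-RodcExposedPasswords {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Rodc)

    $exposed = @(Get-RodcExposedAccounts -Rodc $Rodc) | Sort-Object Privileged -Descending
    $exposed | Format-Table -AutoSize
    foreach ($p in ($exposed | Where-Object Privileged)) {
        Write-Warning "Privileged account $($p.SamAccountName) had its password cached on $Rodc"
    }

    foreach ($e in ($exposed | Where-Object ObjectClass -eq 'user')) {
        if ($PSCmdlet.ShouldProcess($e.SamAccountName, 'Reset password')) {
            # Random one-time value: the user cannot sign in until the help desk issues a
            # new password, which is the intent after a potential credential exposure.
            $temp = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
            Set-ADAccountPassword -Identity $e.SamAccountName -Reset -NewPassword $temp
            Set-ADUser -Identity $e.SamAccountName -ChangePasswordAtLogon $true
        }
    }
    # Computer accounts renew their own secret against a writable DC. The lost RODC's own
    # computer account is removed by deleting it in Active Directory Users And Computers.
}

Reset-RodcExposedPasswords -Rodc 'Sydney-RODC' -WhatIf
```

Drop -WhatIf once the list has been reviewed; the revealed list is exactly the set of accounts the text says you should reset instead of every password in the domain.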
Real World: Very specific usage scenarios
RODCs have a very specific usage scenario. You put them in locations in which you can’t guarantee the physical security of the domain controller. If you have confidence in the security of a branch office location, you’re better off deploying a traditional domain controller. In the future, you might also choose to use Microsoft Azure Active Directory as an alternative to deploying domain controllers at locations in which physical security is questionable.
A user must normally be a member of a group such as the Domain Admins group to perform administration tasks on a domain controller. Since RODCs are designed to be deployed in locations remote from your organization’s head office, you can delegate administration of RODCs so that it’s possible for a user to sign on and perform administrative tasks without having to make them a member of a group that has extensive privileges in the domain. You can do this on the Managed By tab of the RODC’s computer account properties, as shown in Figure 4-15.
FIGURE 4-15 Branch office technicians
More Info: Deploying RODCs
You can learn more about deploying RODCs at http://technet.microsoft.com/en-us/library/jj574152.aspx.
Quick check
What console can you use to configure a domain controller as a Global Catalog server or enable UGMC at a site?
Quick check answer
You use the Active Directory Sites And Services console to configure a domain controller as a Global Catalog server or enable UGMC at a site.
Domain controller cloning
Domain controller cloning is a new feature in Windows Server 2012 and later that enables you to create copies of virtualized domain controllers under specific conditions. These conditions are as follows:
The hypervisor supports VM-GenerationID. VM-GenerationID is a special 128-bit cryptographically random integer that uniquely identifies a snapshot. Hyper-V 3.0, which is the version available with Windows Server 2012, supports VM-GenerationID. Some third-party hypervisor solutions also support this feature. VM-GenerationID is also supported with the version of Hyper-V available in Windows Server 2012 R2.
The domain controller must be running Windows Server 2012 or Windows Server 2012 R2.
The PDC emulator operations master role must be online, available, and held by a computer running Windows Server 2012 or Windows Server 2012 R2.
The domain controller that will be cloned must be a member of the Cloneable Domain Controllers security group.
After these conditions are met, you need to create a new XML configuration file named DCCloneConfig.xml. This file stores all the settings that the cloned domain controller has when it boots, including computer name, network settings, DNS, and Active Directory site name. You can generate the DCCloneConfig.xml file by using the New-ADDCCloneConfigFile Windows PowerShell cmdlet. Prior to running this command, you should run the Get-ADDCCloningExcludedApplicationsList cmdlet, which checks the source computer to determine whether it is running any services that might cause problems when cloned. For example, you can’t clone a domain controller if it is currently functioning as a DHCP server, and you’ll have to remove this role before the domain controller can be successfully cloned.
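The cloning conditions and the two cmdlets above, combined into one added PowerShell example (not code from the book) that you would run on the source domain controller before shutting it down and exporting it. The clone name, addresses and site name are assumed lab values. The VM-GenerationID check reads msDS-GenerationId, the attribute a virtualized domain controller stamps on its own computer object; the text does not mention that attribute, so treat that part as my assumption.

```powershell
# Added example (not from the book): verify cloning prerequisites, run the
# excluded-application check, and write DCCloneConfig.xml.
Import-Module ActiveDirectory

function Test-DcClonePrerequisites {
    $me  = Get-ADDomainController -Identity $env:COMPUTERNAME
    $pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator   # fails here if the PDC emulator is offline
    $ok  = $true

    # Source DC and PDC emulator must both run Windows Server 2012 or later.
    foreach ($dc in @($me, $pdc)) {
        if ($dc.OperatingSystem -notmatch 'Windows Server 20(1[2-9]|[2-9][0-9])') {
            Write-Warning "$($dc.HostName) runs '$($dc.OperatingSystem)'"; $ok = $false
        }
    }

    # Hypervisor support: an empty msDS-GenerationId means no VM-GenerationID was supplied.
    $comp = Get-ADComputer -Identity $me.Name -Properties 'msDS-GenerationId'
    if (-not $comp.'msDS-GenerationId') {
        Write-Warning 'No VM-GenerationID on the computer object; the hypervisor does not support cloning'; $ok = $false
    }

    # Membership of Cloneable Domain Controllers.
    $members = Get-ADGroupMember -Identity 'Cloneable Domain Controllers' | Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $comp.SamAccountName) {
        Write-Warning "$($me.Name) is not in Cloneable Domain Controllers; add it with Add-ADGroupMember"; $ok = $false
    }
    $ok
}

function New-DcCloneConfig {
    param(
        [string]$CloneName   = 'SYD-DC-CLONE',        # assumed
        [string]$IPv4Address = '10.10.10.20',         # assumed lab addressing
        [string]$SubnetMask  = '255.255.255.0',
        [string]$Gateway     = '10.10.10.1',
        [string[]]$Dns       = @('10.10.10.10'),
        [string]$SiteName    = 'Default-First-Site-Name'
    )
    if (-not (Test-DcClonePrerequisites)) { throw 'Cloning prerequisites are not met' }

    # Anything listed here (DHCP, for instance) must be removed, or explicitly allowed in
    # CustomDCCloneAllowList.xml, before the clone can be created.
    $excluded = @(Get-ADDCCloningExcludedApplicationsList)
    if ($excluded.Count -gt 0) {
        $excluded | Format-Table -AutoSize
        throw 'Remove or allow-list the applications above before cloning'
    }

    # Writes DCCloneConfig.xml with the identity the clone takes on first boot.
    New-ADDCCloneConfigFile -CloneComputerName $CloneName -Static -IPv4Address $IPv4Address `
        -IPv4SubnetMask $SubnetMask -IPv4DefaultGateway $Gateway -IPv4DNSResolver $Dns -SiteName $SiteName
}

New-DcCloneConfig
```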
More Info: Domain controller cloning
You can learn more about cloning domain controllers at http://blogs.technet.com/b/askpfeplat/archive/2012/10/01/virtual-domain-controller-cloning-in-windows-server-2012.aspx.
Lesson summary
There are five operations masters. Schema master controls updates to the schema. The domain-naming master manages additions and removals of domains in the forest. The PDC emulator master processes password changes and manages time synchronization. The infrastructure master keeps track of changes made in other domains that affect objects in the local domain. The RID master processes requests for relative IDs.
Global Catalog servers assist with determining the universal group membership of user accounts in multiple-domain forests.
You can control password replication to RODCs by configuring the RODC Password Replication Policy.
Cloning domain controllers requires that the virtualization platform supports VM-GenerationID, the domain controller must be running Windows Server 2012 or later, and the PDC emulator must be online and also running Windows Server 2012 or later.
The source domain controller must be a member of the Cloneable Domain Controllers security group.
Lesson review
Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.
1. You want to create a copy of a virtualized domain controller. Which of the following conditions must be met before you can accomplish this goal? (Choose all that apply.)
A. The hypervisor must support VM-GenerationID.
B. The source domain controller must be a member of the Cloneable Domain Controllers security group.
C. The schema master must be online and running the Windows Server 2012 or Windows Server 2012 R2 operating system.
D. The PDC emulator must be online and running the Windows Server 2012 or Windows Server 2012 R2 operating system.
2. Which operations master is responsible for ensuring that clocks are set consistently across members of a domain?
A. Infrastructure master
B. PDC emulator
C. RID master
D. Domain naming master
E. Schema master
3. You need to make updates to the Active Directory schema. Which operations master must be online for you to accomplish this goal?
A. Infrastructure master
B. PDC emulator
C. RID master
D. Domain naming master
E. Schema master
4. Which operations master generates pools of unique relative identifiers to ensure that domain SIDs are unique? (Choose all that apply.)
A. Infrastructure master
B. PDC emulator
C. RID master
D. Domain naming master
E. Schema master
5. You want to add several new application partitions in the forest. Which operations master must be available to complete this task? (Choose all that apply.)
A. Infrastructure master
B. PDC emulator
C. RID master
D. Domain naming master
E. Schema master
Lesson 2: Maintaining domain controllers
Ensuring that domain controllers perform as well as they can is an important part of a systems administrator’s job. Having poorly performing domain controllers means extended logon times for users, and the longer it takes users to sign on, the less happy they are. You can take the following steps to ensure that Active Directory is functioning efficiently: Defragment the database, check the integrity of the file that hosts the database, and perform a semantic analysis to check the logical integrity of the database. In this lesson, you will learn how to accomplish these tasks. You will also learn how to perform metadata cleanup, and how to create and view database snapshots.
After this lesson, you will be able to:
Implement Active Directory database optimization.
Implement Active Directory metadata cleanup.
Implement Active Directory snapshots.
Estimated lesson time: 25 minutes
Active Directory database optimization
There are several steps you can take to optimize your Active Directory database, including defragmenting the database, performing a file integrity check, and performing a semantic integrity check. When you defragment the Active Directory database, a new copy of the database file, Ntds.dit, is created. You can defragment the Active Directory database or perform other operations only if the database is offline. You can take the Active Directory database offline by stopping the AD DS service, which you can do from the Services console or by issuing the following command from an elevated Windows PowerShell prompt.
Stop-Service NTDS -Force
You use the ntdsutil.exe utility to perform the defragmentation, as shown in Figure 4-16. Issue the following command.
ntdsutil.exe "activate instance ntds" files "compact to c:\" quit quit
FIGURE 4-16 Defragmenting the Active Directory database
After the defragmentation has completed, copy the defragmented database over the original located in C:\windows\NTDS\ntds.dit and delete all log files in the C:\windows\NTDS folder.
You can check the integrity of the file that stores the database using the ntdsutil.exe command, as shown in Figure 4-17. You can perform this check by issuing the following command from an elevated prompt when the AD DS service is stopped.
ntdsutil.exe "activate instance ntds" files integrity quit quit
FIGURE 4-17 Database integrity check
To verify that the AD DS database is internally consistent, you can run a semantic consistency check. The semantic check, shown in Figure 4-18, can also repair the database if problems are detected. You can perform a semantic check using ntdsutil.exe by issuing the following command.
ntdsutil.exe "activate instance ntds" "semantic database analysis" "verbose on" "go fixup" quit quit
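The offline sequence above (stop AD DS, compact, swap the file in, delete the logs, integrity check, semantic analysis, start AD DS) as one guarded PowerShell script; this is an added example, not code from the book. It keeps a copy of the original database and logs so a failed check can be rolled back, and it restarts the services that Stop-Service -Force took down. Assumptions: the default C:\Windows\NTDS paths from the text, C:\ADCompact as the working folder, and that a successful integrity run prints "Integrity check successful." (ntdsutil's exit code alone is not a reliable signal).

```powershell
# Added example (not from the book): guarded offline compaction and integrity check.
$ntdsDir = 'C:\Windows\NTDS'
$work    = 'C:\ADCompact'                                   # assumed working folder
$backup  = 'C:\ADBackup_{0:yyyyMMddHHmm}' -f (Get-Date)     # assumed backup folder

function Invoke-Ntdsutil([string[]]$Arguments) {
    $out = & ntdsutil.exe @Arguments 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed (exit $LASTEXITCODE):`n$($out -join "`n")" }
    $out
}

function Invoke-AdDatabaseMaintenance {
    New-Item -ItemType Directory -Path $work, $backup -Force | Out-Null

    # -Force also stops the services that depend on NTDS (KDC, DNS, DFSR, ...).
    Stop-Service NTDS -Force
    try {
        # 1. Compact: ntdsutil writes a fresh ntds.dit into $work; the live file is untouched.
        Invoke-Ntdsutil 'activate instance ntds', 'files', "compact to $work", 'quit', 'quit' | Out-Null

        # 2. Keep the original database and logs so the swap can be undone.
        Copy-Item "$ntdsDir\ntds.dit" $backup
        Copy-Item "$ntdsDir\*.log"    $backup -ErrorAction SilentlyContinue

        # 3. Swap the compacted file in and delete the old transaction logs, as the text describes.
        Copy-Item "$work\ntds.dit" "$ntdsDir\ntds.dit" -Force
        Remove-Item "$ntdsDir\*.log" -ErrorAction SilentlyContinue

        # 4. File integrity, then semantic analysis with fixup, before AD DS comes back.
        $integrity = Invoke-Ntdsutil 'activate instance ntds', 'files', 'integrity', 'quit', 'quit'
        if (-not ($integrity -match 'Integrity check successful')) {
            throw "Integrity check did not report success:`n$($integrity -join "`n")"
        }
        Invoke-Ntdsutil 'activate instance ntds', 'semantic database analysis', 'verbose on', 'go fixup', 'quit', 'quit' | Out-Null
        Write-Host "Database compacted; originals kept in $backup"
    }
    catch {
        Write-Warning "Maintenance failed, restoring the original database: $_"
        Copy-Item "$backup\ntds.dit" "$ntdsDir\ntds.dit" -Force
        Copy-Item "$backup\*.log"    $ntdsDir -Force -ErrorAction SilentlyContinue
        throw
    }
    finally {
        # Start-Service does not bring back the dependents that -Force stopped.
        Start-Service NTDS
        Get-Service kdc, dns, dfsr -ErrorAction SilentlyContinue |
            Where-Object Status -ne 'Running' | Start-Service
    }
}

Invoke-AdDatabaseMaintenance
```

Take a system state backup before running this on a production domain controller; the backup folder here protects against a bad compaction, not against a disk failure during the swap.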
FIGURE 4-18 Semantic analysis
Quick check
What is the default location of the file that hosts the AD DS database?
Quick check answer
The default location of the file that hosts the AD DS database is C:\Windows\NTDS\ntds.dit.
Active Directory metadata cleanup
The graceful way to remove a domain controller is to run the Active Directory Domain Services Configuration Wizard to remove AD DS, as shown in Figure 4-19. You can also remove the domain controller gracefully by using the Uninstall-ADDSDomainController cmdlet. When you do this, the domain controller is removed, all references to the domain controller in Active Directory are also removed, and any operations master roles that the domain controller hosted are transferred to other domain controllers in the domain.
FIGURE 4-19 Removing Active Directory
Active Directory metadata cleanup is necessary if a domain controller has been forcibly removed from Active Directory. Here’s an example: An existing domain controller catches fire or is accidentally thrown out of a window by a systems administrator having a bad day. When this happens, references to the domain controller within Active Directory remain. These references, especially if the domain controller hosted operations master roles, can cause problems if not removed. Metadata cleanup is the process of removing these references.
If you use the Active Directory Users And Computers or Active Directory Sites And Services console to delete the computer account of a domain controller, the metadata associated with the domain controller are cleaned up. The console will prompt you, as shown in Figure 4-20, when you try to delete the account of a domain controller that can’t be contacted. You confirm that you can’t contact the domain controller. When you do this, metadata cleanup occurs automatically.
FIGURE 4-20 Deleting the domain controller
To remove server metadata using ntdsutil, issue the following command, where <ServerName> is the distinguished name of the domain controller whose metadata you want to remove from Active Directory.
Ntdsutil "metadata cleanup" "remove selected server <ServerName>"
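Finding the server object whose distinguished name the ntdsutil command above needs, and deciding whether it is really stale, is the part that is easy to get wrong. The following added PowerShell example (not code from the book) lists every server object under CN=Sites, records whether it still has an NTDS Settings child and whether the domain controller answers an LDAP query, and then runs the metadata cleanup command from the text only for entries you confirm. The function names are my own; ntdsutil still shows its own confirmation dialog box before removing anything.

```powershell
# Added example (not from the book): locate stale domain controller references and
# feed their server object DN to ntdsutil "metadata cleanup".
Import-Module ActiveDirectory

function Get-DomainControllerReferenceState {
    $cfgNC   = (Get-ADRootDSE).configurationNamingContext
    $servers = Get-ADObject -SearchBase "CN=Sites,$cfgNC" -LDAPFilter '(objectClass=server)' -Properties dNSHostName
    foreach ($srv in $servers) {
        # The NTDS Settings object is what makes a server object a domain controller reference.
        $ntds = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
        $responds = $false
        if ($ntds -and $srv.dNSHostName) {
            try { $null = Get-ADRootDSE -Server $srv.dNSHostName -ErrorAction Stop; $responds = $true } catch { }
        }
        [pscustomobject]@{
            Server            = $srv.Name
            DistinguishedName = $srv.DistinguishedName
            HasNtdsSettings   = [bool]$ntds
            Responds          = $responds
        }
    }
}

function Remove-DomainControllerMetadata {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$ServerDistinguishedName)
    if ($PSCmdlet.ShouldProcess($ServerDistinguishedName, 'ntdsutil metadata cleanup')) {
        & ntdsutil.exe 'metadata cleanup' "remove selected server $ServerDistinguishedName" quit quit
    }
}

# Report everything, then show the candidates. A DC that is only temporarily down looks
# the same here, so confirm the machine is really gone before dropping -WhatIf.
$state = @(Get-DomainControllerReferenceState)
$state | Format-Table Server, HasNtdsSettings, Responds -AutoSize
$state | Where-Object { $_.HasNtdsSettings -and -not $_.Responds } | ForEach-Object {
    Remove-DomainControllerMetadata -ServerDistinguishedName $_.DistinguishedName -WhatIf
}
```

A server object with no NTDS Settings child is a leftover from a graceful demotion and can simply be deleted in Active Directory Sites And Services; it does not need ntdsutil.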
More Info: Active Directory metadata cleanup
To learn more about cleaning up Active Directory metadata, consult the following TechNet webpage at http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx.
Active Directory snapshots
You can use ntdsutil.exe to create snapshots of the Active Directory database. A snapshot is a point-in-time copy of the database. You can use tools to examine the contents of the database, as it existed at that point in time. It is also possible to transfer objects from the snapshot of the Active Directory database back into the version currently used with your domain’s domain controllers. The AD DS service must be running to create a snapshot.
To create a snapshot, execute the following command.
Ntdsutil snapshot "Activate Instance NTDS" create quit quit
Each snapshot is identified by a GUID. You can create a scheduled task to create snapshots on a regular basis. You can view a list of all current snapshots on a domain controller by running the following command.
Ntdsutil snapshot "list all" quit quit
To mount a snapshot, make a note of the GUID of the snapshot that you want to mount and then issue the following command.
Ntdsutil "activate instance ntds" snapshot "mount {GUID}" quit quit
Note: Mounting snapshots
When mounting snapshots, you must use the {} braces with the GUID. You can also use the snapshot number associated with the GUID when mounting the snapshot with the ntdsutil.exe command. This number is always an odd number.
When the snapshot mounts, take a note of the path associated with the snapshot. You use this path when mounting the snapshot with dsamain. For example, to use dsamain with the snapshot mounted as c:\$SNAP_201212291630_VOLUMEC$\, issue this command:
Dsamain /dbpath 'c:\$SNAP_201212291630_VOLUMEC$\Windows\NTDS\ntds.dit' /ldapport 50000
You can choose to mount the snapshot using any available TCP port number; 50000 is just easy to remember. Leave the Windows PowerShell window open while dsamain is running. After the snapshot is mounted, you can access it using Active Directory Users And Computers. To do this, perform the following steps:
1. Open Active Directory Users And Computers.
2. Right-click the root node, and click Change Domain Controller.
3. In the Change Directory Server dialog box, shown in Figure 4-21, enter the name of the domain controller and the port, and click OK. You can then view the contents of the snapshot using Active Directory Users And Computers in the same way that you would the contents of the current directory.
FIGURE 4-21 Connecting to a snapshot
You can dismount the snapshot by using Ctrl+C to close dsamain, and then executing the following command to dismount the snapshot.
Ntdsutil.exe "activate instance ntds" snapshot "unmount {GUID}" quit quit
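A mounted snapshot is most useful when you compare it with the live directory, for example to see which members a group gained or lost since the snapshot was taken. The following script is an added example, not part of the Training Guide. It assumes dsamain is already serving the snapshot on LDAP port 50000 on the local domain controller, as in the text, and that Active Directory Web Services publishes that dsamain instance so the Active Directory module can reach it with -Server "host:port". The group name Don_Funk_Reports is reused from the practice exercises.

```powershell
# Added example (not from the Training Guide): compare a group's direct membership
# in a dsamain-mounted snapshot (port 50000, as in the text) with the live directory.
# Assumes AD Web Services exposes the snapshot instance to the AD module.
Import-Module ActiveDirectory

function Compare-ADGroupWithSnapshot {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string] $LiveServer     = $env:COMPUTERNAME,
        [string] $SnapshotServer = "$($env:COMPUTERNAME):50000"
    )

    # 'member' holds the distinguished names of direct members; read it from both instances.
    $live = Get-ADGroup -Identity $GroupName -Server $LiveServer     -Properties member
    $snap = Get-ADGroup -Identity $GroupName -Server $SnapshotServer -Properties member

    # Normalise to plain arrays so an empty membership does not become a single $null entry.
    $liveMembers = @($live.member | Where-Object { $_ })
    $snapMembers = @($snap.member | Where-Object { $_ })

    # Compare-Object lists members that appear on only one side.
    # '=>' means present only in the live directory (added since the snapshot),
    # '<=' means present only in the snapshot (removed since the snapshot).
    $diff = Compare-Object -ReferenceObject $snapMembers -DifferenceObject $liveMembers
    foreach ($d in $diff) {
        $change = if ($d.SideIndicator -eq '=>') { 'AddedSinceSnapshot' } else { 'RemovedSinceSnapshot' }
        [pscustomobject]@{ Group = $GroupName; Member = $d.InputObject; Change = $change }
    }
}

Compare-ADGroupWithSnapshot -GroupName 'Don_Funk_Reports' | Format-Table -AutoSize
```

The output tells you which backup or snapshot to go back to when a group's membership has drifted, which is the use the text recommends for snapshots: establishing what changed and when, rather than restoring directly from the snapshot.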
Lesson summary
The default location of the Active Directory database file is C:\Windows\NTDS\ntds.dit.
You can defragment the Active Directory database file using ntdsutil.exe. You can perform this operation only if the AD DS service has stopped.
You can check the integrity of the file that hosts the Active Directory database by using the ntdsutil.exe command. You can perform this operation only if the AD DS service has stopped.
You can check the integrity of the semantic metadata of the database using ntdsutil.exe, which checks whether the database is internally consistent. Ntdsutil.exe can also repair any problems that arise during this check.
You can perform metadata cleanup if a domain controller is forcibly removed from Active Directory by using Active Directory Users And Computers, or by using the Uninstall-ADDSDomainController cmdlet. You can also perform metadata cleanup using the ntdsutil.exe utility.
You can use the ntdsutil.exe utility to take snapshots of Active Directory. You must take snapshots while the AD DS database is online.
You use the dsamain command-line utility to mount Active Directory snapshots. You can navigate the mounted snapshot using Active Directory Users And Computers.
Lesson review
Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.
1. Which of the following commands should you use to mount a snapshot of the AD DS database where {GUID} is the GUID associated with the snapshot?
A. Ntdsutil.exe “activate instance ntds” snapshot “unmount {GUID}” quit quit
B. Ntdsutil “activate instance ntds” snapshot “mount {GUID}” quit quit
C. Ntdsutil snapshot “Activate Instance NTDS” create quit quit
D. Ntdsutil.exe “activate instance ntds” “semantic database analysis” “verbose on” “go fixup” quit quit
2. Which of the following commands should you use to defragment the file that hosts the AD DS database?
A. Ntdsutil.exe “activate instance ntds” files integrity quit quit
B. Ntdsutil.exe “activate instance ntds” files “compact to c:\\” quit quit
C. Ntdsutil.exe “activate instance ntds” snapshot “unmount {GUID}” quit quit
D. Ntdsutil “activate instance ntds” snapshot “mount {GUID}” quit quit
3. Which of the following commands should you use to take a snapshot of the AD DS database?
A. Ntdsutil snapshot “Activate Instance NTDS” create quit quit
B. Ntdsutil.exe “activate instance ntds” “semantic database analysis” “verbose on” “go fixup” quit quit
C. Ntdsutil.exe “activate instance ntds” files integrity quit quit
D. Ntdsutil.exe “activate instance ntds” files “compact to c:\\” quit quit
4. Which of the following commands should you use to perform a check of the integrity of the file that hosts the AD DS database?
A. Ntdsutil.exe “activate instance ntds” “semantic database analysis” “verbose on” “go fixup” quit quit
B. Ntdsutil.exe “activate instance ntds” files “compact to c:\\” quit quit
C. Ntdsutil.exe “activate instance ntds” files integrity quit quit
D. Ntdsutil “activate instance ntds” snapshot “mount {GUID}” quit quit
5. Which of the following commands should you use to check the logical integrity of the AD DS database?
A. Ntdsutil snapshot “Activate Instance NTDS” create quit quit
B. Ntdsutil.exe “activate instance ntds” files integrity quit quit
C. Ntdsutil “activate instance ntds” snapshot “mount {GUID}” quit quit
D. Ntdsutil.exe “activate instance ntds” “semantic database analysis” “verbose on” “go fixup” quit quit
Lesson 3: Recovering Active Directory
In this lesson, you’ll learn how to configure the new tool to manage the Active Directory Recycle Bin and how you can use this tool to recover deleted objects.
After this lesson, you will be able to:
Implement Active Directory Recycle Bin.
Implement Active Directory backup.
Implement Active Directory recovery.
Estimated lesson time: 45 minutes
Active Directory Recycle Bin
The Active Directory Recycle Bin enables you to restore deleted Active Directory objects without the complexity of rebooting a domain controller computer into DSRM. Although the Active Directory Recycle Bin was available in Windows Server 2008 R2, the interface was command line only. This meant that performing an object restoration using the Active Directory Recycle Bin was as complicated as using DSRM. Combined with the necessity of upgrading the forest to the Windows Server 2008 R2 functional level, many administrators simply did not believe that the benefits outweighed the drawbacks, and did not bother with the technology.
The Active Directory Recycle Bin in Windows Server 2012 and Windows Server 2012 R2 provides a graphic interface, which makes it relatively straightforward for administrators to restore deleted items. The Active Directory Recycle Bin has the advantage that all link-valued and non-link-valued attributes of Active Directory deleted objects are stored with the object. This means that restored objects will retain attributes such as group membership and permissions that they had prior to deletion. You enable the Active Directory Recycle Bin on a forest-wide basis. Enabling the Active Directory Recycle Bin is a one-way operation, and after you enable Active Directory Recycle Bin, you can’t disable it.
To enable Active Directory Recycle Bin, perform the following steps:
1. Ensure that the forest functional level is set to Windows Server 2008 R2 or higher.
2. In the Active Directory Administrative Center, select the root domain, and then click Enable Recycle Bin in the Tasks pane. You see the Enable Recycle Bin Confirmation dialog box shown in Figure 4-22.
FIGURE 4-22 Enabling the Active Directory Recycle Bin
3. After you click OK, the Active Directory Recycle Bin is enabled in all domains in the forest.
You can use the Active Directory Recycle Bin only to restore objects that have been deleted since the Active Directory Recycle Bin was enabled. If there are objects that you need to restore that were deleted prior to enabling the Active Directory Recycle Bin, you have to use DSRM to accomplish this goal.
When you enable the Active Directory Recycle Bin using the default values, deleted objects can be recovered using the Active Directory Recycle Bin for 180 days. You can modify this value by changing the value of the msDS-deletedObjectLifetime attribute. You can modify the value of the msDS-deletedObjectLifetime attribute using the Set-ADObject cmdlet or the ldp.exe utility, as shown in Figure 4-23.
FIGURE 4-23 Modifying a deleted object lifetime
To recover items from the Active Directory Recycle Bin, perform the following steps:
1. Open Active Directory Administrative Center.
2. Navigate to the Deleted Objects container.
3. Select the object that you want to restore; in the Tasks pane, shown in Figure 4-24, click Restore if you want to restore it to its original location in Active Directory, or click Restore To if you want to restore it to an alternate location.
FIGURE 4-24 Recovering an item from the Active Directory Recycle Bin
With the Active Directory Recycle Bin, it isn’t possible to restore child objects if a parent object is deleted. For example, you can’t restore a single user account if the organizational unit (OU) that hosts the user account is also deleted. It is necessary to restore the deleted OU and then restore the deleted user account.
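The same tasks can be performed from Windows PowerShell, which also makes the parent-before-child rule explicit. The following script is an added example, not part of the Training Guide. It enables the Recycle Bin for the forest, changes msDS-deletedObjectLifetime with Set-ADObject as the text describes, lists deleted objects, and restores a deleted account after first restoring any deleted OUs above it by walking the lastKnownParent attribute. It assumes the Active Directory module on a domain controller in contoso.com; the account name kim_akers (from the practice exercises) and the lifetime of 365 days are illustrative.

```powershell
# Added example (not from the Training Guide): Active Directory Recycle Bin tasks
# in PowerShell. kim_akers and the 365-day lifetime are illustrative values.
Import-Module ActiveDirectory

function Enable-ForestRecycleBin {
    # One-way operation (cannot be disabled afterwards), hence the explicit -Confirm:$false.
    $forest = Get-ADForest
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

function Set-DeletedObjectLifetime {
    param([Parameter(Mandatory)] [int] $Days)
    # msDS-deletedObjectLifetime lives on the Directory Service object in the configuration partition.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
        -Partition $configNc -Replace @{ 'msDS-deletedObjectLifetime' = $Days }
}

function Get-DeletedADObjects {
    # Deleted objects are hidden from normal searches unless -IncludeDeletedObjects is given.
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
        -IncludeDeletedObjects -Properties lastKnownParent, msDS-LastKnownRDN
}

function Restore-ADObjectWithParents {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $deleted = Get-ADObject -LDAPFilter "(&(sAMAccountName=$SamAccountName)(isDeleted=TRUE))" `
        -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $deleted) { throw "No deleted object with sAMAccountName '$SamAccountName' was found." }

    # Walk up lastKnownParent. Each deleted ancestor is pushed on a stack so that the
    # topmost deleted OU is popped (and restored) first; a child cannot be restored
    # while its parent is still deleted.
    $chain   = New-Object System.Collections.Stack
    $current = $deleted
    while ($current) {
        $chain.Push($current)
        $current = $null
        $parentDn = $chain.Peek().lastKnownParent
        if ($parentDn) {
            $parent = Get-ADObject -Identity $parentDn -IncludeDeletedObjects `
                -Properties isDeleted, lastKnownParent -ErrorAction SilentlyContinue
            if ($parent -and $parent.isDeleted) { $current = $parent }
        }
    }
    while ($chain.Count -gt 0) {
        $obj = $chain.Pop()
        Restore-ADObject -Identity $obj.ObjectGUID
        Write-Verbose "Restored $($obj.DistinguishedName)"
    }
}

# Usage
Enable-ForestRecycleBin
Set-DeletedObjectLifetime -Days 365
Get-DeletedADObjects | Format-Table Name, lastKnownParent -AutoSize
Restore-ADObjectWithParents -SamAccountName 'kim_akers' -Verbose
```

Restore-ADObjectWithParents does in code what the text describes for a deleted OU: it restores the OU first and then the user account, and it works for any depth of deleted OUs because it keeps climbing lastKnownParent until it reaches a parent that still exists.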
Quick check
What is the default length of time that a deleted object stays in the Active Directory Recycle bin?
Quick check answer
Deleted items stay in the Active Directory Recycle Bin for a default period of 180 days.
Active Directory backup
Active Directory is backed up when you perform a backup of the server’s system state. This occurs when you back up all critical volumes on a domain controller. The primary tool you use for backing up this data is Windows Server Backup, which is not installed by default on computers running Windows Server 2012 or Windows Server 2012 R2. You can install Windows Server Backup as a feature using the Add Roles And Features Wizard, as shown in Figure 4-25.
FIGURE 4-25 Installing Windows Server Backup
After Windows Server Backup is installed, you can perform a full server backup, as shown in Figure 4-26, to back up the AD DS database.
FIGURE 4-26 Full backup protects you from accidental deletion
The majority of restore operations occur because Active Directory objects were accidentally (rather than deliberately) deleted. You can configure objects to be protected from accidental deletion by editing the object properties, as shown in Figure 4-27. When you attempt to delete an object that is protected from accidental deletion, a dialog box will inform you that the object can’t be deleted because it is protected from accidental deletion. This protection must be removed before the object is deleted.
FIGURE 4-27 Protecting from accidental deletion
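The backup and the deletion protection just described can both be driven from Windows PowerShell, which is useful for checking a whole domain rather than one object's properties sheet. The following script is an added example, not part of the Training Guide. It installs Windows Server Backup, takes a system state backup with the WindowsServerBackup module, and reports OUs, user accounts and groups that are not protected from accidental deletion so they can be protected in bulk. It assumes the Active Directory and WindowsServerBackup modules on a domain controller; the backup target volume E: and the OU=Planets search base are illustrative.

```powershell
# Added example (not from the Training Guide): system state backup and accidental
# deletion protection from PowerShell. Volume E: and OU=Planets are illustrative.

function Install-BackupFeature {
    # Windows Server Backup is not installed by default (the text installs it via the wizard).
    Install-WindowsFeature -Name Windows-Server-Backup
}

function Start-SystemStateBackup {
    param([string] $TargetVolume = 'E:')
    Import-Module WindowsServerBackup
    $policy = New-WBPolicy
    Add-WBSystemState -Policy $policy                 # system state includes the AD DS database and SYSVOL
    $target = New-WBBackupTarget -VolumePath $TargetVolume
    Add-WBBackupTarget -Policy $policy -Target $target
    Start-WBBackup -Policy $policy
}

function Get-UnprotectedADObjects {
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)
    Import-Module ActiveDirectory
    # ProtectedFromAccidentalDeletion is not returned by default; request it explicitly.
    Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter '(|(objectClass=organizationalUnit)(objectCategory=person)(objectCategory=group))' `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Protect-ADObjectsFromDeletion {
    param([Parameter(Mandatory, ValueFromPipeline)] $InputObject)
    process {
        # Same effect as the "Protect object from accidental deletion" check box in Figure 4-27.
        Set-ADObject -Identity $InputObject -ProtectedFromAccidentalDeletion $true -PassThru
    }
}

# Usage
Install-BackupFeature
Start-SystemStateBackup -TargetVolume 'E:'
Get-UnprotectedADObjects | Format-Table Name, ObjectClass, DistinguishedName -AutoSize
$planets = "OU=Planets,$((Get-ADDomain).DistinguishedName)"
Get-UnprotectedADObjects -SearchBase $planets | Protect-ADObjectsFromDeletion
```

Because protected objects cannot be deleted until the protection is removed, an attempt to delete them fails in the console as the text describes, and a mass deletion by script fails the same way; the report from Get-UnprotectedADObjects shows where that safeguard is still missing.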
Active Directory recovery
The simplest way to recover deleted Active Directory objects is to use the Active Directory Recycle Bin. In some environments, the Active Directory Recycle Bin may not be enabled for business reasons; for example, if the forest is still operating at the Windows Server 2003 or Windows Server 2008 forest functional level. If the Active Directory Recycle Bin is not available, and you need to recover a deleted object, you’ll need to restart the computer in DSRM and perform an authoritative restore.
Authoritative restore
You use an authoritative restore to recover deleted Active Directory objects. You can perform an authoritative restore for objects that were deleted within the value of the tombstone lifetime setting. The default value of the tombstone lifetime is 180 days for forests set to the Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 functional level. You can modify this attribute by using ADSIEdit or by using the Set-ADObject Windows PowerShell cmdlet. Where possible, you should perform an authoritative restore on a server that also holds the Global Catalog role.
You restore from a backup that holds the items that were deleted. You then mark those items as authoritative before replication can occur. When you mark an object for authoritative restore, the version number of the object is incremented higher than the version that applies to the deleted object. This higher version means that the restored object overwrites the deleted object, which will have a lower version number.
You can use authoritative restore to restore the following objects:
Objects in domain directory partitions. These objects must be restored on any domain controller in the domain.
Objects in application directory partitions. These objects need to be restored on domain controllers that host that specific application directory partition. If the application directory partition is deleted entirely, the restoration must occur on the computer that holds the domain-naming master operations master role.
Objects in configuration directory partitions. These objects can be restored on any domain controller in the forest.
You perform an authoritative restore from DSRM, which is a special mode in which you can start a domain controller. To start a domain controller in DSRM, run msconfig.exe, select the Boot tab, and choose the Safe Boot option with Active Directory Repair, as shown in Figure 4-28. You will need the DSRM password to enter DSRM. It is set during the installation of the domain controller, but you can reset it using the following command:
Ntdsutil.exe "Set DSRM Password" "Reset Password on server NULL" quit quit
FIGURE 4-28 Booting into DSRM mode
To perform an authoritative restore, perform the following steps:
1. Locate the most recent system state backup for the domain controller on which you want to perform the restore.
2. Restart the domain controller in DSRM mode and enter the DSRM password.
3. Use Windows Server Backup to restore the system state data.
4. Use the ntdsutil.exe command with the “authoritative restore” option to restore the item. For example, to restore the object Neptune from the OU Planets in the domain contoso.com, issue the following command.
Ntdsutil.exe "authoritative restore" "restore object cn=Neptune,ou=Planets,dc=contoso,dc=com" quit quit
5. If you need to restore an OU and all objects underneath it, you can use the “restore subtree” option. For example, to restore all objects in the Planets OU of the contoso.com domain, issue the following command.
Ntdsutil.exe "authoritative restore" "restore subtree OU=Planets,dc=contoso,dc=com" quit quit
6. Restart the domain controller. The changes will replicate, restoring the deleted items.
More Info: Authoritative restore
Although this article refers to Windows Server 2008 R2, the advice it contains also applies to Windows Server 2012 and Windows Server 2012 R2. You can find it at http://technet.microsoft.com/en-us/library/cc816878(WS.10).aspx.
Non-authoritative restore
When you perform a non-authoritative restore, you restore a backup of Active Directory that's in a known good state. When rebooted, the domain controller contacts its replication partners, and their updates overwrite the restored contents with all changes that have occurred to the database since the backup was taken. Non-authoritative restores are appropriate when the Active Directory database on a domain controller has been corrupted and needs to be recovered. You don't use a non-authoritative restore to recover deleted items, because any deleted items that are restored this way will be overwritten when changes replicate from other domain controllers.
Performing a full system recovery on a domain controller functions in a similar way to performing a non-authoritative restore. When the recovered domain controller boots, all changes that have occurred in Active Directory since the backup was taken overwrite existing information in the database.
Other methods of recovering deleted items
Although the recommended way of ensuring that deleted Active Directory objects are recoverable is to enable the Active Directory Recycle Bin or to perform an authoritative restore using DSRM, you can also use tombstone reanimation to recover a deleted object. Tombstone reanimation involves using the ldp.exe utility to modify the attributes of the deleted object so that it no longer has the deleted attribute. Because tombstone reanimation can lead to unpredictable results, you should use it only if no backups of the system state data exist and you haven't enabled the Active Directory Recycle Bin.
Although Active Directory snapshots do represent copies of the Active Directory database at a particular point in time, you should use mounted snapshots only to determine which backup contains the items you want to authoritatively restore. It is possible to export objects from snapshots and to reimport them into Active Directory using tools such as LDIFDE, but this can lead to unpredictable results.
Lesson summary
The Active Directory Recycle Bin is enabled on a per-forest basis and can’t be disabled after it’s enabled.
The Active Directory Recycle Bin requires a minimum forest functional level of Windows Server 2008 R2.
By default, objects stay in the Active Directory Recycle Bin for 180 days. You can modify this length of time by changing the value of the msDS-deletedObjectLifetime attribute using the Set-ADObject cmdlet or the ldp.exe utility.
Items recovered from the Active Directory Recycle Bin retain their original attributes, such as group membership and permissions.
You can’t use the Active Directory Recycle Bin to recover an item deleted before you enabled Active Directory Recycle Bin.
You can back up the Active Directory database by backing up the system state data of a domain controller.
Perform an authoritative restore from DSRM to recover deleted objects if the Active Directory Recycle Bin has not been enabled.
Where possible, you should perform authoritative restore operations on a Global Catalog server.
Lesson review
Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.
1. What is the minimum forest functional level required to enable Active Directory Recycle Bin?
A. Windows Server 2003
B. Windows Server 2008
C. Windows Server 2008 R2
D. Windows Server 2012
2. Which console enables you to use Active Directory Recycle Bin? (Choose all that apply.)
A. Active Directory Users And Computers
B. Active Directory Administrative Center
C. Active Directory Sites And Services
D. Active Directory Domain
3. A domain controller’s AD DS database has become corrupt. You have a backup of all critical volumes, which include system state data, from earlier in the week. No important Active Directory objects have been deleted. Which of the following steps do you need to take to recover Active Directory? (Choose all that apply.)
A. Restart in DSRM.
B. Restore system state data.
C. Perform an authoritative restore.
D. Perform a non-authoritative restore.
4. Which of the following techniques can you use to recover deleted user accounts in a three-domain forest configured to run at the Windows Server 2008 forest functional level? (Choose all that apply.)
A. Authoritative restore using DSRM.
B. Non-authoritative restore using DSRM.
C. Restore by using the Active Directory Recycle Bin.
D. Restore by editing Active Directory attributes with ldp.exe.
5. You want to minimize the chance that important user and computer accounts can be deleted. Which of the following steps can you take to accomplish this goal?
A. Enable the Active Directory Recycle Bin.
B. Configure Deleted Item Protection.
C. Enable DSRM.
D. Change the value of the msDS-deletedObjectLifetime attribute.
Practice exercises
The goal of this section is to provide you with hands-on practice with the following:
Managing operations master roles
Deploying a read-only domain controller
Configuring Global Catalog server placement
Defragmenting the AD DS database
Performing file and semantic integrity checks in the Active Directory database
Creating and viewing snapshots of the AD DS database
Enabling and using Active Directory Recycle Bin
Performing Active Directory backup and restore
To perform the exercises in this section, you need access to an evaluation version of Windows Server 2012 R2. You should also have access to virtual machines SYD-DC, MEL-DC, CBR-DC, and ADL-DC, the setup instructions for which are described in the Introduction. You should ensure that you have a checkpoint of these virtual machines that you can revert to at the end of the practice exercises. You should revert the virtual machines to this initial state prior to beginning these exercises.
Exercise 1: Domain controller installation
In this exercise, you perform several domain controller management tasks, including transferring operations master roles, deploying an RODC, configuring a Global Catalog server, and using UGMC. To complete this exercise, perform the following steps:
1. Power on computers SYD-DC and MEL-DC.
2. Sign on to MEL-DC as Administrator with the password Pa$$w0rd.
3. Open the Windows PowerShell prompt and type the following command.
Add-Computer -DomainName contoso.com
4. In the Windows PowerShell Credentials dialog box type don_funk@contoso.com and Pa$$w0rd, and click OK.
5. Type the following command in the Windows PowerShell prompt to restart the computer.
Restart-Computer
6. Sign on to computer SYD-DC as Contoso\don_funk.
7. In Server Manager, click All Servers.
8. On the Manage menu, click Add Servers.
9. In the Add Servers dialog box, click Find Now.
10. In the list of servers, click MEL-DC, click the arrow to add MEL-DC to the selected list, as shown in Figure 4-29, and click OK.
FIGURE 4-29 Adding a server
11. In Server Manager, click All Servers, and click MEL-DC.
12. In the Manage menu, click Add Roles And Features.
13. On the Before You Begin page of the Add Roles And Features Wizard, click Next.
14. On the Installation Type page, click Role-Based Or Feature-Based Installation, and click Next.
15. On the Select Destination Server page, shown in Figure 4-30, click MEL-DC.contoso.com, and click Next.
FIGURE 4-30 Selecting a destination server
16. In the Select Server Roles dialog box, click Active Directory Domain Services, as shown in Figure 4-31. The Add Roles And Features dialog box opens.
FIGURE 4-31 Adding the Active Directory Domain Services role
17. In the Add Roles And Features dialog box, click Add Features.
18. On the Select Server Roles page, click Next.
19. On the Select Features page, click Next.
20. On the Active Directory Domain Services page, click Next.
21. On the Confirmation page, select the Restart The Destination Server Automatically If Required check box, as shown in Figure 4-32, click Install, and click Close.
FIGURE 4-32 Restart the server if required
22. In Server Manager, click All Servers, and click MEL-DC. Click the Warning notification item. Click Promote This Server To A Domain Controller.
23. On the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard, click Add A Domain Controller To An Existing Domain, and ensure that the Domain option is set to Contoso.com, as shown in Figure 4-33.
FIGURE 4-33 Adding a domain controller to an existing domain
24. Click Change. In the Windows Security dialog box, configure the following credentials and click OK:
Username: Contoso\don_funk
Password: Pa$$w0rd
25. In the Deployment Configuration dialog box, click Next.
26. On the Domain Controller Options page, configure and confirm the DSRM password Pa$$w0rd, as shown in Figure 4-34.
FIGURE 4-34 Configuring domain controller options
27. On the DNS Options page, click Next.
28. On the Additional Options page, click the arrow next to Replicate From, and click SYD-DC.contoso.com, as shown in Figure 4-35. Click Next.
FIGURE 4-35 Configuring additional options
29. On the Paths page, click Next.
30. On the Review Options page, click Next.
31. On the Prerequisites Check page, review the results to ensure that only Warning messages are present and no Error messages are present, as shown in Figure 4-36, and then click Install.
FIGURE 4-36 Prerequisite check
32. Click Close.
33. In Server Manager, click the AD DS node, and verify the presence of MEL-DC as a domain controller.
Exercise 2: RODC deployment
In this exercise, you deploy an RODC. To complete this exercise, perform the following steps:
1. Power on ADL-DC and sign on as Administrator with the password Pa$$w0rd.
2. Open the Windows PowerShell prompt and type the following command.
Add-Computer -DomainName contoso.com
3. In the Windows PowerShell Credentials dialog box type don_funk@contoso.com and Pa$$w0rd, and click OK.
4. Type the following command in the Windows PowerShell prompt to restart the computer.
Restart-Computer
5. Ensure you are signed on to SYD-DC as contoso\don_funk.
6. In Server Manager on SYD-DC, click All Servers.
7. Click Manage, and click Add Servers.
8. In the Add Servers dialog box, click Find Now.
9. Click ADL-DC and click the arrow to add ADL-DC to the list of selected computers, as shown in Figure 4-37, and click OK.
FIGURE 4-37 Adding servers
10. Click All Servers, and then click ADL-DC. On the Manage menu, click Add Roles And Features.
11. On the Before You Begin page, click Next.
12. On the Installation Type page, click Role-Based Or Feature-Based Installation, and click Next.
13. On the Select Destination Server page, click ADL-DC.contoso.com, as shown in Figure 4-38, and click Next.
FIGURE 4-38 Selecting ADL-DC.contoso.com
14. On the Server Roles page, click Active Directory Domain Services. You will be prompted by the Add Roles And Features dialog box. Click Add Features, and click Next.
15. On the Features page, click Next.
16. On the Active Directory Domain Services page, click Next.
17. On the Confirmation page, click Restart The Destination Server Automatically If Required, click Install, and click Close.
18. In Server Manager, click All Servers, and click ADL-DC.
19. Click the Warning notification icon, and click Promote This Server To A Domain Controller.
20. On the Deployment Configuration page, click Add A Domain Controller To An Existing Domain, and click Change next to <No Credentials Provided>.
21. In the Windows Security dialog box, configure the following credentials, as shown in Figure 4-39, and click OK.
Username: Contoso\don_funk
Password: Pa$$w0rd
FIGURE 4-39 Providing credentials for domain controller promotion
22. On the Deployment Configuration page, click Next.
23. On the Domain Controller Options page, click Read Only Domain Controller (RODC), and configure the following Directory Services Restore Mode password: Pa$$w0rd, as shown in Figure 4-40, and click Next.
FIGURE 4-40 Configuring a domain controller as an RODC
24. On the RODC Options page, click BUILTIN\Backup Operators, and click Remove. Click BUILTIN\Account Operators, and click Remove, as shown in Figure 4-41, and click Next.
FIGURE 4-41 Configuring RODC password replication
25. On the Additional Options page, click Any Domain Controller, and then click MEL-DC.contoso.com. Click Next.
26. On the Paths page, shown in Figure 4-42, review the default paths, and then click Next.
FIGURE 4-42 Configuring database, log files, and SYSVOL location
27. On the Review Options page, click Next.
28. On the Prerequisites Check page, verify that no error messages are present, and click Install. When the installation completes, click Close.
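Exercises 1 and 2 can also be completed from Windows PowerShell with the ADDSDeployment module, which exposes the same options as the wizard pages. The following script is an added example, not part of the Training Guide. Each function is run locally on the server being promoted after it has joined contoso.com (the Add-Computer and Restart-Computer steps). It assumes that installing the AD DS role makes the ADDSDeployment module available, that the site name Default-First-Site-Name is the forest default, and that the three accounts kept in the RODC deny list are the wizard's defaults that remain after Exercise 2 removes Backup Operators and Account Operators; that default list is an assumption, not something the exercise states.

```powershell
# Added example (not from the Training Guide): scripted equivalents of Exercise 1
# (MEL-DC, writable DC replicating from SYD-DC) and Exercise 2 (ADL-DC, RODC
# replicating from MEL-DC). Run each function on the server being promoted.

function Install-WritableDc {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [securestring] $DsrmPassword,
        [string] $ReplicationSource = 'SYD-DC.contoso.com'
    )
    # Role plus management tools (the wizard's "Add Features" prompt).
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    Import-Module ADDSDeployment

    # Equivalent of the wizard's Prerequisites Check page: stop on anything but Success.
    $check = Test-ADDSDomainControllerInstallation -DomainName 'contoso.com' -Credential $Credential `
        -SafeModeAdministratorPassword $DsrmPassword -ReplicationSourceDC $ReplicationSource
    if ($check.Status -ne 'Success') { throw "Prerequisite check failed: $($check.Message)" }

    # -SafeModeAdministratorPassword is the DSRM password configured on the Domain Controller Options page.
    Install-ADDSDomainController -DomainName 'contoso.com' -Credential $Credential `
        -SafeModeAdministratorPassword $DsrmPassword -ReplicationSourceDC $ReplicationSource `
        -InstallDns:$true -Force
}

function Install-Rodc {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [securestring] $DsrmPassword,
        [string] $ReplicationSource = 'MEL-DC.contoso.com'
    )
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    Import-Module ADDSDeployment

    # Accounts whose passwords must never be cached on the RODC. Assumed to be the
    # wizard defaults left in place after removing Backup Operators and Account Operators.
    $denyList = @('BUILTIN\Administrators',
                  'BUILTIN\Server Operators',
                  'CONTOSO\Denied RODC Password Replication Group')

    # -ReadOnlyReplica requires -SiteName; the RODC replicates from MEL-DC as in step 25.
    Install-ADDSDomainController -DomainName 'contoso.com' -Credential $Credential `
        -SafeModeAdministratorPassword $DsrmPassword -ReplicationSourceDC $ReplicationSource `
        -ReadOnlyReplica -SiteName 'Default-First-Site-Name' `
        -DenyPasswordReplicationAccountName $denyList -InstallDns:$true -Force
}

# Usage: gather the credentials interactively, then call the function for the server you are on.
# The server restarts when promotion completes.
$cred = Get-Credential -UserName 'Contoso\don_funk' -Message 'Domain credentials for promotion'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'
Install-WritableDc -Credential $cred -DsrmPassword $dsrm    # on MEL-DC (Exercise 1)
# Install-Rodc -Credential $cred -DsrmPassword $dsrm         # on ADL-DC (Exercise 2)

# After the restart, verify from SYD-DC (the PowerShell counterpart of step 33):
# Get-ADDomainController -Filter * | Format-Table Name, IsReadOnly, IsGlobalCatalog, Site -AutoSize
```

Running Test-ADDSDomainControllerInstallation before Install-ADDSDomainController mirrors the wizard's rule that only warnings, not errors, may be present before you click Install, and keeps the script from half-promoting a server when a prerequisite is missing.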
Exercise 3: Transfer operations master roles
In this exercise, you transfer several operations master roles from SYD-DC to MEL-DC. To complete this exercise, perform the following steps:
1. In Server Manager on SYD-DC, click the Tools menu, and then click Active Directory Users And Computers.
2. Click Contoso.com. On the Action menu, click Change Domain Controller.
3. In the Change Directory Server dialog box, click MEL-DC.contoso.com, as shown in Figure 4-43, and then click OK.
FIGURE 4-43 Selecting a domain controller
4. In Active Directory Users And Computers, click Contoso.com. On the Action menu, click Operations Masters.
5. In the PDC tab of the Operations Masters dialog box, click Change.
6. In the Active Directory Domain Services dialog box, click Yes, and then click OK.
7. Verify that the PDC tab of the Operations Masters dialog box shows the PDC operations master as MEL-DC.contoso.com, as shown in Figure 4-44, and then click the Infrastructure tab.
FIGURE 4-44 Transferring the PDC emulator role
8. On the Infrastructure tab, click Change.
9. In the Active Directory Domain Services dialog box, click Yes, and then click OK.
10. Verify that the infrastructure master role is assigned to MEL-DC.contoso.com, as shown in Figure 4-45, and click Close.
FIGURE 4-45 Transferring the infrastructure master role
11. Close Active Directory Users And Computers.
12. Right-click the Windows PowerShell item on the taskbar, and click Run As Administrator.
13. Type the following command to register the Active Directory Schema snap-in.
Regsvr32.exe schmmgmt.dll
14. In the RegSvr32 dialog box, click OK.
15. Close the Windows PowerShell window.
16. Right-click the Start icon, click Run, and type mmc.exe.
17. In the Console1 – Console Root dialog box, click File, and click Add/Remove Snap-In.
18. In the Add Or Remove Snap-Ins dialog box, click Active Directory Schema, and click Add, as shown in Figure 4-46. Click OK.
FIGURE 4-46 Adding an Active Directory Schema snap-in
19. In Console1, click Active Directory Schema.
20. On the Action menu, click Change Active Directory Domain Controller.
21. In the Change Directory Server dialog box, click MEL-DC.contoso.com, and click OK.
22. In the Active Directory Schema dialog box, click OK.
23. In Console1, click Active Directory Schema.
24. On the Action menu, click Operations Master.
25. In the Change Schema Master dialog box, shown in Figure 4-47, click Change.
FIGURE 4-47 Changing the schema master
26. In the Active Directory Schema dialog box, click Yes, and then click OK.
27. Verify that the schema master role has been transferred to MEL-DC.contoso.com, and click Close.
28. Close Console1.
29. On the Tools menu, click Active Directory Domains And Trusts.
30. On the Action menu of the Active Directory Domains And Trusts console, click Change Active Directory Domain Controller.
31. In the Change Directory Server dialog box, click MEL-DC.contoso.com, and click OK.
32. On the Action menu, click Operations Master.
33. In the Operations Master dialog box, click Change.
34. In the Active Directory Domains And Trusts dialog box, click Yes, and click OK.
35. Verify that the domain naming master role has been moved to MEL-DC.contoso.com, and click Close.
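The four role transfers in Exercise 3 are a single cmdlet call in Windows PowerShell, and the Get-ADForest and Get-ADDomain cmdlets introduced at the start of the chapter provide the verification. The following script is an added example, not part of the Training Guide. It records the role holders before and after the transfer and reports which roles moved. It assumes the Active Directory module and an account that, like the GUI steps, holds Domain Admins, Schema Admins and Enterprise Admins membership.

```powershell
# Added example (not from the Training Guide): scripted equivalent of Exercise 3,
# transferring the PDC emulator, infrastructure master, schema master and domain
# naming master roles to MEL-DC and verifying the result.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-level roles come from Get-ADForest, domain-level roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)] [string] $TargetDc,
        [string[]] $Roles = @('PDCEmulator', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster')
    )
    $before = Get-FsmoRoleHolders

    # Without -Force this is a transfer, which needs the current holder online;
    # -Force would seize the role, the PowerShell equivalent of the ntdsutil seize
    # used when a holder has been permanently lost.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Roles -Confirm:$false

    $after = Get-FsmoRoleHolders
    foreach ($role in $Roles) {
        [pscustomobject]@{
            Role   = $role
            Before = $before[$role]
            After  = $after[$role]
            Moved  = ($after[$role] -like "$TargetDc*")
        }
    }
}

# Usage: the RID master stays on SYD-DC, as in the exercise.
Move-FsmoRoles -TargetDc 'MEL-DC' | Format-Table -AutoSize
```

The Before/After table replaces the per-console verification steps (the Operations Masters dialog box, the Active Directory Schema snap-in and Active Directory Domains And Trusts), and the same Get-FsmoRoleHolders function can be run on its own whenever you need to confirm where the roles currently sit.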
Exercise 4: Active Directory Recycle Bin
In this exercise, you perform several operations related to deleting and recovering items from Active Directory. To complete this exercise, perform the following steps:
1. On the Tools menu of the Server Manager console, click Active Directory Administrative Center.
2. In the Active Directory Administrative Center, click Contoso (Local).
3. In the Tasks pane, click Change Domain Controller.
4. In the Change Domain Controller dialog box, click MEL-DC, and click Change.
5. In the Tasks pane of the Active Directory Administrative Center, click Enable Recycle Bin.
6. In the Enable Recycle Bin Confirmation dialog box, shown in Figure 4-48, click OK.
FIGURE 4-48 Enabling the Active Directory Recycle Bin
7. Review the message in the Active Directory Administrative Center dialog box, and click OK.
8. In the Active Directory Administrative Center, double-click the Users container.
9. In the Tasks pane, click New, and click User.
10. In the Create User dialog box, configure the following information and click OK:
Full name: Kim Akers
User SamAccountName: contoso\kim_akers
11. In the Tasks pane, click New, and click Group.
12. In the Create Group dialog box, configure the following information and click OK:
Group Name: Don_Funk_Reports
Members: Contoso\don_funk, Contoso\kim_akers
13. In the Active Directory Administrative Center, hold down the Ctrl key and click Kim Akers and Don_Funk_Reports.
14. In the Tasks pane, click Delete.
15. In the Delete Confirmation dialog box, click Yes.
16. In Active Directory Administrative Center, click Contoso (Local).
17. Double-click the Deleted Objects container. If this container is not present, click Refresh.
18. Verify that Kim Akers and Don_Funk_Reports are present, as shown in Figure 4-49.
FIGURE 4-49 Recycle Bin contents
19. Select both Don_Funk_Reports and Kim Akers.
20. In the Tasks pane, click Restore.
21. Click the Users container. Verify that Kim Akers and Don_Funk_Reports have been restored.
22. Verify that Don Funk and Kim Akers are members of the restored Don_Funk_Reports security group.
Suggested practice exercises
The following additional practice exercises are designed to give you more opportunities to practice what you’ve learned and to help you successfully master the lessons presented in this chapter.
Exercise 1 Remove the Global Catalog server role from SYD-DC.
Exercise 2 Shut down MEL-DC to simulate irrecoverable failure of this server. Use Active Directory Users And Computers to clean up the Active Directory metadata. Verify that the operations master roles have been restored to SYD-DC.
Exercise 3 Create a new OU and populate it with two user accounts. Configure one of the user accounts to be protected from deletion. Attempt to delete the user account. Remove the deletion protection and then delete the OU and the two user accounts. Recover only one of the user accounts.
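The Exercise 4 workflow, together with the deletion-protection check from suggested Exercise 3, as Windows PowerShell. This is an added example, not code from the training guide; it assumes the ActiveDirectory module on a domain controller, an account in Enterprise Admins, and the lab names contoso.com, MEL-DC.contoso.com and don_funk from the chapter.

```powershell
Import-Module ActiveDirectory

$Server  = 'MEL-DC.contoso.com'   # same DC as the Change Domain Controller step
$UsersDN = "CN=Users,$((Get-ADDomain -Server $Server).DistinguishedName)"

# 1. Enable the Recycle Bin. It needs the Windows Server 2008 R2 forest functional
#    level or later and cannot be turned off again, so check before enabling.
$Forest  = Get-ADForest -Server $Server
$Feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $Server
if ([int]$Forest.ForestMode -lt [int]$Feature.RequiredForestMode) {
    throw "Forest mode $($Forest.ForestMode) is below $($Feature.RequiredForestMode)"
}
if (-not $Feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $Feature -Scope ForestOrConfigurationSet `
        -Target $Forest.Name -Server $Server -Confirm:$false
}

# 2. Create the Exercise 4 test objects (don_funk already exists in the lab).
New-ADUser  -Name 'Kim Akers' -SamAccountName 'kim_akers' -Path $UsersDN -Server $Server
New-ADGroup -Name 'Don_Funk_Reports' -GroupScope Global -GroupCategory Security `
    -Path $UsersDN -Server $Server
Add-ADGroupMember -Identity 'Don_Funk_Reports' -Members 'don_funk','kim_akers' -Server $Server

# Suggested Exercise 3: with ProtectedFromAccidentalDeletion set, the delete is refused
# until the flag is cleared. This is the control that stops most mistaken deletions.
$Kim = Get-ADUser -Identity 'kim_akers' -Server $Server
Set-ADObject -Identity $Kim -ProtectedFromAccidentalDeletion $true -Server $Server
try   { Remove-ADUser -Identity $Kim -Server $Server -Confirm:$false -ErrorAction Stop }
catch { Write-Warning "Delete blocked as expected: $($_.Exception.Message)" }
Set-ADObject -Identity $Kim -ProtectedFromAccidentalDeletion $false -Server $Server

# 3. Delete both objects, then list what the Deleted Objects container holds. Deleted
#    objects keep isDeleted, lastKnownParent and their linked attributes (group
#    membership) until msDS-DeletedObjectLifetime expires, so no DSRM restore is needed.
Remove-ADGroup -Identity 'Don_Funk_Reports' -Server $Server -Confirm:$false
Remove-ADUser  -Identity $Kim -Server $Server -Confirm:$false
$Deleted = Get-ADObject -Server $Server -IncludeDeletedObjects -Properties lastKnownParent `
    -Filter { isDeleted -eq $true -and lastKnownParent -eq $UsersDN }
$Deleted | Format-Table Name, ObjectClass, lastKnownParent -AutoSize

# 4. Restore both objects into their last known parent and verify that the group
#    membership survived the round trip (the equivalent of steps 20 to 22).
$Deleted | Restore-ADObject -Server $Server
Get-ADGroupMember -Identity 'Don_Funk_Reports' -Server $Server | Select-Object SamAccountName
```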
Answers
This section contains the answers to the lesson review questions in this chapter.
Lesson 1
1. Correct answers: A, B, and D
A. Correct. To create copies of virtualized domain controllers, the hypervisor on which the virtual machine (VM) is running must support VM-GenerationID.
B. Correct. To create a copy of a virtualized domain controller, the source domain controller must be a member of the Cloneable Domain Controllers security group.
C. Incorrect. The schema master does not need to be online or running Windows Server 2012 or Windows Server 2012 R2 for domain controller cloning to function.
D. Correct. The PDC emulator must be online and running Windows Server 2012 or Windows Server 2012 R2 for domain controller cloning to function.
2. Correct answer: B
A. Incorrect. The infrastructure master is responsible for keeping track of changes made in other domains that influence objects in the local domain.
B. Correct. The PDC emulator is responsible for managing password changes, synchronizing clocks, functioning as the master browser, and managing updates to Group Policy.
C. Incorrect. The RID master generates pools of relative identifiers. They are combined with identifiers generated by domain controllers to ensure that domain SIDs are unique.
D. Incorrect. The domain-naming master is responsible for managing the addition and deletion of domains and application partitions in the forest.
E. Incorrect. The schema master is responsible for managing updates made to the Active Directory schema.
3. Correct answer: E
A. Incorrect. The infrastructure master is responsible for keeping track of changes made in other domains that influence objects in the local domain.
B. Incorrect. The PDC emulator is responsible for managing password changes, synchronizing clocks, functioning as the master browser, and managing updates to Group Policy.
C. Incorrect. The RID master generates pools of relative identifiers. They are combined with identifiers generated by domain controllers to ensure that domain SIDs are unique.
D. Incorrect. The domain-naming master is responsible for managing the addition and deletion of domains and application partitions in the forest.
E. Correct. The schema master is responsible for managing updates made to the Active Directory schema.
4. Correct answer: C
A. Incorrect. The infrastructure master is responsible for keeping track of changes made in other domains that influence objects in the local domain.
B. Incorrect. The PDC emulator is responsible for managing password changes, synchronizing clocks, functioning as the master browser, and managing updates to Group Policy.
C. Correct. The RID master generates pools of relative identifiers. They are combined with identifiers generated by domain controllers to ensure that domain SIDs are unique.
D. Incorrect. The domain-naming master is responsible for managing the addition and deletion of domains and application partitions in the forest.
E. Incorrect. The schema master is responsible for managing updates made to the Active Directory schema.
5. Correct answer: D
A. Incorrect. The infrastructure master is responsible for keeping track of changes made in other domains that influence objects in the local domain.
B. Incorrect. The PDC emulator is responsible for managing password changes, synchronizing clocks, functioning as the master browser, and managing updates to Group Policy.
C. Incorrect. The RID master generates pools of relative identifiers. They are combined with identifiers generated by domain controllers to ensure that domain SIDs are unique.
D. Correct. The domain-naming master is responsible for managing the addition and deletion of domains and application partitions in the forest.
E. Incorrect. The schema master is responsible for managing updates made to the Active Directory schema.
Lesson 2
1. Correct answer: B
A. Incorrect. You use this command to dismount a snapshot.
B. Correct. You use this command to mount a snapshot.
C. Incorrect. You use this command to create a snapshot.
D. Incorrect. You use this command to perform a semantic analysis of the Active Directory database.
2. Correct answer: B
A. Incorrect. You use this command to perform an integrity check of the file that hosts the Active Directory database.
B. Correct. You use this command to defragment the AD DS database.
C. Incorrect. You use this command to dismount a snapshot.
D. Incorrect. You use this command to mount a snapshot.
3. Correct answers: A and D
A. Correct. You use this command to create a snapshot.
B. Incorrect. You use this command to perform a check of the logical integrity of the Active Directory database.
C. Incorrect. You use this command to perform an integrity check of the file that hosts the Active Directory database.
D. Correct. You use this command to defragment the AD DS database.
4. Correct answer: C
A. Incorrect. You use this command to perform a check of the logical integrity of the Active Directory database.
B. Incorrect. You use this command to defragment the AD DS database.
C. Correct. You use this command to perform an integrity check of the file that hosts the Active Directory database.
D. Incorrect. You use this command to mount a snapshot.
5. Correct answer: D
A. Incorrect. You use this command to create a snapshot.
B. Incorrect. You use this command to perform an integrity check of the file that hosts the Active Directory database.
C. Incorrect. You use this command to mount a snapshot.
D. Correct. You use this command to perform a check of the logical integrity of the Active Directory database.
Lesson 3
1. Correct answer: C
A. Incorrect. The minimum forest functional level required to enable the Active Directory Recycle Bin is Windows Server 2008 R2.
B. Incorrect. The minimum forest functional level required to enable the Active Directory Recycle Bin is Windows Server 2008 R2.
C. Correct. The minimum forest functional level required to enable the Active Directory Recycle Bin is Windows Server 2008 R2.
D. Incorrect. The minimum forest functional level required to enable the Active Directory Recycle Bin is Windows Server 2008 R2.
2. Correct answer: B
A. Incorrect. The Active Directory Recycle Bin is available through Active Directory Administrative Center.
B. Correct. The Active Directory Recycle Bin is available through Active Directory Administrative Center.
C. Incorrect. The Active Directory Recycle Bin is available through Active Directory Administrative Center.
D. Incorrect. The Active Directory Recycle Bin is available through Active Directory Administrative Center.
3. Correct answers: B and D
A. Incorrect. You only have to restart in DSRM when performing an authoritative restore.
B. Correct. Restoring the system state data restores the uncorrupted Active Directory database.
C. Incorrect. You only have to perform an authoritative restore when you are recovering deleted items.
D. Correct. Performing a non-authoritative restore enables you to recover the AD DS database when it has become corrupted.
4. Correct answers: A and D
A. Correct. In environments in which the Active Directory Recycle Bin is not available, you need to perform an authoritative restore to recover deleted Active Directory objects.
B. Incorrect. You can’t use a non-authoritative restore to recover deleted items.
C. Incorrect. You can’t use the Active Directory Recycle Bin with a forest configured to run at the Windows Server 2008 forest functional level.
D. Correct. Although it is possible to restore items by editing Active Directory attributes, this method is not recommended.
5. Correct answer: B
A. Incorrect. Enabling the Active Directory Recycle Bin does not minimize the chance that items will be deleted.
B. Correct. Configuring deleted item protection minimizes the chance that a specific item will be deleted.
C. Incorrect. You use DSRM to recover deleted items. You can’t use this mode to minimize the chance that items will be deleted.
D. Incorrect. Changing the value of this attribute modifies how long you have to recover items using Active Directory Recycle Bin.