646 Chapter 19 • Ensuring Active Directory Availability

Figure 19.8 The Restore Progress Dialog Box During a Restore

Figure 19.9 The Restore Progress Dialog Box After the Restore Has Completed

Figure 19.10 The Restore Log

22. Click the Yes button in the Backup Utility dialog box when prompted to restart, and reboot the server normally.
Authoritative Restore

There are times when a normal restore of Active Directory isn’t sufficient; for example, when you accidentally delete an OU. Within a few minutes, the deletion will have replicated to the other DCs in the domain. If you perform a normal restore in an effort to repopulate the OU back into Active Directory, it will not work. When the DC reboots after the restore and replicates with its replication partners, they will have a higher version number for the deleted OU, and the restored DC will be told to delete the object all over again. To restore the object, you must use an authoritative restore.

An authoritative restore is like a normal restore, up to a point. Once the system state data has been restored, rather than rebooting the server, the Ntdsutil command-line utility is used to mark one or more objects as authoritative. This gives them a very high version number so that when the server is rebooted and the replication process takes place, the other servers in the domain will see the high version number and replicate the object to their own Active Directory databases.

To restore a database authoritatively, follow the steps from the preceding section up to number 18, and then proceed to these steps:

1. Click the No button in the Backup Utility dialog box when asked to restart.
2. Close the Backup utility, if it does not close by itself.
3. Open a command prompt (click Start | Run and type cmd).
4. Type ntdsutil to enter the Ntdsutil utility. Note that this is a command-line utility, so the command prompt will change to ntdsutil:.
5. Type authoritative restore. The command prompt should change to display authoritative restore:.
6. Use one of the following commands to mark Active Directory or a portion of it as authoritative:
   • Type restore database to mark the domain and configuration containers of the database as authoritative. The schema container cannot be marked as authoritative; consequently, an authoritative restore cannot be performed for the schema. Because you cannot delete objects from the schema, this is not an issue.
   • Type restore subtree followed by the distinguished name of the object in Active Directory that you want to restore; for example, restore subtree OU=student,DC=syngress,DC=com to restore the OU named “student” in the syngress.com domain.
   • The verinc option can be used with either the restore database or restore subtree command. Remember, when an object or the database is restored authoritatively, a large version number is applied to it. The verinc option is designed to be used when you need to perform another authoritative restore on top of an existing authoritative restore. It allows you to choose your own version number, thus ensuring that it will be higher than the one used previously by the utility. The proper syntax is restore database verinc %d or restore subtree verinc %d, with %d being the desired increment for the version number.
7. Click Yes in the Authoritative Restore Confirmation dialog box, as shown in Figure 19.11.

Figure 19.11 The Authoritative Restore Confirmation Dialog Box

8. Review the screen output while the command completes. Figure 19.12 shows the completed operation.

Figure 19.12 The Completed Authoritative Restore Process

9. Type quit to return to the ntdsutil: prompt.
10. Type quit again to exit the utility.
11. Close the command prompt and reboot the server normally.

Primary Restore

The primary restore method is new in Windows Server 2003, and is designed for situations where all DCs for a given domain have gone down and you need to rebuild the domain from backup. The first server that is restored in this situation should be restored using this method. Additional DCs can be restored using the normal restore method. A primary restore is also the new preferred method to use when restoring what Microsoft refers to as a standalone DC, which means the DC in a domain with only one DC. If you have a domain with only one DC and that server goes down, use this method to restore it.
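The authoritative-restore commands above can also be handed to ntdsutil as quoted arguments instead of being typed one prompt at a time, which is easier to review and record before it is run. The following PowerShell is an added example, not code from the book: it assembles that command list, rejects a malformed distinguished name and any DN inside the schema container (which, as the text notes, cannot be restored authoritatively), appends verinc only when an increment is given, and runs nothing unless -Execute is supplied. It assumes Windows PowerShell 3.0 or later, that ntdsutil.exe accepts its commands as arguments, and that you have already completed the system state restore in Directory Services Restore Mode; the DN is constructed sample data taken from the text.

```powershell
# Added example (not from the book): build the non-interactive ntdsutil command
# line for an authoritative restore and print it for review before running it.
# Assumes ntdsutil.exe accepts its menu commands as quoted arguments.

function New-AuthoritativeRestoreCommand {
    param(
        [string]$SubtreeDn,           # omit to run "restore database"
        [int]$VersionIncrement = 0    # becomes "verinc %d"; 0 lets ntdsutil choose
    )
    if ($SubtreeDn) {
        # Cheap syntax check: a DN is a comma-separated list of attr=value pairs.
        if ($SubtreeDn -notmatch '^([A-Za-z]+=[^,]+)(,[A-Za-z]+=[^,]+)*$') {
            throw "'$SubtreeDn' does not look like a distinguished name"
        }
        # The schema container cannot be marked authoritative (book text, above).
        if ($SubtreeDn -match 'CN=Schema,CN=Configuration,') {
            throw 'The schema container cannot be restored authoritatively'
        }
        $restore = "restore subtree $SubtreeDn"
    } else {
        $restore = 'restore database'
    }
    if ($VersionIncrement -gt 0) { $restore += " verinc $VersionIncrement" }
    # ntdsutil walks its menus in order: enter the submenu, restore, quit twice.
    return @('authoritative restore', $restore, 'quit', 'quit')
}

function Invoke-AuthoritativeRestore {
    param(
        [Parameter(Mandatory)][string[]]$Commands,
        [switch]$Execute
    )
    $quoted = ($Commands | ForEach-Object { '"' + $_ + '"' }) -join ' '
    Write-Host "ntdsutil $quoted"
    if ($Execute) { & ntdsutil.exe $Commands }   # only in DSRM, after the system state restore
}

# Sample DN from the book's own example (constructed input).
$cmds = New-AuthoritativeRestoreCommand -SubtreeDn 'OU=student,DC=syngress,DC=com'
Invoke-AuthoritativeRestore -Commands $cmds            # prints the command line only

# Second restore on top of an earlier one: choose the increment yourself.
$again = New-AuthoritativeRestoreCommand -SubtreeDn 'OU=student,DC=syngress,DC=com' -VersionIncrement 200000
Invoke-AuthoritativeRestore -Commands $again
```

Printing the command line first gives you something to paste into the change record; adding -Execute performs the same restore the interactive steps 4 through 6 describe, after which steps 7 through 11 still apply.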
Performing a primary restore is similar to performing a normal restore. The only difference is that you select the check box next to When restoring replicated data sets, mark the restored data as the primary data for all replicas in the Advanced portion of the Restore wizard.

Troubleshooting Active Directory Availability

Microsoft recommends checking the Event Viewer logs and careful monitoring of performance counters as initial steps when troubleshooting Active Directory availability. Another important factor to consider when troubleshooting Active Directory is name resolution. Windows 2000 and later computers use the DNS service to locate Active Directory components, including GC servers and DCs.

Setting Logging Levels for Additional Detail

The default level of logging for all aspects of Active Directory is 0. This is the lowest level of logging, and while it guarantees that fatal and critical errors will be logged, it omits substantial amounts of information that can be beneficial when troubleshooting. The possible range is from 0 (which logs the least amount of information) to 5 (which logs the most). Most of the information is logged to the application log in Event Viewer. Setting the logging value above 3 for any aspect of Active Directory can fill the application log very quickly and substantially degrade system performance. In general, the level should be elevated temporarily, and only in instances when you need more information for troubleshooting purposes.

There is a wide range of individual aspects of Active Directory for which you can specify individual logging levels by editing the Registry. All of the pertinent values are located in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics Registry subkey.
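Because a raised level is meant to be temporary, the practical risk is forgetting to put it back. The following PowerShell is an added example, not code from the book: it lists the current level of every category under the Diagnostics subkey named above, refuses values outside 0 to 5, warns when a level above 3 is requested, and wraps a troubleshooting window in try/finally so the previous level is restored even if the probe fails. It assumes Windows PowerShell 3.0 or later run as an administrator on the DC. The category name '5 Replication Events' is one of the standard value names under that key but is not on the page; list the key first and substitute the category you need.

```powershell
# Added example (not from the book): inspect, temporarily raise, and restore
# an NTDS diagnostics logging level. Assumes the registry subkey named in the
# text and Windows PowerShell 3.0+ running elevated on the DC.

$DiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-NtdsDiagnosticLevel {
    # Returns every logging category under the Diagnostics key with its current level.
    $item = Get-ItemProperty -Path $DiagKey
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Category = $_.Name; Level = [int]$_.Value } }
}

function Set-NtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory)][string]$Category,
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level   # the book's 0..5 range
    )
    # The book's caveat: anything above 3 floods the Application log and costs performance.
    if ($Level -gt 3) {
        Write-Warning "Level $Level for '$Category' fills the Application log quickly; keep the window short."
    }
    Set-ItemProperty -Path $DiagKey -Name $Category -Value $Level -Type DWord
}

function Invoke-WithNtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory)][string]$Category,
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level,
        [Parameter(Mandatory)][scriptblock]$Action
    )
    $original = [int](Get-ItemProperty -Path $DiagKey -Name $Category).$Category
    Set-NtdsDiagnosticLevel -Category $Category -Level $Level
    try {
        & $Action
    }
    finally {
        # Always drop back to the previous level, even if the probe throws.
        Set-NtdsDiagnosticLevel -Category $Category -Level $original
    }
}

# Usage: show what is set now, then raise replication logging to 3 for two
# minutes and collect the NTDS entries written to the Application log meanwhile.
Get-NtdsDiagnosticLevel | Format-Table -AutoSize

Invoke-WithNtdsDiagnosticLevel -Category '5 Replication Events' -Level 3 -Action {
    $start = Get-Date
    Start-Sleep -Seconds 120
    Get-EventLog -LogName Application -After $start |
        Where-Object { $_.Source -like 'NTDS*' } |
        Select-Object TimeGenerated, EntryType, EventID, Message
}
```

Run Get-NtdsDiagnosticLevel after the call to confirm the category is back at its original value; a category left at 4 or 5 is exactly the condition the text warns about.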
In addition to the extra detail that can be specified for logging to the Event Viewer, Active Directory provides log sources for tracking and troubleshooting purposes. These are located in the %SYSTEMROOT%\Debug folder. Included are logs that were created during the installation of AD that provide significant information about the configuration of Active Directory and its related services. When the maximum number of 5 log files is reached, the oldest is deleted and a new one is created in its place, and all existing log file names will be decremented by 1. New logs will also be created when existing logs get full. By default, these logs generally hold between 1.5 and 2.5MB of information before Active Directory considers them full.

Using Ntdsutil Command Options

A number of repair options within the Ntdsutil command-line utility provide assistance in ensuring the consistency of the database. In the following subsections, we’ll examine the use of these options in troubleshooting and maintaining Active Directory health and availability.

Using the Integrity Command

The integrity command is used to detect low-level corruption of the database. It performs its work at the binary level, which means that it reads every byte of the ESE database structure looking for corruption. Note that although the ESE structure forms the basis of Active Directory, this command might not parse all Active Directory database information. Some critical Active Directory information is additional to and outside the knowledge of the esentutl command that this option uses. Because of the detailed checking it performs, this tool often takes a while to complete its operations.

In addition to the byte-level corruption check mentioned previously, the Ntdsutil integrity command also performs a full check on the integrity of the directory service files. After successfully running the command, Microsoft suggests that you perform a semantic database analysis (covered in a later section). The Ntdsutil integrity command must be performed when the database is offline, so you have to run it from Directory Services Restore Mode. To use the command, follow these steps:

1. Boot or reboot the computer.
2. When prompted, press F8 during Windows Server 2003 startup.
3. Select Directory Services Restore Mode (Windows DCs only) in the Windows Advanced Options menu that appears, and press the Enter key.
4. Select your operating system (for example, Windows Server 2003, Enterprise), and press the Enter key.
5. You will see a number of checks performed while the system is booting, and eventually you will receive the Safe Mode logon prompt.
6. Log on by providing the password for the local administrator account and clicking the OK button.
7. Click the OK button in the dialog box that notifies you that Windows is running in safe mode.
8. Open a command prompt.
9. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt will change to ntdsutil:.
10. Type files. The command prompt should change to display file maintenance:.
11. Type integrity.
12. View and evaluate the information displayed on the screen as the process runs. Figure 19.13 shows an error-free display, and Figure 19.14 shows a display showing errors.

Figure 19.13 A Successful Integrity Check Showing No Errors
Figure 19.14 An Integrity Check Showing Errors

13. Type quit to return to the ntdsutil: prompt.
14. Type quit again to exit the utility.
15. Close the command prompt window and reboot the server normally.

Using the recover Command

Remember that transactions are written to log files before being committed to the Active Directory database file. In the event of a power failure or other system problem, not all transactions will be written to the database. When the system is booted, ESE should use the checkpoint, log, and database files to determine what was committed properly to the database and what still needs to be written. Although this process works in most cases, occasionally inconsistencies result and it is necessary to run the process again manually. The recover command performs a “soft” recovery of the database log files, which means that it writes transactions from the log files to the directory service database. This process is sometimes also referred to as “re-running” the log files manually.

Like the other commands used in conjunction with the Ntdsutil command, the recover command must be run from Directory Services Restore Mode. As with the other maintenance commands covered in this section, Microsoft recommends running a semantic database analysis after the recover command has completed successfully. To run the recover command, follow these steps:

1. Boot or reboot the computer.
2. When prompted, press F8 during Windows Server 2003 startup.
3. Select Directory Services Restore Mode (Windows DCs only) in the Windows Advanced Options menu that appears, and press the Enter key.
4. Select your operating system (for example, Windows Server 2003, Enterprise), and press the Enter key.
5. You will see a number of checks performed while the system is booting, and eventually you will receive the Safe Mode logon prompt.
6. Log on by providing the password for the local administrator account and clicking the OK button.
7. Click the OK button in the dialog box that notifies you that Windows is running in safe mode.
8. Open a command prompt.
9. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt will change to ntdsutil:.
10. Type files. The command prompt should change to display file maintenance:.
11. Type recover.
12. View and evaluate the information displayed on the screen as the process runs. Figure 19.15 shows a successful recover operation, and Figure 19.16 shows a failed recover operation.

Figure 19.15 A Successful Recover Operation

Figure 19.16 A Failed Recover Operation
13. Type quit to return to the ntdsutil: prompt.
14. Type quit again to exit the utility.
15. Close the command prompt window.

Using the Semantic Database Analysis Command

The semantic database analysis command is the primary command that is used to verify the full integrity of the Active Directory database. You might be wondering what the difference is between this command and the integrity command from the files: prompt. Recall that the integrity command works by calling the Esentutl utility, which has full knowledge of the ESE database system but not necessarily all portions of the Active Directory database. The semantic database analysis command is specific to Active Directory and does not use the Esentutl command. As its name implies, it analyzes the Active Directory database based on Active Directory semantics (whereas the integrity command bases its check on ESENT database semantics). Running semantic database analysis includes checks for the following:

• Reference counts
   • Counts references from the data table and the link table to ensure that they match the listed counts for the record.
   • Ensures that each object has a full distinguished name, GUID, and nonzero reference count.
   • For each deleted object, the utility verifies that it does not have a distinguished name or GUID and makes sure that it has a deleted time and date.
• Deleted objects
   • Verifies that the object has a deleted time and date.
   • Ensures that the object has a special relative distinguished name.
• Ancestor checks: determines if the Distinguished Name Tag is equal to:
   • The ancestor list of the parent
   • The current Distinguished Name Tag
• Security descriptor checks
   • Verifies a valid descriptor.
   • Ensures that it has a control field.
   • Verifies that the discretionary access control list is not empty.
   • A warning is generated if deleted objects without a discretionary access control list are located.
• Replication checks
   • Checks the up-to-dateness vector in the directory partition head to ensure that the correct number of cursors exist.
   • Checks to ensure that every object has a property metadata vector.

Errors generated by the semantic database analysis command are written to dsdit.dmp.xx log files, which are located in the profile directory of the user running the utility (for example, C:\Documents and Settings\Administrator). As with most low-level database tools, this command must be run when the database is not initialized (in other words, in Directory Services Restore Mode). Microsoft recommends that you perform a full backup of the system state data prior to running this command. Follow these steps to perform a semantic database check:

1. Boot or reboot the computer.
2. When prompted, press F8 during Windows Server 2003 startup.
3. Select Directory Services Restore Mode (Windows DCs only) in the Windows Advanced Options menu that appears, and press the Enter key.
4. Select your operating system (for example, Windows Server 2003, Enterprise), and press the Enter key.
5. You will see a number of checks performed while the system is booting, and eventually you will receive the Safe Mode logon prompt.
6. Log on by providing the password for the local administrator account and clicking the OK button.
7. Click the OK button in the dialog box that notifies you that Windows is running in safe mode.
8. Open a command prompt.
9. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt will change to ntdsutil:.
10. Type Semantic database analysis, and press the Enter key.
11. At the semantic checker: prompt, type Verbose on, and press Enter. This option displays the Semantic Checker.
12. Choose one of the following options:
   • To start the Semantic Checker and not have it repair any of the errors it encounters, type Go, and press the Enter key.
   • To start the Semantic Checker and have it repair the errors it encounters, type Go Fixup, and press the Enter key.
13. View and evaluate the information displayed on the screen as the process runs. There is very little difference visually between the two modes. Figure 19.17 shows the go mode.
Figure 19.17 Semantic Database Analysis Using Go Mode

14. Type quit or q to return to the ntdsutil: prompt.
15. Type quit or q again to exit the utility.
16. Close the command prompt window.
17. Navigate to your profile directory and use Notepad to open the log file (shown in Figure 19.18) that you saw in step 15 (for example, dsdit.dmp.0).

Figure 19.18 The Log File Produced by Semantic Database Analysis Go Mode

18. View the contents of the log, paying careful attention to any warning messages, and then close Notepad.
19. Reboot the server normally.
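Steps 17 and 18 have you open the dsdit.dmp.xx file in Notepad and scan it by eye. The following PowerShell is an added example, not code from the book: it finds the most recently written dsdit.dmp.* file in the current profile directory (the location the text gives), pulls out the lines that need attention with their line numbers, and sets a non-zero exit code when anything was flagged so the check can run unattended after maintenance. It assumes Windows PowerShell 3.0 or later, that the file is plain text, and that ntdsutil marks problems with words such as "error" or "warning"; that pattern is an assumption, so adjust it to the wording your own log shows.

```powershell
# Added example (not from the book): surface the warnings in the newest
# semantic database analysis log instead of paging through it in Notepad.
# Assumes the log lives in the running user's profile directory (book text)
# and that problem lines contain one of the words in $Pattern (assumption).

function Get-LatestSemanticLog {
    param([string]$ProfileDir = $env:USERPROFILE)
    $logs = Get-ChildItem -Path $ProfileDir -Filter 'dsdit.dmp.*' -File -ErrorAction SilentlyContinue
    if (-not $logs) {
        throw "No dsdit.dmp.* file found in $ProfileDir; run semantic database analysis first"
    }
    # Several runs leave several files; the most recently written one is the run just finished.
    $logs | Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

function Find-SemanticLogIssues {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Pattern = 'error|warning|fail|corrupt'   # assumed wording; adjust to your log
    )
    Select-String -Path $Path -Pattern $Pattern |
        ForEach-Object { [pscustomobject]@{ Line = $_.LineNumber; Text = $_.Line.Trim() } }
}

$log    = Get-LatestSemanticLog
$issues = @(Find-SemanticLogIssues -Path $log.FullName)

Write-Host ("{0} ({1:N0} bytes, written {2}): {3} line(s) flagged" -f `
    $log.Name, $log.Length, $log.LastWriteTime, $issues.Count)
$issues | Format-Table -AutoSize

# Non-zero exit code lets a scheduled post-maintenance job fail loudly when the
# log contains anything worth a second look; a "go fixup" run can then be considered.
exit ([int]($issues.Count -gt 0))
```

Run it in the same Directory Services Restore Mode session, after step 16 and before the reboot in step 19, so the log it reads is the one the analysis just produced.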