Differential: Uses the archive attribute to determine which files have changed since the last backup. Only the changed files are backed up. A differential backup does not clear the archive attribute. This means that subsequent backup operations back up files that have changed since the last backup ran, and other files that changed but were backed up by earlier backup operations.

Daily: This option reads the timestamps on files and only backs up files that were created or modified on the day of the backup. This option does not clear the archive attribute.
9. The Backup migrated Remote Storage data check box is located at the bottom of the Type of Backup page. Infrequently used files can be migrated to a near-time access point, using Remote Storage. When this occurs, they still show up for users as local files on the system in Explorer type interfaces, although they are stored remotely. Users are actually viewing reparse points, not the actual files. Because of this, it is possible that you selected files in step 4 that are not actually located on the local system disks, but have been migrated to Remote Storage. Files migrated to Remote Storage can be recalled seamlessly when the reparse point is clicked on by a user in an Explorer type interface. Checking this box ensures that these reparse points will be backed up. After completing your selections on this page of the wizard, click the Next button.
10. The next page in the wizard, shown in Figure 11.21, contains the following three check boxes:

Verify data after backup: This reads the data back off the storage medium used and compares it to the original information backed up. You should be aware that this will greatly extend the amount of time required to finish the backup job. However, when the data is critical and you need to be assured that it was backed up correctly, you might want to select this option.

Figure 11.20 The Type of Backup Wizard Page
www.syngress.com
Ensuring Active Directory Availability • Chapter 11 725
256_70-294_11.qxd 9/4/03 4:47 PM Page 725

Use hardware compression, if available: If the Backup utility detects a tape drive or other storage mechanism that is capable of hardware compression, this box will be available for selection. Typically, these types of compression are very advanced and it is recommended that you make use of them. This box will be grayed out if Backup does not detect a device that supports this setting.

Disable Volume Shadow Copy: As mentioned earlier, this feature is used to back up open files. This option is enabled by default. If you select to back up the system state data, the option to disable it will be grayed out because it is required for backing up the system state information.
11. After making your selections on the How to Back Up wizard page, click the Next button.
12. The Backup Options page, shown in Figure 11.22, allows you to choose to append this backup to an existing backup by selecting the Append this backup to the existing backups option, or replace any existing backups on the media selected by choosing the Replace the existing backups option. If Replace the existing backups is selected, the Allow only the owner or the Administrator access to the backup data and to any backups appended to this medium check box becomes available for selection. When checked, this allows only the user who created the backup file or an administrator to restore the backed up information. Click the Next button to continue with the wizard.

Figure 11.21 The How to Back Up Wizard Page

13. The Backup utility allows you to begin the backup immediately by selecting the Now option on the When to Back Up page, shown in Figure 11.23. However, you can also schedule a backup job to run at another time by selecting the Later option. When this option is selected, the Job name: text box becomes available, as does the Start date: option. Enter a descriptive name for the backup operation in the Job name: box.

Figure 11.22 The Backup Options Wizard Page
Figure 11.23 The When to Back Up Wizard Page
14. By default, the Start date: option is set to the current date and time when you click the Later option. To change this to another date and time, or use the more advanced schedule features, click the Set Schedule… button.
15. This displays the Schedule Job dialog box with the Schedule tab in the foreground, as shown in Figure 11.24. Several options can be selected in the Schedule Task: drop-down box, including:

Daily: This setting allows you to specify a start time, and the number of consecutive days on which you would like the task to run. It also allows you to click the Advanced… button to bring up the Advanced Schedule Options dialog box. This box allows you to specify start and end dates, how often the task will repeat, and the maximum duration or time past which the backup job cannot run.

Weekly: This option allows you to specify a start time, and you can click the Advanced… button to configure all of the advanced options listed previously. In addition, it allows you to specify the number of consecutive weeks the backup should run, and has selection boxes for each day of the week so that you can determine on which days the backup job should run. Figure 11.24 shows this option.

Monthly: As with the Daily and Weekly options, this option allows you to specify a start time and click the Advanced… button to configure all of the advanced options listed previously. You can select the day of the month on which you want to have the job run. This can include patterns such as the first Tuesday of the month. Clicking the Select Months button brings up the Select Months dialog box with check boxes for each month of the year, all of which are selected by default.

Once: This option will run the backup job one time, and allows you to specify a start time and access the Advanced… button options. It provides a Run on: drop-down box that enables you to select a date from a calendar. This is the default setting.

At System Startup: This option starts the backup job when the computer is booted.

At Logon: This option starts the backup job when a user logs on to the computer.

When Idle: This option allows you to specify an idle setting for the computer in the When the computer has been idle for: entry box. This refers to the amount of time the system is not in use. The default is 10 minutes.
16. At the bottom of the Schedule tab is the Show multiple schedules check box. When selected, it adds a new section to the top of the tab, which consists of a drop-down box, a New button, and a Delete button. The current schedule becomes the first entry in the drop-down box. Additional schedules can be created by clicking the New button and modifying the options on the Schedule tab. Changes to existing schedule entries can be made by selecting the schedule from the drop-down box and changing the settings on the tab. Any schedule can be deleted by selecting it in the drop-down box and clicking the Delete button.
17. The Schedule Job dialog box contains a second tab labeled Settings, which is shown in Figure 11.25. When selected, this tab displays a number of additional scheduling options, including the following:

Delete the task if it is not scheduled to run again. This removes the task from the list of scheduled tasks if it is not scheduled to run in the future.

Stop the task if it runs for: This allows you to specify the number of hours and minutes that a backup job can run before it is terminated. Failed backup jobs often just keep running and consuming resources. They can even cause subsequent jobs to fail because they still have exclusive use of the required system resources, such as tape drives. The default value is 72 hours.

Only start the task if the computer has been idle for: This allows you to specify how much time must pass since the computer was last used by a user before the backup job begins.

Figure 11.24 The Schedule Tab in the Schedule Job Dialog Box

If the computer has not been idle that long, retry for up to: This works in conjunction with the previous setting and allows you to specify how long the scheduler will continue to check to see if the required amount of idle time has been accumulated before giving up.

Stop the task if the computer ceases to be idle. This terminates the backup job if a user begins to use the computer again.

Don’t start the task if the computer is running on batteries. Because backups require the use of system resources such as the hard drive, they can be very power intensive. This setting allows you to specify that you do not want to have the backup start if the computer is running on batteries. This is primarily a setting for laptops.

Stop the task if battery mode begins. This setting terminates the backup job if the computer on which it is running switches over to battery power after the job has started. This setting is also primarily for laptops.

Wake the computer to run this task. If a power-saving mode is in use on the computer, this selection can be used to wake the system up so that the backup job can be run at the scheduled time.
18. When you have finished configuring the options on each of the tabs in the Schedule Job dialog box, click the OK button.
19. Click the Next button in the wizard.

Figure 11.25 The Settings Tab in the Schedule Job Dialog Box
20. This brings up the Set Account Information dialog box, shown in Figure 11.26. The backup job must be set to run with the user rights of a member of the local administrators or backup operators group. Alternatively, it can be run by a user who has been granted the right to Back up files and directories. In the Run as: text box, specify a user account that meets these requirements. Provide the password associated with the account in the Password: and Confirm password: text boxes. Click the OK button to proceed.
21. Click the Next button in the wizard.
22. Review the summary information for the backup job and click the Finish button to close the wizard.
23. The backup will take at least a few minutes. The Backup Progress screen is displayed during this time, as shown in Figure 11.27. Even on the most basic Windows Server 2003 DC, the system state data will average approximately 500MB in size. Note that the file size can be even larger. The actual backup file can take up to twice as much disk space as the amount listed in the Backup Progress dialog box. As an example, the file shown in these images actually consumed 857,175KB of disk space.
24. When the backup has completed, click the Close button to close the Backup Progress dialog box, shown in Figure 11.28, or click the Report… button to view the backup log associated with the job. Clicking the Report… button will open the Notepad application with the log file displayed, as shown in Figure 11.29. You should review the log for any error messages, such as those pertaining to files that were skipped. After reviewing the log, close the Notepad application.

Figure 11.26 The Set Account Information Dialog Box
Figure 11.27 The Backup Progress Dialog Box During Backup
Figure 11.28 The Backup Progress Dialog After the Backup Has Completed
Figure 11.29 The Backup Log
Backing Up at the Command Line
Instead of using the graphical Backup utility, you can back up the system state data by using the command-line version of the Backup utility. This might be desirable for use with administrative scripts. The command-line utility is a full-featured backup program that can specify many of the same options covered in the previous section. To back up the system state data, open a command prompt (Start | Run and type cmd) and use the following command and options: ntbackup backup systemstate /J "Syngress Backup Job" /F "C:\backupfile.bkf".

Ntbackup is the name of the command-line backup utility.

Backup is the option to specify a backup operation.

Systemstate is the option used to specify that the system state data should be backed up.

/J specifies the backup job name, which should be surrounded in quotes if it contains spaces.

/F specifies the name of the backup file.

Note that when you run this command, the graphical utility appears to show you the progress of the job.
There are many more switches that you can use with the Ntbackup command-line utility; those described here are the ones you will most commonly use to back up the system state data.
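The following PowerShell script is an added example; it is not part of the Syngress text and not part of the Backup utility. It wraps ntbackup.exe with the switches that correspond to the wizard choices described in steps 8 through 12 (backup type, verify after backup, append or replace, owner/Administrator-only access, migrated Remote Storage data) and then scans the job log for the skipped-file warnings that step 24 tells you to look for by hand. The switches /M, /V, /A, /R, /RS and /L are ntbackup's own, beyond the /J and /F shown above; the log directory path and the exact wording matched in the log are assumptions, marked as such in the comments, and the sample log lines at the end are constructed.

```powershell
# Added example (not from the Syngress text): scripted System State backup with ntbackup.exe,
# followed by a scan of the job log for problems the exit code alone does not reveal.

function Get-BackupLogIssues {
    param([string[]] $LogLines)
    # ASSUMPTION about log wording: a file ntbackup could not read is reported as
    # 'Warning: Unable to open "<path>" - skipped.' followed by a 'Reason: ...' line.
    # Adjust the pattern to what your own logs show (the Report… button in step 24 opens one).
    $LogLines | Where-Object { $_ -match '^(Warning|Error|Reason):|- skipped\.?$|did not successfully complete' }
}

function Backup-SystemState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)] [string] $BackupFile,     # /F, e.g. C:\backupfile.bkf
        [string] $JobName = 'Syngress Backup Job',               # /J, the job name used on the page
        [ValidateSet('normal','copy','differential','incremental','daily')]
        [string] $Type = 'normal',                               # /M, the Type of Backup page choice
        [switch] $Verify,                                        # /V:yes, "Verify data after backup"
        [switch] $Append,                                        # /A, "Append this backup to the existing backups"
        [switch] $RestrictAccess,                                # /R:yes, owner/Administrator-only access
        [switch] $RemoteStorage,                                 # /RS:yes, "Backup migrated Remote Storage data"
        # ASSUMPTION: where ntbackup keeps its per-job logs on Windows Server 2003.
        [string] $LogDirectory = (Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data')
    )
    # systemstate is the keyword from the page; /L:f asks ntbackup for a full (per-file) log.
    $cmdArgs = 'backup systemstate /J "{0}" /F "{1}" /M {2} /L:f' -f $JobName, $BackupFile, $Type
    if ($Verify) { $cmdArgs += ' /V:yes' } else { $cmdArgs += ' /V:no' }
    if ($Append) {
        $cmdArgs += ' /A'
        if ($RestrictAccess) {
            Write-Warning 'The owner/Administrator restriction only applies when replacing existing backups; ignoring -RestrictAccess.'
        }
    } elseif ($RestrictAccess) {
        $cmdArgs += ' /R:yes'
    }
    if ($RemoteStorage) { $cmdArgs += ' /RS:yes' }
    Write-Verbose "ntbackup $cmdArgs"

    # ntbackup is a GUI program (its progress window still appears), so wait for it explicitly.
    $proc = Start-Process -FilePath "$env:SystemRoot\system32\ntbackup.exe" -ArgumentList $cmdArgs -Wait -PassThru

    # Newest log in the log directory is the one this run just wrote.
    $log = Get-ChildItem -Path $LogDirectory -Filter 'backup*.log' -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $logPath = $null
    $issues  = @()
    if ($log) {
        $logPath = $log.FullName
        $issues  = @(Get-BackupLogIssues -LogLines (Get-Content $logPath))   # log is Unicode; BOM is honoured
    }
    New-Object PSObject -Property @{
        ExitCode   = $proc.ExitCode
        BackupFile = $BackupFile
        LogFile    = $logPath
        Issues     = $issues
        Succeeded  = ($proc.ExitCode -eq 0 -and $issues.Count -eq 0)
    }
}

# Constructed sample log lines (not real ntbackup output) so the scanner can be tried offline.
$sampleLog = @(
    'Backup Status',
    'Operation: Backup',
    'Active backup destination: File',
    'Backup (via shadow copy) of "System State"',
    'Backup started on 9/5/2003 at 2:00 AM.',
    'Warning: Unable to open "C:\WINDOWS\system32\config\AppEvent.Evt" - skipped.',
    'Reason: The process cannot access the file because it is being used by another process.',
    'Backup completed on 9/5/2003 at 2:06 AM.',
    'Directories: 142',
    'Files: 2073'
)
Get-BackupLogIssues -LogLines $sampleLog

# Live use on a DC, as a member of Administrators or Backup Operators:
# Backup-SystemState -BackupFile 'C:\backupfile.bkf' -Type normal -Verify -RestrictAccess -Verbose
```

Run against the constructed sample, the scanner returns only the Warning and Reason lines, which is the signal a scheduled job should surface (by e-mail, event log, or a monitoring check) rather than leaving it buried in a log nobody opens. The Succeeded property is deliberately false when any such line is present, because a System State set that silently skipped files is not a backup you want to discover during a restore.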
TEST DAY TIP
Although you can back up the system state data from the command line using the Ntbackup utility, you cannot perform a restore with this utility. Restores must be done from the graphical Backup utility.
Restoring Active Directory
EXAM 70-294 OBJECTIVE 2.4, 2.4.1, 2.4.2
Windows Server 2003 includes three types of directory services restore methods:

Primary

Normal

Authoritative

Microsoft has designed each of these restoration types to address a complex need that arises when restoring Active Directory or one of its related components. In addition to these three modes, specialty restore functionality is also provided within the Ntdsutil command-line utility and the Directory Services Restore Mode. It is very important for you to know which modes, features, and utilities to use to restore your server in a given recovery scenario. An improper restore can destabilize your entire Active Directory forest.
Directory Services Restore Mode
Before we discuss the three different restore methods that can be used, it is important to discuss the Directory Services Restore Mode. We mentioned this mode earlier in the chapter when discussing maintenance operations, such as moving the Active Directory database. Remember that the special feature of this mode is that it allows a DC to boot without initializing its copy of the Active Directory database. Because you must always log on to a Windows Server 2003 computer before you can use the operating system, a small version of a local directory service database (called a SAM database) remains on the computer after it has been promoted to a DC. This database has a single account, the local administrator account.

When you have booted to the Directory Services Restore Mode using the directions given earlier in the chapter, you must log on with this account. After you are authenticated, you can perform certain limited maintenance functions, such as running the Ntdsutil utility mentioned earlier. You can also run the Backup utility to perform restores of the Active Directory database. It is necessary to perform all restores while running in this mode, because the Active Directory database must be offline to be restored. In this mode, you are logged on to a local account and the Active Directory database is not in use.
Normal Restore
The simplest of all restore methods is the normal restore. This method can be used in the following circumstances:

When a domain only has one DC, and the DC needs to be restored. You can also opt to use the primary restore method (covered later) for this scenario.

If there are multiple DCs on the network for the domain, and at least one remains functional, a normal restore can be used to bring the downed DCs back to life.

Like all Active Directory restores, a normal restore is performed by running the Backup utility while logged on to Directory Services Restore Mode. When the restore has completed, the DC is rebooted. When it comes back up, it begins normal replication with its replication partners. Because it was restored from a backup, some of its objects will have older version numbers than ones currently on the network. This will cause updates and deletions to be replicated to the DC and will bring its Active Directory database up to date.

New & Noteworthy: New Restore Options in Windows 2003
The Active Directory restore options have seen some significant changes since Windows 2000. In Windows 2000, there were only two methods of restoration: Authoritative and Non-Authoritative. With Windows Server 2003, Authoritative restores remain unchanged; however, Non-Authoritative restores are now referred to as Normal restores. Despite the name change, they function exactly as they always have.
A new type of restore is added, the Primary restore. This is designed to be used when all DCs for a given domain have been wiped out and need to be restored. Under Windows 2000, this could be an exhaustive Authoritative restore process involving many hours of labor and double-checking. With the new Primary restore type, it is as simple as selecting a check box.
To perform a normal restore, follow these steps:
1. Boot or reboot the computer.
2. When prompted, press F8 during Windows Server 2003 startup.
3. Select Directory Services Restore Mode (Windows DCs only) in the Windows Advanced Options menu that appears, and press the Enter key.
4. Select your operating system (for example, Windows Server 2003, Enterprise), and press the Enter key.
5. You will see a number of checks performed while the system is booting, and eventually you will receive the Safe Mode logon prompt.
6. Log on by providing the password for the local administrator account and clicking the OK button.
7. Click the OK button in the dialog box that notifies you that Windows is running in safe mode.
8. Open the Windows Server 2003 Backup utility from Start | All Programs | Accessories | System Tools | Backup.
9. On the initial page of the wizard, click the Next button.
10. Select the option button next to Restore files and settings, as shown in Figure 11.30, and click the Next button.
11. The What to Restore page, shown in Figure 11.31, contains an Explorer style interface similar to the one you encountered while configuring your backup job. Click the plus sign next to File in the left pane. This should reveal the file to which you backed up the system state data earlier. If it doesn’t, you can click the Browse… button and select the file from the Open Backup File dialog box. Click the plus sign next to the file to which you backed up and select the check box next to the backup you want to restore that appears beneath it. Click the Next button after making your selection.
12. At this point in the wizard, you can click the Finish button and allow the restore to proceed with the default advanced settings. However, we want you to see more of the settings that are available within the wizard, so click the Advanced… button.
13. The Where to Restore page, shown in Figure 11.32, appears with three options that can be selected from the Restore files to: drop-down box.

Original location: This option restores all files to their original locations and is the default. When you select this option and click the Next button, a dialog box appears, informing you that restoring system state will always overwrite the current system state information unless you restore to an alternate location. Click the OK button to proceed to the next screen.

Figure 11.30 The Backup or Restore Wizard Page
Figure 11.31 The What to Restore Wizard Page

Alternate location: Selecting this option reveals the Alternate location: text box and a Browse… button that opens the Restore Path dialog box. You can use this option to restore the files to a different location. This can be helpful for verification and file comparison purposes.

Single folder: This option reveals the Alternate location: text box and Browse… button, which opens the Restore Path dialog box. As with the Alternate location setting, you can use this option to restore the files to an alternate location. When this option is selected, all restored files are placed in a single directory, rather than having their directory structures restored.
14. Click the Next button after making your selection.
15. Depending on your selection, a Warning dialog box (shown in Figure 11.33) might appear to inform you that a restore of system state data will always overwrite the current system state data unless you choose to restore it to an alternate location. Click the OK button if you receive this dialog box.
16. The How to Restore page, shown in Figure 11.34, contains the following three options:

Figure 11.32 The Where to Restore Wizard Page
Figure 11.33 The System State Restore Warning Dialog Box

Leave existing files (Recommended): This option ensures that the restore process does not overwrite any files that currently exist on the DC.

Replace existing files if they are older than the backup files: This option permits the files on the disk to be overwritten, but only if the backup file is newer than the one currently on the DC.

Replace existing files: Always copies the files from the backup media to the DC and replaces all files existing on the DC, regardless of whether they are newer.
17. After making your selection, click the Next button to proceed.
18. The Advanced Restore Options page, shown in Figure 11.35, contains the following five check boxes:

Restore security settings: This option is selected by default, and should remain selected. It shows the power that a user with restore rights has, because any such user can, by deselecting this check box, restore the files without their associated permissions. In some circumstances, difficulties can arise when restoring data that was on a disk formatted in the NTFS file system, which supports file level permissions, to one using the FAT file system, which does not support file level permissions. In circumstances like these, clearing this check box has been known to resolve some of the issues. This is because selecting this box restores a wide range of extended data (permissions, auditing information, and ownership information) that is not supported by the FAT file system.

Restore junction points, but not the folders and file data they reference: Among other things, junction points are used to reference mounted drives. In Windows Server 2003, volumes can be mounted in folders of another volume, instead of being accessed through a drive letter. If you do not restore junction points, you will not be able to restore the information on mounted drives unless you recreate the junction points manually.

Figure 11.34 The How to Restore Wizard Page

Preserve existing volume mount points: This option relates to the preceding point. When using mounted drives, it is necessary to create mount points, which are the empty folders to which the volume is mounted (thus creating the mounted drive). When selected, this box protects existing mount points on the volume being restored. This is helpful if you have already formatted the disk to which you are restoring and added these mount points prior to beginning the restore. However, if you have formatted the disk to which you are restoring and have not added these mount points back manually, clearing this check box will restore your old mount points from tape. This option is selected by default.

Restore the Cluster Registry to the quorum disk and all other nodes: This option restores the cluster quorum database and replicates it to all of the nodes in the server cluster. This option will be grayed out if the DC is not part of a server cluster.

When restoring replicated data sets, mark the restored data as the primary data for all replicas: This option is used to perform a primary restore and is covered in detail later in the chapter.
19. Click the Next button after making your selections.
20. Click the Finish button to begin the restore.
21. The restore will take at least a few minutes and display its progress as shown in Figure 11.36. When it is finished, click the Close button (shown in Figure 11.37) to close the Restore Progress dialog box, or click the Report… button to view the backup log associated with the job. Clicking the Report… button will display the Notepad application with the log file displayed, as shown in Figure 11.38. You should review the log for any error messages, such as those pertaining to files that had to be skipped. When you have finished reviewing the log, close the Notepad application.

Figure 11.35 The Advanced Restore Options Wizard Page
Figure 11.36 The Restore Progress Dialog Box During a Restore
Figure 11.37 The Restore Progress Dialog Box After the Restore Has Completed
Figure 11.38 The Restore Log
22. Click the Yes button in the Backup Utility dialog box when prompted to restart and reboot the server normally.
Authoritative Restore
There are times when a normal restore of Active Directory isn’t sufficient; for example, when you accidentally delete an OU. Within a few minutes, the deletion will have replicated to the other DCs in the domain. If you perform a normal restore in an effort to repopulate the OU back into Active Directory, it will not work. When the DC reboots after the restore and replicates with its replication partners, they will have a higher version number for the deleted OU, and the restored DC will be told to delete the object all over again. To restore the object, you must use an authoritative restore.
Head of the Class… Keep Them Separated
Although members of the administrators and backup operators local groups have the right to back up and restore files, in larger environments it is important to separate these roles for security purposes. Instead of making your backup administrators members of the backup operators group, you should consider creating two new groups instead. Grant one of the groups the right to back up files and folders, and give the other group restore privileges. Let’s look at why this is a good idea.
The advanced restore option Restore security settings must be checked in order for NTFS permissions, auditing settings, and ownership information to be restored with a file. In other words, your company’s files are a check box away from having no security permissions associated with them. This means that anyone with both backup and restore privileges can restore any file he or she wants to view with no permissions or ownership information. There is nothing standing between someone with these user rights and untraceable access to the information on your network.
You can limit the potential for abuse by making some administrators responsible for backups (and adding them to the backup group you created earlier) and other administrators responsible for restores (and adding them to the restore group you created earlier). Although those in the restore group can still restore any file without permissions, auditing, or ownership information, they cannot choose which files are backed up for them to view. Ensuring that the restore group is comprised of the most trusted employees who perform these roles will further enhance security.
Additional levels of security can also be realized through the use of encryption, including both EFS and third-party file encryption tools. Encrypted files are not decrypted before being backed up. They are stored on the tape in encrypted form, and are restored in encrypted form. As a result, although they can be restored without their associated permissions, they are still encrypted and will not be viewable by the restore administrator.
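As an added example (not from the Syngress text), the following PowerShell audits the separation this sidebar recommends. It exports the local user-rights assignment with secedit, parses the [Privilege Rights] section, and reports every principal that holds both SeBackupPrivilege (the Back up files and directories right) and SeRestorePrivilege (Restore files and directories). The secedit switches and the well-known SIDs for Administrators (S-1-5-32-544) and Backup Operators (S-1-5-32-551) are real; the export embedded at the end and the SYNGRESS\ group names in it are constructed so the report can be run offline.

```powershell
# Added example (not from the Syngress text): find accounts that can both back up and restore,
# the combination the sidebar warns lets someone pull any file with no permissions attached.

function ConvertFrom-PrivilegeRightsInf {
    param([string[]] $InfLines)
    # secedit's export is INI-like; under [Privilege Rights] each line reads
    # "SePrivilegeName = *SID,*SID,DOMAIN\Name" (SIDs carry a leading asterisk).
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $t -eq '') { continue }
        if ($t -match '^(Se\w+)\s*=\s*(.*)$') {
            $name = $matches[1]
            $list = $matches[2]
            $members = @()
            foreach ($m in $list.Split(',')) {
                $m = $m.Trim().TrimStart('*')
                if ($m -ne '') { $members += $m }
            }
            $rights[$name] = $members
        }
    }
    return $rights
}

function Resolve-PrincipalName {
    param([string] $Principal)
    # Translate SIDs the local machine can resolve; leave names and unknown SIDs as-is.
    if ($Principal -notmatch '^S-1-') { return $Principal }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Principal)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Principal }
}

function Find-BackupRestoreOverlap {
    param([hashtable] $Rights)
    $backup  = @(); if ($Rights.ContainsKey('SeBackupPrivilege'))  { $backup  = $Rights['SeBackupPrivilege'] }
    $restore = @(); if ($Rights.ContainsKey('SeRestorePrivilege')) { $restore = $Rights['SeRestorePrivilege'] }
    $builtin = @('S-1-5-32-544', 'S-1-5-32-551')   # Administrators, Backup Operators: hold both by design
    foreach ($p in $backup) {
        if ($restore -contains $p) {
            New-Object PSObject -Property @{
                Principal       = Resolve-PrincipalName $p
                ExpectedBuiltin = ($builtin -contains $p)
            }
        }
    }
}

function Get-LocalPrivilegeRights {
    # Live export; run elevated. /areas USER_RIGHTS limits the export to user-rights assignment.
    $tmp = Join-Path $env:TEMP 'rights-export.inf'
    & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $tmp      # the export is Unicode; Get-Content honours the BOM
    Remove-Item $tmp
    ConvertFrom-PrivilegeRightsInf $lines
}

# Constructed sample export (not from a real machine) to show the report offline.
$sampleInf = @(
    '[Unicode]', 'Unicode=yes',
    '[Privilege Rights]',
    'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,SYNGRESS\BackupAdmins',
    'SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,SYNGRESS\BackupAdmins,SYNGRESS\RestoreAdmins',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1'
)
Find-BackupRestoreOverlap (ConvertFrom-PrivilegeRightsInf $sampleInf) | Format-Table -AutoSize

# On a real server: Find-BackupRestoreOverlap (Get-LocalPrivilegeRights) | Format-Table -AutoSize
```

On the constructed export, Administrators and Backup Operators are listed with ExpectedBuiltin set to true, and SYNGRESS\BackupAdmins is listed with it set to false: that group was meant to be the backup-only group from the sidebar, yet it was also granted the restore right, so the split the sidebar describes is not actually in force. Because the rights are assigned per machine (or by Group Policy), the check belongs in the periodic review of every DC and file server, not just the one where the groups were first created.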
An authoritative restore is exactly like a normal restore, up to a point. Once the system state data has been restored, rather than rebooting the server, the Ntdsutil command-line utility is used to mark one or more objects as authoritative. This gives them a very high version number so that when the server is rebooted and the replication process takes place, the other servers in the domain will see the high version number and replicate the object to their own Active Directory databases. To restore a database authoritatively, follow the steps from the preceding section up to number 18, and then proceed to these steps:
1. Click the No button in the Backup Utility dialog box when asked to restart.
2. Close the Backup utility, if it does not close by itself.
3. Open a command prompt (click Start | Run and type cmd).
4. Type ntdsutil to enter the Ntdsutil utility. Note that this is a command-line utility so the command prompt will change to ntdsutil:.
5. Type authoritative restore. The command prompt should change to display authoritative restore:.
6. Use one of the following commands to mark Active Directory or a portion of it as authoritative.

Type restore database to mark the domain and configuration containers of the database as authoritative. The schema container cannot be marked as authoritative; consequently, an authoritative restore cannot be performed for the schema. Because you cannot delete objects from the schema, this is not an issue.

Type restore subtree followed by the distinguished name of the object in Active Directory that you want to restore; for example, restore subtree OU=student,DC=syngress,DC=com to restore the OU named "student" in the syngress.com domain.

The verinc option can be used with either the restore database or restore subtree command. Remember, when an object or the database is restored authoritatively, a large version number is applied to it. The verinc option is designed to be used when you need to perform another authoritative restore, on top of an existing authoritative restore. It allows you to choose your own version number, thus ensuring that it will be higher than the one used previously by the utility. The proper syntax is restore database verinc %d or restore subtree <distinguished name of object to mark authoritative> verinc %d, with %d being the desired increment for the version number.
7. Click Yes in the Authoritative Restore Confirmation dialog box, as shown in Figure 11.39.
8. Review the screen output while the command completes. Figure 11.40 shows the completed operation.
9. Type quit to return to the ntdsutil: prompt.
10. Type quit again to exit the utility.
11. Close the command prompt and reboot the server normally.
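The following PowerShell function is an added example; it is not part of the Syngress text and not a Microsoft tool. It runs the Ntdsutil session from steps 4 through 10 non-interactively, which is what you want when an authoritative restore is written into a recovery runbook rather than typed under pressure. Its assumptions are marked in the comments: that Ntdsutil accepts its menu commands as a sequence of quoted command-line arguments; that Windows sets the SAFEBOOT_OPTION environment variable to DSREPAIR when booted into Directory Services Restore Mode; and that the schema container's distinguished name begins with CN=Schema,CN=Configuration. The distinguished name in the dry run is the OU used on the page.

```powershell
# Added example (not from the Syngress text): scripted authoritative restore via Ntdsutil,
# with the checks the steps above leave to the operator made explicit.

function Invoke-AuthoritativeRestore {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        # Distinguished name of the subtree to mark authoritative (restore subtree <DN>)
        [string] $DistinguishedName,
        # Mark the domain and configuration containers instead (restore database)
        [switch] $WholeDatabase,
        # Optional verinc value for a second authoritative restore on top of a first one
        [int] $VersionIncrement = 0,
        # Skips the DSRM check so the command can be previewed with -WhatIf on any machine
        [switch] $SkipModeCheck
    )
    if (-not $WholeDatabase -and -not $DistinguishedName) { throw 'Specify -DistinguishedName or -WholeDatabase.' }
    if ($WholeDatabase -and $DistinguishedName) { throw 'Use only one of -DistinguishedName and -WholeDatabase.' }

    # ASSUMPTION: Windows exposes the safe-boot flavour as SAFEBOOT_OPTION, with DSREPAIR meaning
    # Directory Services Restore Mode. The AD database must be offline for the restore to be valid.
    if (-not $SkipModeCheck -and $env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Not booted into Directory Services Restore Mode; refusing to run.'
    }

    if ($DistinguishedName) {
        # Simple shape check (CN=, OU=, DC= components); escaped commas in values are not handled.
        if ($DistinguishedName -notmatch '^(?:(?:CN|OU|DC)=[^,=]+)(?:,(?:CN|OU|DC)=[^,=]+)*$') {
            throw "Not a distinguished name: $DistinguishedName"
        }
        # The schema container cannot be marked authoritative (step 6).
        # ASSUMPTION: its DN begins CN=Schema,CN=Configuration,... in every forest.
        if ($DistinguishedName -match '(^|,)CN=Schema,CN=Configuration,') {
            throw 'The schema container cannot be restored authoritatively.'
        }
        $restoreCmd = "restore subtree $DistinguishedName"
    } else {
        $restoreCmd = 'restore database'
    }
    if ($VersionIncrement -gt 0) { $restoreCmd += " verinc $VersionIncrement" }

    # ASSUMPTION: each argument is fed to Ntdsutil as one menu command, in order;
    # this reproduces steps 5, 6, 9 and 10 of the typed session.
    $ntdsArgs = @('authoritative restore', $restoreCmd, 'quit', 'quit')
    $display  = ($ntdsArgs | ForEach-Object { '"' + $_ + '"' }) -join ' '

    if ($PSCmdlet.ShouldProcess("ntdsutil $display", 'Mark objects authoritative')) {
        # The confirmation dialog from step 7 (Figure 11.39) is still shown; answer Yes to proceed.
        & ntdsutil.exe @ntdsArgs
        return $LASTEXITCODE
    }
}

# Dry run: shows the exact Ntdsutil invocation without touching the database.
Invoke-AuthoritativeRestore -DistinguishedName 'OU=student,DC=syngress,DC=com' -VersionIncrement 100 -SkipModeCheck -WhatIf
```

The -WhatIf preview is the part worth keeping in a runbook: it lets the restore operator see the precise subtree and verinc value that will be marked before anything is replicated out to the rest of the domain, which is the point at which a typo in a distinguished name turns a targeted recovery into a forest-wide one.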
Primary Restore
The primary restore method is new in Windows Server 2003, and is designed for situations where all DCs for a given domain have gone down and you need to rebuild the domain from backup. The first server that is restored in this situation should be restored using this method. Additional DCs should be restored using the normal restore method. A primary restore is also the new preferred method to use when restoring what Microsoft refers to as a standalone DC, which means the DC in a domain with only one DC. If you have a domain with only one DC and that server goes down, use this method to restore it.

Figure 11.39 The Authoritative Restore Confirmation Dialog Box
Figure 11.40 The Completed Authoritative Restore Process
Performing a primary restore is similar to performing a normal restore. The only difference
is that you select the check box next to When restoring replicated data sets,
mark the restored data as the primary data for all replicas in the Advanced portion
of the Restore wizard, as shown in Figure 11.35. Refer to step 14 in the Normal Restore
section of this chapter, or complete Exercise 11.04, which walks you through the entire
process of performing a primary restore.
EXERCISE 11.04 PERFORMING A PRIMARY RESTORE
1. Reboot or boot your DC.
2. When prompted, press F8 during Windows Server 2003 startup.
3. On the Advanced Startup Options menu that appears, select Directory
Services Restore Mode.
4. Log on by providing the password for the local administrator account
and clicking the OK button.
5. Open the Windows Server 2003 Backup utility from Start | All
Programs | Accessories | System Tools | Backup.
6. On the initial page of the wizard, click the Next button.
7. Select the option button next to Restore files and settings, and click
the Next button.
8. Click the plus sign next to File in the left pane. If your backup file does
not appear, click the Browse… button and select the file from the
Open Backup File dialog box.
9. Click the plus sign next to the file to which you backed up the system
state data and select the check mark next to the backup you want to
restore that appears beneath it.
10. Click the Next button after making your selection.
11. Click the Advanced… button.
12. Accept the default restore location, Original location, and click the
Next button.
13. Select the Replace existing files option and click the Next button to
proceed.
14. On the Advanced Restore Options page, select the check box next to
When restoring replicated data sets, mark the restored data as the
primary data for all replicas and accept all other defaults.
15. Click the Next button.
16. Click the Finish button to begin the restore.
17. The restore will take at least a few minutes. When it is finished, click
the Report… button to view the restore log associated with the job.
Review it for any error messages, such as those pertaining to files that
had to be skipped. After reviewing the log, close the Notepad application.
18. Close the Backup utility and reboot the server normally.
Troubleshooting Active Directory Availability
Microsoft recommends checking the Event Viewer logs and careful monitoring of performance
counters as initial steps when troubleshooting Active Directory availability. As mentioned
previously, each of these tools can provide you with detailed and extensive
information regarding where to begin your efforts. Another very important factor to consider
when troubleshooting Active Directory is name resolution. Windows 2000 and later
computers use the DNS service to locate Active Directory components, including GC
servers and DCs.
Setting Logging Levels for Additional Detail
The default level of logging for all aspects of Active Directory is 0. This is the lowest level
of logging, and while it guarantees that fatal and critical errors will be logged, it omits substantial
amounts of information that can be beneficial when troubleshooting. The possible
range is from 0 (which logs the least amount of information) to 5 (which logs the most).
Most of the information is logged to the application log in Event Viewer.
WARNING
Setting the logging value above 3 for any aspect of Active Directory can fill the
application log very quickly and substantially degrade system performance. In general,
the level should be elevated temporarily only in instances when you need
more information for troubleshooting purposes.
EXAM 70-294 OBJECTIVE 2.5.3
There is a wide range of individual aspects of Active Directory for which you can
specify individual logging levels by editing the Registry. All of the pertinent values are
located in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
NTDS\Diagnostics Registry subkey, shown in Figure 11.41. The available settings include:
Knowledge Consistency Checker (KCC)
Security Events
ExDS Interface Events
MAPI Interface Events
Replication Events
Garbage Collection
Internal Configuration
Directory Access
Internal Processing
Performance Counters
Initialization/Termination
Service Control
Name Resolution
Backup
Field Engineering
LDAP Interface Events
Setup
Global Catalog
Inter-site Messaging
Group Caching
Linked-Value Replication
DS RPC Client
DS RPC Server
DS Schema
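As an added example (not code from the book), the following PowerShell script reads the current levels under the Diagnostics subkey, raises one category for a troubleshooting session, and hands back the previous level so it can be restored afterwards; the function names are my own, and it assumes PowerShell 2.0 or later running as a local administrator on the DC.

```powershell
# Added example, not the book's own code. Assumes PowerShell 2.0+ on the DC,
# run as a local Administrator. Function names are my own.
$DiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-NtdsDiagnosticLevel {
    # One object per logging category under the Diagnostics subkey, level 0-5.
    $props = Get-ItemProperty -Path $DiagKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip provider metadata
        New-Object PSObject -Property @{ Category = $p.Name; Level = [int]$p.Value }
    }
}

function Set-NtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory=$true)] [string] $Category,   # e.g. 'Replication Events'
        [Parameter(Mandatory=$true)] [ValidateRange(0,5)] [int] $Level
    )
    # Each value name carries a numeric prefix (e.g. '5 Replication Events'),
    # so match on the category text rather than the full value name.
    $hits = @(Get-NtdsDiagnosticLevel | Where-Object { $_.Category -like "*$Category" })
    if ($hits.Count -eq 0) { throw "No diagnostics value matches '$Category'." }
    if ($hits.Count -gt 1) { throw "'$Category' matches more than one value; be more specific." }
    if ($Level -gt 3) {
        Write-Warning "Level $Level fills the event log quickly and slows the DC; revert when done."
    }
    Set-ItemProperty -Path $DiagKey -Name $hits[0].Category -Value $Level -Type DWord
    return $hits[0]   # still holds the previous level, so the caller can restore it
}

# Typical session: raise Replication Events to 3, reproduce the problem,
# pull the new events, then put the level back to what it was.
$previous = Set-NtdsDiagnosticLevel -Category 'Replication Events' -Level 3
try {
    # ... reproduce the replication problem here ...
    # On a DC the NTDS diagnostics events are written to the Directory Service
    # log; the Application log is worth checking as well.
    Get-EventLog -LogName 'Directory Service' -Newest 50 -After (Get-Date).AddMinutes(-10) |
        Where-Object { $_.Source -like 'NTDS*' } |
        Select-Object TimeGenerated, EventID, Source, Message
}
finally {
    Set-NtdsDiagnosticLevel -Category 'Replication Events' -Level $previous.Level | Out-Null
}
```

The finally block guarantees the level is lowered again even if the event query fails, which keeps the log-flooding condition from the WARNING above from persisting unnoticed.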
In addition to the extra detail that can be specified for logging to the Event
Viewer, Active Directory provides log sources for tracking and troubleshooting purposes.
These are located in the %SYSTEMROOT%\Debug folder. Included are logs that were created
during the installation of AD that provide significant information about the configuration
of Active Directory and its related services. Other key logs in this directory relate to
FRS. For example, the NtFrs_XXXX.log files contain detailed information about the
function of FRS on the DC. There might be several of these on your system. Generally,
another is added with each system reboot, and they will appear as NtFrs_0001.log to
NtFrs_0005.log. When the maximum number of 5 is reached, the oldest is deleted and a
new one is created in its place, and all existing log file names are decremented by 1.
New logs will also be created when existing logs get full. By default, these logs generally
hold between 1.5 and 2.5MB of information before Active Directory considers them full.
Using Ntdsutil Command Options
A number of repair options within the Ntdsutil command-line utility provide assistance in
ensuring the consistency of the database. In the following subsections, we’ll examine the use
of these options in troubleshooting and maintaining Active Directory health and availability.
Using the Integrity Command
The integrity command is used to detect low-level corruption of the database. It performs
its work at the binary level, which means that it reads every byte of the ESE database structure
looking for corruption. Note that although the ESE structure forms the basis of Active
Directory, this command might not parse all Active Directory database information. Some
critical Active Directory information is additional to and outside the knowledge of the esentutl
command that this option uses. Because of the detailed checking it performs, this tool
often takes a while to complete its operations.
Figure 11.41 Configuring Additional Logging Detail Using the Registry
In addition to the byte-level corruption check mentioned previously, the Ntdsutil
integrity command also performs a full check on the integrity of the directory service files.
After successfully running the command, Microsoft suggests that you perform a semantic
database analysis (covered in a later section). The Ntdsutil integrity command must be performed
when the database is offline, so you have to run it from Directory Services Restore
Mode. To use the command, follow these steps:
1. Boot or reboot the computer.
2. When prompted, press F8 during Windows Server 2003 startup.
3. Select Directory Services Restore Mode (Windows DCs only) in the
Windows Advanced Options menu that appears, and press the Enter key.
4. Select your operating system (for example, Windows Server 2003, Enterprise),
and press the Enter key.
5. You will see a number of checks performed while the system is booting, and
eventually you will receive the Safe Mode logon prompt.
6. Log on by providing the password for the local administrator account and clicking
the OK button.
7. Click the OK button in the dialog box that notifies you that Windows is running
in safe mode.
8. Open a command prompt.
Head of the Class…
Where Did Esentutl Come From?
Esentutl.exe was included in Windows NT 4.0. A similarly named utility, eseutil.exe,
comes with Exchange. As the name implies, these were designed for repairing ESE
databases. In Windows 2000/2003, Ntdsutil acts as a “front end” for esentutl. You
can also run the Esentutl utility itself, by typing esentutl at the command line with
one of the following parameters to denote mode of operation:
/d <database name> Defragmentation mode
/r <logfile base name> Recovery mode
/g <database name> Integrity mode
/k <database name> Checksum mode
/p <database name> Repair mode
/m[mode-modifier] <filename> File dump
We address the use of esentutl by itself later in this chapter.
9. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility so the
command prompt will change to ntdsutil:.
10. Type files. The command prompt should change to display file maintenance:.
11. Type integrity.
12. View and evaluate the information displayed on the screen as the process runs.
Figure 11.42 shows an error-free display, and Figure 11.43 shows a display
with errors.
13. Type quit to return to the ntdsutil: prompt.
14. Type quit again to exit the utility.
15. Close the command prompt window and reboot the server normally.
Figure 11.42 A Successful Integrity Check Showing No Errors