Before going through this, install the Backup feature from Server Manager.
1. Open up your command prompt by clicking Start, typing "cmd" and hitting Enter.
2. In your command prompt type

wbadmin start systemstatebackup -backuptarget:e:

and press Enter.

Note: You can use a different backup target of your choosing.
3. Type "y" and press Enter to start the backup process.
When the backup has finished running you should get a message that the backup completed successfully. If it did not complete properly you will need to troubleshoot before relying on it.

Now you have a system state backup of your 2008 Server!
Authoritative Restore of Active Directory
So now what if you accidentally delete an OU, group, or user account and the deletion has already replicated to your other domain controllers? In that case you need to perform an authoritative restore of the Active Directory object you accidentally deleted.
1. To do this you will need to boot into DSRM (Directory Services Restore Mode) by restarting your server and pressing F8 during the restart.
2. Choose Directory Services Restore Mode from the Advanced Boot menu.
3. Log in to your server with the DSRM password you created during Active Directory installation.
4. Once you're logged in to your server in DSRM safe mode, open a command prompt by clicking Start, typing "cmd", and pressing Enter.
5. To make sure you restore the correct backup, run "wbadmin get versions" and write down the version identifier you need to use.
6. Now we need to perform a non-authoritative restore of Active Directory by typing

wbadmin start systemstaterecovery -version:04/14/2009-02:39

Note: The version of backup will vary depending on your situation. Type "y" and press Enter to start the non-authoritative restore.
7. Go grab some coffee and take a break while the restore completes.
8. You can mark the SYSVOL as authoritative by adding the -authsysvol switch to the end of the wbadmin command.

9. But if you want to restore a specific Active Directory object, you can use the ever-familiar ntdsutil.
For this example we are going to restore a user account with a distinguished name of "CN=Test User,CN=Users,DC=example,DC=com". So the commands would be:

ntdsutil
activate instance ntds
authoritative restore
restore object "cn=Test User,cn=Users,dc=example,dc=com"

Note: The quotes are required.
10. Reboot your server into normal mode and you're finished. The object will be marked as authoritative and replicate to the rest of your domain.
Using Active Directory Snapshots
There is a really cool new feature in Windows Server 2008 called Active Directory Snapshots. The Volume Shadow Copy Service now lets us take a snapshot of Active Directory as a type of backup. Snapshots are very quick to create and serve as another line of defense in your backup strategy.
With your server booted into normal mode, open a command prompt by clicking Start, typing "cmd", and pressing Enter.
We are going to use ntdsutil again to create the Active Directory snapshot. The commands are:

ntdsutil
snapshot
activate instance ntds
create
quit
quit
So now that you have a snapshot of AD, how do you access the data? First we need to mount the snapshot using ntdsutil. The commands are:

ntdsutil
snapshot
list all
mount 1
quit
quit

Note: Mount the snapshot you actually need; for this example there is only one, so its index is 1.
Your snapshot is mounted, but how do you read the data in it? We need to use the dsamain command to accomplish this, and we need to pick an LDAP port for it to listen on. The command is as follows:

dsamain -dbpath c:\$SNAP_200905141444_VOLUMEC$\WINDOWS\NTDS\ntds.dit -ldapport 10001
The result should look like the screenshot shown in the original post.
Now go to Start, Administrative Tools, then Active Directory Users and Computers.

Right-click Active Directory Users and Computers and select Change Domain Controller.

In the box that says < Type a Directory Server name [:port] here > enter the name of your server and the LDAP port you used when running the dsamain command.

For my example it would be: WIN-V22UWGW0LU8.HOME.LOCAL:10001

Now you can browse the snapshot of Active Directory without affecting the live directory.
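The snapshot, mount and dsamain steps above as one script; this is an added PowerShell example, not code from the original post, and it goes slightly beyond the post by mounting the snapshot by its set GUID instead of an index and unmounting it when dsamain exits. It assumes an elevated prompt on the DC, ntds.dit under %SystemRoot%\NTDS (the default), and the ntdsutil output lines quoted in the comments, which are taken from typical output rather than from the post.

```powershell
# Added example (not from the original post): snapshot -> mount -> dsamain as one script.
# Assumptions: elevated PowerShell on a Server 2008 or later DC, ntds.dit under
# %SystemRoot%\NTDS, and the ntdsutil message formats quoted in the comments below.
$LdapPort = 10001   # any free TCP port; 10001 matches the post

function Invoke-Ntdsutil {
    # ntdsutil accepts its interactive commands as arguments, so each step is one call.
    param([string[]]$Commands)
    $out = & ntdsutil.exe @Commands 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed:`n$out" }
    return $out
}

# 1. Create the snapshot (ntdsutil / snapshot / activate instance ntds / create).
$created = Invoke-Ntdsutil 'snapshot', 'activate instance ntds', 'create', 'quit', 'quit'
# Assumed success line: "Snapshot set {GUID} generated successfully."
if (-not ($created -match 'Snapshot set (\{[0-9A-Fa-f-]+\}) generated successfully')) {
    throw "No snapshot set GUID found in:`n$created"
}
$SetGuid = $Matches[1]

# 2. Mount that exact set by GUID instead of picking an index from "list all".
$mounted = Invoke-Ntdsutil 'snapshot', "mount $SetGuid", 'quit', 'quit'
# Assumed success line: "Snapshot {GUID} mounted as C:\$SNAP_200905141444_VOLUMEC$\"
if (-not ($mounted -match 'mounted as (\S+)')) {
    throw "No mount path found in:`n$mounted"
}
$MountPath = $Matches[1].TrimEnd('\')

# 3. The snapshot mirrors the system volume, so %SystemRoot%\NTDS\ntds.dit becomes
#    <mount>\Windows\NTDS\ntds.dit (the post's c:\$SNAP_..._VOLUMEC$\WINDOWS\NTDS path).
$DitPath = Join-Path $MountPath ($env:SystemRoot.Substring(3) + '\NTDS\ntds.dit')
if (-not (Test-Path -LiteralPath $DitPath)) { throw "ntds.dit not found at $DitPath" }

try {
    # dsamain serves the copy read-only on the chosen port and blocks until Ctrl+C.
    Write-Host "Connect ADUC to $($env:COMPUTERNAME):$LdapPort; press Ctrl+C here when done."
    & dsamain.exe -dbpath $DitPath -ldapport $LdapPort
}
finally {
    # The finally block still runs after Ctrl+C, so the snapshot is not left mounted.
    Invoke-Ntdsutil 'snapshot', "unmount $SetGuid", 'quit', 'quit' | Out-Null
}
```

The snapshot itself stays on disk after the unmount and still appears under "list all" until it is deleted with ntdsutil's snapshot delete command.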