Chapter 5: Maintaining the Active Directory Environment

Maintaining Active Directory Domain Services (AD DS) involves a variety of tasks related to backing up and restoring data, monitoring activity, and offline maintenance. Some of the tasks presented in this chapter should be performed regularly, and automated when feasible. Other tasks will only be necessary when certain situations arise, such as the need to optimize performance or to troubleshoot unexpected behavior. This chapter introduces the graphical and command prompt tools you use for maintaining a healthy and reliable Active Directory. The tasks discussed include:

  • Configure backup and recovery.
  • Perform offline maintenance.
  • Monitor Active Directory.

Configuring Backup and Recovery

While nobody in their right mind hopes for disaster to strike, experienced systems administrators know that it's much better to have hundreds of backup tapes full of data that you never have to restore than to have a dire need to restore data yet not have the requisite tapes. Having a reliable system that automatically backs up business data daily is critically important. However, implementing and testing such a system is not enough; after it is deployed you need to verify that it works by periodically restoring data. In this section we will take a look at the data backup and restoration tools available for Active Directory Domain Services (AD DS) in Windows Server 2008.


Real World Example of Why You Want to Verify Your Backups Work!

Long before my career at Microsoft began I worked for a small consulting company that had assigned me to a long-term project at one of the global Internet Service Providers (ISPs) in the mid-1990s. I was helping their most senior technical support team to support Windows-based servers in their web hosting business. Some of my colleagues took over responsibility for a new customer that had become one of ours due to a recent business acquisition. The customer was using our firm to host a complex website for collaborating with business partners. The core of this operation was an ever-growing FTP server where the customer and their partners exchanged huge volumes of critical data. After the ISP took over management the customer asked us to replace the FTP server with a much larger one; my teammates ended up deploying a huge disk array with all sorts of redundancy built in, with a total capacity of over a terabyte. Remember, this was back when a lot of new computers shipped with hard disks under 1 gigabyte.

The volume of data stored on the new FTP server grew rapidly; within a few months there were several hundred gigabytes. Each datacenter in the web hosting business used a tape-based system for backing up all of the customers' web servers located in that datacenter over the network. The backup system worked great; when you needed to restore something it might take a while to pull the correct tape out of storage, but you knew it was there, ready to go. Since we never had trouble restoring data, none of the engineers who designed, implemented, or supported that FTP server with its huge storage array ever thought to make sure they could restore data from the backups. You can guess the rest. Something went horribly wrong with the array; I think one of the RAID controllers failed completely and the backup controller started writing corrupt data across the disk set. That destroyed nearly all of the data stored on the FTP server. Time to call in the backup tapes, but the restore jobs kept failing. None of them had more than 40 or 50 gigabytes of data, a fraction of what should have been there! I was one of the lucky people called in to figure out what went wrong and to try to fix things. We found that the backup job scheduled on the FTP server would start on time late each night and run for 24 hours, then it would abruptly terminate when the next scheduled backup job commenced. So no backup had more than 24 hours to complete, and during those 24 hours only 40 or 50 gigabytes could be sent across the network to the backup device. We restored what we could and then spent weeks working with the customer and their partners to retrieve their copies of the data. Incidentally, the ISP went bankrupt a few years later. Could be a coincidence, but still…


Using Windows Server Backup

The new Windows Server Backup tool is the built-in application for backing up data in Windows Server 2008. To install it from Server Manager, navigate to Features and click Add Features. Expand Windows Server Backup Features and enable Windows Server Backup and Command-line Tools; click Add Required Features if prompted to install PowerShell as well. Complete the wizard.

Backing up data in Windows Server 2008 differs from Windows Server 2003 and Windows 2000 in several important ways: only full volumes can be backed up when using the graphical tool, so you cannot back up system state separately; backups can only be written to disk or DVD, not tape; and performance has been improved through the use of the Volume Shadow Copy Service (VSS). You can use the wbadmin command line tool with the start systemstatebackup parameter to back up system state data rather than the entire system volume. Enter wbadmin /? at a command prompt to see the other options available with this tool.

To initiate a backup or schedule periodic backups, open Windows Server Backup from the Administrative Tools folder. Several wizards can be launched from the actions pane; to configure scheduled backups click Backup Schedule. You will be prompted for the following:

  • Specify whether to back up the full server or only specific volumes.
  • Specify the time of day to perform the backup, or select multiple times if you wish to perform more than one backup per day, as shown in figure 1.

Figure 1: Specifying the Backup Time.

  • Select the disk where the backup will be written. By default only the most likely disk is shown; click Show All Available Disks to specify a different one.
  • A Confirmation page will be displayed that summarizes the backup job’s configuration, as shown in figure 2.

Figure 2: Confirmation Page of the Backup Schedule Wizard.

The Backup Once Wizard is similar to the Backup Schedule Wizard; the primary difference is that you don’t specify a time because the backup begins immediately at the end of the wizard. Another difference with this wizard is that you can specify a network folder for the destination.

Important: To help recover from problems your production domains should each have multiple domain controllers (DCs) so that if one fails the others can continue to provide AD DS services. When one DC fails it is usually possible to create a replacement by promoting a new server to that role; however, having more than one DC in a domain does not remove the need for backups. Several situations can arise where the only way to recover is by restoring from backup, including when objects are accidentally deleted from the AD DS directory or when all domain controllers are lost due to a major disaster such as an earthquake.
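The lesson of the FTP server story is that a backup job that runs is not the same as a backup that exists. As an added example (not code from the chapter), the following PowerShell script runs a system state backup with wbadmin and then checks, from the output of wbadmin get versions, that a backup actually exists on the target and is newer than the expected backup interval. It assumes PowerShell 2.0 or later in an elevated session on the DC, the Windows Server Backup command-line tools installed, and E: as the backup disk; the drive letter, the 24-hour threshold and the sample listing used to exercise the parser are constructed values, and the "Backup time:" line format is taken from wbadmin's English output, so compare it with your own.

```powershell
# Added example, not part of the chapter. Assumes PowerShell 2.0+, an elevated
# session, Windows Server Backup command-line tools installed, and E: as the
# backup disk (constructed; substitute your own drive letter or UNC path).
$BackupTarget = 'E:'
$MaxAgeHours  = 24     # assumption: one system state backup per day is expected

function Start-SystemStateBackup {
    param([string]$Target)
    # The command the chapter describes; -quiet suppresses the y/n prompt.
    & wbadmin start systemstatebackup "-backupTarget:$Target" -quiet | Out-Null
    return $LASTEXITCODE
}

function Get-BackupTimes {
    # Extracts every "Backup time:" value from the text of "wbadmin get versions".
    # The line format is assumed from wbadmin's English output; check yours.
    param([string[]]$WbadminOutput)
    $WbadminOutput | ForEach-Object {
        if ($_ -match '^\s*Backup time:\s*(.+)$') { [datetime]::Parse($matches[1].Trim()) }
    }
}

function Test-BackupIsCurrent {
    # True when the newest backup is no older than $MaxHours relative to $Now.
    param([datetime[]]$Times, [int]$MaxHours, [datetime]$Now = (Get-Date))
    if (-not $Times -or $Times.Count -eq 0) { return $false }
    $newest = ($Times | Sort-Object -Descending)[0]
    return (($Now - $newest).TotalHours -le $MaxHours)
}

# Constructed sample of the listing, used here to show the parser working offline.
$sampleListing = @(
    'Backup time: 5/20/2008 9:00 PM',
    'Backup target: Fixed Disk labeled E:',
    'Version identifier: 05/21/2008-04:00',
    'Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State',
    '',
    'Backup time: 5/21/2008 9:00 PM',
    'Backup target: Fixed Disk labeled E:',
    'Version identifier: 05/22/2008-04:00',
    'Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State'
)
$sampleTimes = Get-BackupTimes -WbadminOutput $sampleListing
# Relative to a clock of 22 May 2008 08:00 the newest sample backup is 11 hours old, so this is $true.
Test-BackupIsCurrent -Times $sampleTimes -MaxHours $MaxAgeHours -Now ([datetime]'2008-05-22 08:00')

# Live run: back up, then verify what the catalog on the target actually contains.
$rc = Start-SystemStateBackup -Target $BackupTarget
if ($rc -ne 0) { Write-Warning "wbadmin returned exit code $rc; inspect 'wbadmin get status'" }
$liveTimes = Get-BackupTimes -WbadminOutput (& wbadmin get versions "-backupTarget:$BackupTarget")
if (Test-BackupIsCurrent -Times $liveTimes -MaxHours $MaxAgeHours) {
    Write-Host "OK: a system state backup newer than $MaxAgeHours hours exists on $BackupTarget"
} else {
    Write-Warning "No system state backup on $BackupTarget within the last $MaxAgeHours hours"
}
```

The check reads the catalog on the backup target rather than trusting the exit code of the job, which is the distinction the FTP server story turned on; scheduling this script to run after the nightly job and forwarding the warning is the cheap half of verification, and the periodic test restore described above remains the other half.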

Restoring Active Directory Data

When you want to repair a failed DC rather than promote another server to that role, you can perform a nonauthoritative restore to that DC after fixing it. A nonauthoritative restore means that the objects in the database on the recovered DC can be overwritten during replication. An authoritative restore differs significantly because restored objects are marked so that they are replicated to the other DCs in the domain, overwriting whatever contradictory information those DCs may have held. An authoritative restore is necessary when you are recovering lost data such as accidentally deleted objects.

To perform a nonauthoritative restore you must boot the server into Directory Services Restore Mode (DSRM), one of the options available from the Advanced Boot Options menu, which you access by pressing F8 at the beginning of the boot process. DSRM is another type of safe mode, unique to DCs, in which AD DS is not running.

  1. Log in using the local administrator account, specifying .\administrator as the username.
  2. Open a command prompt.
  3. To see a list of available backups enter wbadmin get versions -backuptarget:location where location is the drive letter or UNC path where the backups are stored, as shown in figure 3. The version identifier is the date and time the backup was performed.

Figure 3: Viewing Available Backups.

  4. Enter wbadmin start systemstaterecovery -version:id -backuptarget:location where id is the version identifier and location is the drive letter or UNC path where the backups are stored.
  5. When prompted, enter y to confirm that you want to begin the recovery process, as shown in figure 4.
  6. Reboot the DC when the restore is finished.

Figure 4: Restoring AD DS Data.

Authoritative restores are conducted the same way, except that before rebooting the DC you use Ntdsutil to mark objects as authoritative. You can mark objects one at a time, or you can mark entire subtrees. To perform an authoritative restore repeat steps 1 through 6 above, then proceed as follows:

  7. Enter ntdsutil at the command prompt.
  8. Enter activate instance ntds, then enter authoritative restore, as shown in figure 5.
  9. Enter restore object “dn” to restore a single object, where dn is the object’s distinguished name, or enter restore subtree “dn” to restore a subtree, where dn is the subtree’s distinguished name. If objects with backlinks are being restored, ntdsutil reports the location of an LDIF file that it creates.
  10. Exit ntdsutil and reboot the DC.

Figure 5: Conducting an Authoritative Restore.

Restoring group membership requires additional effort. AD DS uses links between user objects and group objects based on the distinguished name tag (DNT). These links are stored locally on each DC: the links stored with the group are called forward links, while backlinks are stored with the user objects and indicate which groups they belong to. Backlinks are unique to each DC and are not replicated; only forward links are replicated. Windows Server 2003 introduced linked value replication (LVR), which reduces replication traffic by replicating only changes in group membership rather than the entire membership list. The version of ntdsutil available with Windows Server 2008 and Windows Server 2003 with Service Pack 1 uses the backlink attribute to update membership in groups if LVR is enabled; if not, it creates an LDIF file that can be used to update the group memberships as follows:

  11. After the reboot is complete open a command prompt and enter repadmin /syncall domaincontroller /a /d /A /P /q where domaincontroller is the name of the restored DC.
  12. Navigate to the directory where the LDIF file was created by ntdsutil during step 9 above.
  13. Enter ldifde -i -k -f file where file is the name of the LDIF file. Repeat for each LDIF file created by ntdsutil.

Note: Ntdsutil is also used to reset the DSRM administrator password. From the ntdsutil prompt enter set dsrm password; next, enter reset password on server dc where dc is the name of the DC (or null for the local DC); finally, enter the new password when prompted.

Using the Database Mounting Tool

Windows Server 2008 provides a new tool called dsamain that can be used to examine a snapshot of the AD DS database without having to reboot into DSRM. It is a Lightweight Directory Access Protocol (LDAP) server which you access using ldp, ADSI Edit, and other LDAP tools. Dsamain can expose snapshots created with ntdsutil or database files restored to an alternate location by Windows Server Backup. This is very useful because you can examine the contents of various backups to ensure you restore the version that will most effectively recover the lost data, without having to repeatedly perform authoritative restores. The syntax for dsamain is dsamain /dbpath file /ldapport port where file is the path and filename of the database file and port is an unused port number that dsamain can listen on. You then specify this port number when connecting with your preferred LDAP utility.
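The typical use of dsamain is to answer "does the object I lost exist in this snapshot, and in what state?" before committing to an authoritative restore. As an added example (not code from the chapter), the following PowerShell script starts dsamain against a mounted snapshot on an alternate LDAP port, runs an LDAP search against it the same way ldp or ADSI Edit would, and then stops dsamain. It assumes PowerShell 2.0 or later in an elevated session on a Windows Server 2008 DC; the snapshot mount path, port number, domain DN and search filter are constructed placeholders. The ntdsutil snapshot commands in the comments (snapshot, activate instance, create, list all, mount, unmount) are the tool's real sub-commands; ntdsutil accepts them as command-line arguments.

```powershell
# Added example, not part of the chapter. Assumes PowerShell 2.0+ in an elevated
# session on a Windows Server 2008 DC. Path, port, DN and filter are constructed.
# To create and mount a snapshot first (real ntdsutil commands, run elevated):
#   ntdsutil snapshot "activate instance ntds" create quit quit
#   ntdsutil snapshot "list all" "mount 1" quit quit      <- prints the mount path
# and afterwards:  ntdsutil snapshot "list all" "unmount 1" quit quit
$DitPath  = 'C:\$SNAP_200805211200_VOLUMEC$\Windows\NTDS\ntds.dit'  # assumption: mounted snapshot
$LdapPort = 10389                                                    # assumption: a free TCP port
$DomainDn = 'DC=contoso,DC=com'                                      # assumption: your domain
$Filter   = '(sAMAccountName=jsmith)'                                # assumption: the lost account

function Search-DatabaseSnapshot {
    param([string]$Dit, [int]$Port, [string]$BaseDn, [string]$LdapFilter)
    # dsamain keeps running until stopped, so start it as a separate process.
    $dsamain = [System.Diagnostics.Process]::Start('dsamain.exe', "/dbpath `"$Dit`" /ldapport $Port")
    try {
        Start-Sleep -Seconds 10   # let dsamain open the database and start listening
        if ($dsamain.HasExited) {
            throw "dsamain exited early (exit code $($dsamain.ExitCode)); check the Directory Service log"
        }
        # Bind to the alternate port exactly as ldp.exe or ADSI Edit would.
        $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$Port/$BaseDn")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $LdapFilter)
        [void]$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'whenChanged', 'memberOf'))
        foreach ($r in $searcher.FindAll()) {
            New-Object PSObject -Property @{
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                WhenChanged       = [string]$r.Properties['whenchanged'][0]
                MemberOf          = @($r.Properties['memberof'] | ForEach-Object { [string]$_ })
            }
        }
    } finally {
        # Always stop the LDAP server; the snapshot itself is unmounted with ntdsutil.
        if (-not $dsamain.HasExited) { $dsamain.Kill() }
    }
}

$found = @(Search-DatabaseSnapshot -Dit $DitPath -Port $LdapPort -BaseDn $DomainDn -LdapFilter $Filter)
if ($found.Count -eq 0) {
    Write-Host "Object not present in this snapshot; try an older snapshot or backup before restoring"
} else {
    # The object exists here with these group memberships: this snapshot's date is a
    # candidate restore point, and MemberOf tells you what the LDIF step will need to put back.
    $found | Format-List DistinguishedName, WhenChanged, MemberOf
}
```

Because dsamain serves the snapshot read-only on a port nothing else uses, this check changes nothing on the DC; the only state it leaves behind is the mounted snapshot, which the unmount command in the comments removes.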

Performing Offline Maintenance

There are a few AD DS management tasks in addition to restoring data that have to be undertaken offline. Each DC automatically runs a garbage collection process every 12 hours to reclaim space freed up by object deletion. Every 12 hours each DC also defragments its copy of the domain database, which helps to optimize performance. When the defragmentation completes, an entry with event ID 701 is written to the Directory Service log, as shown in figure 6.

Figure 6: Viewing a Successful Online Defragmentation Event

Conducting Offline Defragmentation

Online defragmentation allows AD DS to reuse free space without actually shrinking the file size. The only way to reduce the size of the database is to conduct offline defragmentation. To do so perform the following:

  1. Open the Services console and stop the Active Directory Domain Services and all dependent services.
  2. Open a command prompt and enter ntdsutil.
  3. Enter Activate Instance NTDS.
  4. Enter files.
  5. Enter info to see information about the path for the AD DS database and log files.
  6. Enter compact to path where path is the drive and directory where ntdsutil can store a new, defragmented copy of the database. It will be called ntds.dit.
  7. When defragmentation is complete exit ntdsutil and copy the new ntds.dit file over the original, delete the old log files too.
  8. Reboot the DC.
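The eight steps above, carried out as one script, as an added example that is not code from the chapter. It uses the restartable AD DS feature of Windows Server 2008 (stopping the NTDS service and its dependents instead of rebooting into DSRM), keeps a copy of the original ntds.dit so the replacement can be undone, and runs the ntdsutil integrity check on the replaced database before AD DS comes back. It assumes PowerShell 2.0 or later in an elevated session on a DC that is not the only DC in its domain, and that D:\DefragWork (a constructed path) has room for a second copy of the database; the registry values it reads are the ones the NTDS service uses for its database and log paths, and the "Integrity check successful" string is taken from ntdsutil's English output.

```powershell
# Added example, not part of the chapter. Assumes PowerShell 2.0+ in an elevated
# session on a Windows Server 2008 DC that is not the only DC in its domain, and
# that D:\DefragWork (constructed) has free space for a second copy of ntds.dit.
$WorkDir = 'D:\DefragWork'

# The same paths that "files" -> "info" reports, read from where NTDS stores them.
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$DitPath = $ntdsParams.'DSA Database file'
$LogDir  = $ntdsParams.'Database log files path'

function Invoke-OfflineDefrag {
    param([string]$Dit, [string]$Logs, [string]$Work)
    New-Item -ItemType Directory -Path $Work -Force | Out-Null

    # Step 1 without a reboot: restartable AD DS lets us stop NTDS and whatever
    # depends on it (KDC, DNS, ISM, DFSR...) and restart the same set afterwards.
    $dependents = @((Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' })
    Stop-Service -Name NTDS -Force
    try {
        # Steps 2 to 6: ntdsutil accepts its sub-commands as arguments.
        & ntdsutil "activate instance ntds" files "compact to $Work" quit quit
        $newDit = Join-Path $Work 'ntds.dit'
        if (-not (Test-Path $newDit)) { throw "ntdsutil did not produce $newDit; original database untouched" }

        # Step 7, with a safety copy so the replacement can be reversed.
        $original = Join-Path $Work 'ntds.dit.original'
        Copy-Item -Path $Dit -Destination $original -Force
        Copy-Item -Path $newDit -Destination $Dit -Force
        Remove-Item -Path (Join-Path $Logs '*.log') -Force   # old logs belong to the old file

        # Check the replaced database before AD DS comes back; ntdsutil prints
        # "Integrity check successful." on success (string assumed from its English output).
        $check = & ntdsutil "activate instance ntds" files integrity quit quit 2>&1
        if (-not ($check -match 'Integrity check successful')) {
            Copy-Item -Path $original -Destination $Dit -Force
            throw "Integrity check failed; the original ntds.dit was put back. Output:`n$($check -join "`n")"
        }
        Write-Host "Defragmented: $((Get-Item $original).Length) -> $((Get-Item $Dit).Length) bytes"
    } finally {
        # Step 8 without a reboot: bring AD DS and everything that was running on top of it back.
        Start-Service -Name NTDS
        foreach ($svc in $dependents) { Start-Service -Name $svc.Name -ErrorAction SilentlyContinue }
    }
}

Invoke-OfflineDefrag -Dit $DitPath -Logs $LogDir -Work $WorkDir
```

The finally block is what makes the script safe to run unattended: whether the compaction succeeds, fails, or is interrupted, NTDS and the services that were running on top of it are restarted, so the worst outcome is a DC that comes back with its original database.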

Configuring Active Directory Database Storage Allocation

If you want to move the location where the AD DS database and log files are stored do the following:

  1. Open the Services console and stop the Active Directory Domain Services and all dependent services.
  2. Open a command prompt and enter ntdsutil.
  3. Enter Activate Instance NTDS.
  4. Enter files.
  5. Enter info to see information about the path for the AD DS database and log files.
  6. To move the database enter move db to path where path is the new location.
  7. To move the log files enter move logs to path where path is the new location.

Understanding Restartable Active Directory

In previous versions of AD DS, conducting offline functions required rebooting the DC into DSRM and then rebooting again into normal mode when finished. With Windows Server 2008 you can stop the AD DS service and the services that depend on it, perform maintenance tasks such as offline defragmentation, and then restart the services. Although the DC will not be able to authenticate users or replicate the AD DS database while the services are stopped, other network services that it provides, such as shared network folders and printers, will continue to be available. Other DCs in the domain will still be able to conduct user authentication and other AD DS functions.

Monitoring Active Directory

A properly designed AD DS usually runs well with little administrator intervention, however things do go wrong occasionally. Additionally, in order to improve performance you need to understand what is going on and what aspects of your deployment are limiting performance. This section discusses the tools you use for monitoring and troubleshooting AD DS.

Using Task Manager

The version of Task Manager included with Windows Server 2008 includes many improvements over what was available in Windows Server 2003. There are new tabs available and more information is available in some tabs. To start Task Manager right-click anywhere on the Taskbar and select Task Manager. You can use the Applications tab to view and terminate applications running in the context of the account that you are currently logged on with. Right-click on an application to see what commands are available for managing it: you can create a dump file for debugging purposes, end the application, jump to the process that owns the application on the Processes tab, and perform a few other operations.

As shown in figure 7, from the Processes tab you can right-click on a process to perform other procedures, including opening a new Windows Explorer window at the location of the process’ binary file; ending the process or the process’ tree; changing its CPU affinity; debugging; managing virtualization; creating a dump file; changing priority; viewing properties; or jumping to the corresponding service for the process on the Services tab. The virtualization command merits further note: Windows automatically virtualizes the file system and registry for programs that do not appear to be Windows Vista or Windows Server 2008-compatible. This command allows you to forcibly virtualize or de-virtualize processes on the fly. When a process is virtualized, changes it makes to the registry or file system are written to your user profile rather than a machine-wide location such as %programfiles%.

You can view the processes executing in the context of your account, or you can view all processes by enabling Show processes from all users. Doing so will let you see processes running in the context of service accounts, the local system account, and other users. Be cautious when ending processes, changing virtualization, or changing priority, as these actions could make the server unstable or even unresponsive if the wrong action is performed on a critical process. You can see additional information about running processes by selecting Select Columns from the View menu and specifying which columns to display.

Figure 7: Viewing the Processes Tab in Task Manager

From the Services tab you can right-click on a service and stop or start it, or jump to its corresponding process on the Processes tab. The Performance tab displays a summary of CPU and memory usage, while the Networking tab presents an overview of the utilization of each active network interface. The Users tab displays all of the interactively logged on users; you can right-click on a user to forcibly disconnect or log them off.

Tip: While the built-in Task Manager is an improvement, it's still not as powerful as some systems administrators would like. In 2007 Microsoft acquired a company called Sysinternals, a company that has published some brilliant utilities for Windows. Links to their utilities can be found at http://www.microsoft.com/sysinternals; Process Monitor is my favorite. Mark Russinovich and Bryce Cogswell created it, and they continue to maintain it. It's much more powerful than Task Manager and capable of logging very detailed information about system activity. Although you do not need to study Process Monitor or other Sysinternals tools for the exam, you may find them to be valuable.

Using Event Viewer

As noted in Creating and Maintaining Active Directory Objects, the auditing and event logging subsystems in Windows Server 2008 and Windows Vista have been rewritten from the ground up. Event Viewer is dramatically different from earlier versions, both in its appearance and in its capabilities. Figure 8 shows the new user interface; note that many new logs are visible in the navigation tree to the left and new commands are available in the actions pane on the right.

Figure 8: Examining the Event Viewer User Interface.

You can select any log in the navigation tree and view individual events in the details pane; double-clicking on an event opens a new window with detailed information about the event. You can right-click on an event to perform a few additional actions. You can configure Windows to automatically perform tasks such as sending email messages to systems administrators or restarting system services when a particular event occurs by selecting Attach Task To This Event. The Create Basic Task Wizard will launch and walk you through the procedure of configuring actions for the task. When you complete the wizard the task is recorded in Task Scheduler; you can modify the task from that management tool by navigating to Event Viewer Tasks in the navigation pane, right-clicking the task, and selecting Properties, as shown in figure 9. Additional options are available on each tab of the Properties dialog box.

Figure 9: Viewing the Properties of an Event Viewer Task.

Microsoft has made many additional logs available in Event Viewer: expand Applications and Services Logs, expand Microsoft, then expand Windows to view the list of categories. Expand an individual category to view its logs. Other software vendors are able to register their own logs in the same manner if they wish. Custom Views allow you to collect events from multiple sources and filter them; several custom views are pre-configured for domain controllers and other server roles. The first time you click on Subscriptions you will be prompted to enable the Windows Event Collector Service. You can subscribe to events from remote computers so that you can view events from various logs on multiple computers in a single interface. This is a powerful troubleshooting feature; once you configure a subscription the specified events will be collected and stored locally. You will also need to enter winrm quickconfig at a command prompt with administrative privileges on each source computer.

What kinds of events should you watch when monitoring AD DS? You should track events relating to the Active Directory service, database storage, and replication. You should also track the File Replication Service, Distributed File System Replication, DNS, and the operations master roles.
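The logs just listed can be swept from a script as well as from Event Viewer. As an added example (not code from the chapter), the following PowerShell collects the errors and warnings of the last 24 hours from the Directory Service, DNS Server, File Replication Service and DFS Replication logs, collapses repeated events into one row per log and event ID, and separately confirms that event ID 701 (online defragmentation completed, which the chapter says should appear every 12 hours) has been logged. It assumes PowerShell 2.0 or later and the right to read the logs on the DC; the log names are the classic Windows Server 2008 names, and role-specific logs that are not present are skipped.

```powershell
# Added example, not part of the chapter. Assumes PowerShell 2.0+ on (or with
# rights to read the logs of) the DC. Role-specific logs that do not exist on
# this server (e.g. DNS Server on a DC without the DNS role) are skipped.
$AdLogs = 'Directory Service', 'DNS Server', 'File Replication Service', 'DFS Replication'

function Get-RecentAdProblems {
    # Errors and warnings from the AD DS-related logs in the last $Hours hours.
    param([string[]]$LogNames, [int]$Hours = 24, [string]$ComputerName = '.')
    $since   = (Get-Date).AddHours(-$Hours)
    $present = Get-EventLog -List -ComputerName $ComputerName | ForEach-Object { $_.Log }
    foreach ($log in $LogNames) {
        if ($present -notcontains $log) { continue }
        Get-EventLog -LogName $log -ComputerName $ComputerName -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Log     = $log
                    Time    = $_.TimeGenerated
                    Type    = $_.EntryType
                    Source  = $_.Source
                    EventID = $_.EventID
                    Summary = ($_.Message -split "`r?`n")[0]   # first line only
                }
            }
    }
}

function Test-OnlineDefragCompleted {
    # True when event ID 701 (online defragmentation finished) was written to the
    # Directory Service log within the last $Hours hours; it is expected every 12 hours.
    param([int]$Hours = 24, [string]$ComputerName = '.')
    $since = (Get-Date).AddHours(-$Hours)
    $hits = Get-EventLog -LogName 'Directory Service' -ComputerName $ComputerName -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 701 }
    return [bool]$hits
}

# Collapse repeated events into one row per log and event ID, newest first.
Get-RecentAdProblems -LogNames $AdLogs |
    Group-Object Log, EventID |
    ForEach-Object {
        $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
        New-Object PSObject -Property @{
            Count = $_.Count; Log = $latest.Log; EventID = $latest.EventID
            Source = $latest.Source; Latest = $latest.Time; Summary = $latest.Summary
        }
    } |
    Sort-Object Latest -Descending |
    Format-Table Count, Log, EventID, Source, Latest, Summary -AutoSize

if (-not (Test-OnlineDefragCompleted)) {
    Write-Warning "No event 701 in the last 24 hours: online defragmentation may not be running"
}
```

Grouping by event ID is what makes the output readable on a DC with a replication partner down, where the same warning repeats every few minutes; the Count column shows how persistent each problem is while the Latest column shows whether it is still happening.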

Monitoring Active Directory Replication

The Directory Service log is a great source of information on AD DS replication; there are also two command prompt tools you should be familiar with: repadmin and dcdiag. Dcdiag can perform a variety of tests that help to isolate unexpected behavior on domain controllers. For example, entering dcdiag /test:replications displays information about replication, including any errors. Repadmin is used to view the replication topology from a domain controller, force replication, manually configure replication, and view replication data. The most common commands to use with repadmin when troubleshooting replication issues are the following:

  • repadmin /replsummary – Summarizes problems with replication.
  • repadmin /showrepl – Shows the status of the most recent inbound replication job on the specified domain controller.
  • repadmin /showrepl /csv – Displays the showrepl report in comma-separated value (CSV) format, useful for analyzing in a spreadsheet application.
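The CSV form of the showrepl report is just as useful in a script as in a spreadsheet. As an added example (not code from the chapter), the following PowerShell function runs repadmin /showrepl /csv (or accepts saved output), and returns every inbound replication partner that either has failures recorded or has not replicated successfully within a stated number of hours, since a partner that reports zero failures but last succeeded days ago is also a problem. It assumes PowerShell 2.0 or later and repadmin on the path (installed with the AD DS role); the column names are those in the header row of repadmin's English CSV output, and the sample rows, DC names and the 24-hour staleness threshold are constructed so the filter can be tried without a live forest.

```powershell
# Added example, not part of the chapter. Assumes PowerShell 2.0+ and repadmin on
# the path. Column names are from the English header row of "repadmin /showrepl /csv";
# the sample rows below are constructed.
function Get-ReplicationProblems {
    param(
        [string[]]$CsvLines,              # saved repadmin /showrepl ... /csv output; omit to run it live
        [string]$Scope = '*',             # '*' = every DC repadmin can reach, or one DC name
        [int]$StaleHours = 24,            # assumption: flag partners with no success in this long
        [datetime]$Now = (Get-Date)
    )
    if (-not $CsvLines) { $CsvLines = & repadmin /showrepl $Scope /csv }
    foreach ($r in ($CsvLines | ConvertFrom-Csv)) {
        $failures = [int]$r.'Number of Failures'
        $lastOk = $null
        try { if ($r.'Last Success Time' -and $r.'Last Success Time' -ne '0') { $lastOk = [datetime]$r.'Last Success Time' } }
        catch { $lastOk = $null }          # unparseable timestamp: treat as unknown, i.e. stale
        $stale = ($lastOk -eq $null) -or (($Now - $lastOk).TotalHours -gt $StaleHours)
        if ($failures -gt 0 -or $stale) {
            New-Object PSObject -Property @{
                Destination   = $r.'Destination DSA'
                Source        = $r.'Source DSA'
                NamingContext = $r.'Naming Context'
                Failures      = $failures
                LastSuccess   = $lastOk
                LastStatus    = $r.'Last Failure Status'
            }
        }
    }
}

# Constructed sample: DC01 replicates the domain partition from DC02 (healthy) and
# from DC03 (three failures, last status 1722 = RPC server unavailable, two days stale).
$sample = @(
    'showrepl_COLUMNS,Destination DSA site,Destination DSA,Naming Context,Source DSA site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
    'showrepl_INFO,HQ,DC01,"DC=contoso,DC=com",HQ,DC02,RPC,0,0,2008-05-21 14:00:12,0',
    'showrepl_INFO,HQ,DC01,"DC=contoso,DC=com",Branch,DC03,RPC,3,2008-05-21 13:55:02,2008-05-19 09:12:44,1722'
)
# Evaluated against a clock of 21 May 2008 16:00 only the DC03 link is reported.
Get-ReplicationProblems -CsvLines $sample -Now ([datetime]'2008-05-21 16:00') |
    Format-Table Destination, Source, NamingContext, Failures, LastSuccess, LastStatus -AutoSize

# Live: Get-ReplicationProblems | Format-Table -AutoSize
```

Run with the default scope this queries every DC, so it answers "is anything in the forest not replicating?" in one call, which is the question repadmin /replsummary answers in summary form; the per-partner rows are what you need next to know which link to look at.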

Caution: just because you can manually configure the replication topology does not mean you should. Under normal operations the Knowledge Consistency Checker automatically manages the replication topology, incorrectly configuring it could cause frustrating problems.

Using Reliability and Performance Monitor

The new Reliability and Performance Monitor is much more capable than the comparable tools that were available in Windows 2000 and Windows Server 2003. It also includes many of the features available in the Windows Server 2003 downloadable utility called Server Performance Advisor. To get started with the Reliability and Performance Monitor, use the console tree to navigate to Performance Monitor, where you can add performance counters to see detailed information about resource usage of various system components. Right-click on the graph and select Add Counters. Under Available counters, expand DirectoryServices and select several counters, as shown in figure 10. Click Add to copy the counters to the Added counters list. To view a brief description of each counter enable the Show description checkbox. When you are finished adding counters click OK.

Figure 10: Adding Counters in Performance Monitor.

New to Windows Server 2008 and Windows Vista are Data Collector Sets; these contain data collection points and can be used for scheduling data collection, viewing the collected data, and running scripts or other tasks after the Data Collector Set stops collecting information. They can include performance counters, event trace data, system configuration information, and alerts. You can use a predefined set to get started: right-click on Active Directory Diagnostics and select Start to begin collecting data. After a few minutes right-click Active Directory Diagnostics and select Stop, then navigate to Reports, System, Active Directory Diagnostics and select the new report. There is a tremendous amount of data available in the report; I encourage you to explore it thoroughly.

Using Windows System Resource Manager

Windows System Resource Manager (WSRM) is an optional tool available with the Enterprise Edition of Windows Server 2008. WSRM controls how CPU and memory resources are allocated based on characteristics such as date, time, user, and process path. To install WSRM from Server Manager, click on Add Features, select Windows System Resource Manager (WSRM), add required features if prompted, click Next, then click Install. Start WSRM from the Administrative Tools menu; you will be prompted to specify which computer you want to manage. I am surprised that it is listed on the exam’s list of topics because I do not see how WSRM can do any monitoring activities that cannot be done more easily with the other tools discussed in this section. You could use it to adjust resource allocation to various AD DS components such as the DNS service or the File Replication Service, but making poor choices when configuring resource allocation could easily lead to reduced performance, so proceed carefully and test thoroughly.

First you configure process matching criteria by right-clicking on Process Matching Criteria and clicking New Process Matching Criteria. You can specify a path, running process, system service, or application. Then use your new criteria to create an allocation policy: right-click Resource Allocation Policies, then click New Resource Allocation Policy. You select the process matching criteria and configure CPU allocation on the General tab of the Add or Edit Resource Allocation dialog box, as shown in figure 11. The Memory tab is used to configure the maximum committed memory and maximum working set. You can specify which CPU to use or suballocate processor resources on the Advanced tab.

Figure 11: Configuring a Resource Allocation Policy in WSRM

You can learn more about WSRM online by reading Windows Server Code Name "Longhorn" Windows System Resource Manager Step by Step Guide.

Using Network Monitor

Network Monitor is a packet sniffer for capturing and analyzing network traffic. It can be used for troubleshooting certain kinds of problems, however, leveraging this tool effectively requires an understanding of the protocols under examination. Network Monitor is available for download from Microsoft. Download and install it on a server in the AD DS domain in your practice lab. Open the tool and verify that the network interface used for AD DS communication is enabled by examining the Select Network tab in the lower left pane, then click Create a new capture file in the upper left pane. The user interface changes considerably, there are now five panes visible, some with multiple tabs, as well as menus and icons in rows near the top.

First, start capturing traffic by clicking the Start Capture icon; it looks like a green arrow pointing to the right. You can also start capturing by pressing the F10 key. Open Windows Explorer on a different computer in the same domain and navigate to \\servername\c$ where servername is the name of the server running Network Monitor. Stop capturing traffic by clicking the Stop Capture icon; it looks like a red square to the right of the Start Capture icon. You can also stop capturing by pressing the F11 key. Network Monitor should look similar to figure 12; however, I resized the panes because I cannot read hexadecimal as displayed in the Hex Details pane, and I added a display filter so that only traffic between the DC and the server connecting to it is visible.

Figure 12: Reviewing Packets Captured by Network Monitor

Take a close look at the interface: all of Network Monitor’s functions can be accessed through the menus and icons at the top of the window. Below the toolbar there are several tabs visible: Start Page is displayed when you first open the tool; capture tabs are created each time you click Create a new capture tab on the Start Page; and the Parsers tab displays all of the built-in parsers that can ease the burden of deep analysis. The pane on the left of the capture tab allows you to quickly filter traffic based on whether or not the local computer was the origin or destination of the frame; note that no traffic will be visible in Other Traffic unless the network card supports promiscuous mode.

The top-right frame has four tabs. You can filter traffic as it is captured, so that less data is recorded in the frame capture buffer, using the Capture Filter tab. You can control which of the already captured traffic is visible using the Display Filter tab. There are many filters already included with Network Monitor, and you can add your own once you understand the language used for filters. You can enable and disable capturing traffic from various interfaces on the Select Networks tab. You can configure Network Monitor to display user-friendly names rather than IP addresses by configuring aliases for each address on the Aliases tab.

The Frame Summary pane lists all of the captured frames that are allowed by the current display filter. You can see that many frames are not being displayed in Figure 12 because the frame numbers jump from 5 to 8 and then to 50. The Frame Details pane shows the contents of the frame currently selected in the Frame Summary pane. Network Monitor organizes the view in this pane based on what it understands about the selected frame; you can drill down into the details in this pane, however if you right-click on the frame, as shown in figure 13, and select View Selected Frame in a New Window you will have a lot more space to work with, as shown in figure 14. The Hex Details pane shows the raw hexadecimal data for the currently selected frame.


Figure 13: Working With a Frame in Network Monitor

If you look carefully at figure 14 you can see that I captured a Server Message Block (SMB) request in which the client computer begins to negotiate which version of the SMB protocol it will use with the server. The packet includes several protocols encapsulated within one another. At its core it's an SMB message, which you can see as the fifth top-level element. The SMB message is encapsulated in Nbtss, which is NetBIOS over TCP/IP. NetBIOS over TCP/IP is in turn wrapped within Transmission Control Protocol (TCP); you can see that the segment was sent from port 61939 on the client and directed to port 445 on the server. The TCP segment is enclosed within Internet Protocol version 4 (IPv4), which is then bound within an Ethernet frame. By examining the SMB portion of the frame you can see that the client has suggested a handful of file sharing protocols, including the most recent, SMB 2.002.

Figure 14: Viewing the Details of a Frame in Network Monitor

An entire chapter could be devoted to discussing the use of Network Monitor, but that would be overkill for the purposes of preparing for the exam. It is a great troubleshooting tool that I encourage you to explore further. You can also learn a lot more about how to exploit its capabilities by seeking out information online about packet sniffing, traffic analysis, and Network Monitor. Two introductory articles are noted in the References section at the end of the chapter.

Troubleshooting Group Policy Using RSOP

Creating and Maintaining Active Directory Objects mentioned briefly that you can use the Group Policy Results feature of Group Policy Management Console (GPMC) to view the settings applicable to a user or computer and the command prompt tool gpresult to view the resultant set of policy (RSOP). This section will take a closer look at how you can use information from these to troubleshoot certain kinds of group policy problems. To determine the RSOP from the GPMC, double-click the desired forest, right-click Group Policy Results, and then select Group Policy Results Wizard. The wizard will gather the following information from you: which computer to analyze, whether to process both user and computer settings, and which user to analyze. The report shows you what computer and user settings will be in effect, and which GPO applied them, when the user you specified logs onto the computer you specified. Figure 15 shows the Summary tab where you can view information about which GPOs apply to the user and computer, what group memberships are in effect, and what WMI filters apply.

Figure 15: The Summary tab of a Group Policy Results Report.

Figure 16 shows a portion of what is available on the Settings tab. The settings are organized in the same way as they are in the Group Policy Editor; you can drill down into a section by clicking it and then see which settings in that section are being applied and which GPO each setting came from.

Figure 16: The Settings tab of a Group Policy Results Report.

To see similar information from a command prompt enter the following:

gpresult /s hostname /user username /v

Where hostname is the name of the computer to analyze and username is the name of the user to analyze in domain\user format. If no domain is specified, the domain of the currently logged on administrator is used. Gpresult displays a lot of information, so it is usually easier to analyze the output by redirecting it to a file. For example, the following command analyzes the administrator account on the local computer and stores the results in a text file in the root of drive C: (a single > overwrites the file on each run, so you never read stale results from an earlier run).

gpresult /s localhost /user dillard\administrator /v > c:\gpresult.log

The first few dozen lines of the file present the same kind of information visible in the Summary page of RSOP when viewed with GPMC. Then each setting that is in effect is displayed including what section of group policy contains the setting, the setting value, and the GPO that applied the setting, in the following format:

        Account Policies

        ----------------

            GPO: Default Domain Policy

                Policy:            MaximumPasswordAge

                Computer Setting:  42
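Once the output is in a file, the natural next step when troubleshooting is to turn those Policy/Setting/GPO blocks into objects you can filter and compare. The PowerShell script below is an added example written for this section; it is not the author's code and not part of any Microsoft tool. It parses the verbose gpresult format shown above, then checks a handful of settings against an expected baseline and reports, for each deviation, the GPO that gpresult names as the source of the value in effect. The sample log text and the baseline values are constructed for illustration, and the C:\gpresult.log path is an assumption; the functions use PowerShell 2.0 syntax so they run on Windows Server 2008.

```powershell
# Added example (not from the chapter). Parse "gpresult /v" output into objects and
# compare selected settings against an expected baseline.
#
# Real use, after the command from the chapter has produced the file (path assumed):
#   gpresult /s localhost /user dillard\administrator /v > C:\gpresult.log
#   $settings = ConvertFrom-GpresultVerbose -Lines (Get-Content C:\gpresult.log)
#   Test-GpresultBaseline -Settings $settings -Baseline $baseline | Format-Table -AutoSize

function ConvertFrom-GpresultVerbose {
    param([string[]]$Lines)

    $section = $null   # e.g. "Account Policies"; gpresult underlines it with dashes
    $gpo     = $null   # GPO named on the most recent "GPO:" line
    $policy  = $null   # name from the most recent "Policy:" line
    $prev    = $null   # last non-blank line, used to recover the section heading

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }

        if ($line -match '^-{3,}$') {
            # The dashed line underlines the section heading printed just before it
            $section = $prev
        }
        elseif ($line -match '^GPO:\s+(.+)$') {
            $gpo = $Matches[1]
        }
        elseif ($line -match '^Policy:\s+(.+)$') {
            $policy = $Matches[1]
        }
        elseif ($line -match '^(Computer|User) Setting:\s+(.+)$') {
            # One object per setting that gpresult reports as in effect
            New-Object PSObject -Property @{
                Section = $section
                GPO     = $gpo
                Policy  = $policy
                Scope   = $Matches[1]
                Value   = $Matches[2].Trim()
            }
        }
        $prev = $line
    }
}

function Test-GpresultBaseline {
    param(
        [object[]]$Settings,
        [hashtable]$Baseline   # policy name -> expected value, as gpresult prints it
    )
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $hit = @($Settings | Where-Object { $_.Policy -eq $name })
        if ($hit.Count -eq 0) {
            # The policy is not set by any GPO at all; that is usually the real finding
            $status = 'MISSING'; $actual = $null; $source = $null
        }
        else {
            $actual = $hit[0].Value
            $source = $hit[0].GPO
            if ($actual -eq $Baseline[$name]) { $status = 'OK' } else { $status = 'DEVIATION' }
        }
        New-Object PSObject -Property @{
            Policy   = $name
            Status   = $status
            Expected = $Baseline[$name]
            Actual   = $actual
            GPO      = $source
        }
    }
}

# Constructed sample in the format gpresult /v prints (the first block mirrors the chapter)
$sample = @'
        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  42

                Policy:            MinimumPasswordLength
                Computer Setting:  14
'@ -split "`r?`n"

# Constructed baseline: what the organization expects the domain to enforce
$baseline = @{
    MaximumPasswordAge    = '60'
    MinimumPasswordLength = '14'
    LockoutBadCount       = '5'
}

$settings = ConvertFrom-GpresultVerbose -Lines $sample
Test-GpresultBaseline -Settings $settings -Baseline $baseline |
    Format-Table Policy, Status, Expected, Actual, GPO -AutoSize
```

With the constructed sample this reports MaximumPasswordAge as a DEVIATION (42 in effect, set by Default Domain Policy), MinimumPasswordLength as OK, and LockoutBadCount as MISSING. The MISSING case matters most in practice: a setting absent from the report was not applied by any GPO, which usually points at a security-filtered or disabled link rather than at a wrong value, so the next place to look is the Summary tab of the same report.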

Summary

This chapter showed you how to use a variety of tools for maintaining, monitoring, and troubleshooting AD DS. Some of the procedures presented need to be implemented proactively before problems arise, such as backing up data and verifying that the backups work. Other tasks are reactive, in that you should only have to resort to them when trying to resolve problems, for example, using RSOP to figure out why group policies are not being applied as you intend.

Chapter Review

This section presents a list of review questions designed to help reinforce the knowledge presented earlier in the chapter. To persuade you to explore the management tools more deeply a few questions may require you to examine those tools further rather than rereading the chapter.

Questions

  1. Which is the correct procedure for backing up system state and nothing else?
    1. Enter ntbackup start systemstatebackup at a command prompt.
    2. Enter wbadmin start systemstatebackup at a command prompt.
    3. Enter wbadmin systemstatebackup at a command prompt.
    4. Enter ntbackup backup systemstate at a command prompt.
    5. Open Windows Server Backup, click Backup Once Wizard, select Advanced Mode, click the Backup tab, then enable the System State box.
  2. When configuring a scheduled backup job in Windows Server Backup which of the following is not a valid destination to store the backup archive? Select 2.
    1. A locally attached tape storage device.
    2. An external hard disk.
    3. An internal hard disk
    4. An internal DVD drive.
    5. A remote shared folder.
  3. Which of the following is the correct method for recovering objects accidentally deleted from AD DS?
    1. Use wbadmin to restore the AD DS database, then use ntdsutil to mark objects as authoritative, reboot the DC.
    2. Use Windows Server Backup to launch the Recovery Wizard, specify that you are conducting an authoritative restore, reboot the DC when the restore job is complete.
    3. Reboot the DC to Directory Services Restore Mode, then use wbadmin to restore the AD DS database, then use ntdsutil to mark objects as authoritative, reboot the DC.
    4. Reboot the DC to Safe Mode, then use wbadmin to restore the AD DS database, then use ntdsutil to mark objects as authoritative, reboot the DC.
  4. What is dsamain?
    1. The primary AD DS executable file that provides core services such as LDAP support and user authentication.
    2. The command prompt utility for performing AD DS database maintenance, managing single master operation roles, and managing local administrative roles on a read-only domain controller.
    3. The command prompt utility for adding objects to the AD DS database.
    4. The database mounting tool for viewing AD DS data stored in a snapshot or backup.
  5. What is the primary benefit of AD DS database offline defragmentation over online defragmentation?
    1. Offline defragmentation reduces the database file size.
    2. Offline defragmentation is faster.
    3. Offline defragmentation completely removes deleted objects from the database.
    4. Offline defragmentation is the only way to clean up certain kinds of deleted objects such as GPOs.
  6. Which of the following tools are used to move the AD DS database file to a new location?
    1. Dsamain
    2. Dsadd
    3. Dsmgmt
    4. Dsmove
    5. Ntdsutil
  7. From which tab do you change a process’ processor affinity in Task Manager?
    1. Applications
    2. Processes
    3. Services
    4. Performance
    5. Networking
    6. Users
  8. When you enable an event to trigger a task in Event Viewer which of the following actions can be configured to occur?
    1. Start a program.
    2. Send an email message.
    3. Display a message on the desktop of the interactively logged on user.
    4. All of the above.
  9. Which of the following, when entered at a command prompt on a DC, will display a summary of the current state of AD DS replication?
    1. Dcdiag /test:replications
    2. Dcdiag /replsource:localhost
    3. Repadmin /replicate
    4. Repadmin /syncall
    5. Repadmin /showrepl /csv
  10. Which of the following tools is used to configure how system resources are allocated to processes based on date, time, user, and other characteristics?
    1. Task Manager
    2. Reliability and Performance Monitor
    3. Windows System Resource Manager
    4. Group Policy
  11. Look at the network frame captured by Network Monitor shown in figure 17. Which of the following protocols was not used in the construction of this frame?

Figure 17:

    1. LDAP
    2. UDP
    3. Ethernet
    4. IPv4
    5. Parser
    6. Checksum

Answers

  1. B is correct. Ntbackup is the backup utility included in Windows 2000, Windows XP, and Windows Server 2003. You cannot use Windows Server Backup to back up the system state alone; the steps described in answer 5 are actually from the Backup or Restore Wizard included with Windows Server 2003.
  2. A and E are correct. Windows Server 2008 does not support backing up to tape, and a remote shared folder can only be used as a destination when running the Backup Once wizard, not for a scheduled job.
  3. C is correct. You can only restore AD DS data from Directory Services Restore Mode, and you must use ntdsutil to mark the restored objects as authoritative, that is, to ensure the restored copies overwrite any versions of those objects that currently exist on other DCs.
  4. D is correct. A actually describes what lsass performs on DCs; B is a reasonable description of either dsmgmt or ntdsutil; and C describes dsadd.
  5. A is correct. Offline defragmentation is not faster, and it is certainly not easier, since you have to stop and then restart the AD DS service and the services that depend on it. Neither form of defragmentation removes deleted objects; tombstones of any kind of deleted object are reclaimed by the garbage collection process once the tombstone lifetime expires. What only offline defragmentation does is compact the database file and return the freed space to the file system.
  6. E is correct. Stop the AD DS service, launch ntdsutil, and use its files context to move the database file to the new location.
  7. B is correct. You can also end a process, end a process tree, change a process' priority, debug a process, and create a dump file for a process by right-clicking a process on the Processes tab.
  8. D is correct, and since you can cause the event to start a program or script virtually any action can occur.
  9. A is correct. B will not accomplish a great deal: the command tests the connection between the DC where the command is run and another DC, but since localhost is specified it simply tests replication with itself. C triggers replication of a naming context from a source DC. D causes the DC to replicate with all of its replication partners. E shows the replication status recorded when the DC last performed inbound replication.
  10. C is correct.
  11. F is correct. Checksum is not a protocol; it is the checksum field that IPv4 computes over its header to help detect errors introduced during network communications.

References

Step-by-Step Guide for Windows Server 2008 AD DS Backup and Recovery.

Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008.

Windows Server 2008 Restartable AD DS Step-by-Step Guide.

How to capture network traffic with Network Monitor.

Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring by Kevin Timm.