Back up and restore Active Directory

Source: Internet
Author: User
In Windows 2000, backing up and restoring Active Directory is very important. In NT, all user and enterprise configuration information is stored in the registry, so you only need to back up the registry. In Windows 2000, however, all security information is stored in Active Directory, and it is backed up in a completely different way than in NT.

You cannot back up Active Directory by itself. Windows 2000 backs up Active Directory as part of the System State data. System State data comprises eight parts: the registry, system startup files, the class registration database, Certificate Services data, the File Replication Service, the Cluster service, the Domain Name Service, and Active Directory; generally, only the first three are present. These eight parts cannot be backed up individually and must be backed up together as the System State data.

I. Back up Active Directory data

If more than one DC exists in a domain, it is not necessary to back up Active Directory when one of the DCs is reinstalled. You only need to remove that DC from the domain, reinstall it, and join it back to the domain; the other DCs will then replicate the data to it.

If only one DC is left in the domain, backing up Active Directory is essential. The detailed process is as follows:

1. From the "Start" menu choose "Run" and enter "ntbackup" to start the Windows 2000 backup tool.
2. On the "Welcome" tab, choose the "Backup Wizard". On the wizard's backup content page, select "Only back up the System State data", then click Next.
3. On the "backup storage location" page, enter the name of the file that will store the backup data, for example "d:\Bak\ad0322.bkf", then click Next to complete the backup wizard. To change settings, such as verifying data after the backup is complete, use the "Advanced" option.
4. Select "Finish" to start the backup. It may take from a few minutes to ten minutes or longer, depending on the data size. After the backup is completed, a backup report is generated.
5. Suggestion: the backup file is generally quite large. I have backed up several times, with the file between-MB, so a large storage space is needed. Because the backup contains sensitive account information, the backup data should be stored securely.

II. Restore Active Directory

There are two ways to restore Active Directory.

The first is to restore the data from another DC in the domain, which requires that a working DC is available in the domain. When the damaged DC is reinstalled and joined to its original domain, data is replicated between the DCs automatically and Active Directory is restored.

The other method is to restore from backup media. Most small companies have only one domain and, because of budget and other constraints, only one DC, so restoring Active Directory from media is common.

1. Authoritative and non-authoritative restore

There are two ways to restore Active Directory from backup media: authoritative restore and non-authoritative restore.

By default, Windows 2000 restores data non-authoritatively: after Active Directory is restored from the backup media, the other DCs in the domain overwrite the restored, older data with newer data during replication. For example, if today is Friday and you restore Active Directory from Wednesday's backup, the data changed since Wednesday is replicated to the DC you are restoring; that is, the new data overwrites the data you restored from backup.

An authoritative restore is completely different. It forcibly replicates the data recovered from the backup media to all the DCs in the domain, regardless of whether the data has changed since the backup. In the preceding example, after you restore Active Directory from Wednesday's backup, the recovered data is replicated to all the DCs in the domain, forcibly overwriting every change made after the backup, and the data in the domain returns to its state at backup time. An authoritative restore is usually used in this situation: Active Directory has a serious error on one DC in the domain, and the error has been replicated to the other DCs. In this case, you need to perform an authoritative restore of Active Directory on one DC and force the domain back to its original good state. It should be said that this method is usually used to restore Active Directory.

2. Non-authoritative restore of Active Directory

To perform a non-authoritative restore, the directory service must be offline (it does not have to be offline when backing up Active Directory). To restore Active Directory, the server must be running in "Directory Services Restore Mode". To do this, restart the server. When the screen prompts you to select an operating system, press F8 to open the advanced startup menu and select "Directory Services Restore Mode".

When the Windows logon window appears, enter the local administrator account and password. (Note that this is not the Administrator account and password in Active Directory, because Active Directory is offline and unavailable. You can only log on with the Administrator account and password stored in the Security Accounts Manager, sometimes called the "SAM".) After logging on successfully, you can restore Active Directory.

(1) Start the built-in Windows 2000 backup program: "Start" -> "Run", enter "ntbackup".
(2) Select the "Restore Wizard" on the Welcome tab and skip the welcome screen. The backup program displays the backup sets that can be used for data recovery.
(3) Select the appropriate backup file and complete the data recovery. Restart the machine.
(4) Note: normally, you cannot restore Active Directory data that was backed up more than 60 days ago. This is because of the Windows 2000 tombstone lifetime (which can be thought of as a survival time; the term has no exact translation, so it is left as is. - Canghai), unless you have changed that setting.
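
Added example (not part of the original article): a PowerShell check that reads the forest's tombstone lifetime and flags backup files that are too old to restore. It assumes PowerShell on a domain-joined machine with a DC reachable (so it is run before the directory is taken offline), backups stored as .bkf files in D:\Bak as in the backup steps above, and the file's last-write time as the backup date.

```powershell
# Added example: flag System State backups older than the tombstone lifetime.
# Assumptions: a DC is reachable, backups are *.bkf files under D:\Bak,
# and each file's LastWriteTime is the time the backup was taken.

$BackupDir      = 'D:\Bak'
$DefaultTslDays = 60   # default stated in the article for Windows 2000

# The tombstone lifetime is stored on the Directory Service object
# in the configuration partition of the forest.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext
$dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

# The attribute is empty when the default is in effect.
$tslDays = $dsObject.tombstoneLifetime.Value
if (-not $tslDays) { $tslDays = $DefaultTslDays }

$now = Get-Date
Get-ChildItem -Path $BackupDir -Filter '*.bkf' |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object {
        $ageDays = [math]::Floor(($now - $_.LastWriteTime).TotalDays)
        New-Object PSObject -Property @{
            Backup   = $_.Name
            AgeDays  = $ageDays
            DaysLeft = $tslDays - $ageDays      # days until the backup expires
            Usable   = ($ageDays -lt $tslDays)  # False: do not restore from it
        }
    } |
    Select-Object Backup, AgeDays, DaysLeft, Usable
```

Running this on a schedule shows when the newest backup is approaching the limit, which is the point at which a fresh System State backup is needed.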

3. Authoritative restore of Active Directory

To perform an authoritative restore, you must first perform a non-authoritative restore; you can then use the ntdsutil command-line tool to make the restored Active Directory data authoritative. An authoritative restore can recover all or part of the Active Directory data.

(1) Restore Active Directory non-authoritatively and restart the machine.
(2) Start Windows 2000 in "Directory Services Restore Mode" again and log on as an administrator.
(3) "Start" -> "Run", enter "ntdsutil" to start the command-line tool.
(4) To restore the entire Active Directory database, run the following commands:

    authoritative restore
    restore database

To restore only part of the Active Directory data, run the following commands:

    authoritative restore
    restore subtree OU=Brien,DC=files,DC=com

The distinguished name in the second command depends on the actual situation. For example, if your domain name is mydom.net and the OU to be restored is MYou, the second command should be: restore subtree OU=MYou,DC=mydom,DC=net, and so on. Restoring part of the data is sometimes used to recover a deleted OU. For example, a domain has two administrators, you and A, and A is a bit of a novice :). An important OU was accidentally deleted last night. Today you can use an authoritative restore to recover the OU, provided that you have a backup taken before the OU was deleted.

Finally, run the quit command to exit and restart the machine.
