Sunday, August 30, 2009

Interview Question for active directory and exchange


1 Backing Up Active Directory

16.1.1 Problem

You want to back up Active Directory to tape or disk.

16.1.2 Solution

Back up the System State, which on a domain controller includes the Active Directory database (ntds.dit) and its transaction logs, SYSVOL, the registry, the COM+ class registration database, and the boot files. Because the backup contains ntds.dit, it holds every account's password hashes; store it with the same protection you give the domain controller itself. Here are the directions for backing up the System State using the NtBackup utility that comes installed on Windows 2000 and Windows Server 2003 computers:

16.1.2.1 Using a graphical user interface

1. Go to Start → All Programs (or Programs for Windows 2000) → Accessories → System Tools → Backup.

2. Click the Advanced Mode link.

3. Click the Backup tab.

4. Check the box beside System State.

5. Check the box beside any other files, directories, or drives you would also like to back up.

6. For Backup destination, select either File or Tape depending on where you want to back up the data to.

7. For Backup media or file name, type either the name of a file or select the tape to save the backup to.

8. Click the Start Backup button twice.

16.1.2.2 Using a command-line interface

The NtBackup utility supports several command-line parameters that you can use to initiate backups without ever bringing up the GUI.

For the complete list of supported commands on Windows 2000, see MS KB 300439 (How to Use Command Line Parameters With the "Ntbackup" Command).

For the complete list of supported commands on Windows Server 2003, see MS KB 814583 (HOW TO: Use Command Line Parameters with the Ntbackup Command in Windows Server 2003).
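The following PowerShell script is an added example and is not part of the original recipe. It runs the System State backup from the command line (the ntbackup syntax is the one documented in MS KB 814583) and then adds the two checks the recipe leaves out: it restricts the resulting .bkf, which holds a copy of ntds.dit and therefore every password hash in the domain, to the principals that could read ntds.dit on the domain controller anyway, and it compares the age of the newest backup with the forest tombstone lifetime, because a System State backup older than that lifetime can no longer be used to restore a domain controller. The backup directory D:\Backups is a hypothetical location; the script assumes it runs locally on the domain controller as an administrator.

```powershell
# Added example, not from the original recipe: System State backup with ntbackup, then
# lock down the .bkf and check its age against the forest tombstone lifetime.
# Assumptions (hypothetical): run locally on the DC as an administrator; D:\Backups is a
# local, unshared directory reserved for these files.

$backupDir = 'D:\Backups'
$stamp     = Get-Date -Format 'yyyyMMdd-HHmm'
$bkf       = Join-Path $backupDir ('systemstate-{0}-{1}.bkf' -f $env:COMPUTERNAME, $stamp)

if (-not (Test-Path $backupDir)) {
    New-Item -ItemType Directory -Path $backupDir | Out-Null
}

# System State only, normal backup, summary log (KB 814583 syntax): the same as ticking
# "System State" in the GUI. ntbackup is a GUI-subsystem program, so wait for it explicitly.
$ntbArgs = 'backup systemstate /J "SystemState {0}" /F "{1}" /M normal /L:s' -f $stamp, $bkf
Start-Process -FilePath "$env:SystemRoot\system32\ntbackup.exe" -ArgumentList $ntbArgs -Wait
if (-not (Test-Path $bkf)) { throw "ntbackup did not produce $bkf; check the backup report" }

# The .bkf contains ntds.dit. Stop ACL inheritance, drop the inherited ACEs and grant only
# Administrators, SYSTEM and Backup Operators.
$acl = Get-Acl -Path $bkf
$acl.SetAccessRuleProtection($true, $false)
foreach ($identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Backup Operators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $bkf -AclObject $acl

# Forest tombstone lifetime in days, read from the object Recipe 16.18 edits; an unset
# attribute means the 60-day default.
$configNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$tombstoneLifetime = $dsObject.Properties['tombstoneLifetime'].Value
if (-not $tombstoneLifetime) { $tombstoneLifetime = 60 }

# Age of the newest backup on disk against that lifetime: warn at the halfway point,
# flag it as unusable past it.
$newest  = Get-ChildItem -Path $backupDir -Filter 'systemstate-*.bkf' |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
$ageDays = ((Get-Date) - $newest.LastWriteTime).TotalDays
if ($ageDays -ge $tombstoneLifetime) {
    Write-Warning ('Newest backup is {0:N0} days old, past the {1}-day tombstone lifetime; it cannot be used to restore a DC' -f $ageDays, $tombstoneLifetime)
} elseif ($ageDays -ge ($tombstoneLifetime / 2)) {
    Write-Warning ('Newest backup is {0:N0} days old; tombstone lifetime is {1} days' -f $ageDays, $tombstoneLifetime)
} else {
    Write-Host ('Backup OK: {0} ({1:N0} days old, tombstone lifetime {2} days)' -f $newest.FullName, $ageDays, $tombstoneLifetime)
}
```

Run it from a scheduled task on each domain controller; the tombstone-lifetime check is the one that matters in an incident, because it tells you before you need the backup whether it is still restorable.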

2 Restarting a Domain Controller in Directory Services Restore Mode

16.2.1 Problem

You want to restart a domain controller in DS Restore Mode.

16.2.2 Solution

To enter DS Restore Mode, you must reboot the server at the console. Press F8 after the power-on self test (POST), which will bring up a menu, as shown in Figure 16-1. From the menu, select Directory Services Restore Mode. In this mode Active Directory is not started, so the database can be worked on offline, and the console logon is validated against the local SAM using the DS Restore Mode administrator password that was set when the domain controller was promoted (see Recipe 16.3).

Figure 16-1. Boot options

3 Resetting the Directory Service Restore Mode Administrator Password

16.3.1 Problem

You want to reset the DS Restore Mode administrator password. This password is set individually (i.e., not replicated) on each domain controller, and is initially configured when you promote the domain controller into a domain. Because it is not replicated, each domain controller has to be reset separately, and because the account can log on at the console in DS Restore Mode with full access to the offline database, treat it as a privileged local credential: rotate it like any other administrator password rather than leaving it at the value chosen at promotion time.

16.3.2 Solution

16.3.2.1 Using a graphical user interface

1. For this to work you must be booted into DS Restore Mode (see Recipe 16.2 for more information).

2. Go to Start → Run.

3. Type compmgmt.msc and press Enter.

4. In the left pane, expand System Tools → Local Users and Groups.

5. Click on the Users folder.

6. In the right pane, right-click on the Administrator user and select Set Password.

7. Enter the new password and confirm, then click OK.

16.3.2.2 Using a command-line interface

With the Windows Server 2003 version of ntdsutil, you can change the DS Restore Mode administrator password of a domain controller while it is live (i.e., not in DS Restore Mode). Another benefit of this new option is that you can run it against a remote domain controller. Here is the sample output when run against domain controller DC1.

> ntdsutil "set dsrm password" "reset password on server DC1"
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server DC1
Please type password for DS Restore Mode Administrator Account: **********
Please confirm new password: **********
Password has been set successfully.

Microsoft added a new command in Windows 2000 Service Pack 2 and later called setpwd. It works similarly to the Windows Server 2003 version of ntdsutil by allowing you to reset the DS Restore Mode password while a domain controller is live. It can also be used remotely.

4 Performing a Nonauthoritative Restore

16.4.1 Problem

You want to perform a nonauthoritative restore of a domain controller. This can be useful if you want to quickly restore a domain controller that failed due to a hardware problem. The backup must be younger than the tombstone lifetime (see Recipe 16.18); otherwise the restored domain controller cannot be reconciled with its replication partners and will bring back objects that have already been deleted everywhere else.

16.4.2 Solution

16.4.2.1 Using a graphical user interface

1. You must first reboot into Directory Services Restore Mode (see Recipe 16.2 for more information).

2. Open the NT Backup utility; go to Start → All Programs (or Programs for Windows 2000) → Accessories → System Tools → Backup.

3. Click the Advanced Mode link.

4. Under the Welcome tab, click the Restore Wizard button and click Next.

5. Check the box beside System State and any other drives you want to restore and click Next.

6. Click the Advanced button.

7. Select Original location for Restore files to.

8. For the How to Restore option, select Replace existing files and click Next.

9. For the Advanced Restore Options, be sure that the following are checked: Restore Security Settings, Restore junction points, and Preserve existing mount volume points. Then click Next.

10. Click Finish.

11. Restart the computer.

5 Performing an Authoritative Restore of an Object or Subtree

16.5.1 Problem

You want to perform an authoritative restore of one or more objects, but not the entire Active Directory database.

16.5.2 Solution

Follow the same steps as Recipe 16.4, except after the restore has completed, do not restart the computer.

To restore a single object, run the following:

> ntdsutil "auth restore" "restore object cn=jsmith,ou=Sales,dc=rallencorp,dc=com" q

To restore an entire subtree, run the following:

> ntdsutil "auth restore" "restore subtree ou=Sales,dc=rallencorp,dc=com" q

Restart the computer.

There are some issues related to restoring user, group, computer, and trust objects that you should be aware of. See MS KB 216243 and MS KB 280079 for more information.

6 Performing a Complete Authoritative Restore

16.6.1 Problem

You want to perform a complete authoritative restore of the Active Directory database because the damage is too widespread to restore object by object (Recipe 16.5). This marks every object in the restored database as authoritative, so any change made on any domain controller since the backup was taken is overwritten once replication resumes.

16.6.2 Solution

Follow the same steps as Recipe 16.4, except after the restore has completed, do not restart the computer.

Run the following command to restore the entire database:

> ntdsutil "auth restore" "restore database" q

Restart the computer.

7 Checking the DIT File's Integrity

16.7.1 Problem

You want to check the integrity and semantics of the DIT file to verify there is no corruption or bad entries.

16.7.2 Solution

16.7.2.1 Using a command-line interface

First, reboot into Directory Services Restore Mode. Then run the following commands:

> ntdsutil files integrity q q
> ntdsutil "semantic database analysis" "verbose on" go

8 Moving the DIT Files

16.8.1 Problem

You want to move the Active Directory DIT files to a new drive to improve performance or capacity.

16.8.2 Solution

16.8.2.1 Using a command-line interface

First, reboot into DS Restore Mode. Then, run the following commands, in which <DriveAndFolder> is the new location where you want to move the files (e.g., d:\NTDS). ntdsutil updates the NTDS service parameters in the registry to point at the new location; make sure the destination is a local NTFS volume and that the new directory is no more widely readable than the original (by default only Administrators and SYSTEM have access):

> ntdsutil files "move db to <DriveAndFolder>" q q
> ntdsutil files "move logs to <DriveAndFolder>" q q

9 Repairing or Recovering the DIT

16.9.1 Problem

You need to repair or perform a soft recovery of the Active Directory DIT because a power failure or some other failure caused the domain controller to enter an unstable state.

16.9.2 Solution

16.9.2.1 Using a command-line interface

First, reboot into DS Restore Mode.

Run the following command to perform a soft recovery of the transaction log files:

> ntdsutil files recover q q

If you continue to experience errors, you may need to run a repair, which does a low level repair of the database, but can result in loss of data:

> ntdsutil files repair q q

If either the recover or repair are successful, you should then check the integrity (see Recipe 16.7).

10 Performing an Online Defrag Manually


This recipe must be run against a Windows Server 2003 domain controller.

16.10.1 Problem

You want to initiate an online defragmentation. This can be useful if you want to expedite the defrag process after deleting a bunch of objects.

16.10.2 Solution

16.10.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Connection → Connect.

3. For Server, enter the name of the target domain controller.

4. For Port, enter 389.

5. Click OK.

6. From the menu, select Connection → Bind.

7. Enter credentials of a user from one of the administrator groups.

8. Click OK.

9. From the menu, select Browse → Modify.

10. Leave the Dn blank.

11. For Attribute, enter DoOnlineDefrag.

12. For Values, enter 180.

13. For Operation, select Add.

14. Click Enter.

15. Click Run.

16.10.2.2 Using a command-line interface

Create an LDIF file called online_defrag.ldf with the following contents (the empty dn: line targets the rootDSE, just as the blank Dn does in the LDP steps above):

dn:
changetype: modify
replace: DoOnlineDefrag
DoOnlineDefrag: 180
-

then run the following command:

> ldifde -v -i -f online_defrag.ldf

11 Determining How Much Whitespace Is in the DIT

16.11.1 Problem

You want to find the amount of whitespace in your DIT. A lot of whitespace in the DIT may mean that you could regain enough space on the disk to warrant performing an offline defrag.

16.11.2 Solution

16.11.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics.

3. In the right pane, double-click on 6 Garbage Collection.

4. For Value data, enter 1.

5. Click OK.

16.11.2.2 Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics /v "6 Garbage Collection" /t REG_DWORD /d 1 /f

The value already exists (at 0) on every domain controller, so /f is needed to overwrite it without a prompt. Once the level is 1 or higher, each online defragmentation (run at the end of garbage collection, every 12 hours by default) writes event 1646 to the Directory Service event log, reporting the free space inside the DIT and its total allocated size. Set the value back to 0 once you have the figure you need.
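The following PowerShell script is an added example, not part of the original recipes. It strings Recipe 10 and Recipe 11 together: it raises the "6 Garbage Collection" diagnostic level to 1 so that the next online defrag writes event 1646 to the Directory Service log, starts an online defrag through the rootDSE DoOnlineDefrag attribute instead of waiting for the next garbage-collection run, parses the newest 1646 event into a whitespace percentage, and puts the logging level back afterwards. It assumes it is run locally on a Windows Server 2003 domain controller as an administrator. The sample event text used to exercise the parser is constructed here in the layout of a 1646 message; it is not output captured from any domain controller.

```powershell
# Added example, not from the original recipes: Recipe 10 (trigger an online defrag) and
# Recipe 11 (log the DIT free space) in one run, with the 1646 event parsed afterwards.
# Assumptions: run locally on a Windows Server 2003 DC as an administrator; $sample is a
# constructed message in the layout of event 1646, not real DC output.

$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valName = '6 Garbage Collection'

function Get-DitFreeSpace {
    # Extracts the free and total megabytes from a 1646 event message; $null if absent.
    param([string]$Message)
    $free  = [regex]::Match($Message, 'Free hard disk space \(megabytes\):\s*(\d+)')
    $total = [regex]::Match($Message, 'Total allocated hard disk space \(megabytes\):\s*(\d+)')
    if (-not ($free.Success -and $total.Success)) { return $null }
    $freeMB  = [int]$free.Groups[1].Value
    $totalMB = [int]$total.Groups[1].Value
    $pct = if ($totalMB -gt 0) { [math]::Round(100.0 * $freeMB / $totalMB, 1) } else { 0 }
    New-Object PSObject -Property @{ FreeMB = $freeMB; TotalMB = $totalMB; FreePercent = $pct }
}

# Constructed sample message, only to show what the parser returns (35 of 120 MB = 29.2%).
$sample = "Internal event: The Active Directory database has the following amount of free hard disk space remaining.`r`n`r`n" +
          "Free hard disk space (megabytes):`r`n35`r`nTotal allocated hard disk space (megabytes):`r`n120"
Get-DitFreeSpace $sample | Format-List FreeMB, TotalMB, FreePercent

# 1. Record the current level and raise it to 1 (Recipe 11).
$before = (Get-ItemProperty -Path $diagKey).$valName
Set-ItemProperty -Path $diagKey -Name $valName -Value 1 -Type DWord

# 2. Kick off an online defrag now (Recipe 10); 180 is the value the recipe uses.
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('DoOnlineDefrag', 180)
$rootDse.SetInfo()

# 3. Give the defrag time to finish, then read the newest 1646 event.
Start-Sleep -Seconds 200
$evt = Get-EventLog -LogName 'Directory Service' -Newest 500 |
       Where-Object { $_.EventID -eq 1646 } | Select-Object -First 1
if ($evt) {
    $ws = Get-DitFreeSpace $evt.Message
    if ($ws) {
        Write-Host ('{0} MB free of {1} MB allocated: {2}% whitespace (event 1646 at {3})' -f $ws.FreeMB, $ws.TotalMB, $ws.FreePercent, $evt.TimeGenerated)
        if ($ws.FreePercent -ge 25) { Write-Warning 'Enough whitespace to be worth an offline defrag (Recipe 16.12)' }
    }
} else {
    Write-Warning 'No event 1646 found; the online defrag may not have finished yet'
}

# 4. Restore the previous logging level so the Directory Service log is not flooded.
if ($before -eq $null) {
    Remove-ItemProperty -Path $diagKey -Name $valName
} else {
    Set-ItemProperty -Path $diagKey -Name $valName -Value $before -Type DWord
}
```

The parser is separated from the event-log call so it can be run against the constructed sample first; the 25% threshold for recommending an offline defrag is a judgement call, not a Microsoft figure.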
 

12 Performing an Offline Defrag to Reclaim Space

16.12.1 Problem

You want to perform an offline defrag of the Active Directory DIT to reclaim whitespace in the DIT file.

16.12.2 Solution

16.12.2.1 Using a command-line interface

1. First, reboot into Directory Services Restore Mode.

2. Next, check the integrity of the DIT, as outlined in Recipe 16.7.

3. Now, you are ready to perform the defrag. Run the following command to create a compacted copy of the DIT file. Check first that the drive on which you create the copy has plenty of space; a rule of thumb is that it should have at least 115% of the size of the current DIT available.

> ntdsutil files "compact to <TempDriveAndFolder>" q q

4. Next, you need to delete the transaction log files in the current NTDS directory.

> del <CurrentDriveAndFolder>\*.log

5. You may want to keep a copy of the original DIT file for a short period of time to ensure nothing catastrophic happens to the compacted DIT. If you are going to copy or move the original version, be sure you have enough space in its new location.

6. Move the original DIT aside and the compacted copy into place:

> move <CurrentDriveAndFolder>\ntds.dit <TempDriveAndFolder>\ntds_orig.dit
> move <TempDriveAndFolder>\ntds.dit <CurrentDriveAndFolder>\ntds.dit

7. Repeat the steps in Recipe 16.7 to ensure the new DIT is not corrupted. If it is clean, reboot into normal mode and monitor the event log. If no errors are reported in the event log, make sure the domain controller is backed up as soon as possible.
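The following PowerShell script is an added example, not part of the original recipe. It is Recipe 12 written as one guarded run, so that the checks the recipe asks for are enforced rather than remembered: it refuses to run outside DS Restore Mode, reads the DIT and log locations from the NTDS service parameters rather than hard-coding them, runs the integrity check of Recipe 16.7 before and after, verifies that 115% of the DIT size is free on the scratch drive, and keeps the original DIT until the compacted copy has passed its own check. The scratch directory E:\NTDSTemp is hypothetical.

```powershell
# Added example, not from the original recipe: Recipe 12 (offline defrag) with its
# preconditions enforced. Assumption (hypothetical): E:\NTDSTemp is a scratch directory
# on a local drive.

$tempDir = 'E:\NTDSTemp'

# 1. DS Restore Mode sets SAFEBOOT_OPTION=DSREPAIR, the same flag ntdsutil looks for (see
#    Recipe 16.15). Compacting a database that is open and in use would corrupt it.
if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
    throw 'Boot into Directory Services Restore Mode first (Recipe 16.2)'
}

# 2. Locate the DIT and its transaction logs from the NTDS service parameters.
$params  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = $params.'DSA Database file'          # typically C:\WINDOWS\NTDS\ntds.dit
$logDir  = $params.'Database log files path'    # typically C:\WINDOWS\NTDS
$ditSize = (Get-Item -Path $ditPath).Length

function Invoke-Ntdsutil {
    # Runs ntdsutil with the given arguments and returns everything it printed as one string.
    param([string[]]$Arguments)
    & "$env:SystemRoot\system32\ntdsutil.exe" @Arguments 2>&1 | Out-String
}

function Test-DitIntegrity {
    # Recipe 16.7; "Integrity check successful." is the esentutl line that ntdsutil relays.
    $out = Invoke-Ntdsutil @('files', 'integrity', 'q', 'q')
    if ($out -notmatch 'Integrity check successful') { Write-Host $out; return $false }
    $true
}

# 3. Do not compact a database that is already damaged.
if (-not (Test-DitIntegrity)) { throw 'Integrity check failed; repair first (Recipe 16.9)' }

# 4. Free space on the scratch drive: at least 115% of the current DIT.
if (-not (Test-Path $tempDir)) { New-Item -ItemType Directory -Path $tempDir | Out-Null }
$drive = (Get-Item -Path $tempDir).PSDrive.Name
$free  = (New-Object System.IO.DriveInfo($drive)).AvailableFreeSpace
$need  = [long]($ditSize * 1.15)
if ($free -lt $need) {
    throw ('Need {0:N0} MB free on {1}:, have {2:N0} MB' -f ($need / 1MB), $drive, ($free / 1MB))
}

# 5. Compact into the scratch directory and make sure a new ntds.dit appeared there.
$compactOut = Invoke-Ntdsutil @('files', "compact to $tempDir", 'q', 'q')
$newDit = Join-Path $tempDir 'ntds.dit'
if (-not (Test-Path $newDit)) { Write-Host $compactOut; throw 'Compaction did not produce a new ntds.dit' }

# 6. Swap the files: keep the original as ntds_orig.dit, remove the old transaction logs.
$origCopy = Join-Path $tempDir 'ntds_orig.dit'
Move-Item -Path $ditPath -Destination $origCopy
Move-Item -Path $newDit  -Destination $ditPath
Get-ChildItem -Path $logDir -Filter '*.log' | Remove-Item

# 7. Check the compacted DIT; if it fails, put the original back before anything else.
if (-not (Test-DitIntegrity)) {
    Move-Item -Path $ditPath -Destination (Join-Path $tempDir 'ntds_bad.dit') -Force
    Move-Item -Path $origCopy -Destination $ditPath
    throw 'Compacted DIT failed its integrity check; the original has been put back. Check it again (Recipe 16.7) before rebooting'
}
Write-Host ('Offline defrag done: {0:N0} MB -> {1:N0} MB. Reboot normally, watch the Directory Service log, then back up the DC (Recipe 16.1). Delete {2} once the DC is healthy.' -f ($ditSize / 1MB), ((Get-Item -Path $ditPath).Length / 1MB), $origCopy)
```

The script deliberately stops at the reboot: the event-log check after a normal boot and the fresh backup are the parts you want a person to look at.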

13 Changing the Garbage Collection Interval

16.13.1 Problem

You want to change the default garbage collection interval.

16.13.2 Solution

16.13.2.1 Using a graphical user interface

1. Open ADSI Edit.

2. In the left pane, expand cn=Configuration → cn=Services → cn=Windows NT.

3. Right-click on cn=Directory Service and select Properties.

4. Edit the garbageCollPeriod attribute and set it to the interval in hours at which the garbage collection process should run (the default is 12 hours; Active Directory only honours values from 1 hour up to one quarter of the tombstone lifetime, see Recipe 16.18).

5. Click OK.

16.13.2.2 Using a command-line interface

Create an LDIF file called change_garbage_period.ldf with the following contents:

dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>
changetype: modify
replace: garbageCollPeriod
garbageCollPeriod: <IntervalInHours>
-

then run the following command:

> ldifde -v -i -f change_garbage_period.ldf
 
 

14 Logging the Number of Expired Tombstone Objects

16.14.1 Problem

You want to log the number of expired tombstone objects that are removed from Active Directory during each garbage-collection cycle.

16.14.2 Solution

16.14.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics.

3. In the right pane, double-click on 6 Garbage Collection.

4. For Value data, enter 3.

5. Click OK.

16.14.2.2 Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics /v "6 Garbage Collection" /t REG_DWORD /d 3 /f

16.14.2.3 Using VBScript

' This code enables garbage collection logging.
' ------ SCRIPT CONFIGURATION ------
strDCName = "."   ' "." is the local machine; use a domain controller name to target a remote one
intValue = 3
' ------ END CONFIGURATION ---------

const HKLM = &H80000002
strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
set objReg = GetObject("winmgmts:\\" & strDCName & "\root\default:StdRegProv")
' SetDWORDValue returns 0 on success; the value name is a separate argument from the data
intRet = objReg.SetDWORDValue(HKLM, strNTDSReg, "6 Garbage Collection", intValue)
if intRet = 0 then
    WScript.Echo "Garbage Collection logging enabled"
else
    WScript.Echo "Failed to set the value, error " & intRet
end if
 

15 Determining the Size of the Active Directory Database

16.15.1 Problem

You want to determine the size of the Active Directory database.

16.15.2 Solution

16.15.2.1 Using a command-line interface

If you are in DS Restore Mode, you can use ntdsutil to report the size of the Active Directory database:

> ntdsutil files info

If you are not in DS Restore Mode and run this command, you will receive the following error message:

*** Error: Operation only allowed when booted in DS restore mode
        "set SAFEBOOT_OPTION=DSREPAIR" to override - NOT RECOMMENDED!

As you can see, it is possible to override this failure by setting the SAFEBOOT_OPTION environment variable to DSREPAIR, but I do not recommend this unless you know what you are doing. With that variable set, ntdsutil no longer checks whether the database is offline, so the other files commands (compact, move, repair) can also be run against a database that is open and in use, which can corrupt it.

Another method, which is safer and easier, is to bring up a command shell by going to Start → Run, typing cmd.exe, and pressing Enter. Then type cd <DriveAndFolder>, where <DriveAndFolder> is the directory that holds the ntds.dit file (by default %SystemRoot%\NTDS; the exact location is the DSA Database file value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters). Finally, run the dir command; the output will show the size of the files.


16 Searching for Deleted Objects

16.16.1 Problem

You want to search for deleted objects.

16.16.2 Solution

16.16.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Connection → Connect.

3. For Server, enter the name of a domain controller you want to target (or leave blank to do a serverless bind).

4. For Port, enter 389.

5. Click OK.

6. From the menu, select Connection → Bind.

7. Enter credentials of a user that is an administrator for the domain.

8. Click OK.

9. From the menu, select Options → Controls.

10. For Windows Server 2003, select the Return Deleted Objects control under Load Predefined.

11. For Windows 2000, type 1.2.840.113556.1.4.417 for the Object Identifier and click the Check In button.

12. Click OK.

13. From the menu, select Browse → Search.

14. For BaseDN, enter: cn=Deleted Objects,<DomainDN> (for example, cn=Deleted Objects,dc=rallencorp,dc=com).

15. For Scope, select One Level.

16. For Filter, enter: (isDeleted=TRUE).

17. Click the Options button.

18. Under Search Call Type, select Extended.

19. Click OK.

20. Click Run.

16.16.2.2 Using a command-line interface

As of this writing, none of the standard command-line tools provide a way to search for deleted objects.

17 Restoring a Deleted Object


This recipe must be run against a Windows Server 2003 domain controller.

16.17.1 Problem

You want to restore an object that was previously deleted.

16.17.2 Solution

16.17.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Connection → Connect.

3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

4. For Port, enter 389.

5. Click OK.

6. From the menu, select Connection → Bind.

7. Enter credentials of a user that can restore the deleted object (only administrators for the domain by default).

8. Click OK.

9. From the menu, select Options → Controls.

10. Select Return Deleted Objects from the Load Predefined selection.

11. Click OK.

12. From the menu, select Browse → Modify.

13. For Dn, enter the distinguished name of the deleted object you want to restore.

14. For Attribute, enter distinguishedName.

15. For Values, enter the original DN of the object.

16. For Operation, select Replace.

17. Click Enter.

18. For Attribute, enter isDeleted.

19. For Values, remove any text.

20. For Operation, select Delete.

21. Click Enter.

22. Add mandatory attributes as necessary:

23. For Attribute, enter <AttributeName>.

24. For Values, enter <AttributeValue>.

25. For Operation, select Add.

26. Check the box beside Extended.

27. Click Run.

28. The results will be displayed in the right pane. Both changes (the new distinguishedName and the removal of isDeleted) must go in this one modify operation; the domain controller rejects them if sent separately.
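The following PowerShell script is an added example, not part of the original recipes 16 and 17, which give only LDP steps. It performs the same two operations with System.DirectoryServices.Protocols so they can be scripted: a one-level search of CN=Deleted Objects with the show-deleted control (LDAP_SERVER_SHOW_DELETED_OID, 1.2.840.113556.1.4.417, the same OID the Windows 2000 LDP step types in by hand), and a reanimation that removes isDeleted and rewrites distinguishedName in a single modify request carrying the same control. The LDAP session is signed and sealed instead of the plain bind LDP makes on port 389. Reanimation needs a Windows Server 2003 domain controller and the Reanimate Tombstones control access right on the domain, which Domain Admins hold by default. The server name dc1.rallencorp.com, the domain DC=rallencorp,DC=com and the deleted user jsmith are assumptions for the usage section.

```powershell
# Added example, not from the original recipes: search for tombstones (Recipe 16) and
# reanimate one (Recipe 17) with System.DirectoryServices.Protocols.
# Assumptions (hypothetical): DC dc1.rallencorp.com, domain DC=rallencorp,DC=com, user jsmith.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-Ldap {
    param([string]$Server)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.Signing = $true      # integrity and confidentiality on port 389
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()                              # current Windows credentials
    $conn
}

function Get-AttrValue {
    # First (or, with -Last, last) string value of an attribute; $null when the entry lacks it.
    param($Entry, [string]$Name, [switch]$Last)
    if (-not $Entry.Attributes.Contains($Name)) { return $null }
    $values = $Entry.Attributes[$Name].GetValues([string])
    if ($Last) { $values[-1] } else { $values[0] }
}

function Get-Tombstone {
    # Recipe 16 as a search request. Tombstones keep only a few attributes; lastKnownParent
    # (written by Windows Server 2003 DCs at deletion time) is what lets you rebuild the DN.
    param($Connection, [string]$DomainDN)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Deleted Objects,$DomainDN", '(isDeleted=TRUE)',
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        @('cn', 'objectClass', 'lastKnownParent', 'whenChanged'))
    $req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$Connection.SendRequest($req)
    foreach ($e in $resp.Entries) {
        $cn = Get-AttrValue $e 'cn'
        New-Object PSObject -Property @{
            TombstoneDN     = $e.DistinguishedName
            OriginalRDN     = ($cn -split "`n")[0]          # tombstone cn is "<name>" + LF + "DEL:<guid>"
            Class           = Get-AttrValue $e 'objectClass' -Last   # most specific class last
            LastKnownParent = Get-AttrValue $e 'lastKnownParent'
            WhenChanged     = Get-AttrValue $e 'whenChanged'
        }
    }
}

function Restore-Tombstone {
    # Recipe 17: both changes travel in one modify request, with the show-deleted control.
    param($Connection, [string]$TombstoneDN, [string]$NewDN)
    $mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $mod.DistinguishedName = $TombstoneDN
    $del = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $del.Name = 'isDeleted'
    $del.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $rep = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $rep.Name = 'distinguishedName'
    $rep.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $rep.Add($NewDN) | Out-Null
    $mod.Modifications.Add($del) | Out-Null
    $mod.Modifications.Add($rep) | Out-Null
    $mod.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null
    $Connection.SendRequest($mod)   # throws DirectoryOperationException if the DC refuses
}

# Usage with the hypothetical names above.
$conn    = Connect-Ldap 'dc1.rallencorp.com'
$deleted = Get-Tombstone $conn 'DC=rallencorp,DC=com'
$deleted | Format-Table OriginalRDN, Class, LastKnownParent, WhenChanged -AutoSize

$t = $deleted | Where-Object { $_.OriginalRDN -eq 'jsmith' -and $_.Class -eq 'user' -and $_.LastKnownParent } |
     Select-Object -First 1
if ($t) {
    $rdn = $t.OriginalRDN -replace '([,+"\\<>;=])', '\$1'   # escape DN-special characters in the RDN value
    Restore-Tombstone $conn $t.TombstoneDN "CN=$rdn,$($t.LastKnownParent)" | Out-Null
    # Deletion stripped most attributes: the user comes back without its password, its group
    # memberships and most other attributes, so reset, re-enable and re-add it deliberately.
}
```

Objects deleted by a Windows 2000 domain controller have no lastKnownParent; for those the original container has to come from another record (a backup, or the LDP steps of Recipe 16.5), which is why the usage section filters on it before attempting the restore.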

18 Modifying the Tombstone Lifetime for a Domain

16.18.1 Problem

You want to change the default tombstone lifetime for a domain.

16.18.2 Solution

16.18.2.1 Using a graphical user interface

1. Open ADSI Edit.

2. In the left pane, expand cn=Configuration → cn=Services → cn=Windows NT.

3. Right-click on cn=Directory Service and select Properties.

4. Set the tombstoneLifetime attribute to the number of days that tombstone objects should remain in Active Directory before getting removed completely. When the attribute is not set, the default of 60 days applies; forests created with Windows Server 2003 SP1 or later set it explicitly to 180 days at creation. Because this object lives in the Configuration partition, the value applies to every domain in the forest, and a System State backup older than the tombstone lifetime can no longer be used to restore a domain controller.

5. Click OK.

16.18.2.2 Using a command-line interface

Create an LDIF file called change_tombstone_lifetime.ldf with the following contents:

dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>
changetype: modify
replace: tombstoneLifetime
tombstoneLifetime: <NumberOfDays>
-

then run the following command:

> ldifde -v -i -f change_tombstone_lifetime.ldf
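The following PowerShell script is an added example, not part of the original recipes 13 and 18. It changes garbageCollPeriod and tombstoneLifetime on CN=Directory Service only after validating them together, which the LDIF imports above do not do: both attributes live in the Configuration partition and therefore apply to every domain in the forest; Active Directory honours garbageCollPeriod only between 1 hour and one quarter of the tombstone lifetime; and lowering tombstoneLifetime below the age of your newest System State backup makes that backup unusable for a domain-controller restore. It assumes it is run in the forest by a member of Enterprise Admins and that the backup age passed in is accurate; the values in the usage section are illustrative.

```powershell
# Added example, not from the original recipes: validated changes to garbageCollPeriod
# (Recipe 13) and tombstoneLifetime (Recipe 18). Assumptions (hypothetical): run as a
# member of Enterprise Admins; the backup age passed in is the real one.

function Get-DirectoryServiceObject {
    $configNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
}

function Test-GcSettings {
    # Pure validation; returns the list of problems, empty when the combination is acceptable.
    param([int]$TombstoneLifetimeDays, [int]$GarbageCollPeriodHours, [double]$NewestBackupAgeDays)
    $problems = @()
    if ($TombstoneLifetimeDays -lt 2) {
        $problems += 'tombstoneLifetime below 2 days leaves no window for replication or recovery'
    }
    if ($GarbageCollPeriodHours -lt 1) {
        $problems += 'garbageCollPeriod must be at least 1 hour'
    }
    $maxGc = [math]::Floor($TombstoneLifetimeDays * 24 / 4)
    if ($GarbageCollPeriodHours -gt $maxGc) {
        $problems += "garbageCollPeriod $GarbageCollPeriodHours h exceeds one quarter of the tombstone lifetime ($maxGc h)"
    }
    if ($NewestBackupAgeDays -ge $TombstoneLifetimeDays) {
        $problems += "newest backup ($NewestBackupAgeDays days) would already be older than the tombstone lifetime"
    }
    $problems
}

function Set-GcSettings {
    param([int]$TombstoneLifetimeDays, [int]$GarbageCollPeriodHours, [double]$NewestBackupAgeDays)
    $problems = Test-GcSettings $TombstoneLifetimeDays $GarbageCollPeriodHours $NewestBackupAgeDays
    if ($problems) { throw ("Refusing to change settings:`n  " + ($problems -join "`n  ")) }
    $ds = Get-DirectoryServiceObject
    $oldTsl = $ds.Properties['tombstoneLifetime'].Value
    $oldGc  = $ds.Properties['garbageCollPeriod'].Value
    if (-not $oldTsl) { $oldTsl = 'unset (60)' }     # unset attribute means the 60-day default
    if (-not $oldGc)  { $oldGc  = 'unset (12)' }     # unset attribute means the 12-hour default
    $ds.Put('tombstoneLifetime', $TombstoneLifetimeDays)
    $ds.Put('garbageCollPeriod', $GarbageCollPeriodHours)
    $ds.SetInfo()
    "tombstoneLifetime: $oldTsl -> $TombstoneLifetimeDays days; garbageCollPeriod: $oldGc -> $GarbageCollPeriodHours hours (forest-wide)"
}

# A raise to 180 days with the default 12-hour collection period and a 20-day-old backup
# produces no problems ...
Test-GcSettings -TombstoneLifetimeDays 180 -GarbageCollPeriodHours 12 -NewestBackupAgeDays 20
# ... while a cut to 30 days with a 200-hour period and a 45-day-old backup is refused on
# two counts (200 h > 180 h, and 45 days >= 30 days):
Test-GcSettings -TombstoneLifetimeDays 30 -GarbageCollPeriodHours 200 -NewestBackupAgeDays 45
# Apply only after reviewing the output above:
# Set-GcSettings -TombstoneLifetimeDays 180 -GarbageCollPeriodHours 12 -NewestBackupAgeDays 20
```

Raising the tombstone lifetime is the common change (it lengthens the window in which backups and offline domain controllers stay usable); the validation exists mainly for the rare case of lowering it, where an existing backup can silently become unrestorable.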
