20411B-ENU-TrainerHandbook
.pdf
Administering Windows Server® 2012
3.Type ntdsutil, and then press Enter.
4.Type activate instance ntds, and then press Enter.
5.Type snapshot, and then press Enter.
6.Type unmount GUID, where GUID is the GUID of the snapshot, and then press Enter.
7.Type quit, and then press Enter.
8.Type quit, and then press Enter.
Understanding How to Restore Deleted Objects
When an object in AD DS is deleted, it is moved to the Deleted Objects container, and stripped of many important attributes. You can extend
the list of attributes that remain when an object is deleted, but you can never retain linked attribute values (such as group membership).
As long as the object has not yet been scavenged by the garbage collection process after reaching the end of its tombstone lifetime, you can restore or reanimate the deleted object.
To restore a deleted object:
1.Click Start, and in the Start Search box, type LDP.exe, and then press Ctrl+Shift+Enter, which executes the command as an administrator.
2.The User Account Control dialog box appears.
3.Click Use another account.
4.In the User name box, type the user name of an administrator.
5.In the Password box, type the password for the administrative account, and then press Enter.
6.LDP opens.
7.Click the Connection menu, click Connect, and then click OK.
8.Click the Connection menu, click Bind, and then click OK.
9.Click the Options menu, and then click Controls.
10.In the Load Predefined list, click Return Deleted Objects, and then click OK.
11.Click the View menu, click Tree, and then click OK.
12.Expand the domain, and then double-click CN=Deleted Objects,DC=contoso,DC=com.
13.Right-click the deleted object, and then click Modify.
14.In the Attribute box, type isDeleted.
15.In the Operation section, click Delete.
16.Press Enter.
17.In the Attribute box, type distinguishedName.
3-MCT29 USEONLY
STUDENT . PROHIBITED USE
3-30 MCT
23. Use Active Directory Users and Computers to repopulate the object’s attributes, reset the passwordUSEONLY (for a user object), and enable the object (if disabled).
STUDENT .
When you enable Active Directory Recycle Bin, all link-valued and nonlink-valued attributes of the USE deleted Active Directory objects are preserved, and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately
before deletion, within and across domains. Active Directory Recycle Bin works for both AD DS and Active
Directory Lightweight Directory Services (AD LDS) environments. |
PROHIBITED |
|
After you enable Active Directory Recycle Bin, when an Active Directory object is deleted, the system |
||
|
preserves all of the object's link-valued and non-link-valued attributes, and the object becomes logically deleted. A deleted object is moved to the Deleted Objects container, and its distinguished name is mangled. A deleted object remains in the Deleted Objects container in a logically deleted state throughout the duration of the deleted object lifetime. Within the deleted object lifetime, you can recover a deleted object with Active Directory Recycle Bin and make it a live Active Directory object again.
The deleted object lifetime is determined by the value of the msDS-deletedObjectLifetime attribute. For an item deleted after the Active Directory Recycle Bin has been enabled (recycled object), the recycled object lifetime is determined by the value of the legacy tombstoneLifetime attribute. By default, msDS-deletedObjectLifetime is set to null. When msDS-deletedObjectLifetime is set to null, the deleted object lifetime is set to the value of the recycled object lifetime. By default, the recycled object lifetime, which is stored in the tombstoneLifetime attribute, is also set to null. When tombstoneLifetime
is set to null, the recycled object lifetime defaults to 180 days. You can modify the values of the msDSdeletedObjectLifetime and tombstoneLifetime attributes anytime. When msDS-deletedObjectLife is set to some value other than null, it no longer assumes the value of tombstoneLifetime.
Administering Windows Server® 2012 |
|
MCT |
|
3-31 |
|
||
Enabling the Active Directory Recycle Bin |
|
|
|
You can enable the Active Directory Recycle Bin only when the forest functional level is set to Windows |
|
|
|
Server 2008 R2 or higher. |
|
USE |
|
To enable the Active Directory Recycle Bin in Windows 2012, you can perform one the following: |
|
||
|
|
|
|
• From the Active Directory module for Windows PowerShell prompt, use the |
|
|
|
Enable-ADOptionalFeature cmdlet. |
|
|
|
• From Active Directory Administrative Center, select the domain, and then click Enable Active |
|
.ONLY |
|
Directory Recycle Bin in the Tasks pane. |
|
||
Only items deleted after the Active Directory Recycle Bin is turned on can be restored from the Active |
|
||
|
|
|
|
Directory Recycle Bin. |
|
|
|
Restoring Items from the Active Directory Recycle Bin |
|
|
|
In Windows Server 2012, the Active Directory Administrative Center provides a graphical interface for |
|
|
|
restoring AD DS objects that are deleted. When the Active Directory Recycle Bin has been enabled, the |
|
|
|
Deleted Objects container is visible in Active Directory Administrative Center. Deleted objects will be |
|
PROHIBITEDUSESTUDENT |
|
visible in this container until their deleted object lifetime period has expired. You can choose to restore |
|||
the objects to their original location or to an alternate location within AD DS. |
|
||
|
|
|
|
3-32 Maintaining Active Directory Domain Services
Lab: Maintaining AD DS |
|
MCT |
||
|
Scenario |
|
||
|
|
|
|
|
|
A. Datum Corporation is a global engineering and manufacturing company with its head office in London, |
|||
|
U.K.. An IT office and data center in London supports the head office and other locations. A. Datum |
|
|
|
|
recently deployed a Windows Server 2012 server and client infrastructure. |
|
|
|
|
A. Datum is making several organizational changes that require modifications to the AD DS infrastructure. |
|||
|
A new location requires a secure method of providing onsite AD DS, and you have been asked to extend |
USE |
||
|
|
|
||
|
the capabilities of Active Directory Recycle Bin to the entire organization. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Virtual Machine(s) |
20411B-LON-DC1 |
|
|
|
|
20411B-LON-SVR1 |
|
|
|
|
|
|
|
|
User Name |
Administrator |
ONLY. |
|
|
|
|
||
•Install and configure a RODC.
•Configure and view Active Directory snapshots.
•Configure the Active Directory recycle bin.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1.On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.In Hyper-V Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3.In the Actions pane, click Connect. Wait until the virtual machine starts.
4.Log on using the following credentials:
a.User name: Administrator
b.Password: Pa$$w0rd
c.Domain: Adatum
5.Repeat steps 2 through 4 for 20411B-LON-SVR1.
Exercise 1: Installing and Configuring a RODC
Scenario
A. Datum is adding a new branch office. You have been asked to configure a RODC to service logon requests at the branch office. You also need to configure password policies that ensure caching only of passwords for local users in the branch office.
PROHIBITED USE STUDENT
Administering Windows Server® 2012 3-33
The main tasks for this exercise are as follows: |
MCT |
|||
1. |
Verify requirements for installing a RODC. |
|||
2. |
Install an RODC. |
USE |
||
3. |
Configure a password-replication policy. |
|||
|
||||
Task 1: Verify requirements for installing a RODC |
|
|||
1. |
On LON-DC1, from Server Manager, open Active Directory Users and Computers. |
.ONLY |
||
2. |
In the properties of Adatum.com, verify that the forest functional level is at least Windows |
|||
|
||||
|
Server® 2003. |
|
||
3. |
On LON-SVR1, open Server Manager, and verify whether the computer is a domain member. |
|
||
4. |
Use System Properties to place LON-SVR1 in a workgroup named TEMPORARY. |
|
||
5. |
Restart LON-SVR1. |
|
||
6. |
On LON-DC1, open Active Directory Users and Computers. |
STUDENT |
||
7. |
Delete the LON-SVR1 computer account from the Computers container. |
|||
|
||||
8. |
In the Domain Controllers OU, precreate a RODC account by using default settings, except for the |
|
||
|
following: |
|
||
|
o Computer name: LON-SVR1 |
|
||
|
o |
Delegate to: ADATUM\IT |
|
|
9. |
Close Active Directory Users and Computers. |
|
||
Task 2: Install an RODC |
|
|||
1. |
Sign in to LON-SVR1 as Administrator with the password Pa$$w0rd. |
|
||
2. |
On LON-SVR1, add the Active Directory Domain Services Role. |
|
||
3. |
Complete the Active Directory Domain Services Installation Wizard by using default options except |
USE |
||
|
those listed below: |
|||
|
|
|||
|
o |
Domain: Adatum.com |
|
|
|
o Network credentials: Adatum\April (a member of the IT group) |
|
||
|
o Password for April: Pa$$w0rd |
PROHIBITED |
||
|
o |
Directory Services restore mode password: Pa$$w0rd |
||
|
|
|||
|
o Replicate from: LON-DC1.Adatum.com |
|
||
4. |
When installation is complete, restart LON-SVR1. |
|
||
1. |
On LON-DC1, from Server Manager, open Active Directory Users and Computers. |
|
||
2. |
In the Users container, view the membership of the Allowed RODC Password Replication Group, |
|||
|
and verify that there are no current members. |
|
||
3. |
In the Domain Controllers OU, open the properties of LON-SVR1. |
|
||
4. |
On the Password Replication Policy tab, verify that the Allowed RODC Password Replication |
|
||
|
Group and Denied RODC Password Replication Group are listed. |
|
||
3-34 Maintaining Active Directory Domain Services
5. On LON-DC1, in Active Directory Users and Computers, in the Research OU, create a new group |
MCT |
|||
|
named Remote Office Users. |
|||
|
|
|||
6. Add Aziz, Colin, Lukas, Louise, and LON-CL1 to the membership of Remote Office Users. |
USE |
|||
7. On LON-DC1, in Active Directory Users and Computers, click the Domain Controllers OU, and then |
||||
|
open the properties of LON-SVR1. |
|||
8. On the Password Replication Policy tab, allow the Remote Office Users group to replicate |
||||
|
passwords to LON-SVR1. |
|||
|
|
|
||
9. |
On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the |
|
|
|
|
properties of LON-SVR1. |
|
|
|
10. |
On the Password Replication Policy tab, open the Advanced configuration. On the Resultant |
|
|
|
|
Policy tab, add Aziz, and then confirm that Aziz’s password can be cached. |
|
|
|
11. |
Attempt to log on to LON-SVR1 as Aziz. This logon will fail because Aziz does not have permission to |
|||
|
logon to the RODC, but authentication is performed and the credentials are cached. |
USESTUDENTONLY. |
||
12. |
On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the |
|||
|
|
|||
|
properties of LON-SVR1. |
|
|
|
13. |
On the Password Replication Policy tab, open the Advanced configuration. |
|
|
|
14. |
On the Policy Usage tab, select the Accounts that have been authenticated to this Read-only |
|
|
|
|
Domain Controller option. Notice that Aziz’s password has been cached. |
|
|
|
15. |
On LON-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, right-click |
|
|
|
|
LON-SVR1, and then click Properties. |
|
|
|
16. |
On the Password Replication Policy tab, open the Advanced configuration. |
|
|
|
17. |
On the Policy Usage tab, prepopulate the password for Louise and LON-CL1. |
|
|
|
18. |
Read the list of cached passwords, and then confirm that Louise and LON-CL1 have been added. |
|
|
|
19. |
Close all open windows on LON-DC1. |
|
|
|
|
|
|
|
|
|
|
|
|
|
As part of the overall disaster recovery plan for A. Datum, you have been instructed to test the process for taking Active Directory snapshots and viewing them. If the process is successful, you will schedule them to occur on a regular basis to assist in the recovery of deleted or modified AD DS objects.
1. |
Create a snapshot of AD DS. |
PROHIBITED |
|
2. |
Make a change to AD DS. |
||
|
|||
3. |
Mount an Active Directory snapshot, and create a new instance. |
|
|
4. |
Explore a snapshot with Active Directory Users and Computers. |
|
|
5. |
Unmount an Active Directory snapshot. |
|
Administering Windows Server® 2012 |
MCT |
|
3-35 |
|
|
Task 1: Create a snapshot of AD DS |
|
|
1.On LON-DC1, open a command prompt window, and then type the following commands each followed by Enter:
|
ntdsutil |
|
|
|
|
snapshot |
USE |
||
|
activate instance ntds |
|||
|
create |
|||
|
quit |
|||
|
Quit |
|||
|
|
|
||
|
|
|
|
|
2. |
The command returns a message indicating that the snapshot set was generated successfully. The |
|
|
|
|
globally unique identifier (GUID) that displays is important for commands in later tasks. Make a note |
|||
|
of the GUID or copy it to the Clipboard. |
ONLY. |
||
Task 2: Make a change to AD DS |
||||
1. |
On LON-DC1, open Server Manager. |
|||
2. |
From Server Manager, open Active Directory Users and Computers. |
|||
|
|
|||
3. |
Delete Adam Barr's account from the Marketing OU. |
|
|
|
Task 3: Mount an Active Directory snapshot, and create a new instance |
|
|
||
1. |
Open an administrative command prompt, and then type the following commands each followed |
|
|
|
|
by Enter: |
|
|
|
|
|
|
|
|
|
ntdsutil |
|
|
|
|
snapshot |
|
|
|
|
activate instance ntds |
|
|
|
|
list all |
|
|
|
|
|
|
|
|
|
The command returns a list of all snapshots. |
STUDENT |
||
2. |
Type the following commands each followed by Enter: |
|||
|
|
|||
|
|
|
|
|
|
mount guid |
|
|
|
|
quit |
USE |
||
|
Quit |
|||
|
|
|||
|
Where guid is the GUID of the snapshot you created. |
|||
|
|
|
||
3. |
Use the snapshot to start an instance of Active Directory by typing the following command, all on one |
|||
|
line, and then press Enter: |
|
|
|
|
|
|||
|
|
|
|
|
1. |
Switch to Active Directory Users and Computers. Right-click the root node of the snap-in, and then |
|||
|
click Change Domain Controller. Type the directory server name and port LON-DC1:50000, and |
PROHIBITED |
||
|
then press Enter. Click OK. |
|||
2. |
Locate the Adam Barr user account object in the Marketing OU. Note that Adam Barr's object is |
|||
|
displayed because the snapshot was taken prior to deleting it. |
|||
|
|
|||
3-36 Maintaining Active Directory Domain Services
Task 5: Unmount an Active Directory snapshot
1.In the command prompt, press Ctrl+C to stop DSAMain.exe.
2.Type the following commands:
ntdsutil snapshot
activate instance ntds list all
unmount guid list all quit
Quit
Where guid is the GUID of the snapshot.
Results: After completing this exercise, you will have configured AD DS snapshots.
Exercise 3: Configuring the Active Directory Recycle Bin
Scenario
As part of the Disaster Recovery plan for AD DS, you need to configure and test the Active Directory Recycle Bin to allow for object and container level recovery.
The main tasks for this exercise are as follows:
1.Enable the Active Directory Recycle Bin.
2.Create and delete test users.
3.Restore the deleted users.
4.To prepare for the next module.
Task 1: Enable the Active Directory Recycle Bin
1.On LON-DC1, from Server Manager, open Active Directory Administrative Center.
2.Enable the Recycle Bin.
3.Press F5 to refresh Active Directory Administrative Center.
Task 2: Create and delete test users
1.In Active Directory Administrative Center, create the following users in the Research OU. Give each a password of Pa$$w0rd:
o Test1
o Test2
2.Delete the Test1 and Test2 accounts.
Task 3: Restore the deleted users
1.In Active Directory Administrative Center, navigate to the Deleted Objects folder for the Adatum domain.
2.Restore Test1 to its original location.
3.Restore Test2 to the IT OU.
4.Confirm that Test1 is now located in the Research OU and that Test2 is in the IT OU.
PROHIBITED USE STUDENT .ONLY USE MCT
Administering Windows Server® 2012
To prepare for the next module
•When you finish the lab, revert the virtual machines to their initial state.
Results: After completing this exercise, you will have configured the Active Directory Recycle Bin.
3-MCT37 USEONLY
STUDENT . PROHIBITED USE
3-38 Maintaining Active Directory Domain Services
Module Review and Takeaways
Best Practices for Administering AD DS
•Do not virtualize all domain controllers on the same hypervisor host or server.
•Virtual machine snapshots provide an excellent reference point or quick recovery method, but you should not use them as a replacement for regular backups. They also will not allow you to recover objects by reverting to an older snapshot.
•Use RODCs when physical security makes a writable domain controller unfeasible.
•Use the best tool for the job. Active Directory Users and Computers is the most commonly used tool for managing AD DS, but it is not always the best. You can use Active Directory Administrative Center for performing large-scale tasks or those tasks that involve multiple objects. You also can use the Active Directory module for Windows PowerShell to create reusable scripts for frequently repeated administrative tasks.
•Enable Active Directory Recycle Bin if your forest functional level supports the functionality. It can be invaluable in saving time when recovering accidentally deleted objects in AD DS.
Tools
Tool |
Used for |
Where to find it |
|
|
|
Hyper-V Manager |
Managing virtualized hosts on |
Server Manager - Tools |
|
Windows Server 2012 |
|
Active Directory module for |
Managing AD DS through scripts |
Server Manager - Tools |
Windows PowerShell |
and from the command line |
|
Active Directory Users and |
Managing objects in AD DS |
Server Manager – Tools |
Computers |
|
|
Active Directory |
Managing objects in AD DS, |
Server Manager - Tools |
Administrative Center |
enabling and managing the Active |
|
|
Directory Recycle Bin |
|
Ntdsutil.exe |
Managing AD DS snapshots |
Command prompt |
Dsamain.exe |
Mounting AD DS snapshots for |
Command prompt |
|
browsing |
|
|
|
|
PROHIBITED USE STUDENT .ONLY USE MCT